Thursday, October 12, 2017

The X-Mailinator-SMTP Header

Our customers love Mailinator for email testing. Thousands of inboxes all auto-created on the fly enables some pretty unique test scenarios. Once things get going though, it's not uncommon for customers to send us many (many) thousands of emails in a short period of time.

That's great but invariably there are questions about how delivery performed. The Internet is a wild place with variability at every step. So to provide better visibility for our users, we've introduced the X-Mailinator-SMTP email header. Mailinator injects this into every email that enters the system. It looks something like this (json parsed version):

"x-mailinator-smtp": [
            "open;0",
            "start;0",
            "220 mail.mailinator.com ESMTP Postfix;0",
            "EHLO r214.email.hm.com;90",
            "250-mail.mailinator.com  250-8BITMIME  250-SIZE 180000  250 Ok;90",
            "MAIL FROM: newsletter@email.zz.com;181",
            "250 Ok;181",
            "RCPT TO: joe@mailinator.com;241",
            "250 Ok;241",
            "DATA;331",
            "354 End data with .;331"
        ],

You can see this on any email in the Mailinator system by viewing the email, then in the upper-right drop-down, click "json".  Subscribers will get this in the API of course starting immediately.

In every line is an event that happened in the SMTP transaction followed by a semicolon and then the number of milliseconds since the connection was open. If you know SMTP, you know that the events above starting with 3-digit integers are responses from the Mailinator server. The other capitalized commands are sent from the sender.

The "open" notes the connection open (always 0ms) and the "start" indicates when the Mailinator queue started processing (hopefully also always 0ms). It's been pretty enlightening to see the different behaviors of different emailing systems (who are you folks who wait 20s to start sending SMTP?).

We hope this feature brings our customers further visibility into the delivery of email into Mailinator.

Friday, July 28, 2017

Introducing the Mailinator Real-Time Inbox

Mailinator is changing the way email works.

For most users, an inbox is an email’s final destination on a journey through the internet. It’s an endpoint, your endpoint, that holds your emails as they come to you. Checking your email, or refreshing your browser, is when your inbox asks if there’s anything new for you.

But Mailinator doesn’t see it that way because inboxes @mailinator.com don’t really belong to anyone. The public Mailinator system gets many (oh so many) millions of emails per day - and you can read any of them. So can anyone else. With Mailinator, you don’t even have to create an inbox. You can just start sending email to it.

One way to think about it is that all inboxes already exist. Another way to think about it is that Mailinator creates inboxes on-the-fly as email arrives.




From Mailinator’s point of view the email flow is relentless and constant. We call it the Mailinator Stream. Previously, inboxes got new mail the way all inboxes do - periodically they asked the server if there was any new email to display.

But now we’ve hooked you up to the stream. Directly. To every inbox. In real time.

Welcome to the Mailinator Real-time Inbox. 

The moment someone sends an email to Mailinator, it’ll show up on your screen (just as fast as the internet allows). There’s no delay. You’ll never again have to hit ‘refresh’ on a Mailinator inbox. (Go ahead and give it at try - pick an inbox @mailinator.com, send an email to it, and watch it arrive an instant later - be sure to turn off the "undo" feature of Gmail or it'll delay 30 seconds before sending)

Now, with Mailinator’s inbox page tapped into the stream, an inbox is a filter. Everything that matches your filter will show up in real time.

For most users, that won’t make much of a difference. You’ll get your anonymous, no-sign-up emails like always, except now they'll arrive instantly. An inbox will still act like an inbox.

But paid subscribers with private domains can query the stream at a deeper level. (For those who didn't know, you can upgrade your Mailinator account to get your own private, not-auto-deleting version of Mailinator pointing at at your own domain that your whole team can access simultaneously).

Subscribers can create more complex filters and persistent queries that capture more than just a single <inbox> from the stream. You can tap into multiple inboxes at the same time. You can also use a trailing asterisk as a wildcard. Asking your inbox to capture testing* will fill your inbox with all the emails sent to testing1, and testing99, and testing-xyz, and anything else which matches.

Mailinator has always been about providing public email addresses for anyone to use (no signup required), and now it does it in real-time with some great new features. Interested in your own private Mailinator where every inbox you can think up is yours (instantly and wildcard searchable)? Request a Trial today.


Thanks for using Mailinator!

Thursday, May 4, 2017

Mailinator and the Recent Google Docs Phishing Attack

Yesterday (Wednesday, May 3rd), someone launched a clever phishing attack against Google users.

They wrote a little application and falsely named it "Google Docs." Given the chance, it compromises your Gmail account and reads your contacts list. Then, using Google’s own email servers, it sends itself to all your contacts.

This kind of attack lives or dies by how successful it is at getting people to believe it and click through. If no one clicks, or if no one grants it the permissions it asks for, then it doesn't spread and nothing happens. But every time someone clicks through and grants the app the access it wants, the attack multiplies by the number of times it propagates.

The attack was very successful at getting people to click through and grant it permissions, and it spread very quickly.

But it did so in a quirky way, one that made Mailinator one of its victims. It emailed itself from one victim's account to the next set of targets by BCC (blind carbon-copy). If you received the email, it came to you that way. Your email address wasn't in the TO field, it was in the BCC field.

That's a little bit clever. Since the BCC: is blind, the victim doesn't see themselves included in a long list of recipients (many of whom they don't recognize), which is often a big clue that the email is nefarious (or some dumb joke that a clueless relative has forwarded to everyone they know). Any one attack email might have been BCC'd to dozens of new victims.


When you send an email, you can't just BCC people. To make it legit, there has to be something in the TO field. Since all the victim's contacts were in the BCC field, the address the emails are TO isn't part of the attack. The attacker just needs a dumping ground. Something that looks just-so to the target; not a name that stands out for being unfamiliar, but also a real address that works and won’t bounce. That will improve deliverability and believability. So who did the attacker choose to send these emails to?

hhhhhhhhhhhhhhhh@mailinator.com

What is the significance of that inbox? As far as we can tell, there isn't one. Since all addresses already exist at Mailinator, using your finger to hold down a key for a bit generates a completely innocuous - but usable - inbox name. The significance of using mailinator.com is clear: our well-deserved reputation for successfully handling high volumes of incoming email.

In effect, they were relying on Mailinator’s proven ability to receive lots of email.

From the attacker's perspective, it doesn't matter much what is in the TO field. They just need to make sure that the emails get out the door. Mailinator is very good at receiving emails, the attack spread very quickly, and very soon the hhhhhhhhhhhhhhhh inbox at Mailinator was getting thousands of emails.

We noticed the activity early on, and shut down the inbound stream of emails to the hhhhhhhhhhhhhhhh inbox. Unfortunately, this did nothing to stop the attack. That's because nothing about the attack was happening via Mailinator. Mailinator was simply another recipient of the email. The attack could not propagate itself via Mailinator but it sure could send us email when other people propagated it. By the time we shut down the inbound stream, hundreds of thousands of emails to hhhhhhhhhhhhhhhh had shoved their way through our system. Any one inbox at Mailinator only shows 50 emails, and that inbox was (at peak) receiving a few thousand emails per second. Because the volume was so large, it wasn’t possible to read any of these emails at Mailinator. Before anyone could have clicked on one to read it, Mailinator had expired it to make room for thousands more that were pouring in.

The emails to hhhhhhhhhhhhhhhh were of no consequence to the attack. Even the name was irrelevant.

Strangely, we've seen a few articles mentioning that that inbox was the sender. Most even showed a screenshot on the same page contradicting that idea with the Mailinator address clearly in the TO field and one of the victim's contacts as the sender.

Just to be clear: the Gmail phishing attack sent email to a victim’s contacts using Google’s email servers and all emails were FROM another Google user. Each time the attack propagated, it also emailed TO Mailinator as a receiver, nothing more. None of those emails came from Mailinator, they came from Gmail.

It's true that all of the attack emails were TO: hhhhhhhhhhhhhhhh@mailinator.com, but it seems pretty clear that if you're looking for where the emails came from, you'd want to look at the FROM: field.

Additionally, the emails can't be from Mailinator because Mailinator can't send email. It’s a receive-only service. The Mailinator system was not part of the attack - it was just a recipient like all the other victims. The only difference between us and the other recipients was that we received hundreds of thousands of these emails in a very short time.

If you visit that inbox now (here's a link to hhhhhhhhhhhhhhhh inbox - don't worry, it's safe to click, it will take you right to Mailinator), you’ll notice no such phishing emails. We turned the inbound stream of attack emails off very soon after the phishing scam started.

Service to our legitimate users was uninterrupted.

Mailinator remains, as always, the best place to get a free, disposable email. We can’t prevent people from sending email to us (receiving email is the whole point of the service!) and we still love our regular users: thousands of QA Teams that send us millions of test emails, and you - whenever you want to protect your real email address from spam.