Refill a disposable through an email message

A place for polls.

Are you interested in the "refill by email" feature? (See description below)

Poll ended at Tue May 18, 2004 4:00 am

Very interested
Somewhat interested
Not really interested
No votes
Not interested at all
No votes
Total votes : 10

Refill a disposable through an email message

Postby SysKoll » Wed Feb 18, 2004 4:00 am

Proposed feature: Give users an option to refill one of their disposable through an email interface.
  • A user would use the web site to pick a refill password.
  • Then, to refill a disposable, the user would send an email (from anywhere) to that disposable with subject "REFILL X password" where X = 1 to 20. The disposable's counter would immediately be reset to that number X.

For instance, say you pick "P3ngu1n" as your refill password and you want to refill your disposable joe.blow.UserName. You send an email to joe.blow.UserName@spamgourmet with subject "REFILL 10 P3ngu1n" and this disposable's counter gets set to 10.
-- SysKoll
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm

Refill a disposable through an email message

Postby kyricc » Wed Feb 18, 2004 11:50 am

As I suggested in the original thread for this request, I would suggest (as an added bit of security) to only allow this request to come from your registered 'real address'.

Posts: 5
Joined: Wed Feb 18, 2004 10:55 am
Location: Nebraska, USA

Postby SysKoll » Wed Feb 18, 2004 2:40 pm


The From field of an email is so easy to forge that this is not adding much security.
-- SysKoll
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm

Postby josh » Wed Feb 18, 2004 3:40 pm

I agree that it's not secure enough to verify that the command came from your "real" address -- not because I imagine that ill-wishers will be refilling sg users' disposables with forged From: headers, though: after all, sg keeps the ill wishers from knowing the real address in the first place, and if they do know it somehow, it seems like a lot of evil-doing pain for not much evil-getting gain -- why not just send email to the real address? :) ...

Rather, the possibility of abuse (however implausible) will occur to tech journalists, who will then bash the feature as "insecure" -- I've read too many reviews (e.g.,,4149,12616,00.asp ,,4149,844094,00.asp - both are so "important" that they're the number two google hit for the search term "spamgourmet") that focus on sg auto-create as a security problem without a) mentioning prefixes and watchwords, which effectively seal it off, or b) admitting what a silly scenario it is to imagine spammers sitting around making up disposable email addresses, or that sg no-brainer users have been enjoying the service with absolutely no maintenance worries or "made up" addresses for *years* now... (and if one had listened to the journalists years ago, he or she would have missed out on all that transparent spam protection)

So, learning the harsh lessons of journalistic blockheadedness, I'd say the shallow *appearance* of security is, unfortunately, almost as important as actual security.
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby Guest » Sat Feb 21, 2004 2:28 pm

I was thinking this could be a way of interacting with spamgourmet through email. For example:

- Add more messages:
Subject: RESTOCK 20 oranges

- Shutdown an address:
Subject: RESTOCK 0 oranges

You know when you want to create that initial munged address so you can send an email so it looks like it came from spamgourmet (the mysendto page). How about enabling that functionality through email. Like I send an email:

Subject: MUNGE oranges

Then what spamgourmet does is send me an email with the from address set to the munged address. Then I can reply to that email and my real address will be hidden.

Postby Guest » Sat Feb 21, 2004 3:04 pm

Adding a trusted sender:

Subject: ADDTRUSTED P3ngu1n

Postby Guest » Sun Feb 22, 2004 12:00 am

Get status of an address:

Subject: GETSTATUS P3ngu1n

Returns current message count and trusted senders.

Postby ben » Tue Feb 24, 2004 3:05 pm

It would be better to allow it in the message body and allow for multiple instructions.


Yes please!

Postby csunderland » Fri Feb 27, 2004 4:58 pm

I think this is a great idea.

I'm not sure at all of the best way to implement it, but I just wanted to voice my support :!:

Posts: 1
Joined: Fri Feb 27, 2004 4:55 pm
Location: London, UK

Postby cerk » Mon Mar 01, 2004 12:49 pm

Good idea, and I second the suggestion on only allowing refilling when mailed from users original mail address. Although "From" field is easy to forge, the "Sent from" field in the mail header is (close to) impossible. Besides, I can't really imagine spammers going to that extent of trouble on hacking into Sent-from field just to enable your disposable address.

Go for it.

Postby kyricc » Tue Mar 02, 2004 12:41 pm

SysKoll wrote:Kyricc,

The From field of an email is so easy to forge that this is not adding much security.

I guess I was coming from the standpoint of your original message to the poll. While the From: header is easy to fake you had stated something about a password. I was figuring the combination of correct From: header + correct password would suffice.

Posts: 5
Joined: Wed Feb 18, 2004 10:55 am
Location: Nebraska, USA

Postby anon » Tue Mar 02, 2004 12:49 pm

The from: field is easy to forge, but the only thing that spamgourmet protects is your real email address -- so if someone *has* your real email address, and can therefore forge a from: field, what's the point of doing so? That person can just send email *straight to* your real email address and circumvent spamgourmet altogether -- no worries about refilling or anything else...

Postby bill1000 » Sun May 16, 2004 4:42 pm

How about just making it an option that the user could turn off and on as desired? Maybe also assigning a seperate password that could only be used for e-mail commands. If someone actually does go to the trouble of sniffing out the e-mail password and spam quotas start changing, then the actual user could just log in with his real password and change the e-mail one or just turn that option off.


Postby prolixity » Tue Aug 03, 2004 11:44 am

perhaps to ease fears of other people changing your settings

1) send email command from "real" address
2) SG replies to "real" address somehow with a confirmation url

Should the SG user not click the url the account change(s) are not implemented. Perhaps set a url expiry time just in case (3 days?)

* somehow =

- to the alias being modified -- but not reduce it's "count"
- other?
Posts: 3
Joined: Tue Aug 03, 2004 11:30 am

Postby Mercury » Thu Oct 21, 2004 7:51 pm

sorry, but it makes no sense to me: if you have time to send mail to sg, you also have time to visit sg's webpage to change whatever you want. there's no advantage.


Return to Polls

Who is online

Users browsing this forum: No registered users and 1 guest