firefox burned

The maintainers of a “disposable email service” blocklist have decided to add Firefox Relay to the list, leaving many users of the service upset.

Firefox Relay is a privacy-centric email service that enables users to protect their real email addresses and hence limit spam.

Firefox Relay to go into disposable email blocklist

Launched in November 2021, Firefox Relay was created with the goal of helping users safeguard their privacy and limit the amount of email spam directed at them. 

Available as a free and premium offering, the service hides the user’s real email address to help protect their identity by giving them an alias to use.

Disposable email address services work by providing users with a temporary, intermediate email address that “relays” mail to their real inbox.

Users signing up for Firefox Relay are assigned an @*.mozmail.com email alias which forwards their mail to their actual email address.

Firefox Relay's mozmail domain
FireFox Relay’s mozmail.com domain in use (Mozilla)

Although disposable email services might provide users with peace of mind when signing into free Wi-Fi portals that require an email address, and services with a high probability of sending marketing emails to users, they can also become a nuisance for service providers.

For example, mission-critical sites providing e-commerce and online banking services may become susceptible to abuse by threat actors if they allow the use of disposable emails.

Therefore, blocklists of domains used by burner email services are compiled and maintained by third-parties.

These can be referred to by online service providers from time to time to deny account signups to users presenting a disposable email address.

As seen by BleepingComputer today, the list, “disposable-email-domains” present on a GitHub repository by the same name contains known burner email services like 10minutemail, GuerrillaMail, and Mailinator.

Alongside these domains, relay.firefox.com was also proposed for addition as of a few days ago:

firefox relay added to blacklist
Firefox Relay domain added to blocklist (GitHub)

It isn’t clear who all or how many service providers reference the “disposable-email-domains” list when checking if a provided email address is a burner.

But, note, we did not see *.mozmail.com domains on the list just yet: “mozmail.com” is the functional domain used by email aliases generated by Firefox Relay.

Back in November 2021, Firefox Relay’s team lead had requested the maintainer of a separate burner email list, “burner-email-providers” to exempt the particular domain form the blocklist:

“We are operating Relay with a number of features that I think mitigate the risks that these aliases pose,” Mozilla’s privacy and security engineer Luke Crouch explained in November.

Firstly, if a @mozmail.com alias is disabled by the user, any emails sent to the alias are not bounced back but instead discarded with a 404 error message returned by the service’s HTTP webook, stated Crouch. 

Secondly, he explained, the anti-abuse protections built into Relay limit free users to a total of five aliases, and further rate-limit premium customers so they cannot abuse the service by creating large-scale throw-away aliases for, say, automated signups to web services.

With that reasoning, mozmail.com was swiftly removed from that blocklist. And it appears, the creators of “disposable-email-domains” have also honored the clause, for now.

Users upset at the decision

The move to propose the addition of Firefox Relay’s main domain to the disposable email providers blocklist has left many users confused and unpleased, prompting the list’s maintainers to lock the GitHub discussion before it gets “too heated.”

“Well, nice pickle. Why are you doing this to us Firefox? Among other things this throws a wrench in the original (not really rock-solid) reasoning about domain levels from here — so it breaks our CI even if in the correct order,” asked software developer Martin Cech, who is one of the contributors to the blocklist’s repository.

“My reasoning on including this is that an email with a mozmail domain is never going to be a primary email and is always going to forward to some other address,” responded the list’s co-maintainer, Dustin Ingram, who is also a Google open source security team member.

But, one of the pseudonymous GitHub users, worldofgeese cautioned that such blocklists could strip users of “one of the few defenses they have” against their email address leaking, and from threat actors waiting to flood users’ mailboxes with spam.

“Can you not do this? You look like extremely bad actors. Please don’t contribute to an unsafe internet,” wrote worldofgeese.

“I use Private Relay to protect my personal mail address, not as a tool for spam. I’m not even sure how a user would use Private Relay for spam, as users cannot begin email chains with a Relay address, only respond to mails delivered to those addresses.”

Another GitHub user urged that the decision to blocklist Firefox Relay be reconsidered as the service is one of the safeguards that prevent personal email addresses from turning up in data breaches and being spammed.

Interestingly, privacy-focused email services like Fastmail allow creation of both real and randomly generated email aliases via their primary domain (i.e. @fastmail.com).

“Good luck blocking the hundreds of thousands of Fastmail users by trying to block the minority using masked addresses,” challenged a Hacker News commentator.

As seen by BleepingComputer, fastmail.com is present on the allowlist within the “disposable-email-domains” repo.

Some surmised that, with additional effort, malicious actors could choose to abuse legitimate email providers like Gmail just as well, rather than turning to a service like Firefox Relay, thereby rendering such blocklists futile.

And the divide seems to be stern between those who vouch by the efficacy of Firefox Relay and disposable email services, and those with the painful task of maintaining anti-spam blocklists.

“The reason disposable email addresses exist and are popular is because services have abused users’ trust to not use these emails for shady ad revenue and marketing schemes,” writes a user on Hacker News.

“It’s further compounded by shoddy security that leads to leaks and exposure of people’s personal email addresses to pwned compromised lists. People don’t want to give up their personal email addresses so that they can be spammed or hacked. Until services do better (ie don’t sell me out for cheap) I’ll keep using the latest disposable email address to sign up for your user-hostile websites.”

Whether the privacy afforded by email relay services outweighs the risks posed by their abuse remains an ongoing debate.

Source: www.bleepingcomputer.com