Disposable email addresses are quite widespread, and for different reasons. We briefly explored some of them in this post and performed a security analysis on a massive list of disposable email domains.

But first, it's essential to acknowledge that there are various possible types of disposable or temporary email addresses. These include:

• Throwaway email addresses: This type of disposable email address is mostly for one-time use and created using a different domain. The list of disposable email domains studied in this post belongs to this category.
• Alias email addresses: Email addresses of this type are hosted by the owner's main email service provider, such as Gmail and Outlook. However, they are not the person's primary email address and maybe used temporarily or for secondary purposes.
• Forwarding email addresses: This type of email addresses uses a different domain from the owner's primary email account. It is set up to forward messages to the primary email address.

Why Do People Use Disposable Email Addresses?

The idea behind creating disposable email addresses is probably well-intentioned from the standpoint of privacy. However, throwaway email addresses may also be misused for spam, abusive, and possibly even malicious purposes. We tackled both uses of disposable emails below.

Common Privacy-Related Uses of Disposable Email Addresses

Some people use throwaway or temporary email addresses to help protect their privacy and remain anonymous online. This makes a lot of sense, especially considering the ongoing global privacy concerns while on the Internet.

Disposable emails can also help people avoid getting too many marketing emails. And in hindsight, the use of temporary email addresses may as well hint at the lack of trust users have in a company, as they don't want to expose their official email addresses to security breaches or to spam-like marketing messages.

Throwaway email addresses may be helpful for professional purposes too. Software engineers and testers, for instance, often use disposable email addresses to test the email workflows of their products.

Abusive or Malicious Uses of Disposable Email Addresses

Some people may also employ disposable email addresses for more questionable endeavors, hence the relevance of possibly monitoring disposable email domains.

For example, an individual can sign up for a free trial period using a throwaway email address. When the period ends, he or she would again sign up for another round using another temporary email address. What are the repercussions of this behavior?

Among the first things that visibly get affected are email marketing metrics. When your email contact list includes disposable email addresses, this could result in low open rates and high bounce rates. The worst-case scenario for marketers is that their email sending reputation gets damaged, possibly landing them on spam blocklists.

Freemium abuse using disposable email addresses also results in negative consequences that go beyond email marketing metrics. There is little to no chance of converting disposable email users to paying customers, and users may benefit from the company's products and resources beyond the allowable free limit.

There is also a scenario where disposable email domains can be used by spammers or even cyber attackers to send malicious emails to their targets and deliver, say, malware embedded in links or files within the email message. Since victims don't have to respond to the messages to get infected, cyber attackers can just use a new throwaway email address when the other email addresses get blocked. In fact, we found some suspicious and even malicious email domains in our analysis in the next section.

Analysis of a Disposable Email Domains List

Monitoring disposable email domains can help organizations keep spammy or dangerous emails away, and it can also strengthen email security solutions. At the same time, a list of disposable email domains can help keep businesses afloat by increasing the chance of sales conversion.

We analyzed one fake email domain list which, as of 20 April 2021, contained 130,160 disposable email domains. This is enough to create hundreds of billions of throwaway email addresses.

Categorizing Our List of Disposable Email Domains

The list of disposable email domains that we obtained contains a wide range of domain names, but four categories stood out.

Random-Looking Email Domains

First on the list are random-looking and what could be machine-generated email domains. It is possible that these were created using a domain generation algorithm (DGA), a common method that allows malware families to communicate with their command-and-control (C&C) servers while evading detection. Some disposable email domains are random strings of numeric characters, such as:

• 01428570[.]xyz
• 01502[.]monster
• 0164445[.]com
• 01689306707[.]mobi
• 19940111[.]xyz

Some make use of alphanumeric characters, including:

• 00b2bcr51qv59xst2[.]cf
• 00b2bcr51qv59xst2[.]ga
• 0440tlrfm056aznoelu9775[.]com
• 0440tvrzee5qzzbpreu8481[.]com
• 19f6cop53ghzrys[.]xyz

The last disposable email domain above was deemed suspicious according to VirusTotal, while 19940111[.]xyz was tagged outright malicious.

Filtering out these kinds of disposable email addresses can help strengthen email security solutions and protect an organization's network from malware and other malicious campaigns.

Typosquatting Email Domains

We also noticed some online entities on the list of disposable email domains that seem to be mimicking popular brands. These domains could have been created in the hope that users mistype the brands' official domains. They could also be used to mislead users into opening a phishing or scam email.

Three disposable email domains on the list seem like PayPal copycats. These are via-paypal[.]com, paypal[.]comx[.]cf, and paypalserviceirc[.]com. Three may not be a huge number, yet via-paypal[.]com has already been reported for phishing.

One internationalized domain name (IDN) also seems to be imitating PayPal — xn--paypa-9tb[.]com. When converted to Unicode text, it reads "paypaǀ[.]com." But instead of the lowercase "L," a vertical bar is used, so it still looks like the mimicked domain name. Since the use of IDNs or Punycode has already been observed in other typosquatting campaigns, it would be a good security practice to also keep an eye out for them on a disposable email domains list.

About a dozen disposable email domains also seem to mimic avito[.]ru. Based on WHOIS Lookup results, none of these are under Avito Holding AB, the registrant organization indicated in the WHOIS record of avito[.]ru:

• avito-boxberry[.]ru
• avito-dilivery[.]ru
• avito-office[.]ru
• avito-package[.]ru
• avito-payshops[.]ru
• avito-repayment[.]online
• avito-safe[.]online
• avito-save[.]online
• avitoguard[.]online
• avitosafe[.]online
• avitoxpress[.]online

Avito is the largest classified ads website in Russia and the second-largest globally, next to Craigslist. Anyone that lands on an imitation website could become a victim of data theft, ransomware attack, or other cybercrime.

Coronavirus- and COVID-19-Inspired Email Domains

The list of disposable email domains detected more than 40 domain names related to coronavirus or COVID-19. Some suggest providing news updates and information about the coronavirus, while others allude to discussing the pandemic's economic effects.

Below is a screenshot of some of the disposable email domains containing the word "corona."

Here is a screenshot of disposable email domains using the word "covid" alongside the search results for email domains containing "pandemic."

A number of the pandemic-inspired email domains are associated with phishing, malware, and other suspicious activities.

Finance-Targeted Email Domains

Hundreds of finance-related domains were also on the list of disposable email domains. We used the strings "crypto," "insurance," "loan," and "bank." These email domains could be used in scams and cyber attacks targeting financial institutions.

Breaking Down the List of Disposable Email Domains by TLD

Several studies have established that people tend to trust URLs and domains with the .com generic top-level domain (gTLD). In terms of usage in disposable email domains, .com also takes the lead, accounting for about 35% of the total disposable email domains. The remaining email domains are distributed between 126 other TLDs.

The chart below shows the top 20 TLDs used in the list of disposable email domains. Of the 20 TLDs, eight are country code TLDs (ccTLDs), namely, .ru, .tk, .ga, .ml, .cf, .gq, .us, and .pl.

Knowing that shady individuals often use disposable email addresses, people should not trust recipients based on TLD usage alone.

This in-depth analysis of the list of disposable email domains shows that there is a need to protect networks from disposable email addresses. The presence of typosquatting, finance-related, suspicious, and malicious email domains on our list of disposable email domains supports this.

While there are legitimate uses of disposable emails, some could also serve as entry points for attackers to carry out malware infections, financial scams, data theft, and other forms of cybercrime.