Home / Industry

100K+ List of Disposable Email Domains Under Security Analysis

This post was updated on Nov 23, 2023.

The use of disposable email addresses is quite widespread and for different reasons. We briefly explored some of them in this post and performed a short security analysis on a massive list of disposable email domains.

But first, it’s essential to acknowledge that various types of disposable or temporary email addresses exist. These include:

  • Throwaway email addresses: This type of disposable email address is mostly meant for one-time use and created using a domain that differs from the owner’s permanent email address. The list of disposable email domains studied in this post belongs to this category.
  • Alias email addresses: Email addresses of this type are hosted by the owner’s primary email service provider, such as Gmail and Outlook. However, they may not be the user’s primary email address and could be used temporarily or for secondary purposes.
  • Forwarding email addresses: This type of email address uses a different domain from the owner’s primary email account. It is set up to forward messages to the primary email address.

Why Do People Use Disposable Email Addresses?

The idea behind creating disposable email addresses is probably well-intentioned from the standpoint of privacy. However, throwaway email addresses may be misused for spamming and abusive and possibly even malicious purposes. We tackled both uses of disposable emails below.

Common Privacy-Related Uses of Disposable Email Addresses

Legitimate uses of disposable email addresses include the following:

Privacy Protection: Some people use throwaway or temporary email addresses to help protect their privacy and remain anonymous online. Users with this use case in mind are typically concerned with the ongoing global privacy issues that the Internet often creates.

Avoid Marketing Emails: Disposable email addresses can also help people avoid getting too many marketing emails. In hindsight, the use of temporary email addresses may also hint at the lack of trust users often have in companies, as they don’t want to expose their official email addresses to security breaches or spam-like marketing messages.

Test Email Workflows: Throwaway email addresses may be helpful for professional purposes, too. Software engineers and testers, for instance, often use disposable email addresses to test the email workflows of their products.

Abusive or Malicious Uses of Disposable Email Addresses

Some people may also employ disposable email addresses for more questionable endeavors, hence the relevance of possibly monitoring disposable email domains.

For example, an individual can sign up for a free trial using a throwaway email address. When the period ends, he or she would again sign up for another round using another temporary email address. What are the repercussions of this behavior? Here are a few.

  • Decline in email marketing performance: Among the first things that visibly get affected are email marketing metrics. If your email contact list includes disposable email addresses, it could result in low open and high bounce rates. The worst-case scenario for marketers is that their email-sending reputation gets damaged, possibly landing them on spam blocklists.
  • Fewer sales conversion: Freemium abuse using disposable email addresses also results in negative consequences beyond affecting email marketing metrics. There is little to no chance of converting disposable email users into paying customers, even though some utilize a company’s products and resources beyond the allowable free limit.
  • Vehicles for cyber attacks: There is also a scenario where spammers or cyber attackers can use disposable email domains to send malicious emails to targets and deliver malware embedded in links or files attached to the messages. Since victims don’t have to respond to the messages to get their computers infected, cyber attackers can just use a new throwaway email address when others get blocked. In fact, we found some suspicious and even malicious email domains in our analysis in the next section.

Analysis of a Disposable Email Domain List

Monitoring disposable email domains can help organizations keep spammy or dangerous emails away and also strengthen email security solutions. At the same time, a list of disposable email domains can help keep businesses afloat by increasing their chances of sales conversion.

We analyzed one fake email domain list containing tens of thousands of disposable email domains as of 16 November 2023.

Categorizing Our List of Disposable Email Domains

The list of disposable email domains we obtained contains a wide range of domain names, but four categories stood out.

Random-Looking Email Domains

First on the list are random-looking and what could be machine-generated email domains. It is possible that these were created using a domain generation algorithm (DGA), a common method that allows malware families to communicate with their command-and-control (C&C) servers while evading detection. Some disposable email domains are random strings of numeric characters, such as:

  • 0815[.]su
  • 0317123[.]cn
  • 07819[.]cf
  • 0039[.]cf
  • 021[.]com
  • 02466[.]cf

Some make use of random-looking character sequences, including:

  • 45kti[.]xyz
  • b2bx[.]net
  • iq2kq5bfdw2a6[.]ga
  • suxt3eifou1eo5plgv[.]cf
  • szi4edl0wnab3w6inc[.]gq
  • uqxcmcjdvvvx32[.]cf

Some of the examples above have already been reported for spamming and malware activities.

Typosquatting Email Domains

We also noticed some online entities on the list of disposable email domains that mimic popular brands. These domains could have been created hoping users mistyped the brands’ official domains. They could also be used to mislead users into opening a phishing or scam email.

Some disposable email domains on the list seem like PayPal copycats, such as enpaypal[.]com, paypal[.]comx[.]cf, paypalserviceirc[.]com, and via-paypal[.]com. The typosquatting domain enpaypal[.]com has already been reported as malicious.

Other typosquatting domains target popular brands. Some examples are shown in the table below.

Gucci Look-Alike DomainsLouis Vuitton Look-Alike Domains
• borsegucc1outletitaly[.]com
• borsegucciitalia3[.]com
• borseguccimoda[.]com
• borseguccioutletit[.]biz
• borsegucciufficialeitt[.]com
• bagslouisvuitton2012[.]com
• bollouisvuittont[.]info
• borseelouisvuittonsitoufficiale[.]com
• cheaplouisvuitton-handbags[.]info
• cheaplouisvuittonaubags[.]com
Microsoft Look-Alike DomainsRolex Look-Alike Domains
• dailymicrosoft[.]com
• genuinemicrosoftkeyclub[.]com
• login[.]microsoft-office[.]live
• microshoftoffice[.]xyz
• microsofl[.]website
• rolex19bet[.]com
• rolexbahis[.]com
• rolexdaily[.]com
• rolexok[.]com
• rolexpoker88[.]asia

We also noticed several internationalized domain names (IDNs) that seemed to imitate brands. Below are some examples of Gmail-targeted IDN-using typosquatting domains with their Unicode and Punycode versions.

UnicodePunycode
gmaıl[.]comxn—gmal-nza[.]com
gmaiö[.]comxn—gmai-8qa[.]com
gmaıl[.]netxn—gmal-nza[.]net
gmaìl[.]comxn—gmal-spa[.]com

Notice that instead of the lowercase “i,” a vertical bar is used in the first example, so it still looks like the mimicked domain name.

About a dozen disposable email domains also mimicked avito[.]ru. Based on WHOIS lookup results, none of these belonged to Avito Holding AB, the registrant organization indicated in the WHOIS record of avito[.]ru:

  • avito-boxberry[.]ru
  • avito-dilivery[.]ru
  • avito-office[.]ru
  • avito-package[.]ru
  • avito-payshops[.]ru
  • avito-repayment[.]online
  • avito-safe-order[.]online

Avito is Russia’s largest classified ad website and the second-largest globally, next to Craigslist. Anyone who lands on an imitation website could become a victim of data theft, ransomware attack, or other cybercrime.

Blockchain- and Crypto-Themed Email Domains

The list of disposable email domains detected more than 100 email domains related to blockchain and cryptocurrency. Below is a screenshot of some disposable email domains containing the strings “blockchain” and “crypto.”

A few of these domains have already been flagged as malicious, including crypto-net[.]club, cryptonet[.]top, and cryptontrade[.]ga.

Finance-Targeted Email Domains

Hundreds of finance-related domains were also found on the list of disposable email domains. We used the strings “loan,” “insurance,” and “bank.” These email domains could be used in scams and cyber attacks targeting financial institutions. In fact, chipbankasi[.]com has already figured in spamming activities.

Breaking Down the List of Disposable Email Domains by TLD

Several studies have established that people tend to trust URLs and domains with the .com generic top-level domain (gTLD) extension. In terms of usage in disposable email domains, .com also took the lead, accounting for about 38% of the total number of disposable email domains on our list. The remaining email domains are distributed among hundreds of other TLDs.

The chart below shows the top 20 TLDs used in the list of disposable email domains. Of the 20 TLDs, eight were country-code TLDs (ccTLDs), namely, .ru, .tk, .ml, .ga, .cf, .gq, .pl, and .co.

Knowing that shady individuals often use disposable email addresses, people should not trust email addresses based on TLD usage alone.


This in-depth analysis of a list of disposable email domains highlight the need to protect networks from disposable email addresses. The presence of typosquatting, finance-related, suspicious, and malicious email domains in our list of disposable email domains supports this.

While there are legitimate uses of disposable emails, some may serve as entry points for attackers to carry out malware infections, financial scams, data theft, and other forms of cybercrime.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global