Looking at the automatic first email and the network tab, this appears to be just wrapping around guerrillamail which is a classic disposable email website, and polling their API (doesn't seem to use websockets). Can you clarify what relationship you have with guerrillamail, if any, and whether or not the encryption and zero persistence claims extend to guerrillamail's service?
You're right that the current beta uses Guerrilla Mail as the upstream provider for mail delivery. My 'Zero-Persistence' and 'No-Cookie' claims specifically apply to the Mephisto layer: we don't store your data in our own DB, we don't use tracking cookies, and we purge all session metadata from our RAM.
Regarding polling vs WebSockets: The frontend currently polls the Mephisto proxy to ensure maximum compatibility with strict corporate firewalls, but a native WebSocket implementation for our own mail-server node is the long-term goal. I’m being transparent about the proxying—Mephisto is designed as a privacy-hardened 'frontend wrapper' that adds an extra layer of anonymity between you and the upstream providers.
I’m genuinely overwhelmed by the traffic (hitting 145+ concurrent sessions!) and the deep technical feedback from this community.
As a solo developer, seeing Mephisto being analyzed so thoroughly is incredible. If you support the idea of a 100% cookie-free, zero-persistence temporary mail tool, please consider starring the project on GitHub. It helps with visibility and keeps the motivation high to implement the complex features we’ve been discussing here (like IP-based domain allocation and secure reply-only logic).
I want to be completely transparent here. Mephisto currently utilizes a few different upstream providers (including Guerrilla Mail and 1secmail) via a custom proxy layer to ensure high availability. The goal of this project isn't to build a new mail protocol from scratch, but to provide a hardened, cookie-free, and zero-persistence 'privacy frontend' that bridges the gap between these APIs and the end-user.
Regarding the AI claim: I've used modern dev tools to speed up the React/TypeScript implementation, but the architecture (RAM-only storage, IndexedDB caching, and PWA focus) is a deliberate design choice I've made to solve specific privacy frustrations I had with existing services. I appreciate the call for better attribution, and I'll be updating the 'About' section to clearly credit all upstream providers.
That’s a very fair point. Showing the full list makes it easier for automated scrapers to blacklist the whole pool. I’m considering moving to a 'Random Rotation' by default, and only revealing the domain picker for advanced users. Balancing discoverability and resilience is definitely the biggest challenge here.
being able to reply IS the ability to send to an arbitrary address, because the SMTP protocol makes it trivial to SEND an email from any arbitrary address.
You hit the nail on the head. From an SMTP perspective, 'replying' is functionally identical to 'sending,' which is why most disposable mail services are strictly receive-only.
The moment you allow outbound traffic, you risk being weaponized as an open relay for spam. To implement a safe 'Reply-Only' feature, Mephisto would need a sophisticated validation layer that cryptographically links the outbound reply to a specific, recently received message ID. Even then, rate-limiting would have to be extremely aggressive. For now, staying receive-only is a deliberate choice to protect the service's reputation and ensure 100% uptime.
nah its just me lol english isnt my native language so i tried way too hard to sound professional and clear... guess i overdid it and sounded like a bot. im just super nervous with 145 users right now my heart is still racing trying to keep up
As an avid user of malinator.com I really like this. mailinator started being recognised and rejected in many forms. Maybe there's something you can do to get ahead of this? Maybe being able to generate random 1st level domain or pick from a large list could go a long way?
That is a great point, and it's definitely on the roadmap.
The "cat and mouse" game between disposable email services and site filters is constant. I'm currently looking into rotating a pool of less common TLDs to keep the service viable for longer.
The idea of letting users pick from a list is also solid—it gives them more agency and potentially bypasses blanket filters that only target the "default" domain.
Absolutely agree with both of you. I just deployed an update that includes a domain picker directly in the address bar. Users can now manually choose from 8 different domains (including .net, .org, .la, and .info) to bypass blanket filters that often target the default TLDs.
Rotating less common TLDs automatically is the next logical step to keep the service resilient. Appreciate the support!
All of these domains are already widely known because Guerrilla Mail are the ones actually running the email service, his website is a wrapper with a CORS proxy.
He doesn't own or operate the cors proxies, mail infra, domains or the api
That is an intriguing feature request. Most disposable services avoid outgoing mail entirely to prevent being abused for spam, but a strict 'Reply-Only' policy (where you can only send to the address that just emailed you) is a clever middle ground.
Implementing this while maintaining the zero-persistence architecture would require a secure, ephemeral SMTP relay. It’s definitely a complex challenge, but the value it adds for verifying accounts that require a response is huge. I’m adding this to the experimental roadmap!
thanks for the links sixtyj. the cat and mouse game with these lists is never ending... i agree that the ethical use cases like whistleblowing are why these tools need to exist. its a tough balance to keep them accessible but not abused.
Great question. The emails are stored in volatile RAM on the backend only for the duration of the active session.
To ensure a smooth experience if you accidentally navigate away or refresh, I’ve recently implemented IndexedDB local caching on the client side. This keeps your messages accessible in your browser's local storage without them ever being written to our server's hard drive.
However, Mephisto follows a strict 'Zero-Persistence' policy: the moment you explicitly clear your session or the session naturally expires, a wipe sequence is triggered, and all data is cryptographically purged from both the server's RAM and your browser's local cache. If you navigate away without a cache, the signal is lost—just like a true burner phone.
That is a valid point. Currently, the backend keeps them in RAM mainly to support multi-device syncing (like the QR handoff feature) during an active session. If a user scans the QR code to open the same inbox on mobile, the backend needs to serve those existing messages to the new client.
However, I'm exploring a 'Transfer & Purge' logic where, once a message is successfully delivered and acknowledged by the primary client, it could be encrypted or removed from the server-side RAM entirely, leaving the responsibility of persistence to the client-side IndexedDB. It’s a delicate balance between UX and the absolute 'zero-trace' goal.
Wow, thank you so much! That means a lot coming from this community. I'm trying to keep it as lean and purposeful as possible. Glad the implementation resonated with you!
Looking at the automatic first email and the network tab, this appears to be just wrapping around guerrillamail which is a classic disposable email website, and polling their API (doesn't seem to use websockets). Can you clarify what relationship you have with guerrillamail, if any, and whether or not the encryption and zero persistence claims extend to guerrillamail's service?
You're right that the current beta uses Guerrilla Mail as the upstream provider for mail delivery. My 'Zero-Persistence' and 'No-Cookie' claims specifically apply to the Mephisto layer: we don't store your data in our own DB, we don't use tracking cookies, and we purge all session metadata from our RAM.
Regarding polling vs WebSockets: The frontend currently polls the Mephisto proxy to ensure maximum compatibility with strict corporate firewalls, but a native WebSocket implementation for our own mail-server node is the long-term goal. I’m being transparent about the proxying—Mephisto is designed as a privacy-hardened 'frontend wrapper' that adds an extra layer of anonymity between you and the upstream providers.
I’m genuinely overwhelmed by the traffic (hitting 145+ concurrent sessions!) and the deep technical feedback from this community.
As a solo developer, seeing Mephisto being analyzed so thoroughly is incredible. If you support the idea of a 100% cookie-free, zero-persistence temporary mail tool, please consider starring the project on GitHub. It helps with visibility and keeps the motivation high to implement the complex features we’ve been discussing here (like IP-based domain allocation and secure reply-only logic).
Repo: https://github.com/jokallame350-lang/temp-mailmephisto
Generated by AI. Use 1secmail API without giving any credit.
False advertisment.
I want to be completely transparent here. Mephisto currently utilizes a few different upstream providers (including Guerrilla Mail and 1secmail) via a custom proxy layer to ensure high availability. The goal of this project isn't to build a new mail protocol from scratch, but to provide a hardened, cookie-free, and zero-persistence 'privacy frontend' that bridges the gap between these APIs and the end-user.
Regarding the AI claim: I've used modern dev tools to speed up the React/TypeScript implementation, but the architecture (RAM-only storage, IndexedDB caching, and PWA focus) is a deliberate design choice I've made to solve specific privacy frustrations I had with existing services. I appreciate the call for better attribution, and I'll be updating the 'About' section to clearly credit all upstream providers.
What about adding an option to reply to emails (only reply, not send to arbitrary address)? I think none of temp mail services has it.
That’s a very fair point. Showing the full list makes it easier for automated scrapers to blacklist the whole pool. I’m considering moving to a 'Random Rotation' by default, and only revealing the domain picker for advanced users. Balancing discoverability and resilience is definitely the biggest challenge here.
Random choice allows collecting all the domains by merely refreshing the page. You might want to allocate several domains per AS or per IP block.
being able to reply IS the ability to send to an arbitrary address, because the SMTP protocol makes it trivial to SEND an email from any arbitrary address.
You hit the nail on the head. From an SMTP perspective, 'replying' is functionally identical to 'sending,' which is why most disposable mail services are strictly receive-only.
The moment you allow outbound traffic, you risk being weaponized as an open relay for spam. To implement a safe 'Reply-Only' feature, Mephisto would need a sophisticated validation layer that cryptographically links the outbound reply to a specific, recently received message ID. Even then, rate-limiting would have to be extremely aggressive. For now, staying receive-only is a deliberate choice to protect the service's reputation and ensure 100% uptime.
Can you please write comments yourself instead of feeding every comment into an LLM and saying "reply to this"?
nah its just me lol english isnt my native language so i tried way too hard to sound professional and clear... guess i overdid it and sounded like a bot. im just super nervous with 145 users right now my heart is still racing trying to keep up
As an avid user of malinator.com I really like this. mailinator started being recognised and rejected in many forms. Maybe there's something you can do to get ahead of this? Maybe being able to generate random 1st level domain or pick from a large list could go a long way?
That is a great point, and it's definitely on the roadmap.
The "cat and mouse" game between disposable email services and site filters is constant. I'm currently looking into rotating a pool of less common TLDs to keep the service viable for longer.
The idea of letting users pick from a list is also solid—it gives them more agency and potentially bypasses blanket filters that only target the "default" domain.
Thanks for the feedback, Tony!
This would be awesome. +1
There aren’t many anonymous mail services that would rotate less common TLDs. Usually it is a constant list of domains you can choose from.
Absolutely agree with both of you. I just deployed an update that includes a domain picker directly in the address bar. Users can now manually choose from 8 different domains (including .net, .org, .la, and .info) to bypass blanket filters that often target the default TLDs.
Rotating less common TLDs automatically is the next logical step to keep the service resilient. Appreciate the support!
If you provide a choice of domain name, it becomes easier to collect them for adding into blacklist. Maybe you better not show all the domains.
All of these domains are already widely known because Guerrilla Mail are the ones actually running the email service, his website is a wrapper with a CORS proxy.
He doesn't own or operate the cors proxies, mail infra, domains or the api
https://www.guerrillamail.com
And the entire app was just generated with https://aistudio.google.com
(check view-source: and you'll see "aistudiocdn.com" for all the imports)
That is an intriguing feature request. Most disposable services avoid outgoing mail entirely to prevent being abused for spam, but a strict 'Reply-Only' policy (where you can only send to the address that just emailed you) is a clever middle ground.
Implementing this while maintaining the zero-persistence architecture would require a secure, ephemeral SMTP relay. It’s definitely a complex challenge, but the value it adds for verifying accounts that require a response is huge. I’m adding this to the experimental roadmap!
OP has to rotate them faster /s
The problem I see that bad actors can misuse such services.
The disposable mail services should be used for whistleblowing.
https://github.com/disposable-email-domains/disposable-email...
https://github.com/unkn0w/disposable-email-domain-list
It seems that lists are updated quite often.
thanks for the links sixtyj. the cat and mouse game with these lists is never ending... i agree that the ethical use cases like whistleblowing are why these tools need to exist. its a tough balance to keep them accessible but not abused.
The GitHub link in the footer links to… GitHub
How long are emails stored on ram? If I navigate away, what happens? Does it stop?
Great question. The emails are stored in volatile RAM on the backend only for the duration of the active session.
To ensure a smooth experience if you accidentally navigate away or refresh, I’ve recently implemented IndexedDB local caching on the client side. This keeps your messages accessible in your browser's local storage without them ever being written to our server's hard drive.
However, Mephisto follows a strict 'Zero-Persistence' policy: the moment you explicitly clear your session or the session naturally expires, a wipe sequence is triggered, and all data is cryptographically purged from both the server's RAM and your browser's local cache. If you navigate away without a cache, the signal is lost—just like a true burner phone.
Is there any reason you need to store them in the RAM on the backend once they have been transferred to the client?
That is a valid point. Currently, the backend keeps them in RAM mainly to support multi-device syncing (like the QR handoff feature) during an active session. If a user scans the QR code to open the same inbox on mobile, the backend needs to serve those existing messages to the new client.
However, I'm exploring a 'Transfer & Purge' logic where, once a message is successfully delivered and acknowledged by the primary client, it could be encrypted or removed from the server-side RAM entirely, leaving the responsibility of persistence to the client-side IndexedDB. It’s a delicate balance between UX and the absolute 'zero-trace' goal.
Hate to be the "shallow comment guy" but, uh....
absolute perfection. no fucking notes.
Every decision you've described seems like the one I would have made, and the implementation is elegant. Thank you!
Wow, thank you so much! That means a lot coming from this community. I'm trying to keep it as lean and purposeful as possible. Glad the implementation resonated with you!