
Mailinator here:

Yes, we sent the inbox to a blackhole, but keep in mind, Mailinator does not and cannot actually "Send" any email.

It's a receive-only service. As always, any email "from" @mailinator.com has had its reply-to forged (which is pretty trivial).

Also - even before we blackholed the email, it's unlikely any email in that inbox (i.e. hhhh..) was read. Each box has a 50 email limit (FIFO) which was immediately overwhelmed. You couldn't click fast enough between seeing the inbox list and clicking an email.

Mailinator is simply a "receiver" in all of this but we have no indication our servers were otherwise involved.



I don't see a TXT record for _dmarc.mailinator.com. If you created a DMARC reject policy all the major webmail providers would block messages "from" mailinator.com


DMARC basically doesn't work, many mailservers don't look at it and those that do frequently ignore the policy -- even setting a REJECT policy typically results in mail being passed through like nothing happened.
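The receiver-side check the two DMARC comments above refer to, as an added example that is not part of the original thread: it shows what a receiving server can conclude about a message whose From: is @mailinator.com, with and without a published policy. The record string, the `example.net` sending domains and the function names are constructed for illustration; `pct=` and `sp=` handling and the Public Suffix List lookup are left out.

```python
# Added example: simplified receiver-side DMARC check (after RFC 7489).
# All records and domains below are constructed sample values, not real DNS data.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not valid DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') also accepts subdomains.
    Assumption: from_domain is already the organizational domain, so no
    Public Suffix List lookup is needed here."""
    f, a = from_domain.lower(), auth_domain.lower()
    return a == f if mode == "s" else (a == f or a.endswith("." + f))

def dmarc_disposition(from_domain, record_txt, spf_domain=None, dkim_domains=()):
    """Disposition for one message: 'no-policy', 'pass', or the published p= value.
    spf_domain: MAIL FROM domain that passed SPF; dkim_domains: d= values that verified.
    Simplification: the pct= and sp= tags are ignored."""
    policy = parse_dmarc(record_txt) if record_txt else None
    if policy is None:
        return "no-policy"  # nothing at _dmarc.<domain>: receiver has no instruction
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = any(aligned(from_domain, d, policy.get("adkim", "r")) for d in dkim_domains)
    return "pass" if (spf_ok or dkim_ok) else policy["p"].lower()

HYPOTHETICAL_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"  # constructed, not published

def demo():
    # Constructed message: From: is @mailinator.com, but SPF and DKIM only
    # authenticate the unrelated sending domain example.net.
    forged = {"spf_domain": "bulk.example.net", "dkim_domains": ["example.net"]}
    return (dmarc_disposition("mailinator.com", None, **forged),
            dmarc_disposition("mailinator.com", HYPOTHETICAL_RECORD, **forged))

if __name__ == "__main__":
    print(demo())
```

The function only computes the disposition the domain owner requested; whether a receiving server acts on it is that server's local decision.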


> Each box has a 50 email limit (FIFO) which was immediately overwhelmed.

That makes me think the malicious author didn't expect this to spread as wide as it did.


It's my guess that Mailinator is extremely irrelevant to their plan.

They planned to propagate via BCC but they needed a "To:" address - preferably one that didn't bounce.

So they hit the "h" key a while, then added @mailinator.com


Would it have made a difference if they made the "To:" a non-existent address? Would a bounce also prevent delivery to BCC recipients?


Technically, they have to defeat greylisting and server validity checks anyway to get mails accepted to most modern mail servers.


Why didn't they just send the email to the recipient? What does the BCC add in this context?


BCC recipients can't see (or contact) each other to mitigate the spread. If you look at the source code, it BCCs 99 contacts from the infected account per message.


This is probably some kid. cutpastemonkey the code from here:

http://stackoverflow.com/questions/37321100/how-to-login-wit...

Probably sat in his bedroom right now waiting for the feds going 'wow that escalated quickly'.


When I received a copy of the email 9 hours ago, I tried loading that h^16 mailinator inbox a few times. It was showing as empty except every few minutes a response to the virus email would come in. I saw "stop phishing" and "suck it!" and a couple of others. The virus email itself wasn't showing there.


> it's unlikely any email in that inbox (i.e. hhhh..) was read.

Any way you can tell for sure?

Do you have any logs that could be used to graph the spread of this? E.g. if you were able to find the earliest email to that mailbox you should be able to tell when it started, and with whom.


Half the people reading this post probably have gone there by now and read what's there.


Those can be easily harvested from there



