Disposable email addresses are a foundational piece of infrastructure for online abuse. Just like proxies help attackers distribute traffic and hide the origin of automated requests, disposable email providers help them scale account creation and rotate identities at low cost.
Without access to large pools of throwaway inboxes, many fake signup campaigns, promo abuse operations, spam systems, and bot-driven growth abuse attacks would become significantly harder to automate.
Access to mass volumes of disposable inboxes is one of the key enablers of scalable fake account creation.
Over the years, we also observed disposable email infrastructure becoming increasingly industrialized, similarly to the proxy ecosystem. Some providers now expose APIs specifically designed to automate mailbox creation and message retrieval at scale, effectively turning disposable inboxes into programmable infrastructure for bot operators.
In our investigation of tinyhost[.]shop, we showed how attackers leveraged a disposable email platform exposing mailbox creation and email retrieval APIs to automate fake account creation across large online platforms.
Today, Castle’s research team is releasing a new open source repository designed to help defenders operationalize disposable email detection more easily:
https://github.com/castle/disposable-email-domains
The repository contains a curated list of the top 1,000 disposable email domains observed in real abuse activity, updated daily.
Why we built this
There are already many public disposable email lists available online. Most are community-maintained, updated through pull requests, and built by aggregating domains from multiple public sources.
Over time, these lists tend to accumulate:
- Stale domains
- Duplicate entries
- Privacy-oriented email providers
- Domains with unclear ownership
- Low-signal entries that are difficult to validate
This creates two operational problems:
- Increased false positives
- Large noisy datasets that are difficult to consume safely in production systems
We built this repository with a different philosophy.
The goal is not to create the largest disposable email list on the internet. The goal is to provide a smaller, higher-signal dataset that is operationally useful for fraud detection and abuse prevention teams.
What makes this list different
Curated, not aggregated
We do not import domains from public disposable email repositories. Every domain included in this list is independently verified and tied to an actual disposable email provider or disposable email infrastructure.
Strictly disposable
One major issue with public disposable email lists is that they often mix:
- Disposable email providers
- Privacy-oriented email services
- Legitimate niche email providers
This creates unnecessary false positives when teams use the lists operationally.
Our list intentionally excludes providers whose primary purpose is privacy or encrypted communication, such as SimpleLogin or Addy.
The goal is not to block privacy-conscious users. The goal is to identify infrastructure whose primary purpose is disposable account creation.
Based on real abuse telemetry
The domains in this repository are not theoretical.
They are actively observed across Castle’s network in:
- Fake signup campaigns
- Multi-accounting
- Promo abuse
- Spam operations
- Automated account creation
The list is ranked by observed abuse prevalence, which means the highest-signal domains appear first.
Small and operationally usable
We intentionally limit the public repository to 1,000 domains.
Bigger is not always better for detection datasets. Extremely large disposable email lists tend to become noisy and harder to maintain safely.
A focused dataset is easier to review, faster to query, and less likely to create collateral damage.
Why disposable email detection matters
Disposable email detection is sometimes treated as a minor hygiene problem during signup flows.
In practice, it is much more than that.
Disposable email providers are part of the operational infrastructure attackers rely on to scale abuse. They reduce the cost of identity rotation in the same way proxy providers reduce the cost of IP rotation.
When attackers can create unlimited inboxes programmatically, they can:
- Create fake accounts at scale
- Bypass per-account limits
- Abuse free trials and promotions
- Run spam operations
- Evade account bans by continuously rotating identities
The disposable email ecosystem has evolved significantly over the years. Many providers now operate large pools of rotating domains, expose APIs, and maintain infrastructure specifically designed for automation workflows.
This makes disposable email detection an important signal for detecting:
- Fake account creation
- Mass signup campaigns
- Referral abuse
- Promo abuse
- Bot-driven growth abuse
Of course, email domains alone are not enough to stop sophisticated attackers. But disposable email infrastructure remains one of the strongest ecosystem-level signals available during account creation flows.
A replacement for static tracker posts
Over the years, we periodically published disposable and fraudulent email domain trackers and infrastructure investigations on the Castle research blog, such as https://blog.castle.io/fraudulent-email-domain-tracker-august-2025/
These articles were useful to surface new disposable email infrastructure and abuse patterns, but they were not ideal operational artifacts.
Security teams typically do not want to manually extract domains from blog posts or consume large CSV dumps attached to research articles. They want a dataset that is easy to fetch programmatically and load into their detection systems.
This repository is meant to partially replace static tracker posts with a format that is significantly easier to operationalize.
How we collect domains
The repository combines several collection approaches.
Website scraping
We continuously monitor disposable email provider websites to extract served domains.
DNS infrastructure analysis
Disposable email providers often expose large numbers of domains sharing the same MX infrastructure.
By analyzing DNS records such as MX and A records, we can identify related domains and uncover hidden disposable email infrastructure that does not appear in public lists.
This is the same methodology we discussed in our tinyhost[.]shop investigation.
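The MX pivot described above can be sketched as follows. This is an added example, not Castle's pipeline: the domains, MX hosts, function names, and the two thresholds are constructed assumptions, and the output is a review queue rather than a blocklist.

```python
from collections import defaultdict

# Constructed sample data: domain -> MX hosts, as a resolver would return them.
MX_RECORDS = {
    "mailbox-a.example": ["mx1.throwaway-infra.example", "MX2.throwaway-infra.example."],
    "mailbox-b.example": ["mx1.throwaway-infra.example", "mx2.throwaway-infra.example"],
    "fresh-signup.example": ["mx2.throwaway-infra.example"],
    # A shared hosting MX used mostly by ordinary domains, plus one known seed.
    "smallbiz.example": ["aspmx.shared-hosting.example"],
    "agency.example": ["aspmx.shared-hosting.example"],
    "seed-c.example": ["aspmx.shared-hosting.example"],
}
# Constructed seed set standing in for already-verified disposable domains.
KNOWN_DISPOSABLE = {"mailbox-a.example", "mailbox-b.example", "seed-c.example"}


def normalize(host):
    """Lower-case a DNS name and drop the trailing root dot."""
    return host.strip().rstrip(".").lower()


def mx_pivot(mx_records, known, min_seeds=2, min_purity=0.6):
    """Return {candidate_domain: [MX hosts that implicate it]}.

    An MX host counts as disposable infrastructure only if at least
    `min_seeds` known domains use it and known domains make up at least
    `min_purity` of all domains seen behind it. Both thresholds are
    illustrative; they keep shared hosting MX hosts from implicating
    unrelated customers.
    """
    known = {normalize(d) for d in known}
    by_mx = defaultdict(set)
    for domain, hosts in mx_records.items():
        for host in hosts:
            by_mx[normalize(host)].add(normalize(domain))

    candidates = defaultdict(list)
    for mx, domains in by_mx.items():
        seeds = domains & known
        if len(seeds) < min_seeds or len(seeds) / len(domains) < min_purity:
            continue
        for domain in domains - known:
            candidates[domain].append(mx)
    return {d: sorted(hosts) for d, hosts in candidates.items()}
```

With the sample data only `fresh-signup.example` is surfaced; the two ordinary domains behind the shared hosting MX are not, even though one seed domain uses the same host.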
Real-world abuse observations
Castle protects large consumer platforms against fraud and bot attacks.
Domains are ranked based on observed abuse activity across Castle’s network, including:
- Fake account creation
- Multi-accounting
- Promo abuse
- Spam campaigns
The result is a dataset that reflects current abuse patterns.
Repository format
The repository is intentionally simple:
disposable-email-domains.txt
One domain per line, sorted by observed abuse prevalence.
This makes it easy to consume:
curl -sL https://raw.githubusercontent.com/castle/disposable-email-domains/master/disposable-email-domains.txt
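Once fetched, the file can be loaded into a rank lookup. The following is an added example, not code from the repository: the sample domains are constructed, the function names are hypothetical, and matching subdomains of a listed domain is a design assumption rather than documented list behavior.

```python
# Constructed sample in the repository's format: one domain per line,
# most-abused first. In production this text is the fetched file.
SAMPLE_LIST = """\
tempbox.example
throwaway-mail.example

Inbox-Burner.example.
tempbox.example
"""


def load_ranked(text):
    """Map domain -> 1-based rank, skipping blank lines and duplicates."""
    ranks = {}
    for line in text.splitlines():
        domain = line.strip().rstrip(".").lower()
        if domain and domain not in ranks:
            ranks[domain] = len(ranks) + 1
    return ranks


def email_domain(address):
    """Return the normalized ASCII domain of an address, or None if unusable."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    try:
        # IDNA encoding puts internationalized domains in the same
        # ASCII form a domain list would use, and rejects empty labels.
        return domain.rstrip(".").lower().encode("idna").decode("ascii")
    except UnicodeError:
        return None


def disposable_rank(address, ranks):
    """Return (matched_domain, rank) or None.

    Walks from the full domain up through its parents so that
    user@mx.listed.example still matches listed.example.
    """
    domain = email_domain(address)
    if domain is None:
        return None
    labels = domain.split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in ranks:
            return candidate, ranks[candidate]
    return None
```

Returning the rank rather than a boolean lets a scoring system weight a top-ranked domain more heavily than one near the bottom of the list.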
Disposable domains are only one signal
It is important to emphasize that disposable email usage alone is not enough to identify malicious activity.
Sophisticated attackers increasingly rotate through:
- Custom disposable domains
- Freshly registered domains
- Compromised inboxes
- Legitimate Gmail or Outlook accounts
This is why disposable email detection works best when combined with other signals, including:
- Device fingerprinting
- Behavioral analysis
- Proxy detection
- Velocity analysis
- Account graph analysis
As we showed in our tinyhost[.]shop investigation, attackers using disposable email infrastructure also relied heavily on automated browsers, residential proxies, and behavioral evasion techniques.
Effective detection comes from correlating multiple weak signals together rather than relying exclusively on the email domain itself.
The repository is public, updated daily, and available here: