Research · 4 min read

You thought your growth was working. It wasn’t.

You just got a Slack webhook notification. You have 3 new users who created an account on your SaaS:

It’s great, your latest marketing initiatives are finally working out. In a few days these brand new users may go from free trial to paid customers.

You go to https://aiphotoeditor.io/ and you see a real photo editor based on AI, must be legit.

Same for https://whitehousecalculator.com/, you visit it, and the content of the site looks consistent with the domain name.

Everything looks legit.

But after a few minutes, you notice other accounts created with email domains linked to whitehousecalculator.com… and all of them are tied to Southeast Asian IP addresses.

It doesn’t feel normal.

That’s what happened to one of our customers (protected by Castle). Hundreds of account creation attempts linked to these almost-legit domains.

When we looked at the traffic for these email domains, we saw they were heavily used by users from Southeast Asia.

Weird.

Why would users from Southeast Asia create accounts using email domains linked to a calculator for US taxes?

These domains are not what they look like

The reason is simple.

These are disposable email domains… just much more convincing than usual.

Better domain names.

Real websites.

Actual tools that match the domain name.

But still disposable email domains.

“Are you sure?”

Yes, 100%.

These domains are linked to https://tempmail.la/

Which is… a temporary email provider. It’s literally in the name.

What makes this setup different from most disposable email providers is that the domains resolve to real websites.

If you visit them, they look legitimate. They are not dead domains or obvious throwaways.

The screenshots below show the list of domains currently available for disposable email creation.

This is where it breaks

At this point, things flip.

What looked like new users…

are actually fake accounts.

And not just a few.

Hundreds of them.

Instead of growth, you’re dealing with abuse.

Can you actually block this?

Often, the first instinct is to look at DNS.

host whitehousecalculator.com
whitehousecalculator.com has address 104.21.49.22
whitehousecalculator.com has address 172.67.188.200
whitehousecalculator.com has IPv6 address 2606:4700:3037::ac43:bcc8
whitehousecalculator.com has IPv6 address 2606:4700:3036::6815:3116
whitehousecalculator.com mail is handled by 52 route1.mx.cloudflare.net.
whitehousecalculator.com mail is handled by 88 route2.mx.cloudflare.net.
whitehousecalculator.com mail is handled by 30 route3.mx.cloudflare.net.

And for another domain:

host aiphotoeditor.io
aiphotoeditor.io has address 172.67.215.253
aiphotoeditor.io has address 104.21.75.66
aiphotoeditor.io has IPv6 address 2606:4700:3034::ac43:d7fd
aiphotoeditor.io has IPv6 address 2606:4700:3035::6815:4b42
aiphotoeditor.io mail is handled by 49 route1.mx.cloudflare.net.
aiphotoeditor.io mail is handled by 62 route3.mx.cloudflare.net.
aiphotoeditor.io mail is handled by 16 route2.mx.cloudflare.net.

Unfortunately… nothing useful here.

Both domains use Cloudflare for DNS/MX records.

Which means:

So you try scraping

Another approach is to scrape the provider directly.

If you know the source, you can extract the list of domains they offer.

In this case, even though Cloudflare is in front, you can still access the list of domains without hitting a CAPTCHA, since it is only used to protect access to the emails themselves.
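One way to act on the signals described above, as an added example (not Castle's code): block domains already confirmed as disposable, and flag bursts of signups on other uncommon email domains for manual review. The event fields, thresholds, provider list and sample signups are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Domains confirmed as disposable, e.g. taken from the provider's own domain list.
KNOWN_DISPOSABLE = {"whitehousecalculator.com"}
# Assumption: large mailbox providers, where signup volume alone is not a signal.
COMMON_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}

def email_domain(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def review_signups(events, window=timedelta(hours=1), min_count=3):
    """Return {domain: finding} for domains to block or send to manual review."""
    by_domain = defaultdict(list)
    for ev in events:
        by_domain[email_domain(ev["email"])].append(ev)
    findings = {}
    for domain, evs in by_domain.items():
        if domain in KNOWN_DISPOSABLE:
            findings[domain] = {"action": "block", "signups": len(evs)}
            continue
        if domain in COMMON_PROVIDERS:
            continue
        evs.sort(key=lambda e: e["ts"])
        best, start = [], 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]  # largest burst seen so far
        if len(best) >= min_count:
            findings[domain] = {"action": "review", "signups": len(best),
                                "countries": dict(Counter(e["country"] for e in best))}
    return findings

def _ev(email, minute, country):
    ts = datetime(2025, 1, 1, 9, 0) + timedelta(minutes=minute)
    return {"email": email, "ts": ts, "country": country}

# Constructed sample signups (addresses, times and countries are made up).
SAMPLE = [
    _ev("a1@aiphotoeditor.io", 0, "VN"), _ev("b2@aiphotoeditor.io", 7, "ID"),
    _ev("c3@AIphotoeditor.io", 12, "VN"), _ev("d4@aiphotoeditor.io", 31, "PH"),
    _ev("e5@whitehousecalculator.com", 3, "TH"),
    _ev("f6@gmail.com", 1, "US"), _ev("g7@gmail.com", 2, "US"), _ev("h8@gmail.com", 4, "FR"),
    _ev("i9@example.org", 0, "US"), _ev("j0@example.org", 600, "US"),
]

if __name__ == "__main__":
    for domain, finding in review_signups(SAMPLE).items():
        print(domain, finding)
```

The country breakdown is reported rather than scored, so an analyst can judge whether it fits the domain's apparent audience.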

The irony

Cloudflare is supposed to fight bots, yet it often sits in front of services that enable large-scale abuse, whether it’s disposable email providers or proxy networks.

Not trying to make a point here, but this situation has been coming up a lot recently.

What to take away

A few takeaways from this:

And more generally:

Just because something looks legit… doesn’t mean it is.

We covered a similar pattern with eu.org email domains here: https://blog.castle.io/you-see-an-email-ending-in-eu-org-must-be-legit-right/

Want to go deeper?

If you want to learn more about disposable email:
