Inside the Industrialized Abuse Economy: Castle’s Open-Source Disposable Email Domain List Revealed + Video

Listen to this Post

Featured Image

Introduction

In the battle against automated fraud, email is the first line of defense—and attackers know it. Disposable email providers have evolved from niche tools for privacy into industrialized infrastructure, offering APIs for automated mailbox creation and rotating domain pools, just as proxies help attackers obfuscate their origins. Castle’s research team has released a new open-source dataset: a curated list of the top 1,000 disposable email domains, updated daily, designed to give defenders a high-signal, low-noise tool to combat fake account creation and signup abuse at scale.

Learning Objectives

  • Understand the scale and industrialization of disposable email abuse infrastructure
  • Implement real-time disposable email detection using Castle’s open-source dataset
  • Build automated defense pipelines with Python, JavaScript, and shell scripting

You Should Know

1. The Industrialization of Disposable Email Infrastructure

The disposable email ecosystem has matured into a sophisticated, API-driven industry. Attackers no longer simply register accounts using public services like 10minutemail. Instead, they leverage programmable infrastructure designed for automation.

What the post reveals: Castle’s research has documented how some providers now expose APIs specifically built to automate mailbox creation and message retrieval, turning disposable inboxes into programmable infrastructure for bot operators. In an investigation of tinyhost[.]shop, Castle showed how attackers used such APIs to automate fake account creation across large online platforms.

Key characteristics of modern disposable email abuse:

  • API-driven creation: Attackers programmatically generate email addresses on demand
  • Rotating domain pools: Infrastructure cycles through hundreds of domains to evade static blocklists
  • White-label services: Disposable email providers offer custom domains to fraudsters, making detection harder

How attackers scale fake account creation:

  1. Source emails: Use disposable inboxes (e.g., 10minutemail, Maildrop) or Gmail alias generators (e.g., Emailnator)
  2. Handle SMS verification: Leverage services offering shared virtual numbers with APIs
  3. Automate signup flow: Deploy bots that simulate human behavior, solve CAPTCHAs, and complete email verification

This industrialized approach means defenders can no longer rely on static, community-maintained lists. The need for real-time, abuse-telemetry-driven data has never been greater.

  1. Why Castle’s List is Different: Curated, Strictly Disposable, and Abuse-Driven

Most public disposable email lists suffer from critical flaws: they aggregate domains from multiple sources, accumulate stale entries, mix privacy-oriented services with true disposable providers, and grow into large, noisy datasets that are difficult to operationalize.

Castle’s repository takes a fundamentally different approach:

  • Curated, not aggregated: Every domain is independently verified against actual disposable email infrastructure
  • Strictly disposable: Privacy-focused services like SimpleLogin and Addy are intentionally excluded; the list targets infrastructure whose primary purpose is disposable account creation
  • Based on real abuse telemetry: Domains are ranked by observed activity in fake signups, promo abuse, spam, and multi-accounting across Castle’s protected networks
  • Small and focused: Only 1,000 domains—small enough to load entirely into memory for fast querying, yet impactful enough to block the most prevalent abuse vectors

How Castle collects disposable domains:

  • Continuous website scraping of known disposable email provider sites to identify the domains they serve
  • DNS analysis of MX and A records to uncover white-label services and hidden custom domains
  • Real-world abuse telemetry from large consumer platforms to rank domains by actual abuse prevalence

This multi-layered collection methodology ensures the dataset reflects current attack patterns rather than historical artifacts.

  1. Deploying Castle’s Disposable Email List: A Production-Ready Blueprint

Deploying disposable email detection requires more than just downloading a list. The following step-by-step guide demonstrates how to integrate Castle’s dataset into production systems, ensuring real-time protection with minimal latency.

Step 1: Fetch the latest list directly from GitHub

 Linux/macOS - download the latest list
curl -sL https://raw.githubusercontent.com/castle/disposable-email-domains/master/disposable-email-domains.txt -o disposable_domains.txt

Windows PowerShell
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/castle/disposable-email-domains/master/disposable-email-domains.txt" -OutFile "disposable_domains.txt"

Step 2: Load the list into memory (Python implementation)

import urllib.request

URL = "https://raw.githubusercontent.com/castle/disposable-email-domains/master/disposable-email-domains.txt"

Fetch and create a set for O(1) lookups
disposable_domains = set(
urllib.request.urlopen(URL)
.read()
.decode()
.splitlines()
)

def is_disposable(email: str) -> bool:
"""Check if an email address uses a disposable domain."""
domain = email.rsplit("@", 1)[-1].lower()
return domain in disposable_domains

Example usage
email = "[email protected]"
if is_disposable(email):
print(f"Blocked: {email} uses disposable domain")

Step 3: JavaScript/Node.js implementation

// Node.js with native fetch
async function loadDisposableDomains() {
const response = await fetch(
"https://raw.githubusercontent.com/castle/disposable-email-domains/master/disposable-email-domains.txt"
);
const text = await response.text();
const disposableDomains = new Set(
text.split("\n").map(d => d.trim()).filter(Boolean)
);
return disposableDomains;
}

function isDisposable(email, disposableDomains) {
const domain = email.split("@").pop().toLowerCase();
return disposableDomains.has(domain);
}

// Usage
const domains = await loadDisposableDomains();
console.log(isDisposable("[email protected]", domains)); // true

Step 4: Automate daily updates with cron (Linux/macOS)

!/bin/bash
 /usr/local/bin/update_disposable_list.sh

LIST_URL="https://raw.githubusercontent.com/castle/disposable-email-domains/master/disposable-email-domains.txt"
LIST_PATH="/var/lib/security/disposable_domains.txt"

Download and validate
curl -sL "$LIST_URL" -o "$LIST_PATH.tmp"
if [ -s "$LIST_PATH.tmp" ]; then
mv "$LIST_PATH.tmp" "$LIST_PATH"
echo "$(date): List updated successfully" >> /var/log/disposable_update.log
else
echo "$(date): Update failed - empty response" >> /var/log/disposable_update.log
fi

Schedule daily update:

 crontab -e
0 3    /usr/local/bin/update_disposable_list.sh

Step 5: Integrate with an API validation service

For production deployments, consider layering additional signals:

  • Syntax validation before performing domain lookups
  • MX record checking to verify domain existence
  • Risk scoring based on multiple indicators: domain age, TLD entropy, catch-all detection

Open-source tools like `email-validator-js` (Node.js) or `bloombox` (standalone API) can complement Castle’s domain list with real-time SMTP verification and MX record validation.

  1. Beyond Simple Blocklisting: Graph Clustering to Uncover Hidden Attacker Infrastructure

Attackers who evade simple disposable domain blocklists often register custom domains for specific campaigns. These custom domains rarely appear on public blocklists and typically disappear quickly. Castle’s research demonstrates a practical graph-based technique to cluster fraudulent domains and uncover relationships that would be missed when looking at domains in isolation.

Core methodology:

  • Extract signals from HTML content, server response headers, and DNS records
  • Build nodes and edges where edges represent shared attributes (IP addresses, HTML fingerprints, SSL certificate hashes)
  • No ML required—just simple graph construction to reveal domain clusters likely controlled by the same operator

Practical implementation approach:

 Simplified example: cluster domains by shared IP
def build_ip_clusters(domain_ip_mapping):
"""
domain_ip_mapping: dict {domain: ip_address}
Returns list of clusters (domains sharing IPs)
"""
clusters = {}
for domain, ip in domain_ip_mapping.items():
clusters.setdefault(ip, set()).add(domain)
return [list(domains) for domains in clusters.values() if len(domains) > 1]

Extend with additional signals:
 - HTML hash matches
 - SSL certificate fingerprints
 - SQL injection of server header values

This graph-based approach is particularly valuable for threat hunting: it helps defenders discover previously unseen fraudulent infrastructure by connecting the dots across attributes that individually appear benign.

  1. Building a Layered Defense Against Fake Account Creation

No single technique stops fake account creation. Effective defense requires layering multiple signals both before and after account creation.

Pre-account creation checks (inline blocking):

  • Disposable domain detection using Castle’s list (fast, O(1) lookup)
  • Temporary phone number detection via SMS verification services
  • Browser fingerprinting to identify automation frameworks
  • CAPTCHA challenges (with progressive difficulty for suspicious sessions)

Post-account creation monitoring:

  • Behavioral analytics to detect unusual activity patterns
  • Graph-based clustering to identify fraud rings
  • Machine learning models analyzing hundreds of signals including login location, device characteristics, and interaction sequences

API security hardening:

For platforms exposing public APIs, implement rate limiting and anomaly detection:

 Rate limiting with iptables (Linux)
 Limit new account requests per IP to 5 per minute
iptables -A INPUT -p tcp --dport 443 -m hashlimit --hashlimit-name accounts \
--hashlimit-above 5/minute --hashlimit-burst 10 -j DROP
 Nginx rate limiting for signup endpoints
http {
limit_req_zone $binary_remote_addr zone=signup:10m rate=5r/m;
server {
location /api/signup {
limit_req zone=signup burst=10 nodelay;
proxy_pass http://backend;
}
}
}

6. Windows-Specific Deployment for Security Teams

Windows environments can implement disposable email detection using PowerShell and scheduled tasks.

PowerShell implementation:

 load_disposable_list.ps1
$url = "https://raw.githubusercontent.com/castle/disposable-email-domains/master/disposable-email-domains.txt"
$listPath = "C:\Security\Lists\disposable_domains.txt"

Download with error handling
try {
Invoke-WebRequest -Uri $url -OutFile $listPath -ErrorAction Stop
Write-Host "List updated successfully at $(Get-Date)" -ForegroundColor Green
} catch {
Write-Host "Failed to update list: $_" -ForegroundColor Red
}

Function to test email domain
function Test-DisposableEmail {
param([bash]$email)
$domain = $email.Split('@')[-1].ToLower()
$domains = Get-Content $listPath
return $domain -in $domains
}

Example
Test-DisposableEmail "[email protected]"

Schedule with Windows Task Scheduler:

 Create scheduled task for daily update
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\load_disposable_list.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At 3:00AM
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
Register-ScheduledTask -TaskName "UpdateDisposableEmailList" -Action $action -Trigger $trigger -Principal $principal

What Undercode Say

  • Static blocklists are insufficient: Attackers rotate domains faster than community-maintained lists can keep up. Castle’s daily-updated, abuse-telemetry-driven dataset provides a higher-signal alternative for production defenses.
  • Industrialized abuse requires industrialized defense: The same API-driven automation that benefits fraudsters must be mirrored on the defense side, with real-time updates and automated detection pipelines.
  • Layering is non-negotiable: Disposable email detection is one signal among many. Effective fake account prevention combines domain blocklists, browser fingerprinting, behavioral analytics, and machine learning models.

The shift from manual fraud to automated, API-driven abuse operations demands a corresponding evolution in defensive tooling. Castle’s disposable email list is a practical step toward operationalizing detection without drowning teams in false positives. By focusing on curated, high-confidence signals rather than exhaustive lists, defenders can block prevalent abuse patterns while maintaining low friction for legitimate users. The next frontier will be real-time, adaptive detection that evolves as attacker infrastructure changes—moving from static blocklists to dynamic risk scoring powered by behavioral and graph-based models.

Prediction

In the coming year, expect leading fraud prevention platforms to move beyond static domain lists toward real-time, adaptive detection that correlates disposable email usage with behavioral anomalies, device fingerprints, and graph-based relationships. Attackers will increasingly abandon traditional disposable providers in favor of custom-registered domains and compromised legitimate inboxes, rendering simple blocklists less effective. The arms race will pivot to ML-powered risk engines that analyze hundreds of signals simultaneously, making disposable email detection a single component in a layered defense architecture rather than a standalone solution.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Antoinevastel Today – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky