SpamEater is a production-ready, self-hosted temporary email service that automatically destroys emails after 24 hours. Perfect for testing, avoiding spam, and protecting your privacy.
- Catch-all email receiver - Accepts emails to any address @yourdomain.com
- Auto-deletion - All emails automatically deleted after 24 hours
- Military-grade encryption - AES-256-GCM encryption for email bodies
- Web interface - Clean, responsive UI for viewing emails
- Real-time updates - Instant email delivery and display
- Mobile-friendly - Fully responsive design
- ModSecurity WAF with OWASP Core Rule Set
- SSL/TLS with automatic Let's Encrypt certificates
- Rate limiting at nginx and application levels
- CSRF protection on all endpoints
- Delete token authentication for email removal
- fail2ban integration for brute force protection
- Security event logging and audit trails
- XSS, SQL injection, and path traversal protection
- Domain Name: You must own a domain (e.g., example.com)
- DNS Configuration: Configure these DNS records BEFORE installation:

  ```
  MX example.com 10 mail.example.com
  A mail.example.com YOUR_SERVER_IP
  A example.com YOUR_SERVER_IP
  ```

  Note: DNS changes can take up to 48 hours to propagate. Verify DNS is working before proceeding.
- Server Requirements:
  - Ports 25, 80, 443 must be open and not in use
  - Root/sudo access
  - Static IP address
- Docker Engine 20.10+
- Docker Compose v2+
- AlmaLinux 9 / Ubuntu 22.04+ / Debian 11+ host OS
- AlmaLinux 9 / RHEL 9 / Rocky Linux 9
- Fresh installation recommended
Before any installation, configure your DNS records:
```
MX example.com 10 mail.example.com
A mail.example.com YOUR_SERVER_IP
A example.com YOUR_SERVER_IP
```

Verify DNS is working:

```bash
dig MX example.com
dig A mail.example.com
```
```bash
# Clone the repository
git clone https://github.com/rufftruffles/spameater.git
cd spameater/docker
# Configure
cp .env.example .env
# Edit .env with your domain
# Deploy
docker compose up -d
```

```bash
# Clone the repository
git clone https://github.com/rufftruffles/spameater.git
cd spameater
# Run setup (AlmaLinux/RHEL/Rocky 9)
sudo ./setup.sh
```
Configure your DNS records at your domain registrar or DNS provider:
```
MX example.com 10 mail.example.com
A mail.example.com YOUR_SERVER_IP
A example.com YOUR_SERVER_IP
```

Important:
- Replace `example.com` with your actual domain
- Replace `YOUR_SERVER_IP` with your server's public IP address
- DNS changes can take up to 48 hours to propagate
- SSL certificate generation will fail if DNS is not properly configured
Verify DNS before installation:
```bash
# Test MX record
dig MX yourdomain.com
# Test A records
dig A mail.yourdomain.com
dig A yourdomain.com
```
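
A scripted version of the DNS check above, as an added example that is not part of the SpamEater repository. It assumes `dig` is installed and that the MX target is `mail.<domain>` as in the records shown; the function names and the script name `dns-preflight.sh` are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of SpamEater. Checks take `dig +short` output as text.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# mx_points_to HOST ANSWERS
# True if any MX answer (e.g. "10 mail.example.com.") names HOST, ignoring case.
mx_points_to() {
  want=$(lower "${1%.}")
  while read -r _prio host; do
    host=$(lower "${host%.}")
    if [ -n "$host" ] && [ "$host" = "$want" ]; then return 0; fi
  done <<EOF
$2
EOF
  return 1
}

# a_resolves_only_to IP ANSWERS
# True if IP is among the A answers and no other address is published;
# a leftover record pointing at another host counts as a failure.
a_resolves_only_to() {
  seen=1
  while read -r ans; do
    case "$ans" in
      ''|*.) continue ;;   # blank line, or a CNAME target printed by dig
      "$1")  seen=0 ;;
      *)     return 1 ;;   # some other address is published
    esac
  done <<EOF
$2
EOF
  return "$seen"
}

# preflight DOMAIN SERVER_IP: the three lookups from the README, run live.
preflight() {
  rc=0
  mx_points_to "mail.$1" "$(dig +short MX "$1")" ||
    { echo "MX for $1 does not name mail.$1" >&2; rc=1; }
  for name in "mail.$1" "$1"; do
    a_resolves_only_to "$2" "$(dig +short A "$name")" ||
      { echo "A record for $name is not exactly $2" >&2; rc=1; }
  done
  return "$rc"
}

# Live use: sh dns-preflight.sh yourdomain.com YOUR_SERVER_IP
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A non-zero exit status means at least one record is missing or points elsewhere, so certificate issuance should not be attempted yet.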
Variable | Description | Default |
---|---|---|
`EMAIL_DOMAIN` | Domain for receiving emails | Required |
`WEB_DOMAIN` | Domain for web interface | `EMAIL_DOMAIN` |
`DELETE_TOKEN_SECRET` | 32-char secret for delete tokens | Auto-generated |
`CSRF_SECRET` | 32-char CSRF protection secret | Auto-generated |
`ENCRYPTION_KEY` | 32-char encryption key | Auto-generated |
```
┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  Internet   │────▶│    Nginx    │────▶│   Express   │
└─────────────┘     │  (SSL/WAF)  │     │     API     │
       │            └─────────────┘     └─────────────┘
       │                                       │
       ▼                                       ▼
┌─────────────┐                         ┌─────────────┐
│   Haraka    │────────────────────────▶│   SQLite    │
│    SMTP     │                         │  Database   │
└─────────────┘                         └─────────────┘
```
- Haraka - High-performance SMTP server
- Nginx - Web server with ModSecurity WAF
- Express - REST API backend
- SQLite - Lightweight database with encryption
- Vanilla JS - Frontend (no frameworks, maximum performance)
Full Docker documentation: docker/README.md
```bash
cd docker
docker compose build --no-cache
docker compose up -d
```

```bash
sudo ./setup.sh
```
The setup script will:
- Install all dependencies
- Configure Haraka SMTP server
- Setup nginx with SSL
- Configure ModSecurity WAF
- Initialize the database
- Setup systemd services
```bash
sudo ./uninstall.sh
```
SpamEater implements defense-in-depth security:
- Input validation and sanitization
- Parameterized queries (SQL injection prevention)
- CSRF tokens on all state-changing operations
- Rate limiting per IP and per inbox
- Secure random token generation
- Email body encryption at rest
- ModSecurity WAF with OWASP CRS
- fail2ban for brute force protection
- Security headers (CSP, HSTS, X-Frame-Options)
- TLS 1.2+ only
- Automatic SSL certificate renewal
- Audit logging
- No tracking or analytics
- No external dependencies in frontend
- All emails auto-deleted after 24 hours
- No email content logging
- No user registration required
```
telnet your-server.com 25
HELO test
MAIL FROM: <test@example.org>
RCPT TO: <anything@yourdomain.com>
DATA
Subject: Test

Test message
.
QUIT
```
```bash
# Should return 403 Forbidden
curl "https://yourdomain.com/?test=<script>alert(1)</script>"
# --path-as-is keeps curl from collapsing the ../ segments before sending
curl --path-as-is "https://yourdomain.com/../../etc/passwd"
```
```bash
# Docker
docker compose logs -f
# Native
journalctl -u haraka -f
journalctl -u spameater-api -f
tail -f /opt/spameater/logs/modsec_audit.log
```

```bash
# Docker
docker compose exec spameater supervisorctl status
# Native
systemctl status haraka
systemctl status spameater-api
systemctl status nginx
```
Contributions are welcome! Please read our contributing guidelines and submit pull requests to our repository.
```bash
# Clone repository
git clone https://github.com/rufftruffles/spameater.git
cd spameater
# Install dependencies
npm install
# Run in development mode
NODE_ENV=development node api-server.js
```
MIT License - see LICENSE file for details.
- Haraka - The excellent SMTP server
- OWASP CRS - Web application firewall rules
- Let's Encrypt - Free SSL certificates
SpamEater is designed for temporary email reception. Do not use it for important emails. All emails are automatically deleted after 24 hours with no recovery option.
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Security: Report security issues via GitHub Security tab
Remember: SpamEater deletes all emails after 24 hours. No exceptions, no recovery.