Addresses and URLs seem to be timestamp strings that change every microsecond, with the URL code being generated just before the email address. This makes it trivial to read someone's mail if you know their address.
You can verify this by repeatedly clicking 'Delete this address', which issues you a new mailbox. The address string can be thought of as a number that is always incrementing, with the 'digits' drawn from [0-9a-zA-Z]. (So base 62.)
The URL number is always (sample size ~100) just a little smaller than the email number, but not by a consistent amount. Often about 20-30 steps away, but sometimes as much as 600 steps away (depending on server load?).
The number seems to be generated by a clock rather than a counter, since the rate at which the counter increases is very steady. The 5th digit from the right increments every 15 seconds, suggesting that there are (62^4)/15 ~= 0.99 million unique strings per second. Maybe the counter is just using the time in microseconds, and converting it to a string?
Issues raised:
1 - If I know your address, I can now guess the 'secret' URL to read your mail in a trivial number of guesses (certainly fewer than 1000). There doesn't seem to be any throttling of attempts on the server side (I was able to manually cycle through ~30 invalid URLs fairly quickly).
2 - Email addresses 'leak' the time that they were created. (Not a clear security risk, but could be problematic in some cases.)
3 - As Sami_Lehtinen says, addresses are guessable based on signup time, but given that these are disposable addresses, I'm not sure that's a big problem (who cares if a spammer guesses it). Also, even if there is a new user signing up every second, the success rate for guesses will be 1E-6.
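Added example, not part of the comment above and not the service's code: a Python check a service owner could run to reproduce the digit-period figure and to measure how few bits remain to guess when the URL code tracks the address, next to a URL code drawn from the OS CSPRNG. The alphabet's digit order, the function names and the sample pair are assumptions constructed for illustration.

```python
import math
import secrets

# Assumed digit order; the comment only says the digits come from [0-9a-zA-Z].
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

def b62_encode(n: int) -> str:
    """Render a non-negative integer in base 62."""
    digits = ""
    while True:
        n, r = divmod(n, 62)
        digits = ALPHABET[r] + digits
        if n == 0:
            return digits

def b62_decode(s: str) -> int:
    """Inverse of b62_encode."""
    n = 0
    for ch in s:
        n = n * 62 + ALPHABET.index(ch)
    return n

def digit_period_seconds(pos_from_right: int, ticks_per_second: int = 1_000_000) -> float:
    """How often a digit increments if the value counts clock ticks."""
    return 62 ** (pos_from_right - 1) / ticks_per_second

def remaining_bits(address: str, url_code: str) -> float:
    """Audit check: bits still unknown to someone who already has the address."""
    gap = abs(b62_decode(address) - b62_decode(url_code))
    return math.log2(gap + 1)

def new_url_code(nbytes: int = 16) -> str:
    """Mitigation: URL secret from the OS CSPRNG, unrelated to address or clock."""
    return secrets.token_urlsafe(nbytes)

# Constructed sample pair (not real service data): URL value 25 steps below the address.
SAMPLE_TICKS = 1_700_000_000_000_000
SAMPLE_ADDRESS = b62_encode(SAMPLE_TICKS)
SAMPLE_URL = b62_encode(SAMPLE_TICKS - 25)

if __name__ == "__main__":
    print(f"5th digit period: {digit_period_seconds(5):.2f} s")
    print(f"bits left for sample pair: {remaining_bits(SAMPLE_ADDRESS, SAMPLE_URL):.1f}")
    print(f"bits in a 16-byte CSPRNG code: {16 * 8}")
    print(f"example independent code: {new_url_code()}")
```

With a microsecond tick the 5th digit period comes out at about 14.8 seconds, consistent with the 15 seconds observed in the comment; per-URL rate limiting on the server remains a separate control.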