The only account that I received is one I used on my public website as a "mailto:" link. 100% of my spam comes from this address. I host on runbox.com.
Is the fear of "people selling your email to spammers" a modern myth, or are spam filters that good?
I would argue the former since I still get 30 spam emails a day from my website email address, and zero from companies that ask for them.
Email databases for sale are not always for spam or malware. They are often used for tracking and cross marketing calculations. Placing a company's name in the address will signal a canary and they may likely filter your contact out of their database or at least flag it and treat it differently.
I've been using email canaries for decades but recently had to adjust my canaries to be less obvious. A few vendors got upset that I had their name in the address and one even accused me of fraud and canceled my $500 gift card. That was the Tractor Supply Company.
Either way I will continue using canaries and multiple domains as it is a good way to be filtered out of some cross marketing databases and to avoid some behavioral tracking and some machine learning. It is also useful to find companies that get upset. This is an indicator to me they lack integrity and should be avoided. Canaries are also a good indicator to detect if a company has been compromised.
A few years ago I created an account with a freemium publisher with the email address their.domain@my.domain and as soon as I logged into my account I had full unlimited access to all content.
I suspect their system had a routine that detected staff accounts based on a string search for their domain.
But even with the most rudimentary web-dev languages you can replace the inner string match with a lowercase transform, split on @ and perform an exact string compare. Insanely simple stuff. Probably still a one-liner in any sane/productive framework.
The default is greedy... match match match nom nom nom!
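The two checks described in the comments above, side by side, as an added example rather than code from the publisher in question. The staff domain `example.com` is an assumption standing in for "their.domain"; the point is that a substring test is satisfied by anything the user controls, while splitting on the last `@` and comparing the domain exactly is not:

```python
STAFF_DOMAIN = "example.com"  # assumed publisher domain; hypothetical


def is_staff_naive(email: str) -> bool:
    """The check the comment above suspects: a substring search for the
    company's domain anywhere in the address. Any user who controls the
    local part can satisfy it with their.domain@my.domain."""
    return STAFF_DOMAIN in email.lower()


def is_staff_strict(email: str) -> bool:
    """Hardened check: split on the *last* '@' (a quoted local part may
    itself contain '@'), then compare the domain part exactly after
    case-folding. Subdomains and look-alike suffixes do not match."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return False
    return domain.lower() == STAFF_DOMAIN
```

Whether `mail.example.com` should count as staff is a policy decision; the strict version says no, which is the safe default, and an explicit allow-list of subdomains is the place to relax it.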
I have had this happen a few times.
> Canaries are also a good indicator to detect if a company has been compromised.
Yep, this is a fantastic use case.
I've noticed a couple breaches, and also a few unexpected transfers of my email address between semi-related parties.
Just once it appeared an address was sold via a marketing list, after filling out a lead-form for a free online conference hosted by multiple companies that you've seen on HN.
Surprisingly, unsubscribing tends to stop emails from everyone.
It is fun to receive a survey about "an anonymous company you have used in the past"... sent to myemail+uber@gmail.com.
*yet less reliable, '+' in email addresses isn't always accepted, and when it is sometimes only partly, e.g. signup works but password reset doesn't
Plus addressing is valid and has been since 1982 [1]. It's part of RFC 822 and the subsequent RFC 2822.
The fact that many websites do not allow + in an email address during validation is a common programming mistake and the sign of an undertrained engineer.
[1] https://people.cs.rutgers.edu/~watrous/plus-signs-in-email-a...
Or just sanity.
I am totally onboard (https://news.ycombinator.com/item?id=31797121#31822961) with having compliant parsers (or just not using them)
But the RFC from what I can recall is _wild_. I can't find the part so maybe I am mixing something else up, but I believe you can embed comments into an email address.
All I am saying is that the possible scope of valid email addresses is likely so large, trying to write a parser for them is a sign of an underexperienced team rather than not having one at all.
There won't be a general approach to deduplicating addresses that map to the same mailbox as the mapping rules aren't always public. But for Gmail, the rule is public, so a best effort deduplication could strip the +.
Also, depending on the legislative framework, it might be illegal: If I give company my email address with a plus and an identifier in it, I give them permission to contact me under that specific email (with the plus on it). If I as a result receive emails under another address (without the plus on it), this might be a GDPR violation.
For example: A lot of pentesting companies offer "darknet research" as part of their engagement; these have a non-nefarious use for these leaks, including private addresses: Given a list of customer's employees it's easy to guess some obvious Gmail/GMX/Yahoo/... addresses and check if they might be affected by any leaks (password reuse is pretty popular, especially with the not so technically minded). Troy Hunt, who runs haveibeenpwned, uses these lists as well; I suppose he normalizes Gmail, too.
Yes, OP could still be an evil /dudett/..., but while "innocent until proven guilty" might not be a HN rule, it's still something I like to assume about random people on the internet.
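A small validator and mailbox normaliser covering the points made above about accepting `+` and about Gmail's public rewrite rules. This is an added example, not code from any commenter or from haveibeenpwned; it deliberately accepts only the dot-atom shape of an address (no quoted strings, comments or domain literals), and it folds only Gmail, because for other hosts the local-part rules are not public:

```python
import re

# Local part limited to RFC 5322 dot-atom text (which includes '+'); quoted
# strings, comments and domain literals are deliberately not handled, so
# this accepts the common shape rather than the full grammar.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
ADDR_RE = re.compile(rf"^({DOT_ATOM})@({LABEL}(?:\.{LABEL})+)$")

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def accepts_address(addr: str) -> bool:
    """Signup-style validation that does not reject '+' or other atext."""
    return ADDR_RE.match(addr.strip()) is not None


def mailbox_key(addr: str) -> str:
    """Best-effort key identifying the receiving mailbox.

    Gmail's rules are public: dots in the local part are ignored, anything
    from '+' on is a tag, case is ignored, and googlemail.com is an alias.
    For every other domain only the domain is case-folded, because RFC 5321
    leaves local-part semantics to the receiving host."""
    m = ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not an address: {addr!r}")
    local, domain = m.group(1), m.group(2).lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def distinct_mailboxes(addrs):
    """Deduplicate a list of addresses by mailbox; returns one key per box."""
    seen = {}
    for a in addrs:
        seen.setdefault(mailbox_key(a), a)
    return list(seen)
```

Note that `mailbox_key` is for deduplication and breach matching only; the address a person actually gave you, tag included, is still the one you are authorised to write to.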
Not that spam laws are enforced or particularly enforceable.
In either case, the existence of the different authorised email address is irrelevant.
I used to use + addressing schemes, but abandoned it for the reasons you mentioned (websites breaking horribly).
I think there’s an unofficial Terraform provider but I haven’t looked recently.
Nice, hadn't thought about :-)
My favourite is services that let you sign up with a + in the address but then break when you try and login or reset your password.
I personally use Thunderbird and AWS SES to send mail, but many people who grew up on web interfaces are intimidated by Thunderbird.
That surprises me; it's web interfaces that intimidate me.
It's the only thing I missed when I switched to Fastmail. (Which has since added it too, but not before I left in favour of my own SES-based solution.)
Iirc there was a section of settings called 'sending & receiving', and there was a drop-down to select 'reply from same address' or similar.
I.e. if your main email address is ojford@ojford.com but you're also preconfigured e.g. foobar@ojford.com you could set that option to have Gmail use either ojford@ojford.com or foobar@ojford.com as your return address, depending on the originating email's TO address. However, if you _also_ have a catchall address and somebody sends to newservice@ojford.com, even with the setting set your return address would be ojford@ojford.com.
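The rule just described, written out as an added example (my reading of the setting, not Gmail's code), using the addresses from the comment. `reply_from_preconfigured` reproduces the described behaviour, where only an explicitly configured alias is used and a catch-all hit falls back to the main address; `reply_from_catchall` is the rule a catch-all user usually wants instead. `build_message` constructs test input:

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Addresses taken from the comment above; the domain is its own.
MAIN = "ojford@ojford.com"
CONFIGURED = {"ojford@ojford.com", "foobar@ojford.com"}
DOMAIN = "ojford.com"


def build_message(to, cc=None, delivered_to=None):
    """Constructed inbound message used as sample input."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = to
    if cc:
        msg["Cc"] = cc
    if delivered_to:
        msg["Delivered-To"] = delivered_to
    msg.set_content("hi")
    return msg


def recipient_addresses(msg):
    """All recipient addresses in the headers, lowercased, in header order.
    Delivered-To / X-Original-To carry the envelope recipient, which is the
    only place a catch-all address shows up when mail arrives via a list."""
    for hdr in ("To", "Cc", "Delivered-To", "X-Original-To"):
        for _name, addr in getaddresses(msg.get_all(hdr, [])):
            if addr:
                yield addr.lower()


def reply_from_preconfigured(msg, configured=CONFIGURED, main=MAIN):
    """'Reply from same address' as described: only an alias you have
    explicitly configured is used; anything else falls back to MAIN."""
    for addr in recipient_addresses(msg):
        if addr in configured:
            return addr
    return main


def reply_from_catchall(msg, domain=DOMAIN, main=MAIN):
    """Catch-all variant: reply from whichever address at our own domain the
    mail actually arrived at, whether or not it was configured in advance."""
    for addr in recipient_addresses(msg):
        if addr.endswith("@" + domain):
            return addr
    return main
```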
How does it work?
If a company to which you have provided an email address gets compromised, it's likely that you'll start getting automated phishing emails to that address? And that the address ends up in... some "warning" database like Have I Been Pwned, and you'll get notified?
Or something else?
Seems like a good idea :-)
When it happens, I say "this is because your company is so important to me that it has its own mailbox to be prioritized accordingly"
It worked every single time :)
If they still object then I don't sign up. I've had a web form refuse to accept an email address with their company name in it, so that sale went elsewhere, and one physical retail store wouldn't let me sign up to their prize draw with such an address, so I didn't. In neither case do I suspect anything of value was lost by myself!
Eventually the conversation went like:
"So you're saying you created a new email address just to use with us?"
"Sure, yeah."
"...That's weird."
Also have one for thifty@mydomain.com (the car rental company) - when they saw my email address at the counter they gave me the employee discount rate - I didn't correct them :)
This is a killer feature, I love Fastmail.
Expect this to change, if Apple's anonymous e-mail forwarding becomes popular.
Just like when IT departments (including the one at my company) insisted that everyone use Blackberries because iPhones weren't suitable for a corporate environment.
Once enough C-levels start using any feature, it spreads like wildfire.
They'll continue to block the non-apple ones regardless.
Oh, good point. I guess I may have invalidated all my research! :|
name1@website.com
name2@website.com
etc.
In a spreadsheet, you have one column with the number, and another with the company name. You might want to change this up, putting the identifier in different parts of the email address, to avoid similar "canary" signals.
Personally, I use BitWarden to generate usernames for each website, to help keep my fingerprint (somewhat) scrambled. LastPass also has a good username generator. [1] I would just avoid using complete non-sense words, since there might be some amount of human review.
[1] https://www.lastpass.com/features/username-generator
I had to read my e-mail address to someone there just last week.
rot13 FTW
Google becomes hpphar.
Easy to [en/de]code on the fly by looking at your keyboard.
You don't use a password manager?
I've had more confused than upset, but Samsung straight-up refuses to accept email addresses with "samsung" in them. I'm not sure what they think they're accomplishing.
I think I get more spam from hacked/leaked email databases than sold ones. Dropbox is the worst (signed up and used it briefly over a decade ago, and now suffer an eternity of spam).
Kinda annoying of them, maybe I would go for an opaque (or maybe just a simplified) canary. Like the initials or abbreviation
No one got upset, but a record label was confused and asked me about it, and another company had their legal department ask me under what license I use their TM ;) In both cases a simple explanation was the end of it.
Please name!, or give details of size.
Not for shame — for curiosity!
As I said, one quick explanation of single-use emails cleared everything up.
[0]: https://en.wikipedia.org/wiki/T%C3%9CV_Nord
I believe sqrl uses a system like that.
I'd like to start doing this, but wondering what I would do if I figured out someone had passed the address on or been compromised.
I may be misreading your comment, but if not, it sounds like the OP (of this Tell HN) did exactly that.
I've run my own domain for longer than you have, and many emails have been compromised.
Some are 100% from companies selling the emails to sister companies.
The majority, though, is from a company itself being compromised by hackers / database access / etc. LinkedIn, Neopets, ProFlowers, TeeSpring, etc. I can go on.
The most surprising one is ongoing spam (and semi-legitimate contacts from recruiters) to an address that I only (intentionally) used at O'reilly. I just checked HIBP and that address was exposed in the July 2018 Apollo exposure.
It would have to somehow be protected against bad actors scrubbing themselves by any other means than no longer being bad actors.
It’s on another level now.
I also get a handful of spams a month from default addresses (hostmaster, etc), all of which come from Chinese IPs. I don't have any email address posted on my websites to scrape from (mailto: or otherwise), so I don't get any spam from that.
The end result is pretty much no spam. I assumed when I first set up my domain I'd have to configure SpamAssassin at some point, but that point has never come, thankfully.
It's not quite spam, it's not quite illegitimate, but it's not what I signed up for.
But then from around 2010 onward, that type of spam became much less common, and nowadays it's as you say. The vast majority, probably 90%, come from compromised accounts, like linkedin@[mydomain.com]. The rest hit the unique email addresses I have submitted in domain registration forms.
That's even more surprising considering that I've since shifted to using [username]+[company]@[mydomain.com]. Spammers could pretty easily strip off the `+[company]`, but I haven't seen that happen much.
And that may have dropped off because there was a concerted effort to make it harder to do that around then. In particular, that's kind of what killed qmail as an in-vogue MTA, because it wasn't being updated and you had to use awkward patches to stop backscatter.
If it's not what you signed up for, isn't that pretty much the definition of spam?
Then again, I actually fill out that little question after unsubscribing. The above I consider "legit" as long as unsubscribe works.
If I want emails from you, I will explicitly ask to be added to your mailing list. Anything else is spam as far as I'm concerned.
Ah: prior commercial relationship. That's not spam, unless they ignore your unsubscribe request.
I hope you're not notifying the world that your preferred supplier of [X] is a spammer. I like to stay on good terms with my preferred suppliers.
If I didn’t ask for it, it’s spam, regardless of whatever holes the US has punched in its definition to keep business owners happy.
Nope. There's not much point in relying on a "definition" of spam that is essentially subjective. "Hey, I signed up for your newsletter, but what you've sent me isn't news to me, or I just don't like it; so it's spam".
That's why it's important that spam continues to be defined as Unsolicited Bulk Email.
At least in the EU, if you make a complaint, it falls on the sender to assert the legal basis for sending the email, so it's on them to prove informed consent (if that's the basis they're relying on).
> That's why it's important that spam continues to be defined as Unsolicited Bulk Email.
I'm not sure you've made the case that's important. In the EU, spam has been long defined as unsolicited commercial communications (since the E-privacy Directive in 2002) - no requirement for it to be in bulk.
True. But spam has existed since long before EU regulators got interested; one type of spam that isn't covered by the EU rules is political spam. At one time I used to get a lot of political spam from US politicians and parties. I've never been a US citizen, and I don't get to vote in US elections - these politicians were spamming mailing lists.
The EU rules specifically exclude spam that isn't trying to sell you something for money. Why? Possibly because the rules are made by politicians, who prefer that their own spam isn't included.
The pizza place down the street uses a third party digital order system, that was compromised. One of the first emails I actually had to blackhole due to the insane volume of spam and attacks that started coming to it.
Also.. my previous landlord. His computer or account got compromised at some point, and that was another email I had to blackhole due to the insane volume of porn spam that started coming to it.
I have a couple of addresses that look to have been sold (e.g. addresses used in cheap kickstarter campaigns), but that is more rare.
And to compound this after doing a half ass job of what OP has done, I recently moved my custom google apps free domain to have a second reception domain I use JUST for this with a `.email` TLD (side note: the amount of tools that don't see modern TLDs as valid is enraging).
I made the (maybe poor) choice of donating to political campaigns before the last US election using these emails
- `Biden-campaign@`
- `democrats@`
- `<specific local race>@`
All of those I've had to unsubscribe from about 2-3 dozen total OTHER email lists as those emails are literally sold/given out to other campaigns. The Biden one being the worst.
Also if you have your own business you'll start getting solicitations, LOTS of solicitations. And god forbid your email is on an old resume, or somewhere else.
Now, is any of this "technically" spam? Maybe but not really. Do I consider it worthless? yes.
But to cite your last specific one. I did a search for an address I know was on a compromised product. Specifically a game Heroes of Newerth. They were hacked in I believe 2015 and the list was sold. My email was my old method `name+hon@email.domain`. I get ~20 emails to that a year and all of them go to spam or are flagged as spam automatically.
1) Just because it hasn't happened to you, that doesn't mean it doesn't happen. I have quite a few examples of companies selling or otherwise sharing, whether intentionally or through compromise, my email addresses.
2) If someone (some company) is going to sell email addresses, it's not unreasonable to imagine that they'd want to remove any addresses that would directly link those addresses to their source, so a quick search to remove any address with the word "adobe" in it when selling Adobe mailing lists would not be unexpected in the least.
Years ago I set out to learn more about the "missing sock" problem (https://en.wikipedia.org/wiki/Missing_sock). I bought a dozen pair of brand new socks and I ironed on labels identifying each and every sock. Guess what? The labeled socks never went missing. The act of labeling the socks dramatically affected the experiment.
Perhaps using companies' names in our email addresses is affecting our results.
That's a good explanation.
In my experience, I got tons of spam, especially after a leak.
By far, the _most_ spam I get is to government agencies and medical facilities. I started getting male enhancement messages to my parknyc (NYC parking meters) address in under a week after registering.
Since my addresses are never used for more than one service, I can be reasonably sure they had a leak of some sort, but it is also not sufficient evidence to actually report it.
They even do have something called "Visa Secure" and "Mastercard Identity Check" ( see https://stripe.com/guides/3d-secure-2 ) but I've never seen this come up in practice. I guess it's easier for them to just let merchants assume the fraud risk. We need some laws that put the burden on the card issuers to get them to actually care about CC fraud, but obviously the ones benefiting from the current system are very well-funded and have lots of sway with lawmakers.
I gave a custom username email to an in-person store (big chain) with a rewards program because they were offering a huge discount if you did. Since then they've sent at least 1 email a day, with an average of about two (I've redirected all their emails to a folder I never look at). Which is a remarkably obnoxious rate of sending emails...
I've also split my email addresses into a public one (displayed in my profile here, on github, on a website, etc) and a private one. The public one gets a spam email or two a week.
Incidentally, I was surprised to discover that pinterest forbids you from having the word pinterest in your email (or did when I signed up).
Why are you setting up these custom filters instead of just clicking the link and opting out?
I've encountered many companies that let you unsubscribe, then add you to a 'new' mailing list a few months later. You can usually identify these companies because when you click to unsubscribe they take you to a page with a dozen or more 'newsletters' that you have to uncheck to remove yourself from if you can't find the 'all' link.
Also after getting home and already having multiple marketing emails I was sort of curious about just how many they were going to send, which is why it's in its own folder.
I then resorted to unsubscribing, but in my experience that doesn't always seem to work. I could be wrong here as I haven't kept track of who I unsubscribe from and if I would still get newsletters after the fact. But I've experienced receiving newsletters from some company I could've sworn I just unsubscribed from a few times.
However it wouldn't be surprising if some website's unsubscribe feature was buggy. I can also imagine it's not being reported. Or if it was, and you could figure out where to report it, the report would get lost on its way from customer support to the people responsible.
> Is the fear of "people selling your email to spammers" a modern myth
100% absolutely. Your email address itself is not valuable or interesting in any way.
I can't imagine there being an internet black market for random email addresses, but if I had to guess what they would be worth, it would be fractions of a fraction of a cent per email. Meanwhile, Mailchimp charges ~$0.02 per month for every email contact you hold onto. It makes absolutely no financial sense for your average retailer or newsletter to be selling your email addresses.
However, your contact information might get sold if it is attached to high value sales activities. Like if you signed up for a quote on a $50k HVAC system or indicate you are a big donor to certain political causes. Your email address/phone number are valuable in that they are now attached to some pretty valuable purchasing intent. This is where less than scrupulous sites will live to harvest your data.
This is still a bit of an outlier activity. If I sell expensive HVAC systems, the only people interested in this data would be direct competitors. If the information is actually valuable, it will be less likely to be widely disseminated.
A decade ago I worked for a service that let you send bulk emails.
Any time we thought a customer was using a purchased email list, we came down on them hard or booted them off the platform. Same for other forms of spamming, not including an unsubscribe link, etc.
This wasn't necessarily altruistic: if their emails were marked as spam it would poison the reputation of our sending IPs and threaten the business.
It's clearly imperfect, but the industry's incentives seem to help.
I really enjoy that the spam filter catches borderline messages like promotional newsletters from companies I do business with that I didn't intend to sign up for. And I can count on one hand the number of times since 2004 that an email that actually mattered was sent to my spam folder by mistake.
Every form of communication I use has spam and most are much worse than email. I get SMS spam, phone call spam, snail mail spam, WhatsApp spam, phone notification spam. In most cases the spam is harder to deal with and a larger percentage of the total. Phone call spam and snail mail spam in particular are way above 50% for me. Even after doing all the marketing opt-outs I can find.
How often do you check? I see a few false positives a week.
Now we get inconvenienced by spam in the form of overactive spam filters that take critically important messages from people we've been communicating with for years and files them as spam.
In almost all cases with companies of any significant size/reputation it was entities that either publicly admitted or were publicly called out as having been hacked – so incompetence or the bad luck rather than deliberately selling my details on.
In a few cases (a couple of hosting providers, a physical-store electronics retailer) it has been a business that had failed before the spam started, so presumably their contacts were sold as an asset as part of the winding down.
I give different addresses to any online forum too — they have seen a much higher rate of addresses needing to be dropped due to spam.
If you use a catch-all address rather than setting up each alias individually then you may get “dictionary” attacks at some point. Early on when I used <varies-by-company-or-other>@domain.tld I saw that a few times, with someone sending to alan@, alana@, alvin@, … Since moving over to <varies-by-company-or-other>@sub.domain.tld (where “sub” is a static sub domain operating as catch-all, with only a whitelist of addresses on the main domain now accepted) I've not seen this again. I don't know if that is because name dictionary attacks like that are simply rare, are not attempted on more complex addresses, or never really worked so spammers don't use the technique at all any more.
Where an address ends in a number, I've seen guesses that increment that number – so as well as getting junk to somecompany2@sub.domain.tld I get junk to somecompany3@sub.domain.tld and so on. I assume this is an address farmer bulking out their database.
One place where passing on of your email address seems rife is kickstarter and Indiegogo projects. I'm on several mailing lists I've never subscribed to on those addresses, and another appears every couple of months — I don't know if it is the projects themselves or the survey management third parties that are to blame, I suppose I could test that by cycling the address but I've not been bothered enough to make that effort. I have messages from those lists auto-filed into a folder, and if I'm tempted to support a project I search that folder first – if they have been carried by one of the spammy mailing lists I won't be giving them any of my money. I've saved money on three projects thus far with this. A petty victory perhaps, but I like my petty little victories!
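Both probing patterns described above (name-dictionary runs against a catch-all, and incrementing a numeric suffix on a known alias) can be picked out of the receiving side's logs. The following is an added example, not the commenter's setup: it reads a constructed, simplified log (timestamp, client IP, envelope sender, recipient; not Postfix's real format), compares the recipient local parts against the set of aliases you actually issued, and reports per client whether it looks like a dictionary run or an increment guess. The known-alias set and thresholds are assumptions:

```python
import re
from collections import defaultdict

# Aliases actually issued on the catch-all subdomain (assumed).
KNOWN = {"somecompany2", "shop", "bank"}
DOMAIN = "sub.example.com"

# Constructed log: "<timestamp> <client-ip> <envelope-from> <recipient>".
LOG = """\
2022-06-12T10:00:01Z 203.0.113.5 bulk@mailer.invalid alan@sub.example.com
2022-06-12T10:00:02Z 203.0.113.5 bulk@mailer.invalid alana@sub.example.com
2022-06-12T10:00:02Z 203.0.113.5 bulk@mailer.invalid alvin@sub.example.com
2022-06-12T10:00:03Z 203.0.113.5 bulk@mailer.invalid amy@sub.example.com
2022-06-12T10:05:00Z 198.51.100.9 news@somecompany.example somecompany2@sub.example.com
2022-06-12T11:30:00Z 192.0.2.77 deals@farm.invalid somecompany3@sub.example.com
2022-06-12T11:30:01Z 192.0.2.77 deals@farm.invalid somecompany4@sub.example.com
2022-06-12T12:00:00Z 198.51.100.9 news@somecompany.example shop@sub.example.com
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)@(\S+)$")
STEM = re.compile(r"^(.*?[a-z])(\d+)$")  # "somecompany2" -> ("somecompany", "2")


def parse(log):
    """Yield (client, sender, local_part) for deliveries to our catch-all."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m and m.group(5).lower() == DOMAIN:
            yield m.group(2), m.group(3), m.group(4).lower()


def find_probing(log, known=KNOWN, min_unknown=3):
    """Per client: 'dictionary' if it hit at least min_unknown local parts
    we never issued; 'increment' if every unknown local part is a known
    alias's stem with a different numeric suffix. Clients that only reach
    issued aliases produce no finding."""
    by_client = defaultdict(set)
    for client, _sender, local in parse(log):
        by_client[client].add(local)

    stems = {STEM.match(k).group(1) for k in known if STEM.match(k)}
    findings = {}
    for client, locals_ in by_client.items():
        unknown = {l for l in locals_ if l not in known}
        if len(unknown) >= min_unknown:
            findings[client] = "dictionary"
        elif unknown and all(
            STEM.match(u) and STEM.match(u).group(1) in stems for u in unknown
        ):
            findings[client] = "increment"
    return findings
```

The output of `find_probing(LOG)` on the constructed log flags `203.0.113.5` as a dictionary run and `192.0.2.77` as incrementing `somecompany2`. An allow-list on the main domain, as the commenter moved to, is what stops this class of probe from costing you anything; this check just tells you it is still being tried.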
You sign up for a health plan using healthplan@example.com. Great, until you need to send them a document. You send it from myrealaddress@example.com, and they write back and say hey, that’s not the account on file, etc.
So now you have to set up healthplan@example.com, configure it in your mail client, etc. And now you have this long list of special addresses to remember to have to send from, depending on the situation.
Email is already something I loathe. Why would I make it harder on myself?
Historically I used a more convoluted method. When I used to use migadu (don't use them) I had a little script that would check the first line of any email I sent myself for a target email and resend it from the receive address. It was janky but worked.
Are you able to share what made you stop using them? I've been contemplating trying them out :-)
There are a few other threads on HN about them as well.
Essentially they are a bargain basement supplier and expect them to treat you accordingly. If you're happy with that then it's fine!
But I have few needs. I set mailboxes up, I IMAP to them, that works. They're great value. Job done.
1: https://simplelogin.io/docs/getting-started/reverse-alias/
It comes in two forms.
One is that companies subscribe to the marketing emails without asking. When this happens, they tend to re-offend on unsubscription, so they had to be blocked by blacklisting.
The second form is that they do in fact share my email address with others. Not two months ago booked a hotel in Europe and got a spam from some other company before I got a booking confirmation. So this happens.
That all said, the point of using per-company emails is less about spam and more about denying them an option of collating my online activity. The fact that you don't get spam doesn't mean your email address (+ relevant personal details) isn't getting resold, shared and otherwise vacuumed up by the data collectors. It's them I'm more worried about than occasional spam.
Possible confounding factor: I try to keep my personal and professional lives ~separate and so the retailers/etc most likely to be compromised get a personal email address (whose inbox is virtually unusable due to amount of commercial email it receives, though relatively little of that is spam per se).
Back then, my college required us to forward our university email to a personal account. That's fine as our personal addresses were hidden and not public.
What was not fine was one day the IT department changed everyone's public email address to their private address. They also changed mailing lists from BCC to CC so that you got to see everyone's email who received the email.
A few hours later after these changes, the spam started rolling in. At first it was a moderate amount of spam, a few messages a day, but it quickly increased. At one point it was up to 200-300 spam messages a day and stayed that way for several years. In any given month my gmail spam count sat between 3,000 to 6,000.
Over the past 10 years, as botnets have been taken down, those numbers have come down an order of magnitude. I still get between 20 - 30 spam messages a day on that account.
I have no idea what "hot" email addresses sell for on the dark nets, but it's probably something greater than $0, which means the outsourced third-world CRM workers will scrape and sell them whenever possible.
Marking them all as spam seems to be helping more than unsubscribing.
And I like PP but goddamn, emails coming from a swath of domains, a neverending stream of physical mail.
I won't donate to them again because the amount of contact they try to have with me is absurd.
Can confirm.
Joined an art museum in a major city.
Within a month, the unique e-mail address was getting spam from the aquarium, the science museum, the local PBS television station, and some museums I never even knew existed.
Retailers make money from your email address by trying to use it to get you to spend more money with them. That can be as simple as sending you marketing emails--which many people consider spam! So when you hear people complain about "spam" from retailers, it's often this: real marketing emails that they are mad about getting.
Companies can also use customer email addresses as tokens for targeting in ad networks. In doing so, they may upload your email address to the ad platform. In that case they are sharing it with another company, but it won't result in spam. It will result in greater correlation between the otherwise separate tracking of your behavior across companies. In this case, using company-specific email addresses may actually be an advantage in terms of foiling such correlation.
This is written like it's "not spam", but I'd consider that unsolicited marketing emails because I bought something once to be clearly spam - the only way these emails would not be spam to me would be if there was some sort of affirmative, opt in that was clear about what you're opting in for.
The only "actual" spam I ever get are for email addresses where the marketplace has shared my email address with the seller. Ebay, especially. I have to rotate my ebay email address periodically and block the old one in order to keep the spam down to a reasonable level.
However, I still use custom email addresses when signing up with various companies/services because the trend over the last five years has been for every company (large and small) to automatically subscribe you to their asinine daily newsletters and other marketing crap even when you specifically opted-out on signup. Yes, the emails themselves _usually_ have unsubscribe links, but those only have a 50% success rate in my experience. And this is from otherwise reputable companies. Easiest to just block the whole email address and move on with my day.
However, it’s entirely possible I’m not seeing many messages that are getting blocked by spam controls (gmail), so I hesitate to draw any sweeping conclusions about it.
I’m also very cautious about what I sign up for. I can say that from what I’ve seen with others, the amount of spam and phishing is very dependent on what you do. For example marketing people need to widely distribute their addresses as part of their job, and I definitely see them receiving far more spam/phishing than others.
Address linked with "mailto:" on a contact page had to be blocked after a few years. Same with WHOIS addresses (published before there were sane privacy rules for those). Address with "@" and "." replaced with "at" and "dot" receive no spam at all.
Summed up, there are a few hundred inbound messages a day. Spamassassin and some basic postfix rules filters almost all of them. One or two a month get through.
An address I used only for Comcast Xfinity gets a surprisingly large amount of spam. (I'm no longer a customer and have disabled the address.) I'm not the only one to suspect they've had a data breach:
https://news.ycombinator.com/item?id=30062511
https://news.ycombinator.com/item?id=30980625
https://news.ycombinator.com/item?id=31118355
I've had obvious aliases at a number of compromised databases and so far none of those generate any spam. In fact, recently I received an email from some white hat that my address was part of a site that has been hacked twice and the site-owners have not reported it, so the white hat was sending out email blasts to tell people. I've never been spammed to that address.
Where I've seen one alias spread is when it somehow ended up on some political list. A non-political blogger's newsletter address has spread from here to kingdom come and I suspect that the blogger had someone else managing the sending of that newsletter who decided to borrow the list, and the people he gave it to decided to do some more sharing.
[1] https://krebsonsecurity.com/2022/08/the-security-pros-and-co...
E.g. I bought insurance after looking at a comparison site, used different email addresses for each, and then found out the comparison site must've passed on 'my email address' to the insurance company when I got a later email, that turned out to be from a third company contracted to do part of their business; to whom they'd given the wrong email from my file, the one I didn't know they had.
It's not a huge problem, but it makes you aware of these things.
So, I never had to explicitly filter e-mails out by "To:" field, but using this system still gives me some sense of control.
I came to the same conclusion as you, but additionally decided it has been a major waste of time and I'm slowly trying to undo it.
[1] https://www.notcheckmark.com/2022/06/catch-all-domain/
[2] https://news.ycombinator.com/item?id=31585463
There's no real need to undo it now, however. It is more of an afterthought.
(I also didn't realize that I now must own this domain FOREVER because if I sell it, the next owner will have all of my email addresses for password resets.)
- digikey.com (Feb. 2021)
- gamasutra.com (Jun. 2017)
- buydig.com
- kickstarter.com (May 2017)
- seagate.com (2016)
Of course this doesn't include the addresses I have had to disable because companies either started sending me "legitimate" promotional emails I did not request or they did not respect my unsubscribe requests (I believe this is what we used to call "ham").
It was an early warning for me to change my password at that bank (this was pre-2fa), so the practice has kinda stuck with me.
- My Kickstarter address (well-known leak).
- My Paypal address (probably leaked through a web shop).
Both email addresses have been blocked since then. I also got a spam mail through one address I used for a forum, though the forum owner denied that they were ever hacked, and it stayed at that one single mail, so... not sure what happened there. So yeah, it does happen, and when it happens it's nice being able to just block that address completely within seconds and use a new one.
I still use Yahoo Mail primarily because of its 'Disposable Email Addresses' super-feature. For my new Yahoo account, I have maintained the habit of creating new disposable email addresses for every site I need to register with. The disposable addresses always contain the name of the site/organization I am registering with. I have also kept a few pre-created email addresses at my disposal :) in case I need to provide one at a retail store.
In the last five years, there hasn't been a single spam message on any of these disposable addresses. I always had the option to delete these addresses as soon as I start receiving spam on them, but to date I never needed to exercise it. The messages that are moved to the Spam folder are always false positives, so in a way, I don't lose sight of any message just because the mailing service decided to mark it as spam.
Caveat, sometimes an unsubscribe website can't handle the "+" symbol in an email and you'll continue to get spam. So, just add a filter for that "TO" email to forward to the spam/trash folder.
Even if the website you provide it to doesn't do that, anyone who buys it can.
I'm guessing the answer is, "Most companies are too lazy", but that seems like a weak behavior to depend on.
Sending emails to everyone on the planet is one thing; but taking pains to send emails to people who are clearly trying to dodge them seems terminally stupid, and I'd fire anyone who was trying to spend my money on an effort like that.
When I start receiving spam at one of these aliases, I'll update my email address with the relevant site(s), then after a cooldown period to ensure no more legitimate mail arrives at the original alias, I'll use the original alias as a spam trap - any mail sent to it is learned as spam, then accepted and discarded by my MTA.
The most spammy of them has been equifax, but that one was so publicly hacked that I didn't need spam to know about it. Confirmation has its value I guess. It'd be nice to know if equifax sold the information and got hacked, that's entirely ambiguous and now equifax has plausible deniability thanks to the hack. Le sigh.
I've gotten spam to places that have had their databases leaked and widely reported. Off the top of my head, Zynga and Consumerist.
I've also gotten spam from individual eBay vendors (etc), to my ebay@ and paypal@ address. But there's no way to particularly stop that, beyond knowing that ebay and paypal leak my email address.
I get a lot of spam to an admin@ address on a domain I bought that was evidently in use previously.
I also get spam from companies I used quite a while ago, and were either acquired and renamed, or are still in business. I haven't purchased or even signed into the website of "PCB Fab Express" in over 15 years, but they still see fit to email me.
In general I don't find it that much of a hassle to hit 'd' on spam, hence not particularly caring about a spam filter, or not setting up a procmail recipe that bounces the spammy businesses.
FWIW I actually don't get much spam any more to the first category of email leaks. I'm sure it goes in waves with whatever lists are in vogue.
I still do find the custom email addresses nice for creating a small impediment to cross-referencing surveillance data, and don't see any reason to stop them. If the saying "YourCompany@" to a Your Company rep was really that awkward, I'd switch to opaque shorter handles, but it hasn't been a problem. Sometimes I'll just own it and say I do this so I know when companies sell my email address to spammers.
Also, I read my email with mutt in a terminal, possibly passing it through lynx when I need to. If my client loaded image bugs or other html nonsense, my experience might be much different.
The biggest spam magnet is the email address one leaves with a registrar; that is horrible.
Then come contact@, webmaster@, and other generic accounts that spammers can guess for each domain.
I get it that people need to sell to stay in business, so does my company, but it's starting to be a nuisance, especially since it many times passes the spam filters, and each email gets 2-3 "just following up" emails.
On August 8th, 2022, DigitalOcean discovered that our Mailchimp account had been compromised as part of a wider Mailchimp Security Incident. As a result, a number of DigitalOcean customer email addresses may have been viewed by an unauthorized individual.
Impact to you: No customer information other than email address was impacted.
In the beginning I used to receive a lot of spam -- sometimes dozens per day. I'd frequently get blasted with dozens of the same spam, to every possible alias they had access to. Sometimes they would use randomized From: addresses or other small customizations to trick spam filters, but frequently not even that.
Also I remember receiving spam on addresses used for companies which had never publicly disclosed they'd been hacked (looking at you, NYC MTA [1]). A few times I tried reaching out to the company to alert them, but it was always met with skepticism, plain denial, or outright passive-aggressiveness (e.g., "_How do you know?_", potentially implying I was involved). Fool's errand.
At some point I moved to Gmail when they started offering Google Apps for Business with custom domains. At the beginning their spam filter was very weak, but it got progressively better.
Over the last 5-6 years, the volume decreased dramatically. At most I get a couple of dozen emails per week (almost all flagged as Spam). I'd imagine the combination of IP filtering, email authentication (DMARC, SPF, DKIM), and ML-based spam filtering got so good that spam isn't profitable anymore.
I also monitor my domains with Have I Been Pwned [2]. As of today, I have 59 of my aliases in leaked databases -- which is a small fraction of the leaks I've experienced firsthand over the years.
[1] https://twitter.com/GuiAmbros/status/1555358970516328449
[2] https://haveibeenpwned
1- An address I used for buying an RPi from a French retailer (kubii.fr) which seems to have had a data breach
2- An address I used at Decathlon when I signed up for 4x payment plan. They seem to share the address you use with Sofinco which keeps spamming me even after unsubscribing.
Most of the spam/phishing I get is from companies that stored my personal details and then got hacked.
I would say it's likely you just got lucky.
I wish I'd been more aggressive at switching to it as the one account I got the most spam from was Kickstarter when they got compromised. I'd say 70% of all my spam came from that one breach. That unfortunately was an email address I can't burn.
I use SimpleLogin.io now after hand rolling a solution for a few years after I saw it linked from a HN post. The caveat is that my family members that hang off one of my domains struggle to understand it, despite them only seeing the personal Gmail account I created to receive their email to.
Eventually I created a new email address and just used that for all the high priority stuff that I needed to read. All was good for a while, but then a couple of companies that have my email address got hacked and I guess my info must have been sold, because since then I've started receiving spam emails again. It's manageable at the moment, but I wonder if there will again come a time that I have to start over with a new email address.
These days I'm moving to a completely randomized not human memorable model, because often the obvious aliases are also tried.
Incidentally, I don't think I've ever had aliases shared; they're typically just harvested as part of breaches or incompetence.
That being said, this alone seems to work great! I've always been curious about how many tracking companies have sophisticated-enough logic that they can tell two email addresses from the same domain belong to the same person. Probably not many, since it's such a niche solution.
Now I need to get better at using random names instead of my own, when possible.
My experience with generated one-per-contact addresses is similar. I think pretty much 100% spam came from the ones I use for Usenet.
In my case, mail destined for these addresses bypasses all anti-spam checks, so I know it's not the spam filters: there are none.
(Filtering mail destined for generated addresses is counterproductive; you often need them in situations where maximum delivery reliability is paramount. Plus, such a system is a complete anti-spam scheme; it doesn't need to be combined with any other.)
The problem is that they copy it into a DB and it is a globally unique identifier. Once this happens you have lost control. You can never ungive that GUID. Your only recourse becomes spam filtering or migrating to another email GUID and waiting until the new one gets leaked all over the intarwebs and then doing it again. Phone numbers are even worse.
The solution is fairly simple, as discovered by the OP. Don't give out the same GUIDs when you sign up for an online "relationship".
It is a shame this pattern exists, people should stop designing accounts like this.
There have been a few random incidents. I did get one spam message to my kickstarter email address, presumably because some project I funded did not protect my address. I also once got spam from a reservation I made for brunch at a local jazz club.
You also can’t stop them from sending you postal mail.
Fortunately non-profits and politicians are lazy and they all use just a few emailers which you can identify via the headers, so a couple Fastmail rules catch most of it. NGP VAN is the worst offender on the Democratic side, and can be identified by “Return-Path:” contains “bounce.myngp.com”.
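The header rule described above, as an added example that is not part of the original comment: a small Python version of "Return-Path contains bounce.myngp.com", run over constructed raw messages. Only bounce.myngp.com comes from the thread; the second bulk-sender domain and the sample messages are constructed.

```python
# Added example (not from the thread): file a message by the domain of its
# Return-Path envelope sender, the way the Fastmail rule above does.
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Bounce domains used by bulk emailers -> folder. bounce.myngp.com is the
# one named in the thread; the second entry is a constructed placeholder.
BULK_SENDER_DOMAINS = {
    "bounce.myngp.com": "Political",
    "bounce.bulkmailer.invalid": "Marketing",
}

def return_path_domain(raw_message: str) -> Optional[str]:
    """Domain of the Return-Path address, lowercased; None if absent/empty."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("Return-Path", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()

def classify(raw_message: str) -> str:
    """Folder for the message. Suffix match, so mail.bounce.myngp.com also
    hits; a plain substring test would also match lookalikes such as
    bounce.myngp.com.attacker.invalid, which is why the suffix is checked."""
    domain = return_path_domain(raw_message)
    if domain is None:
        return "Inbox"
    for bulk_domain, folder in BULK_SENDER_DOMAINS.items():
        if domain == bulk_domain or domain.endswith("." + bulk_domain):
            return folder
    return "Inbox"

# Constructed sample messages (headers only need a blank line before body).
MSG_POLITICAL = """\
Return-Path: <bounce-12345@bounce.myngp.com>
From: "Some Campaign" <info@campaign.invalid>
To: politics@mydomain.invalid
Subject: We need you

Chip in today.
"""

MSG_SUBDOMAIN = """\
Return-Path: <b-777@mail.bounce.myngp.com>
To: politics@mydomain.invalid
Subject: Last chance

Still need you.
"""

MSG_LOOKALIKE = """\
Return-Path: <x@bounce.myngp.com.attacker.invalid>
To: politics@mydomain.invalid
Subject: Not really NGP VAN

Hello.
"""

MSG_PERSONAL = """\
From: friend@example.invalid
To: me@mydomain.invalid
Subject: Lunch?

Tomorrow?
"""
```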
The strangest one ever was an email address given to a boutique spa hotel in Oregon showing up on spam announcing a new production from a local California community musical theatre. I must have given the hotel my zipcode as well so the email was sold based upon my location.
> Is the fear of "people selling your email to spammers" a modern myth, or are spam filters that good?
If your spam filter is catching something, then you're receiving spam, it's just not being delivered.
For the most part, I get more ham (false positives) than negatives (actual spam).
I don’t think any half-way decent sites are selling your mails to spammers, but hacks and breaches happen, as they did to Ledger [0].
Besides that, there’s a Chinese store and a vaping store that both have no easy unsubscribe, so those addresses are also blocked.
[0]: https://haveibeenpwned.com/PwnedWebsites#Ledger
Edit to add: I have no spam filters on those accounts.
Some of these addresses were the unique style you mentioned.
So I guess you’re just lucky.
I've also found burnermail to be a super useful tool, they have a chrome extension which lets you generate a site/day specific alias and have it forward to your inbox, you can block them in their site too.
I do often get asked if I work for said company when giving it in person or over the phone, and I just say it’s so I know if it gets sold or leaked I know where it came from.
I seem to remember a few years ago I couldn’t sign up to a service with the company name in the email, but that’s the only time I came across that.
Phone number on the other hand – it is a nightmare – how every service (office front desk, apartment front desk, car wash, restaurant, barbershop etc) takes your phone number and uploads it to some spam database and then you get so many spam sms and calls.
There’s also cases like Dropbox who had a data breach a few years back, and for whose associated addresses I’m receiving some spam since.
However, I am receiving a _bunch_ of spam email to "first.lastname@mydomain.xz". I do have one default inbox everything goes into, if it does not match a filter.
I could (and should) shame at least a dozen decently well-known organizations, just ridiculously low on my list to go digging again.
Surely partly due to filters, but also our activities/circles - and the control over their data. A lot of compromises lead to leaked lists of addresses to both spam and target for gaining access
More often I've had to directly block companies whose unsubscribe links just wouldn't work. I have a very low tolerance for that: if I unsubscribe, I mean it.
One of my aliases was clearly compromised and it is now sent a lot of spam.
Do I simply delete the alias and retire it and update my email with whatever services I care to hear from?
As an aside, I have found the spam filter on Fastmail to be pretty bad. Anyone else have this experience?
This is a big one for me. Some companies will send me mails from a bunch of different email addresses, sometimes with different domains. So much easier to have one rule for one of my email addresses than a bunch of rules for a bunch of theirs that I don't even know of yet.
Same. I love Fastmail, but even after almost a decade of training, spam filtering is quite bad compared to eg. Google Mail.
Fastmail catches what Gmail does not in my case. Though the reverse has not been tested.
I have received exactly one spam email where I could identify who sold the db (or maybe it was leaked and they haven't owned up yet).
Most of the spam I receive is to an address I used before that leaked in some hack a while ago, so that one is truly for sale everywhere at this point.
One time I actually got my phone fixed faster because the receptionist thought I was a Samsung worker (samsung@m.....pt) and their store was a Samsung partner.
Anyway, I also do not receive any spam on the custom ones.
I actually have a service in the works that has a simple API to create aliases etc., with hosted IMAP, though not forwarding because forwarding is stupid. The main issue, though, is that by itself it's not useful; it needs browser integration etc.
I've been using custom email for a couple of decades. Definitely get spam on a bunch of them, including recently.
The worst though is the email I registered with the county clerk for voting. That one gets a ton of spam.
godaddy@kraln.com allwinner10@kraln.com couponmom@kraln.com ppcgeeks@kraln.com
Each one either directly or indirectly related to a known breach (i.e. haveibeenpwned). It's not just selling your email that could happen, but also careless IT security resulting in your email getting in the hands of spammers.
It's not exactly Adobe selling my email to a spammer, but a data breach, and then marketers decided that would be a good target to blast their marketing emails.
1. keen.io when they sold to a PE firm
2. 1password - we're not sure why this one happened, 1password's security team worked with me to dig into it and it's likely that the name I used was just too generic and landed on a keyword list.
Confronted them about it and got accused of being sloppy and hacked... I am certainly not the smartest person alive, but I'm not a complete clown.
Semi-permanent fake addresses ending in @icloud.com that forward to my gmail address. Apple is also one of the few companies I’d probably trust with the task.
Wish it was a standalone app rather than buried in the settings menu.
I could say the same about Passwords. I'm happy that they *finally* got passwords out of that relic called Keychain Access and into the System Preferences, but they could do even more.
I hope to see an actual "online security" center on iOS and macOS within 2 years, with passwords, temporary emails, even learning material.
The most frequent recipients are the ones I rotate annually for LinkedIn. Mostly UCE rather than scams. Anecdotally it looks like 2019-2020 was a lousy period for their information security.
- my last lettings agency. Lettings agencies are scum.
People that have been compromised:
- an AWS account (!)
- local city council
I use a <service>.<date>.<nonce>@<domain> setup, the nonce has only protected from various colleagues being major PITAs.
Many email providers automatically create a folder with the “plus” name.
For example: youremail+company@yourdomain.com
Creates a folder named “company” and puts those received emails into it.
Just adding a sample.
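The two alias schemes above, as an added example that is not part of the original comments: a routing function that recovers the service from a `<service>.<date>.<nonce>@<domain>` address or the folder from a `user+company@domain` address, and also treats a retired (leaked) alias as a spam trap as an earlier comment described. The domain, the retired-alias set and the YYYYMMDD date format are assumptions.

```python
# Added example (not from the thread): route inbound mail by recipient alias.
import re
from dataclasses import dataclass
from typing import Optional

MY_DOMAIN = "mydomain.invalid"  # constructed

# Aliases that were burned (leaked) and replaced: anything still arriving
# here is spam by definition, so it is learned/discarded, not delivered.
RETIRED_ALIASES = {"kickstarter.20170501.q7x9", "shop+oldstore"}

# <service>.<date>.<nonce>; the date format is an assumption (YYYYMMDD).
ALIAS_RE = re.compile(
    r"^(?P<service>[a-z0-9-]+)\.(?P<date>\d{8})\.(?P<nonce>[a-z0-9]+)$"
)

@dataclass
class Route:
    folder: str
    service: Optional[str] = None
    spam_trap: bool = False

def route(address: str) -> Route:
    """Decide where mail to `address` goes.

    Matching is done on the lowercased local part only, after splitting on
    the last "@", so case tricks and wrong-domain mail cannot fool it.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if domain != MY_DOMAIN or not local:
        return Route("Inbox")          # not ours, or malformed: default

    if local in RETIRED_ALIASES:
        return Route("Spam", spam_trap=True)

    # Plus addressing: providers file user+company into a "company" folder.
    if "+" in local:
        _, tag = local.split("+", 1)
        return Route(tag or "Inbox", service=tag or None)

    # service.date.nonce scheme: the service name is the folder.
    m = ALIAS_RE.match(local)
    if m:
        return Route(m["service"], service=m["service"])

    # Bare local part such as first.lastname: default inbox.
    return Route("Inbox")
```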
It's definitely a problem for postal mail addresses.
Do you know if you are getting _any_ spam or just that all of your spam is marked as such, not reaching your inbox?
They're not really spam sources, but the other criticisms of email tracking/cross marketing apply.
Encyclopedia Britannica?
I am doing the same thing as you do, and I am getting spammed on this address.
me@example.org -> _me@example.org. "Yup now the account is deleted, we hope to see you again soon!"
It's too bad the GDPR authority in the Netherlands is much too swamped to care about a literal purge option doing literally nothing. In both instances, I was still able to login to the account with the original password (clearly not information necessary for tax record reasons, or whatever excuse they might come up with). I don't always check the developer console for the API response that might hint at this, and don't delete accounts that often to begin with, so it wouldn't even surprise me if a majority of services turned out to do something similar under the hood.
Screenshot: https://snipboard.io/Y2MpbU.jpg (DigitalOcean's account deletion page, this is the option I checked but was still able to log in. The other offender, I don't want to even give the benefit of free negative publicity.)
---
Catch-alls are fun. Sometimes when I email a company, like Contoso@mydomain.example.org, I will subsequently receive business email from their vendor (helpdesk or IT or whatever service they provide that made my email end up in the autocomplete) that was intended for their contact person at Contoso. I've always let them know but it feels rather awkward and they never reply to me :)
Interestingly Gary Johnson (the Libertarian candidate for president) sold my email to Scott Walker (the right-wing Wisconsin governor). That shows you something. Also my United Airlines email got out there in the spam world. I think there were a few others. I finally stopped doing it out of laziness.