I self-host my own email server (against The Greater Internet's better judgement, it feels) and one of the neat things I can do with Postfix is set any arbitrary character as a username/junk separator.
Gmail has supported this for a long time with the '+' character, but this has some major problems. Many things that accept email addresses don't recognize '+' as a valid email username character and won't let you submit the form. I hypothesize that some of this is poor awareness of what constitutes a valid email address, and some of it is intentional to force users to input their "real" email address. I have also run across a few systems that stripped off the '+' suffix off my gmail address.
My solution is to use the '.' as the separator because 'firstname.lastname' is a VERY common email username and I'm happy to not allow it in a "real" username on my tiny mail host.
So every new site or company I interact with gets user.acme@example.com instead of my "real" email address. I can filter incoming emails based on the To header. And I even have a list of companies (a couple well-known) that have leaked or sold my email address to spammers. Some day I'll write a blog post about that.
I do this too. It's worth noting that you don't need to host your own email server to do this. I personally use Migadu as an email host for my own domains which lets me define arbitrary wildcard redirects. I'm sure most of its competitors will let you do the same.
Not quite, it's not a separator, you can't add arbitrary content after the dot. Dots are just ignored in Gmail, so you need to keep a map of dot placement and quantity to service, vastly less convenient.
I do something similar except I make up a custom email every time. (No plus addressing at all, everything without a valid destination goes to the default account) It's rare something doesn't like it, most automated systems use the reply to header. Email lists are usually the ones least tolerant.
I use canaries. I point a dozen domains to fastmail and another dozen to my self hosted email servers. Each have aliases that are mapped to vendors but do not have the vendor name as some vendors are getting upset at this practice and calling it fraud. If I start getting garbage on that alias, I notify the vendor. In most cases they will give me a boiler plate response and then I delete the alias. If they are snarky I create a reject rule with my own snark that also explains the emails for that vendor have been either sold or compromised. This is to let people buying email addresses know they bought a dirty list as some of the modern bots have some telemetry.
I'm not GP, but I've had transitions denied while attempting to purchase something because the retailer's code flagged my email address as suspicious because it contained their name in it.
Haven't had that happen to me, but I did get asked by a clueless support rep from $VERY_BIG_MULTINATIONAL_CORPORATION whether I was also an employee due to their company name appearing in my email address. (Coincidentally I used to consult for that company.) Long story short I set them straight rather than trying to parlay their ignorance to my advantage.
The most shocking thing was that I was calling them regarding an issue in which they required me to prove my identity, and yet the person I spoke with didn't seem to be well versed in security measures.
Also: I use a separate alias for every company (and sometimes individual) I deal with. In the 25 or so years I've been doing this, so far I'm up to over 1,000 aliases.
I would venture a guess that there is an equal proportion of company executives who would think that creating and using an email address like 'CompanyCeo@gmail.com' was completely fine - an awareness of internet scams is not correlated with business acumen!
I run my own IT. I host my own email, authoritative DNS, web, etc. I use wireguard for a lot of stuff. I put stuff behind cloudflare. I'm sneaky when I need to be, but mostly I'm just a control freak. I also know way more than the average person about email and email authentication. Or lack thereof.
Every entity gets it's own email address. As others have pointed out, it lets me track who ends up with it. Sometimes I find it surprising, mostly I don't. Sometimes, though, people are up to some shit.
edit to say that those actually creating mailboxes for everything should just use aliases that funnel to a single mailbox. So much easier to maintain than having to have a huge keepass db.
edit 2 employ dmarc if you want to see who is trying really game
I care. I use a generated email address at my domain for every account/service/website.
I store the account info in keepass, they all have generated passwords too.
I can see when email comes in who abused the email, was compromised, or sold it.
If an email starts getting spam, i block receiving to that address. if desired, I update the account to have another generated email, but usually if I'm getting spam to that email I don't want to do business with them again.
- at some point my email for amazon was shared, and I started getting offers from some vendor to 5-star review one of their products on amazon. I changed my amazon email address. (I generally trust amazon)
- emails from my bank have to go to a specific email address. I can be pretty certain it is my bank contacting me.
- I generally do not give my email address to retail stores. On several occasions I've given it to them for deliveries, telling them it isn't for anything but for the delivery. I'd say 80% of stores are super disrespectful of this. One spammed me every. single. day. with offers, until I got the delivery and turned off that email address.
- I once gave out a specific email address to a friend. He shared it with a second person to coordinate all of us meeting. and then I started getting phished so we figured out that the second person had his email compromised.
- I rented a car from hertz and had to give an email address. and then they sold it to other companies.
- linkedin stuff. easy to spot fakes since they don't go to my linkedin email address. Also easy to spot emails from people contacting me who got the email from linkedin.
"I can be pretty certain it is my bank contacting me."
This is a neat advantage of this approach. I usually get phishing emails on a "wrong" email address, which makes them trivial to identify. So I know what to look out for should they ever manage to target the correct email address.
I generate a "username" on Bitwarden for every new address I need which is effectively the same approach (using my domain). Do you mean though that you generate an email address with your mail server, or do you just use a catch-all? I do the latter and I've never considered "turning off" an address before and now I wonder if I have that option.
I do not. I have three mail boxes, for trashy, job-y and personal things. And a couple of technical (apple id, etc).
Gmail is really good at filtering spam, so I probably looked into it and found a letter that I waited for only one time in last few years. My inboxes are either empty or may get first non-spam marketing emails that I unsubscribe from immediately. Unread count zero.
Idk why people fortify their email that much and investigate who does what. Have no issues nor hesitation with leaving my work email at any local org.
Same. I used to run my own email servers and do all the per domain things. It was just way too exhausting. Switched to Gmail and haven't looked back. Don't even worry about email at all now. I just wish I had jumped on Gmail earlier to have a better username.
I've seen quite a few people here reccomending the use of . and + from gmail, but I don't think its a good idea at all.
Most people who work in the 'email marketing' space know about this feature. So it's common to see people recommending clients to 'clear' their email list before sending unsolicited emails. And some services even offer this as a feature in the platform.
And that also goes for custom domains hosted on gmail. You only need a MX query to learn who is responsible for mail handling in a specific domain.
I used to use a catch-all with a custom e-mail for every website I used. I had amazon@mydomain, newegg@mydomain, etc.
I found that despite what people think, your e-mail address isn't being sold. At least, not by any vendors with a remotely decent reputation. I never got spam to any of those e-mail addresses.
That is my experience as well. I have heaps of 'Masked Email' aliases for my Fastmail email account and the only significant offender I've come across is various Kickstarter projects (as I understand Kickstarter passes on my email address when a project is successfully funded) and various Bitcoin sites from back when I dabbled in Bitcoins. All other reputable companies have actually not sold any of my email addresses (including some I've noticed elsewhere in this thread accused of doing so, which I find quite interesting). I am now at the point where I'm considering migrating back the majority of my aliases back to firstname@lastname.TLD address for most things. It is more hassle than it's worth as I often forget I had a Masked Email and end up creating a second account. Also in-store if I need to provide my address it is awkward giving out what sounds to store staff like a dodgy address. Also when I reinstall my computer/phone/etc it's a hassle figuring out what login address I used for each site/app I have accounts with. I may use Masked Email only if there is a higher level of risk.
I ran a catch-all for two decades, including during my IBEW apprenticeship. They were unabashed on sending their own (and others') SPAM daily – direct-to-trash.
I do, I use Fastmail and create aliases for every service. It's interesting to see how fast companies will "lose" or sell your email address.
I've seen it as fast as 24 hours my unique email address is being used by others even though their privacy policy says that they will never share your info.
Do you get so much spam from a specific email that you feel safe to ban it completely? Are you able to sue them or just send a strongly worded email about how they sold your email?
I also do this. There are some bad sellers that keep my email address and create a new email list for every promotion, so the Unsubscribe link in their emails always says something like “Unsubscribed from Promotion-2024-October” instead of “Unsubscribed from AnnoyingSeller”. Those get sinkholed.
I also once helped a seller discover that their contractor had stolen and resold their customer contact list when I started getting unrelated spam at that address and complained lol
Honestly, using a username generator in Bitwarden, it's so easy to do this that it basically "pays" for itself the first time you get a "true" spam email and it's effortless to identify who sold you out. I originally tried doing this manually but that was too much effort; now it's as simple and natural as generating a password for a new login. I see no reason to ever stop.
Of course, the vast majority of spam I get is marketing emails from companies I've actually done business with. Few if any even have an opt-in checkbox on their checkout form and those that do hardly ever honor it. There's simply nothing to be done about that except unsubscribe after the first time they spam you - and this is where having unique emails also helps, because those "unsubscribe" links are obviously riddled with tracking as well.
I do the exact same thing and I don't live in the US so suing a party that sells my shit isn't an option, but it's nice to be able to blackhole an alias so that the corporation in question doesn't get to bother me with their bullshit. It's only happened once or twice.
The important detail is to add random nonce/salt to the generated email, like _jri68, so that it's not guessable, so it's provable that the database was compromised. Guessing bestbuy@example.com is believable, but guessing bestbuy_jri68@example.com, is not.
My strategy is to use a few alias for sources with spam risk like forum, sign up on “free” offers etc., some for newsletters. When I’m suspicious but not sure, I quickly add the +. Only for very few official transactions, I would use my real addresses.
In general, Gmail deals very well with spammers. For the rest, when an alias is spoiled, I simply discard it and create a new one.
Occasional use of plus addressing but I find a lot of signup forms now actively block this. Also have a secondary crappy gmail address that I use for low value stuff that is sus. (That’s full of spam and has multiple hits on have I been pwned)
Beyond that I don’t worry about this too much.
As a side note - amazed that iPhone autocorrect corrected my “owned” to pwned in above
Fastmail offers per-service generated addresses. I think it's kind of fascinating to watch my email address that went solely to my local credit union start sending me spam somewhat related to my employer.
Fastmail allows for aliasing too - username@domain.tld -> bank@username.domain.tld, retailer@username.domain.tld, etc. Pretty convenient. I use that feature pretty often and I can only recall one instance which seemed to indicate my address was sold to spammers. It’s more useful for organizing incoming mail, like plus-aliasing in gmail.
I also have an @ alias on my domains, and give unique addreses to companies/services which identifies them. I'm only had a couple accusations of "fraud", but they were easily dispelled by asking them to explain what "fraud" I was committing (they couldn't) and explaining why I do this.
Addresses which have been lost/stolen and start receiving spam become spam traps, and I change the email address with the company/service to a new alias so their legitimate mail is delivered normally.
In some of the few cases where the loss/theft was identified, it didn't happen at company/service directly, but with one of their suppliers, for example, a breach at the marketing email provider they used.
I've used spamgourmet.com for many years (Literally decades, my first entry was 2003-08-07) to create disposable email address. You just make up the address "tempsite.4.username@spamgourmet.com" to create an email address for tempsite that expires after 4 uses. You can always remove this limit later.
My message stats: You have 245 spamgourmet address(es). 827 emails forwarded, 28,605 eaten.
The #1 worst offender for selling my address was Yahoo, followed by the German magazine Der Spiegel, then Groupon. But my stats go back 20 years, so this may not represent current sharing activity. I also have many many examples of registering at all kinds of sketchy websites that have never used that temp address beyond the initial registration confirmation..
Sorting by created date, in the most recent 5 years, my temp addresses seem to be getting shared and re-used considerably less frequently, which probably correlates to the overall death of email, which is for old people, so I am told.
Fastmail let's you set a wildcard when you bring your own domain. Same outcome as other's mention - usernamespotify@domain.com is my spotify email address. I make it up during login creation and it just works. I've used this technique for every login but not once has it resulted in traceable spam. Logins are all tracked in keepass.
This one time a restaurant owner was demanding email addresses when creating a reservation. I provided the email created using the above technique and explained why.
"if I create an account with Target called target@domain.com and I start seeing emails from Walmart sent to target@ then I know Target sold my data."
His eyes got really big and he changed the subject.
I self-host so that I can set the addresses to whatever I want it to be. I use the ISP's server for sending and my own server for receiving (this can be configured with Exim).
Then, if I receive some spam messages, I can delete an alias that I don't want, in order to avoid receiving any messages.
(When someone sends to an invalid alias, the SMTP server gives them a 550 error.)
(I use Heirloom-mailx for reading, managing, and sending email messages.)
I care but don't have time or the resources. What I have made a habit of tho is registering to any new website or service using example any.name@gmail.com → register using a.nyname@gmail.com. I then take note of which variant / which service.
I have no idea if this works the way I expect it logically could or should, but if it does I guess I have some data to go thru.
Not any more. Dark web rollups include just about everything you could ever want to know about anyone. Using a unique address per service just makes it easier to identify which services you use.
My friend Ward was doing sub-addressing back in the 1970s, with made up apartment/box numbers, and eventually the xmodem.com domain. He learned quite a few things about it.
For instance, if you look at the article he wrote about CBBS[1], you'll see he's listed at apartment #3D.
I never took up the practice, though I suppose I could having the warot.com domain to play with, and a single family residence to make up PO boxes, apartments, etc.
I do not regularly track, but I do reflexively create throwaway emails at a domain I bought for that purpose, so that I can /dev/null them if/when someone sells that email address to a list.
Yes, I’ve done this for years. And to be honest, I don’t think I’ve ever “caught” a business sharing a service when they shouldn’t have.
Makes me question why continue to do it.
I've been doing this for years, as well. I've also found that the majority of companies I give an email address to are actually surprisingly good stewards of that information. However, I have found a number of email leaks. It looks like my block list is up to 31 addresses. Most of those are leaks that led to spam. (Although one was a smoothie chain that insisted on sending me email every single day, and their unsubscribe page always seemed to be "malfunctioning".)
I don't think all or most of these companies on the list are intentionally selling my address to spammers. I suspect most of these leaks are due to poor handling of the data or server compromises. (Surely Adobe, for example, isn't so desperate that they would sell my address to spammers.) But whether by malice or incompetence, I can easily block them.
When I learned about public git commits "leaking" my email address it was already too late. Now I'll probably use that email for this particular task. And another sad thing, is that many spammers are picking up "support" email address from Google Play Store.
Still waiting for a email service which would charge each spammer several dollars for "successful delivery", or plain "waste of time".
I have addresses like somename-ex-someservice@mydomain.com directed to my email, which I use to register myself in "someservice". This is how I know where email was leaked and needs to be disabled. I use Protonmail basic subscription to attach my domain. Before that I was using rewriting rules in Postfix.
I have a public address and a private address. Gmail does well enough with spam filtering. I check it monthly and find some false positives. Nothing important though.
I can’t imagine spending more time on this, though.
I used to, but it basically showed that no one ever gave away my email address to spammers, or at least if they did, the spam filter caught it. It's not worth it.
If an email is truly unsolicited (didn't come from an entity you didn't give your address to), it's not wise to click on an unsubscribe link anyway, as it sends a strong signal to the spammers that not only was the email delivered to a real person, but they also read it. In their eyes, you just went from a random string of letters to a hot sales lead.
Catchall for 25 years :) (on domainfactory - df.eu) each company/service gets their own email prefix, so I can determine spam and also filter unsolicited emails.
I use Proton's email aliases for throwaway accounts, and I have a catch-all on my own domain and use custom email addresses (think apple.com-randomstring@example.com) for accounts that I intend to keep until I die.
I do something like this with Proton and my own domain as well. However, I made the mistake of buying a .io domain, thinking England would be pretty stable. Now I need to figure out what I’m doing.
A lot of services don't accept the '+' sign in an email address, even though it's perfectly valid according to RFCs. Part of this is ignorance of standards but I suspect part of it is deliberate. (To get the users' "real" addresses.)
The worst examples are services that accept + when creating an account but does not accept + for logins. Believe it or not this has happened to me several times, and with large companies too. When companies started blocking + address specifically and/or being clever with removing the + part, I decided it was not worth using + addresses anymore.
I use iCloud’s Hide my Email feature. So I have dozen email addresses and I receive email in the same inbox. I don’t care how my email addresses are used. The moment I see too much spam, I remove the email address.
I love this feature in Apple’s ecosystem so much. The newer iOS and iPadOS releases when autofilling a sign-up form even give an option to generate a new hide my email address. It’s effortless to not use your real email. If you pay for an iCloud subscription, hide my email is included. Apple tracks what site you used hide my email on when signing up and allows you to toggle forwarding of emails to your inbox on and off.
for general purpose website signup not directly linked to my identity, I use Simplelogin. For real life personal stuff I just have a gmail. There is another dedicated email for open source work, plus a few historical email addresses which aren't actively used but still occasionally receives stuff.
I have a catch-all domain but I don’t bother to setup unique emails for each service. It’s too much of a headache and you have to ask yourself:
If I find out someone sold/shared/leaked my email what am I going to do?
Here the possible responses as I see it:
* Stop doing business with them - This is way easier said than done
* Be mad - ok, great, now what?
* Send a strongly worded email - again, so what?
* Sue them? - Good luck
Selling or sharing my email address is a shitty thing to do, but my recourse is extremely limited and really ends up with me just being angry with nothing to do about it. Given that I’ve decided just to not care.
There are many things in life that I once cared about or once got worked up about that I don’t anymore because I’ve realized that it’s just not worth it. I’ve tried to identify more and more the things that get me mad, but don’t affect any change and then purge those things from my life. Life is too short to spend your time worrying about things like who sells your email.
Lightly and calmly, meaning I have many aliases on my addresses on personal domains and I try to always give unique aliases (keeping some spare on purpose), but not always-always because I'm not enough disciplined and the track is very informal, when (very rarely) I see spam I know it's time to rotate the alias. That's is.
Of course if unknown@spammer.net write to my amazon-cx1@mypersonaldomain.tld I could try to locate who have sold/leaked my address but it's still vague, since Amazon, eBay, PayPal, have a gazillion of third party. If it's to JoeIKnowNothingAboutIT@maypersonaldomain.tld it's likely he was cracked and so on.
I can't remember which company now, but one time I called into customer support and gave them the unique email address that I used for that account. It had their company name in it. Something like bityard.acme@example.com, for instance. The person on the other end paused for several seconds as if looking over their shoulder and whispered, "wait... do you work here or something?"
I use Hey.com's "catch all" inbox for this but it's a bit janky. If you set up a "custom domain" Hey account, you can actually email `[anything]@yourdomain.com` and it'll arrive in the catch all inbox. (Not unique to hey obviously) It has the benefit that it's impossible to block, but Hey obviously doesn't really want me doing that since they charge per-email-address.
I do this too, with namecheap.com's email servers... I pay for a few email domains on namecheap, but one is specifically for spam, and I use their "catch all" as well.
So if I sign up for a service like amazon.com, my email address will be amazon.com@[my-spam-domain].com so I know exactly who is selling my email address. I do this for every service that asks for an email address.
I'd never use a "plus" email address from my main email account, which is far too easy for spammers to figure out my real email address from.
been running my own email for 25 years or so. been using "plus" addressing (actually hyphen) for approximately as much. got only few cases when email got sold/shared. biggest issue was linkedin email address leak a bunch of years ago, so i got a lot of spam to -linkedin@ alias . changed email on linkedin to something different, and old emails go to spam
I self-host my own email server (against The Greater Internet's better judgement, it feels) and one of the neat things I can do with Postfix is set any arbitrary character as a username/junk separator.
Gmail has supported this for a long time with the '+' character, but this has some major problems. Many things that accept email addresses don't recognize '+' as a valid email username character and won't let you submit the form. I hypothesize that some of this is poor awareness of what constitutes a valid email address, and some of it is intentional to force users to input their "real" email address. I have also run across a few systems that stripped off the '+' suffix off my gmail address.
My solution is to use the '.' as the separator because 'firstname.lastname' is a VERY common email username and I'm happy to not allow it in a "real" username on my tiny mail host.
So every new site or company I interact with gets user.acme@example.com instead of my "real" email address. I can filter incoming emails based on the To header. And I even have a list of companies (a couple well-known) that have leaked or sold my email address to spammers. Some day I'll write a blog post about that.
I do this too. It's worth noting that you don't need to host your own email server to do this. I personally use Migadu as an email host for my own domains which lets me define arbitrary wildcard redirects. I'm sure most of its competitors will let you do the same.
Note that Gmail also supports dots as well (similar to your postfix solution).
https://support.google.com/mail/answer/7436150?hl=en
Not quite, it's not a separator, you can't add arbitrary content after the dot. Dots are just ignored in Gmail, so you need to keep a map of dot placement and quantity to service, vastly less convenient.
Do you ever have issues sending messages using user.acme@example.com as the from address?
Some companies want you to respond from the email address on file when you interact with them.
I do something similar except I make up a custom email every time. (No plus addressing at all, everything without a valid destination goes to the default account) It's rare something doesn't like it, most automated systems use the reply to header. Email lists are usually the ones least tolerant.
I use canaries. I point a dozen domains to fastmail and another dozen to my self hosted email servers. Each have aliases that are mapped to vendors but do not have the vendor name as some vendors are getting upset at this practice and calling it fraud. If I start getting garbage on that alias, I notify the vendor. In most cases they will give me a boiler plate response and then I delete the alias. If they are snarky I create a reject rule with my own snark that also explains the emails for that vendor have been either sold or compromised. This is to let people buying email addresses know they bought a dirty list as some of the modern bots have some telemetry.
woah, what do you mean by calling it fraud? Have you actually had companies come after you legally due to an email alias?
I'm not GP, but I've had transitions denied while attempting to purchase something because the retailer's code flagged my email address as suspicious because it contained their name in it.
Haven't had that happen to me, but I did get asked by a clueless support rep from $VERY_BIG_MULTINATIONAL_CORPORATION whether I was also an employee due to their company name appearing in my email address. (Coincidentally I used to consult for that company.) Long story short I set them straight rather than trying to parlay their ignorance to my advantage.
The most shocking thing was that I was calling them regarding an issue in which they required me to prove my identity, and yet the person I spoke with didn't seem to be well versed in security measures.
Also: I use a separate alias for every company (and sometimes individual) I deal with. In the 25 or so years I've been doing this, so far I'm up to over 1,000 aliases.
I've always knew at least some companies would do that so I just use slight variations on their names. Never had an issue.
I had this happen as well. I responded with a long rant, which apparently proved my humanity.
Linode did this to me.
Just another data point, I've had the same issue with some vendors.
Conversations caused by the odd looking email address can often get very nasty.
This is why I also like how iCloud does with their hide my mail feature; there’s nothing suspicious about the email you give out.
It only has to be unique. It's easy to find out who you gave it to by looking at the very first email.
ROT13 or the date in base36 (to keep it short) might help when you need to spell your email address over the phone. Today is oaf@example.com.
Unix epoch `date +%s` still only requires 6 characters. I really like your idea.
Hiding information behind a non-standard encoding is a really smart idea.
I will update my technique to use incorporate this method, thanks!
I have not had anyone accuse me of fraud yet, but I have had email addresses rejected because they too obviously contained the company name in them.
Samsung does this for example! You can't register a Samsung account if your email contains the word "Samsung"...
I think this might be a lazy attempt to protect users from scammers trying to impersonate the company.
There are people that will read an email from "SamsungCeo@gmail.com" and think it's actually from the owner of the company...
I would venture a guess that there is an equal proportion of company executives who would think that creating and using an email address like 'CompanyCeo@gmail.com' was completely fine - an awareness of internet scams is not correlated with business acumen!
I do this too (3 domains, Fastmail)
For specific vendors where I am at the shop, I just make up an alias email with their name in it.
For apps, services, I configured bitwarden to create email aliases on Fastmail, so they are linked to a service.
I run my own IT. I host my own email, authoritative DNS, web, etc. I use wireguard for a lot of stuff. I put stuff behind cloudflare. I'm sneaky when I need to be, but mostly I'm just a control freak. I also know way more than the average person about email and email authentication. Or lack thereof.
Every entity gets it's own email address. As others have pointed out, it lets me track who ends up with it. Sometimes I find it surprising, mostly I don't. Sometimes, though, people are up to some shit.
edit to say that those actually creating mailboxes for everything should just use aliases that funnel to a single mailbox. So much easier to maintain than having to have a huge keepass db.
edit 2 employ dmarc if you want to see who is trying really game
Hi, Can you guide on how to do a similar setup.I would love if you could possbily share any relveant resources.
I care. I use a generated email address at my domain for every account/service/website. I store the account info in keepass, they all have generated passwords too. I can see when email comes in who abused the email, was compromised, or sold it. If an email starts getting spam, i block receiving to that address. if desired, I update the account to have another generated email, but usually if I'm getting spam to that email I don't want to do business with them again.
I do the exact same thing.
It gives you quite a bit of insight and control.
some examples:
- at some point my email for amazon was shared, and I started getting offers from some vendor to 5-star review one of their products on amazon. I changed my amazon email address. (I generally trust amazon)
- emails from my bank have to go to a specific email address. I can be pretty certain it is my bank contacting me.
- I generally do not give my email address to retail stores. On several occasions I've given it to them for deliveries, telling them it isn't for anything but for the delivery. I'd say 80% of stores are super disrespectful of this. One spammed me every. single. day. with offers, until I got the delivery and turned off that email address.
- I once gave out a specific email address to a friend. He shared it with a second person to coordinate all of us meeting. and then I started getting phished so we figured out that the second person had his email compromised.
- I rented a car from hertz and had to give an email address. and then they sold it to other companies.
- linkedin stuff. easy to spot fakes since they don't go to my linkedin email address. Also easy to spot emails from people contacting me who got the email from linkedin.
It goes on and on. More people should do this.
"I can be pretty certain it is my bank contacting me."
This is a neat advantage of this approach. I usually get phishing emails on a "wrong" email address, which makes them trivial to identify. So I know what to look out for should they ever manage to target the correct email address.
I generate a "username" on Bitwarden for every new address I need which is effectively the same approach (using my domain). Do you mean though that you generate an email address with your mail server, or do you just use a catch-all? I do the latter and I've never considered "turning off" an address before and now I wonder if I have that option.
Does that work? I mean if I had that rule, I wouldn’t do business with almost anyone again. How does that help even?
I do this as well. Unique emails for every account along with unique passwords, password manager. Works great so far.
I do not. I have three mail boxes, for trashy, job-y and personal things. And a couple of technical (apple id, etc).
Gmail is really good at filtering spam, so I probably looked into it and found a letter that I waited for only one time in last few years. My inboxes are either empty or may get first non-spam marketing emails that I unsubscribe from immediately. Unread count zero.
Idk why people fortify their email that much and investigate who does what. Have no issues nor hesitation with leaving my work email at any local org.
Same. I used to run my own email servers and do all the per domain things. It was just way too exhausting. Switched to Gmail and haven't looked back. Don't even worry about email at all now. I just wish I had jumped on Gmail earlier to have a better username.
I've seen quite a few people here reccomending the use of . and + from gmail, but I don't think its a good idea at all.
Most people who work in the 'email marketing' space know about this feature. So it's common to see people recommending clients to 'clear' their email list before sending unsolicited emails. And some services even offer this as a feature in the platform.
And that also goes for custom domains hosted on gmail. You only need a MX query to learn who is responsible for mail handling in a specific domain.
> And that also goes for custom domains hosted on gmail. You only need a MX query to learn who is responsible for mail handling in a specific domain
Curious why this matters? Let's say you know abc@foo.com is hosted on gmail, so what?
I used to use a catch-all with a custom e-mail for every website I used. I had amazon@mydomain, newegg@mydomain, etc.
I found that despite what people think, your e-mail address isn't being sold. At least, not by any vendors with a remotely decent reputation. I never got spam to any of those e-mail addresses.
That is my experience as well. I have heaps of 'Masked Email' aliases for my Fastmail email account and the only significant offender I've come across is various Kickstarter projects (as I understand Kickstarter passes on my email address when a project is successfully funded) and various Bitcoin sites from back when I dabbled in Bitcoins. All other reputable companies have actually not sold any of my email addresses (including some I've noticed elsewhere in this thread accused of doing so, which I find quite interesting). I am now at the point where I'm considering migrating back the majority of my aliases back to firstname@lastname.TLD address for most things. It is more hassle than it's worth as I often forget I had a Masked Email and end up creating a second account. Also in-store if I need to provide my address it is awkward giving out what sounds to store staff like a dodgy address. Also when I reinstall my computer/phone/etc it's a hassle figuring out what login address I used for each site/app I have accounts with. I may use Masked Email only if there is a higher level of risk.
I ran a catch-all for two decades, including during my IBEW apprenticeship. They were unabashed on sending their own (and others') SPAM daily – direct-to-trash.
I do, I use Fastmail and create aliases for every service. It's interesting to see how fast companies will "lose" or sell your email address.
I've seen it as fast as 24 hours my unique email address is being used by others even though their privacy policy says that they will never share your info.
Yes.
I use a catch-all. I can accept (whatever)@mydomain.tld
Anytime a new company wants my email address, I just randomly give them one.
So far I only get spam to the email addresses other people posted on a website as contacts for organizations I volunteer with.
(I get spam from web scraping, not from company hacks/sharing etc.)
JW, why?
Do you get so much spam from a specific email that you feel safe to ban it completely? Are you able to sue them or just send a strongly worded email about how they sold your email?
Before this, when just using a single email address, I had no idea where the spam was coming from.
Now I know where the spam (I get) comes from.
I haven't had to ban any addresses yet.
I also do this. There are some bad sellers that keep my email address and create a new email list for every promotion, so the Unsubscribe link in their emails always says something like “Unsubscribed from Promotion-2024-October” instead of “Unsubscribed from AnnoyingSeller”. Those get sinkholed.
I also once helped a seller discover that their contractor had stolen and resold their customer contact list when I started getting unrelated spam at that address and complained lol
Honestly, using a username generator in Bitwarden, it's so easy to do this that it basically "pays" for itself the first time you get a "true" spam email and it's effortless to identify who sold you out. I originally tried doing this manually but that was too much effort; now it's as simple and natural as generating a password for a new login. I see no reason to ever stop.
Of course, the vast majority of spam I get is marketing emails from companies I've actually done business with. Few if any even have an opt-in checkbox on their checkout form and those that do hardly ever honor it. There's simply nothing to be done about that except unsubscribe after the first time they spam you - and this is where having unique emails also helps, because those "unsubscribe" links are obviously riddled with tracking as well.
I do the exact same thing and I don't live in the US so suing a party that sells my shit isn't an option, but it's nice to be able to blackhole an alias so that the corporation in question doesn't get to bother me with their bullshit. It's only happened once or twice.
The important detail is to add random nonce/salt to the generated email, like _jri68, so that it's not guessable, so it's provable that the database was compromised. Guessing bestbuy@example.com is believable, but guessing bestbuy_jri68@example.com, is not.
My strategy is to use a few alias for sources with spam risk like forum, sign up on “free” offers etc., some for newsletters. When I’m suspicious but not sure, I quickly add the +. Only for very few official transactions, I would use my real addresses. In general, Gmail deals very well with spammers. For the rest, when an alias is spoiled, I simply discard it and create a new one.
I don't care. Even if I get to know for sure the culprit who sold or shared my email address, then what?
Occasional use of plus addressing but I find a lot of signup forms now actively block this. Also have a secondary crappy gmail address that I use for low value stuff that is sus. (That’s full of spam and has multiple hits on have I been pwned)
Beyond that I don’t worry about this too much.
As a side note - amazed that iPhone autocorrect corrected my “owned” to pwned in above
while they might block the plus, they likely do not block the dot. It's not exactly the same but can help for at least a few scenarios.
Fastmail offers per-service generated addresses. I think it's kind of fascinating to watch my email address that went solely to my local credit union start sending me spam somewhat related to my employer.
Fastmail allows for aliasing too - username@domain.tld -> bank@username.domain.tld, retailer@username.domain.tld, etc. Pretty convenient. I use that feature pretty often and I can only recall one instance which seemed to indicate my address was sold to spammers. It’s more useful for organizing incoming mail, like plus-aliasing in gmail.
I also have an @ alias on my domains, and give unique addreses to companies/services which identifies them. I'm only had a couple accusations of "fraud", but they were easily dispelled by asking them to explain what "fraud" I was committing (they couldn't) and explaining why I do this.
Addresses which have been lost/stolen and start receiving spam become spam traps, and I change the email address with the company/service to a new alias so their legitimate mail is delivered normally.
In some of the few cases where the loss/theft was identified, it didn't happen at company/service directly, but with one of their suppliers, for example, a breach at the marketing email provider they used.
I've used spamgourmet.com for many years (Literally decades, my first entry was 2003-08-07) to create disposable email address. You just make up the address "tempsite.4.username@spamgourmet.com" to create an email address for tempsite that expires after 4 uses. You can always remove this limit later.
My message stats: You have 245 spamgourmet address(es). 827 emails forwarded, 28,605 eaten.
The #1 worst offender for selling my address was Yahoo, followed by the German magazine Der Spiegel, then Groupon. But my stats go back 20 years, so this may not represent current sharing activity. I also have many many examples of registering at all kinds of sketchy websites that have never used that temp address beyond the initial registration confirmation..
Sorting by created date, in the most recent 5 years, my temp addresses seem to be getting shared and re-used considerably less frequently, which probably correlates to the overall death of email, which is for old people, so I am told.
what do you mean yahoo. As in you made a yahoo account with your domain?
Because yahoo also hosted @yahoo addresses, it would have been pretty noticeable if they sold the addresses of their own users.
"EDIT:which probably correlates to the overall death of email, which is for old people, so I am told."
Still alive and kicking as the de facto passport of the internet.
Fastmail let's you set a wildcard when you bring your own domain. Same outcome as other's mention - usernamespotify@domain.com is my spotify email address. I make it up during login creation and it just works. I've used this technique for every login but not once has it resulted in traceable spam. Logins are all tracked in keepass.
This one time a restaurant owner was demanding email addresses when creating a reservation. I provided the email created using the above technique and explained why.
"if I create an account with Target called target@domain.com and I start seeing emails from Walmart sent to target@ then I know Target sold my data."
His eyes got really big and he changed the subject.
I self-host so that I can set the addresses to whatever I want it to be. I use the ISP's server for sending and my own server for receiving (this can be configured with Exim).
Then, if I receive some spam messages, I can delete an alias that I don't want, in order to avoid receiving any messages.
(When someone sends to an invalid alias, the SMTP server gives them a 550 error.)
(I use Heirloom-mailx for reading, managing, and sending email messages.)
I care but don't have time or the resources. What I have made a habit of tho is registering to any new website or service using example any.name@gmail.com → register using a.nyname@gmail.com. I then take note of which variant / which service.
I have no idea if this works the way I expect it logically could or should, but if it does I guess I have some data to go thru.
Not any more. Dark web rollups include just about everything you could ever want to know about anyone. Using a unique address per service just makes it easier to identify which services you use.
My friend Ward was doing sub-addressing back in the 1970s, with made up apartment/box numbers, and eventually the xmodem.com domain. He learned quite a few things about it.
For instance, if you look at the article he wrote about CBBS[1], you'll see he's listed at apartment #3D.
I never took up the practice, though I suppose I could having the warot.com domain to play with, and a single family residence to make up PO boxes, apartments, etc.
[1] https://vintagecomputer.net/cisc367/byte%20nov%201978%20comp...
I do not regularly track, but I do reflexively create throwaway emails at a domain I bought for that purpose, so that I can /dev/null them if/when someone sells that email address to a list.
Yes, I’ve done this for years. And to be honest, I don’t think I’ve ever “caught” a business sharing a service when they shouldn’t have. Makes me question why continue to do it.
I've been doing this for years, as well. I've also found that the majority of companies I give an email address to are actually surprisingly good stewards of that information. However, I have found a number of email leaks. It looks like my block list is up to 31 addresses. Most of those are leaks that led to spam. (Although one was a smoothie chain that insisted on sending me email every single day, and their unsubscribe page always seemed to be "malfunctioning".)
I don't think all or most of these companies on the list are intentionally selling my address to spammers. I suspect most of these leaks are due to poor handling of the data or server compromises. (Surely Adobe, for example, isn't so desperate that they would sell my address to spammers.) But whether by malice or incompetence, I can easily block them.
When I learned about public git commits "leaking" my email address it was already too late. Now I'll probably use that email for this particular task. And another sad thing, is that many spammers are picking up "support" email address from Google Play Store. Still waiting for a email service which would charge each spammer several dollars for "successful delivery", or plain "waste of time".
I have addresses like somename-ex-someservice@mydomain.com directed to my email, which I use to register myself in "someservice". This is how I know where email was leaked and needs to be disabled. I use Protonmail basic subscription to attach my domain. Before that I was using rewriting rules in Postfix.
I have a public address and a private address. Gmail does well enough with spam filtering. I check it monthly and find some false positives. Nothing important though.
I can’t imagine spending more time on this, though.
Sure do - though I have my own domain, so I don't need subaddressing. If some address gets compromised, I just set it to bounce.
I used to, but it basically showed that no one ever gave away my email address to spammers, or at least if they did, the spam filter caught it. It's not worth it.
What's especially awesome is how many unsolicited emails don't have unsubscribe links in them.
If an email is truly unsolicited (didn't come from an entity you didn't give your address to), it's not wise to click on an unsubscribe link anyway, as it sends a strong signal to the spammers that not only was the email delivered to a real person, but they also read it. In their eyes, you just went from a random string of letters to a hot sales lead.
Also nuts is when they couple them to phony real world locations like "123 Main St., Mytown MA"
Catchall for 25 years :) (on domainfactory - df.eu) each company/service gets their own email prefix, so I can determine spam and also filter unsolicited emails.
I use Proton's email aliases for throwaway accounts, and I have a catch-all on my own domain and use custom email addresses (think apple.com-randomstring@example.com) for accounts that I intend to keep until I die.
I do something like this with Proton and my own domain as well. However, I made the mistake of buying a .io domain, thinking England would be pretty stable. Now I need to figure out what I’m doing.
No, I absolutely could not care less. Its baffling to me why people do. There's nothing you can do about it, anyway.
Use unique plus addresses for each service that requests email address.
A lot of services don't accept the '+' sign in an email address, even though it's perfectly valid according to RFCs. Part of this is ignorance of standards but I suspect part of it is deliberate. (To get the users' "real" addresses.)
The worst examples are services that accept + when creating an account but does not accept + for logins. Believe it or not this has happened to me several times, and with large companies too. When companies started blocking + address specifically and/or being clever with removing the + part, I decided it was not worth using + addresses anymore.
I use iCloud’s Hide my Email feature. So I have dozen email addresses and I receive email in the same inbox. I don’t care how my email addresses are used. The moment I see too much spam, I remove the email address.
I love this feature in Apple’s ecosystem so much. The newer iOS and iPadOS releases when autofilling a sign-up form even give an option to generate a new hide my email address. It’s effortless to not use your real email. If you pay for an iCloud subscription, hide my email is included. Apple tracks what site you used hide my email on when signing up and allows you to toggle forwarding of emails to your inbox on and off.
for general purpose website signup not directly linked to my identity, I use Simplelogin. For real life personal stuff I just have a gmail. There is another dedicated email for open source work, plus a few historical email addresses which aren't actively used but still occasionally receives stuff.
I have a catch-all domain but I don’t bother to setup unique emails for each service. It’s too much of a headache and you have to ask yourself:
If I find out someone sold/shared/leaked my email what am I going to do?
Here the possible responses as I see it:
* Stop doing business with them - This is way easier said than done
* Be mad - ok, great, now what?
* Send a strongly worded email - again, so what?
* Sue them? - Good luck
Selling or sharing my email address is a shitty thing to do, but my recourse is extremely limited and really ends up with me just being angry with nothing to do about it. Given that I’ve decided just to not care.
There are many things in life that I once cared about or once got worked up about that I don’t anymore because I’ve realized that it’s just not worth it. I’ve tried to identify more and more the things that get me mad, but don’t affect any change and then purge those things from my life. Life is too short to spend your time worrying about things like who sells your email.
Lightly and calmly, meaning I have many aliases on my addresses on personal domains and I try to always give unique aliases (keeping some spare on purpose), but not always-always because I'm not enough disciplined and the track is very informal, when (very rarely) I see spam I know it's time to rotate the alias. That's is.
Of course if unknown@spammer.net write to my amazon-cx1@mypersonaldomain.tld I could try to locate who have sold/leaked my address but it's still vague, since Amazon, eBay, PayPal, have a gazillion of third party. If it's to JoeIKnowNothingAboutIT@maypersonaldomain.tld it's likely he was cracked and so on.
Yes every service gets a custom address.
It's also interesting that some services don't allow COMPANYNAME@mydomain.com for registration. (Can't remember which)
I can't remember which company now, but one time I called into customer support and gave them the unique email address that I used for that account. It had their company name in it. Something like bityard.acme@example.com, for instance. The person on the other end paused for several seconds as if looking over their shoulder and whispered, "wait... do you work here or something?"
Aliexpress. I log in there as express.ali@
I care. Maintain a collection of emails per tier of service plus some Apple obfuscation.
I use Hey.com's "catch all" inbox for this but it's a bit janky. If you set up a "custom domain" Hey account, you can actually email `[anything]@yourdomain.com` and it'll arrive in the catch all inbox. (Not unique to hey obviously) It has the benefit that it's impossible to block, but Hey obviously doesn't really want me doing that since they charge per-email-address.
I do this too, with namecheap.com's email servers... I pay for a few email domains on namecheap, but one is specifically for spam, and I use their "catch all" as well.
So if I sign up for a service like amazon.com, my email address will be amazon.com@[my-spam-domain].com so I know exactly who is selling my email address. I do this for every service that asks for an email address.
I'd never use a "plus" email address from my main email account, which is far too easy for spammers to figure out my real email address from.
Paid 33mail.com account.
been running my own email for 25 years or so. been using "plus" addressing (actually hyphen) for approximately as much. got only few cases when email got sold/shared. biggest issue was linkedin email address leak a bunch of years ago, so i got a lot of spam to -linkedin@ alias . changed email on linkedin to something different, and old emails go to spam
[dead]