[HN Gopher] The case for unique email addresses (2020)
___________________________________________________________________
The case for unique email addresses (2020)
Author : ivanvas
Score : 49 points
Date : 2022-06-20 15:14 UTC (7 hours ago)
(HTM) web link (musings.tychi.me)
(TXT) w3m dump (musings.tychi.me)
| focusedone wrote:
| I've done this for some time. <companyname>@<mydomain>.com makes
| it easy to see who sold my address, easy to make a filter for
| that inbound address if needed.
|
| Maybe there are security benefits? If every site has both a
| unique email and PW I figure automated attacks are a bit less
| likely. Could someone figure my clever email scheme out? Easily.
|
| My thinking is it's like being chased by a bear when out hiking
| with friends. You don't have to outrun the bear, just one of your
| friends. I'm probably not willing to achieve perfect security,
| but if I can be slightly more difficult to figure out than <next
| person on the list> maybe that helps?
| quirino wrote:
| I do something similar with my passwords, where I include the
| name of the website in there in some manner. Definitely not
| very secure, but probably better than simply using the same
| password everywhere.
| tut-urut-utut wrote:
| Back in the time when email was important, I considered doing
| something similar. Now, I just use one personal mail address that
| I share only with real-world friends, and one other for all my
| online accounts.
|
| At this point, I don't even bother whether I receive spam on that
| email or not, since it's just something I'm probably not going to
| read. I mean, who cares about LinkedIn notifications or Amazon
| receipts, if I need them, I know where to find them. The default
| spam filter of my mail provider and a few custom filters based on
| from domain names are enough to keep my inbox manageable.
|
| And even private mail is not that important anymore, given that
| most of the communication with real people is now done through
| various messengers.
| wizofaus wrote:
| Except typically when you _do_ receive an email, it's a more
| important message and is more likely to contain important
| attachments or other information you need to retain vs messages
| via social media/ online messaging services, even if it's from
| friends/family. Worse, not scanning your junk email regularly
| can lead to missing key information that you've been sent. The
| current situation in general with how messaging is done online
| seems far from ideal, but it's hard to see too many good ways
| forward. Logically though if there were a reliable way to track
| _who_ you've given out your details to, it should be possible
| to simply block messages that aren't from such sources.
| tut-urut-utut wrote:
| Important email just doesn't come suddenly anymore. Nowadays
| people will just message me to check my email address before
| sending an important email, although it didn't change for
| years. And then, they'll message me to ask if I actually
| received an email. So no important private mail gets lost ;)
|
| Or I just receive booking confirmation minutes after booking.
| Even if I don't read it or save immediately, it's still there
| in inbox ready to be searched for and found if needed.
|
| The only exception is business mail, but there I usually
| communicate only with people from my company or my address
| book, so there's no spam problem there.
| wizofaus wrote:
| I can easily give 5-10 examples of personal emails I
| received recently which had critical info I had to act on,
| and/or documents I need to retain for future reference,
| none of which were anticipated. One was an airline
| canceling a flight!
| [deleted]
| brunes wrote:
| I have been doing this for ~ 10 years or more. It is trivial to
| do if you own your own email domain, and only slightly more
| difficult with GMail.
|
| There are other benefits that the article author does not cover,
| that become clear when you think about how threat actors analyze
| breach data.
| lowwave wrote:
| or install https://wildduck.email or mail in the box type of
| server, just host it yourself. Wildduck web interface allows you
| to make unlimited alias already.
| pvg wrote:
| Previously:
|
| Oct 2020, 19 comments
| https://news.ycombinator.com/item?id=24814029
|
| Related recent quasi-dupeversation:
|
| _Using a catch-all domain is a mistake_ , 18 days ago, 296
| comments https://news.ycombinator.com/item?id=31585463
| hansword wrote:
| The email address I give out to companies is
| theircompanyname@myserver.com - this has most of the privacy
| benefits the author describes. But frankly, I did it just to find
| out who sells my personal info to spammers. Turns out quite a few
| do, and whenever I get a spam email, I just look at the to-address
| and I know who betrayed me.
|
| Edit: multiple typos
| davchana wrote:
| I too do it, although occasionally a hiccup occurs. Last week,
| I signed up for something, and their system was unable to send
| an account activation email at theirCompanyName@myDomain.com. I
| spent about 30 minutes with customer service on chat, and they
| were like, no, it's impossible to have them@my domain email. If
| I have, I should send them an email. I did it, sent email, and
| they were still not believing it.
| nazca wrote:
| I do the same. In addition to the security and privacy
| benefits, the traceability has been helpful. Years ago my
| Netflix account was hacked, and they refused to believe it was
| on their end. They were sure someone had accessed my email. I
| was not able to convince them that netflix@myserver.com was not
| a thing you could log into. But having a unique email was one
| of the clues that led me to be confident that my email had not
| been hacked, and it must have been something purely on the
| netflix side.
| kolinko wrote:
| Playing devil's advocate - it could've been your Netflix
| password that was compromised, or someone you shared your
| Netflix password with (if you do it).
| phyzome wrote:
| I'm not sure I've ever found any indication of someone
| _selling_ my address, but I've discovered multiple services
| that have been hacked.
|
| One of them, Avvo, has yet to admit it... but it's quite clear.
| LinuxBender wrote:
| I used to keep it that simple but some companies are catching
| on and blocking the account in the name of "fraud" but really
| they are just upset. Instead I use a realistic looking canary
| that maps to their company without their company name being in
| the email address.
| indymike wrote:
| Companies that do not respect RFC email addresses are simply
| breaking the internet. Email addresses are not unilaterally
| specified by your marketing department, they are at this
| point, internet infrastructure.
|
| https://datatracker.ietf.org/doc/html/rfc5322
| LinuxBender wrote:
| Agreed, but I don't think they care about RFCs. Rather they
| want to be able to track people and be able to sell _or
| leak, but really sell_ your email address and email
| canaries put a stop to that behavior and they don't like
| it.
| kevin_thibedeau wrote:
| I spell their name backwards to thwart this filtering.
| philipwhiuk wrote:
| It's not much better than "Your.Full.Name+company@example.com"
| in practice, though.
| pandemicsoul wrote:
| Lots of companies don't allow you to enter the + symbol in
| their signup field.
| anonymousiam wrote:
| I do this too, and lots of companies also don't allow you
| to use _THEIR_ company name in the email address that you
| give them.
|
| Sometimes their front-end is not aware of this restriction
| and will let you register, but then you'll have
| unresolvable issues. I've spent some time on tech support
| phone calls with companies that have this issue.
|
| Occasionally a company will implement blocking their own
| name in a user-provided email after the user is already
| registered. I've had this happen a few times too. Suddenly
| the account will disappear without explanation.
| forgotpwd16 wrote:
| A spammer can just filter the +company bit out.
| prash_ant wrote:
| Yes, but the fraction of users using the +company part
| would be similar to the fraction of linux desktop users on
| the internet.
|
| The way we don't see most software companies supporting
| linux desktop users simply because it is not profitable, we
| can hypothesize that the spammers won't spend time-energy-
| money on getting the +company filtered out.
| indymike wrote:
| Removing the +company is not cool. When I give you
| myname+yourcompany@mydomain.something, I'm authorizing you to
| mail to that address, not myname@mydomain.something. If you
| don't respect the recipient, you'll be rewarded with
| unsubscribes, at best, and spam reports at worst.
| core-utility wrote:
| But we're talking about the same companies who will sell
| your data for a fraction of a cent. I don't think they care
| about being "not cool"
| paulryanrogers wrote:
| IME some may accept the plus address at sign up then break it
| at sign in or substitute for another character. A major US
| insurance company did this, which could have allowed
| hijacking if one had registered the address with the plus
| replaced with their substitute character.
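What forgotpwd16 and paulryanrogers describe, as an added example that is not code from the thread or from any product named in it: stripping a "+tag" is a two-line transform, and a site that rewrites "+" at sign-in but not at sign-up makes two different mailboxes resolve to the same account key. The fix is one canonical form applied identically at every boundary, plus a collision check over the accounts already stored. Every name and address below is constructed.

```python
import re
from typing import Callable, Dict, List, Optional

# A '+tag' sub-address: local part, '+', anything up to '@'. Constructed for this example.
PLUS_TAG_RE = re.compile(r"^([^+@]+)\+[^@]*@([^@]+)$")


def strip_plus_tag(address: str) -> str:
    """Drop the '+tag' from a sub-address ('me+shop@x' -> 'me@x').
    This is the trivial transform the thread mentions; its triviality is
    why '+company' is weak as a *privacy* measure, though still useful for
    filtering and traceability."""
    m = PLUS_TAG_RE.match(address.strip())
    return f"{m.group(1)}@{m.group(2)}" if m else address.strip()


def canonical(address: str) -> str:
    """The one normalisation a site should apply, identically at sign-up and
    sign-in: trim and lower-case. The '+tag' stays, because it is part of
    the mailbox name the user chose."""
    return address.strip().lower()


class AccountStore:
    """Toy registry keyed by canonical(address). The two sign_in variants show
    what happens when sign-in normalises differently from sign-up."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}

    def sign_up(self, address: str, name: str) -> str:
        key = canonical(address)
        if key in self.users:
            raise ValueError(f"{key} already registered")
        self.users[key] = name
        return key

    def sign_in_inconsistent(self, address: str) -> Optional[str]:
        # The defect the thread describes: sign-in substitutes another
        # character for '+', so the lookup key differs from what sign-up stored.
        key = canonical(address).replace("+", ".")
        return self.users.get(key)

    def sign_in_consistent(self, address: str) -> Optional[str]:
        return self.users.get(canonical(address))


def collisions(store: AccountStore, rewrite: Callable[[str], str]) -> Dict[str, List[str]]:
    """Defender's check: which stored addresses become indistinguishable under a
    proposed lookup rewrite? Any group of size > 1 is an account-confusion risk,
    so the rewrite must not ship (or the second registration must be refused)."""
    groups: Dict[str, List[str]] = {}
    for key in store.users:
        groups.setdefault(rewrite(key), []).append(key)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def demo():
    store = AccountStore()
    store.sign_up("Alice+Insurer@example.com", "alice")    # plus address accepted at sign-up
    store.sign_up("alice.insurer@example.com", "mallory")  # a different mailbox, same shape
    # With the inconsistent lookup Alice's own address resolves to the OTHER account.
    mapped_to = store.sign_in_inconsistent("alice+insurer@example.com")
    # With the consistent lookup each address maps to its own account.
    ok = store.sign_in_consistent("alice+insurer@example.com")
    return mapped_to, ok


if __name__ == "__main__":
    print(demo())  # ('mallory', 'alice')
```

The `collisions` helper is the check to run before changing how a sign-in form normalises addresses: feed it the proposed rewrite and refuse to deploy while it returns any group.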
| samschooler wrote:
| I'd say it's one level beyond. Since "+" is so widely used, as
| talked about in the article, it's trivial to remove. However,
| with a non-standard domain and inconsistent username it's not
| as easy to remove. These are some of the formats I use; they
| all offer exactly what I need (uniqueness, hard to
| programmatically attach to another, and culpability):
|
| lyft@account.example.com
|
| liftcarshare@example.com
|
| email@lyft.com.example.com
|
| example.com@com.lyft.example.com
| anonporridge wrote:
| I would personally go one level further.
|
| Generate random email addresses so you can't easily guess
| what others I might have given out. Then keep track of the
| mapping.
|
| A service like simplelogin.io makes this easy.
| bosie wrote:
| icloud and also fastmail do this for you
| turboponyy wrote:
| What I usually do is servicename + 6 to 10 random
| numbers. This way I can see the intended recipient whilst
| avoiding people being able to check where I've signed up.
| ZetaZero wrote:
| FastMail does something like this. Their Masked Emails
| are two random words plus a four digit number.
| caust1c wrote:
| Been using this feature since they introduced it and can
| say that I'm very pleased with it so far in combination
| with its 1Password integration.
|
| When creating an account somewhere, fastmail
| automatically generates a new email for the site via an
| API in one click.
|
| Highly recommend.
| sereguze wrote:
| What about base58 encoding their company name.
| core-utility wrote:
| Same here. It's fun getting doctors' offices coming back and
| asking me "Do we have your email right?"
| samschooler wrote:
| This is what I do as well, and it's real nice to be able to
| black-hole a specific "to" email address vs. trying to unsubscribe
| from every piece of spam email sent to your one email address.
| MarkSweep wrote:
| The article talks a lot about imagining how Facebook can track
| you with your email. You don't have to imagine, just go to "Off
| Facebook activity" in the settings. You will see a list of
| companies that have uploaded your email address to Facebook so
| that they can target ads at you.
| philipwhiuk wrote:
| This is the worst written article I've seen in a while. It gets
| very lost in the weeds, struggles to make any points, just sort
| of wanders about.
|
| There's no actual discussion of what a unique email should be. Or
| how that could possibly work and be practical given that any
| payment related site will also need your real name and address.
| t0astbread wrote:
| I disagree. This article is about the author's thoughts and
| experiences related to privacy and working in the information
| sector. It's not primarily about email. Criticizing the title
| is fair I think.
| zippergz wrote:
| I did similar things for many years, but at the end of the day I
| found that I was just adding friction for myself and not getting
| any real benefit. Yeah, I can see who has sold (or inadvertently
| leaked) my information, but then what? Don't do business with
| them again? Fine, but it's too late. And so many companies have
| problems like this that if you refuse to do business with any of
| them, you're going to find yourself very limited.
|
| In a broader sense, as I learned to grow out of my 1990s-era rage
| about spam, I've found that my online life has gotten a lot less
| stressful. No, I still do not like commercial email in my inbox.
| But constantly being angry about it and trying to fight it did
| not result in me getting any less of it. All it did was make me a
| bitter person. Something something accept the things I cannot
| change...
| ebrewste wrote:
| If you are committed to using the leaker, change your email for
| them from company@myserver.com to company2@myserver.com and
| block company@myserver.com. It gets the benefit of spam
| blocking and leaker traceability in one easy step.
| johnklos wrote:
| Honestly, I can't help but be suspicious about postings like
| this because they are way too common. They introduce no real
| new information and only serve to offer, "it's too much work,
| so just accept it".
|
| It's completely disingenuous to say that you can't do anything
| with the information gained from learning who is selling,
| sharing or otherwise allowing email address lists to be
| compromised. It's almost maliciously disingenuous.
|
| You can do infinitely more with this information than you can
| about any other kind of spam:
|
| 1) you can demand to know how and why your address was shared
| with third parties
|
| 2) you can insist on disclosure, particularly if you live in a
| state or country that mandates it, for any breach they may
| blame it on
|
| 3) if they ignore you, you can publicly shame them on social
| media and inform others
|
| 4) most importantly, you can STOP accepting email at that
| unique address, and stop any future spam.
|
| I really wonder what these naysayers want. They clearly want the
| rest of us to not expend the tiniest bit of energy to maintain
| any agency in the control of our own email, but why? I really
| wish I knew. They're not helping people by telling them to save
| - what? - minutes of time per month? I'm so curious.
| Beltalowda wrote:
| > They clearly want the rest of us to not expend the tiniest
| bit of energy to maintain any agency in the control of our
| own email, but why?
|
| No one is telling _you_ what to do, they're just saying that
| they didn't find it valuable for them personally. My
| experiences are similar.
|
| You can do whatever you want with your email (...except send
| me spam...)
| wrboyce wrote:
| > Don't do business with them again? Fine, but it's too late.
|
| Well no, not if you have assigned them a unique address. That
| is the whole point of the exercise, no? Stop doing business
| with them _and_ block their unique address.
| Beltalowda wrote:
| "Stop doing business with them" is not always a feasible
| option, or the cost is very high (more than many are willing
| to pay); that's the problem.
| sbf501 wrote:
| I've been doing this since 2013 and the only spam I ever get is
| from the one email I put on my websites.
|
| Spam filters are so good that the spam never sees my inbox (I use
| RunBox.com email because of their extreme privacy).
|
| The only downside: I have to keep this domain FOREVER. If I sell
| it, and someone else connects it to a mail service, they will
| have access to all of my email addresses.
| dannysu wrote:
| I always use unique email as well. Just recently I started
| getting spam at newrelic@domain.com. It was easy to see where
| spam came from and add New Relic to the list of companies I'd not
| do business with.
| mebazaa wrote:
| There are a couple of websites that let you do this without
| running your own email server.
|
| https://33mail.com is one, for instance (disclaimer: happy
| customer here.)
| phyzome wrote:
| The best approach is to buy a domain name and set up your mail
| host with a catchall address. For example, I use Fastmail for
| mail hosting, and they support this at a reasonably priced tier
| -- but I can switch to another mail host if I want, and keep
| all my addresses. With 33mail it sounds like you'd be locked
| in.
| lowwave wrote:
| Hmm, just tried to send an email to their support address and
| found this:
|
| >>SMTP Error (450): Failed to add recipient
| "support@33mail.com" (4.1.8 <xxx@xxx.com>: Sender address
| rejected: Domain not found).
|
| Hmmm, don't even know how to contact them.
| all2 wrote:
| I'll toss in a mention of yggdrasil [0], which would put every
| computer on the network at a unique address.
|
| [0] https://yggdrasil-network.github.io/
| t0astbread wrote:
| My email provider limits the amount of aliases I can register
| with them but they let me have a catchall and Sieve filters. So I
| wrote a script that generates "normal-looking" email aliases,
| then builds a Sieve filter out of that. Everything that goes to
| an existing alias reaches my inbox, everything else goes straight
| to the Junk folder.
|
| I've uploaded it to my GitHub:
| https://github.com/t0astbread/sievegen
|
| Of course that's not a perfect approach in terms of privacy but
| for most purposes, it strikes the right balance between privacy
| and "hard to accidentally lose control of" for me.
| vandyswa wrote:
| I wrote about these concepts, and have lived with my system since
| 2004:
|
| https://www.vsta.org/spam/Traveler.html
|
| (Ancient formatting, use reader mode if you're in Firefox.)
|
| tl;dr Mail is broken because there's no authorization. Make your
| address act as an authorization token which is (1) transitive,
| and (2) revocable.
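The scheme t0astbread describes (a catch-all plus a generated Sieve filter), vandyswa's framing of the address as a revocable authorization token, and ebrewste's "rotate to company2@ and block company@" move all fit in one small registry. The following is an added example written for this page; it is not t0astbread's sievegen, not vandyswa's system, and not any provider's code. It assumes a personal domain `example.com` with a catch-all mailbox and a Sieve-capable host; the word list, service names and addresses are constructed.

```python
import json
import random
import re
import secrets
from typing import Dict, Optional

DOMAIN = "example.com"  # assumed personal domain with a catch-all
WORDS = ["maple", "harbor", "quill", "ember", "lantern", "meadow", "pebble", "willow"]
ALIAS_RE = re.compile(r"^[a-z]+\.[a-z]+\d{1,2}@" + re.escape(DOMAIN) + r"$")


def new_alias(rng: random.Random) -> str:
    """A 'normal-looking' address: two dictionary words and a short number.
    It carries no hint of the service it was issued to; that link lives only
    in the registry, so one leaked alias does not reveal the others."""
    return f"{rng.choice(WORDS)}.{rng.choice(WORDS)}{rng.randrange(100)}@{DOMAIN}"


class AliasRegistry:
    """alias -> {"service": ..., "active": bool}. Persisted as JSON and used to
    regenerate the Sieve script whenever an alias is issued or revoked."""

    def __init__(self, entries: Optional[Dict[str, dict]] = None,
                 rng: Optional[random.Random] = None) -> None:
        self.entries: Dict[str, dict] = dict(entries or {})
        self.rng = rng or secrets.SystemRandom()

    def issue(self, service: str) -> str:
        """Hand a fresh alias to one service: the 'authorization token'."""
        alias = new_alias(self.rng)
        while alias in self.entries:  # WORDS is tiny, so collisions do happen
            alias = new_alias(self.rng)
        self.entries[alias] = {"service": service, "active": True}
        return alias

    def revoke(self, alias: str) -> None:
        """Stop accepting mail at an alias but keep its history for traceability."""
        self.entries[alias]["active"] = False

    def rotate(self, alias: str) -> str:
        """Revoke a leaked alias and issue a new one to the same service."""
        service = self.entries[alias]["service"]
        self.revoke(alias)
        return self.issue(service)

    def whose(self, alias: str) -> Optional[str]:
        """Which service was given this address? (the 'who leaked it' lookup)"""
        entry = self.entries.get(alias)
        return entry["service"] if entry else None

    def route(self, recipient: str) -> str:
        """Python mirror of the Sieve decision: active alias -> INBOX, else Junk."""
        entry = self.entries.get(recipient.strip().lower())
        return "INBOX" if entry and entry["active"] else "Junk"

    def sieve(self) -> str:
        """Sieve script (RFC 5228) for a catch-all mailbox: keep mail whose
        envelope recipient is an active alias, file everything else into Junk."""
        active = sorted(a for a, e in self.entries.items() if e["active"])
        if not active:  # a Sieve string list may not be empty, so special-case it
            return 'require ["fileinto"];\nfileinto "Junk";\n'
        addrs = ", ".join(f'"{a}"' for a in active)
        return (
            'require ["fileinto", "envelope"];\n'
            f'if envelope :is "to" [{addrs}] {{\n'
            "  keep;\n"
            "} else {\n"
            '  fileinto "Junk";\n'
            "}\n"
        )

    def dump(self) -> str:
        return json.dumps(self.entries, indent=2, sort_keys=True)

    @classmethod
    def load(cls, text: str) -> "AliasRegistry":
        return cls(json.loads(text))


if __name__ == "__main__":
    reg = AliasRegistry()
    a = reg.issue("newrelic")
    print(reg.sieve())
    b = reg.rotate(a)  # spam showed up at `a`: revoke it, keep doing business via `b`
    print(reg.whose(a), reg.route(a), reg.route(b))
```

The generated script is uploaded to the mail host in whatever way it offers (ManageSieve or a web form); because the filter matches the envelope recipient rather than the `To:` header, a message Bcc'd to a revoked alias is still junked. Revoked aliases stay in the JSON on purpose: the registry remains the record of which service was given which address.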
| fmajid wrote:
| I've been doing this for 20 years now, and Apple or DuckDuckGo
| have made it accessible to normal people. The day I started
| receiving pornographic spam addressed to dell@majid.fm (no longer
| the domain I use, BTW), I knew Dell's security was worthless and
| they had been breached.
|
| BTW I built a simple spreadsheet-like GUI for Postfix to manage
| the list, as it's grown quite large:
|
| https://github.com/fazalmajid/postmapweb
| encryptluks2 wrote:
| I don't really think that getting an email at dell@domain.com
| means that a provider's security has been compromised. Not only
| do you need to use unique email addresses but they should be
| uncommon. Otherwise it doesn't really do a lot to address the
| issue. Might I also suggest using subdomains as well.
| anonymousiam wrote:
| I disagree. I've been doing this for decades and occasionally
| I'll get spam/porn to one of the unique addresses I've
| created. In the past, I would notify the entity of their
| breach, but they almost never take me seriously so now I just
| delete their email address.
| encryptluks2 wrote:
| Yeah, they don't take you seriously if you wonder why you
| might be getting spam at obvious@domain.com
___________________________________________________________________
(page generated 2022-06-20 23:01 UTC)