[HN Gopher] Tell HN: After 10 years of experiments, custom usern...
___________________________________________________________________
Tell HN: After 10 years of experiments, custom username emails
receive no spam
For 10 years I've been using a custom email for every retailer I
shop at that asks for an email address, always in the form of
"company@mydomain.com". I did not keep track of how many custom
emails I used (hundreds, easily), but I have received spam from
exactly zero of these accounts. The only account that I received
spam on is one I used on my public website as a "mailto:" link. 100% of my
spam comes from this address. I host on runbox.com. Is the fear of
"people selling your email to spammers" a modern myth, or are spam
filters that good? I would argue the former since I still get 30
spam emails a day from my website email address, and zero from
companies that ask for them.
Author : sbf501
Score : 256 points
Date : 2022-08-15 15:07 UTC (7 hours ago)
| TonyTrapp wrote:
| Where I'm getting (or rather was getting) spam, apart from my
| main address:
|
| - My Kickstarter address (well-known leak).
|
| - My Paypal address (probably leaked through a web shop).
|
| Both email addresses have been blocked since then. I also got a
| spam mail through one address I used for a forum, though the
| forum owner denied that they were ever hacked, and it stayed at
| that one single mail, so... not sure what happened there. So
| yeah, it does happen, and when it happens it's nice being able to
| just block that address completely within seconds and use a new
| one.
| patio11 wrote:
| As an additional datapoint, my main email address is publicly
| available (I obfuscate it when typing out of anti-spam research
| force-of-habit but it's all over the Internet, public records,
| people's inboxes, company customer lists, etc etc), in continuous
| use for 15+ years, and I receive less than a handful of spam per
| week, almost all of the "Hello owner of $DOMAIN would you like
| to buy our SEO/etc services" genre rather than garden-variety
| spam.
|
| Possible confounding factor: I try to keep my personal and
| professional lives ~separate and so the retailers/etc most likely
| to be compromised get a personal email address (whose inbox is
| virtually unusable due to amount of commercial email it receives,
| though relatively little of that is spam per se).
| js2 wrote:
| Just don't ever donate to a non-profit or political campaign.
| There is no unsubscribing, ever. I mean, they have unsubscribe
| links, but those don't actually do anything AFAICT.
|
| You also can't stop them from sending you postal mail.
|
| Fortunately non-profits and politicians are lazy and they all use
| just a few emailers which you can identify via the headers, so a
| couple Fastmail rules catch most of it. NGP VAN is the worst
| offender on the Democratic side, and can be identified by
| "Return-Path:" contains "bounce.myngp.com".
| TheBozzCL wrote:
| I use the same strategy. Same as you, the only email address I
| get spammed on is `contact@domain.com` because I link to it
| directly in my personal site. I would prefer to use randomly
| generated UUIDs instead, but keeping track of which service is
| what would be a huge headache.
|
| That being said, this alone seems to work great! I've always been
| curious about how many tracking companies have sophisticated-
| enough logic that they can tell two email addresses from the same
| domain belong to the same person. Probably not many, since it's
| such a niche solution.
|
| Now I need to get better at using random names instead of my own,
| when possible.
| spiffytech wrote:
| > Is the fear of "people selling your email to spammers" a modern
| myth, or are spam filters that good?
|
| A decade ago I worked for a service that let you send bulk
| emails.
|
| Any time we thought a customer was using a purchased email list,
| we came down on them hard or booted them off the platform. Same
| for other forms of spamming, not including an unsubscribe link,
| etc.
|
| This wasn't necessarily altruistic: if their emails were marked
| as spam it would poison the reputation of our sending IPs and
| threaten the business.
|
| It's clearly imperfect, but the industry's incentives seem to
| help.
| jack_riminton wrote:
| A simpler way to do this is to append the company name to
| whatever gmail you're using e.g. if my email is bob@gmail.com you
| could use bob+amazon@gmail.com. No matter what you put after the
| '+' it'll still get sent to you
| kibwen wrote:
| The problem is that plenty of poorly-coded signup forms reject
| the plus character as invalid within an email address.
| WithinReason wrote:
| It's also easy to strip with a regex
| pengaru wrote:
| I've done the same for decades, and I definitely receive spam
| from some of them.
|
| The most spammy of them has been equifax, but that one was so
| publicly hacked that I didn't need spam to know about it.
| Confirmation has its value I guess. It'd be nice to know if
| equifax sold the information _and_ got hacked, that's entirely
| ambiguous and now equifax has plausible deniability thanks to the
| hack. Le sigh.
| jedberg wrote:
| > Is the fear of "people selling your email to spammers" a modern
| myth, or are spam filters that good?
|
| I've been using custom email for a couple of decades. Definitely
| get spam on a bunch of them, including recently.
|
| The worst though is the email I registered with the county clerk
| for voting. That one gets a _ton_ of spam.
| joelesler wrote:
| My email address is very guessable. I've been using iCloud's
| anonymous email feature since it rolled out a couple versions of
| MacOS ago, and my spam has decreased dramatically.
| gpm wrote:
| Maybe not 3rd party spam, but definitely first party spam.
|
| I gave a custom username email to an in-person store (big chain)
| with a rewards program because they were offering a huge discount
| if you did. Since then they've sent at least 1 email a day, with
| an average of about two (I've redirected all their emails to a
| folder I never look at). Which is a particularly remarkably
| obnoxious rate of sending emails...
|
| I've also split my email addresses in to a public one (displayed
| in my profile here, on github, on a website, etc) and a private
| one. The public one gets a spam email or two a week.
|
| Incidentally, I was surprised to discover that pinterest forbids
| you from having the word pinterest in your email (or did when I
| signed up).
| sbf501 wrote:
| I wasn't counting 1st party spam as spam because in many cases
| I like the information I get (usually sales on things I buy). I
| should have pointed that out in my post. Thanks for making the
| distinction.
| fckgw wrote:
| So just unsubscribe from the mailing list then?
|
| Why are you setting up these custom filters instead of just
| clicking the link and opting out?
| happyopossum wrote:
| > So just unsubscribe from the mailing list then?
|
| I've encountered many companies that let you unsubscribe,
| then add you to a 'new' mailing list a few months later. You
| can usually identify these companies because when you click
| to unsubscribe they take you to a page with a dozen or more
| 'newsletters' that you have to uncheck to remove yourself
| from if you can't find the 'all' link.
| Groxx wrote:
| Unsubscribe also frequently doesn't carry over when a
| company is sold to another, who then harvests every email
| ever mentioned anywhere to send new spam to.
| gpm wrote:
| Because it's faster to set up a custom filter than search in
| the email for a link... I couldn't even tell you if there is
| an unsubscribe link (I mean I suppose I could go look, but I
| definitely never did).
|
| Also after getting home and already having multiple marketing
| emails I was sort of curious about just how many they were
| going to send, which is why it's in its own folder.
| dhosek wrote:
| My biggest spam vector is an email address that is old enough
| that I used it on usenet back in the day. Pretty much any email
| that was used on email ended up in _every_ spam mailing list.
| codezero wrote:
| I do the same, and so far I've had two leak through:
|
| 1. keen.io when they sold to a PE firm
|
| 2. 1password - we're not sure why this one happened, 1password's
| security team worked with me to dig into it and it's likely that
| the name I used was just too generic and landed on a keyword list.
| lucb1e wrote:
| Catch-alls are fun. Sometimes when I delete and purge an account
| somewhere (digitalocean for example, the checkbox is literally
| called 'purge'), all they do is change the user part of the email
| address:
|
| me@example.org -> _me@example.org. "Yup now the account is
| deleted, we hope to see you again soon!"
|
| It's too bad the GDPR authority in the Netherlands is much too
| swamped to care about a literal purge option doing literally
| nothing. In both instances, I was still able to login to the
| account with the original password (clearly not information
| necessary for tax record reasons, or whatever excuse they might
| come up with). I don't always check the developer console for the
| API response that might hint at this, and don't delete accounts
| that often to begin with, so it wouldn't even surprise me if a
| majority of services turned out to do something similar under the
| hood.
|
| Screenshot: https://snipboard.io/Y2MpbU.jpg (DigitalOcean's
| account deletion page, this is the option I checked but was still
| able to log in. The other offender, I don't want to even give the
| benefit of free negative publicity.)
|
| ---
|
| Catch-alls are fun. Sometimes when I email a company, like
| Contoso@mydomain.example.org, I will subsequently receive
| business email from their vendor (helpdesk or IT or whatever
| service they provide that made my email end up in the
| autocomplete) that was intended for their contact person at
| Contoso. I've always let them know but it feels rather awkward
| and they never reply to me :)
| andersonmvd wrote:
| Usually event organizers keep selling your e-mail address after
| you gave it to them. Some events are explicit about it, others
| not really. It's not like they really ask you, it's more or less
| a condition to join the event in most cases.
| throwaway787544 wrote:
| I don't care if someone sells my data, I care if some company
| gets compromised and doesn't tell me. And it makes it harder for
| bots to crack the same account at multiple places.
| aspyct wrote:
| I also use email aliases to identify companies who sell my data.
| A few did it, and keep doing it, despite my many complaints.
| Definitely will continue doing so.
| cornstalks wrote:
| Most recently Chatbooks sold my email to some T-shirt companies.
| Or maybe they were pwnd. Either way, I wouldn't call this a
| "modern myth." You're fortunate to be so spam-free.
| mehlmao wrote:
| After Robinhood's data breach, I get tons of cryptocurrency-
| related phishing emails sent to "robinhood@mydomain.com". I've
| had a few other vendors sell / lose my email, such as an escape
| room in another city.
| dhosek wrote:
| Having your email in a mailto: link is no longer the spam vector
| that it used to be. I've had my writing email posted as such on
| my website for over a decade and it gets no more than one spam
| per week and those are all caught by the gmail filter.
| georgyo wrote:
| This is not my experience, I too have been doing this for 10
| years.
|
| In my experience, I got tons of spam, especially after a leak.
|
| By far, the _most_ spam I get is to government agencies
| and medical facilities. I started getting male enhancement
| messages to my parknyc (NYC parking meters) address in under a
| week after registering.
|
| Since my addresses are never used for more than one service, I
| can be reasonably sure they had a leak of some sort, but it is
| also not sufficient evidence to actually report it.
| seanp2k2 wrote:
| I've had CCs stolen because DMV + FasTrak required CC info and
| can't use PayPal. PayPal / Shop are great because they don't
| share your actual CC info with the merchant, only a one-time
| token for that specific transaction. All credit cards should
| work this way, where you'd log into your bank or 2FA with your
| bank (or Visa / MasterCard) and they'd provide the merchant
| with an auth code or something just for that transaction for
| that invoice to that merchant, instead of giving them the keys
| to the actual card.
|
| They even do have something called "Visa Secure" and
| "Mastercard Identity Check" ( see
| https://stripe.com/guides/3d-secure-2 ) but I've never seen
| this come up in practice. I guess it's easier for them to just
| let merchants assume the fraud risk. We need some laws that put
| the burden on the card issuers to get them to actually care
| about CC fraud, but obviously the ones benefiting from the
| current system are very well-funded and have lots of sway with
| lawmakers.
| muttled wrote:
| My Capital One card has virtual card numbers you can generate
| and you can kill them whenever you need to (or have them only
| work once). I use them any time I'm buying something outside
| the major markets like Amazon.
| spxd wrote:
| All European credit and debit cards have 2FA enabled. You
| cannot pay online without authorization from (bank) app.
| lathiat wrote:
| Depends if they get breached haveibeenpwned.com style. I
| definitely and clearly get spam from several breaches. Some is
| generic (it's on some big spam list) and some of it is targeted -
| like crowd funding campaigns spamming the hacked list of
| kickstarter accounts - which I am surprised how much of I get
| given how community driven such things often but I guess are not
| always.
|
| Some of these addresses were the unique style you mentioned.
|
| So I guess you're just lucky.
| __david__ wrote:
| I've been doing a similar thing and I _do_ occasionally see
| things. I've recently been getting spam from my Mackie email,
| for instance--They were either compromised or sold off their
| email list.
|
| More often I've had to directly block companies whose unsubscribe
| links just wouldn't work. I have a very low tolerance for that--
| If I unsubscribe I mean it.
| vinay_ys wrote:
| Email is a lot less valuable these days, exactly because of how
| good the spam/categorization filters have become - huge kudos to
| gmail for this.
|
| Phone number on the other hand - it is a nightmare - how every
| service (office front desk, apartment front desk, car wash,
| restaurant, barbershop etc) takes your phone number and uploads
| it to some spam database and then you get so many spam sms and
| calls.
| numbers wrote:
| Can I ask how you did the custom emails, did you use a password
| manager to keep track? I have been doing this recently (in the
| last year) and I'm very happy to see a post about this!
| TheChaplain wrote:
| I have. Signed up at MyFitnessPal with a unique handcrafted
| address (alias), ended up getting spam a few months later (and
| still do, several years later).
|
| Confronted them about it and got accused of being sloppy and
| hacked... I am certainly not the smartest person alive, but I'm
| not a complete clown.
| leephillips wrote:
| I use a catchall as well and can confirm your experience. No spam
| from one-off addresses given to companies.
| bravetraveler wrote:
| Meanwhile I do basically the same thing (different provider)
|
| I could (and should) shame at least a dozen decently well-known
| organizations, just ridiculously low on my list to go digging
| again.
|
| Surely partly due to filters, but also our activities/circles -
| and the _control_ over their data. A lot of compromises lead to
| leaked lists of addresses to both spam and target for gaining
| access
| jen729w wrote:
| There's a single reason that I gave up on this method: having to
| send outbound mail to these companies.
|
| You sign up for a health plan using healthplan@example.com.
| Great, until you need to send them a document. You send it from
| myrealaddress@example.com, and they write back and say hey,
| that's not the account on file, etc.
|
| So now you have to set up healthplan@example.com, configure it in
| your mail client, etc. And now you have this long list of special
| addresses to remember to have to send from, depending on the
| situation.
|
| Email is already something I loathe. Why would I make it harder
| on myself?
| Normal_gaussian wrote:
| Fastmail allows sending from any address, the client supports
| it easily. There are also a few self-hostable mail clients that
| allow it.
|
| Historically I used a more convoluted method. When I used to
| use migadu (don't use them) I had a little script that would
| check the first line of any email I sent myself for a target
| email and resend it from the receive address. It was janky but
| worked.
| josephb wrote:
| > (don't use them)
|
| Are you able to share what made you stop using them? I've
| been contemplating trying them out :-)
| cdubzzz wrote:
| Depends on your setup I suppose. I use FastMail for this
| purpose and it both automatically sets the `From` based on the
| `To` of the email I'm responding to and allows me to click in
| to the `From` email and type in whatever I want for the local
| part before sending.
| jen729w wrote:
| Ah that's cool. I don't think it did that when I used them,
| and I use Mail.app anyway.
| mikeiz404 wrote:
| Email alias services can make this process a little easier,
| though certainly not painless, by letting you create reverse
| sending email addresses [1].
|
| 1: https://simplelogin.io/docs/getting-started/reverse-alias/
| kccqzy wrote:
| That's absolutely not my experience. I _still_ receive spam sent
| to adobe@ <my custom domain>, following their data breach in
| 2013.
|
| It's not exactly Adobe selling my email to a spammer, but a data
| breach, and then marketers decided that would be a good target to
| blast their marketing emails.
| avnigo wrote:
| It's not just companies selling your email address to third
| parties, it's also companies that keep your email on file and
| then get compromised.
|
| Most of the spam/phishing I get is from companies that stored my
| personal details and then got hacked.
|
| I would say it's likely you just got lucky.
| core-utility wrote:
| I definitely get spam at special addresses. Minted (data breach)
| is one, and another company sold my info for similar interests.
| JoeAltmaier wrote:
| Maybe it's the spammers' filters that explain this?
| company@mydomain.com might be stripped from their mailing list
| because lots of folks do this. Me for instance.
| snowwrestler wrote:
| Very few legitimate companies will sell lists of raw email
| addresses, to anyone. There's very little money in it (email
| lists are cheap) and the potential upside of keeping the email
| addresses is way bigger, particularly when your email address is
| married up with behavioral data like what you bought, what pages
| you visited, what bank you use, etc.
|
| Retailers make money from your email address by trying to use it
| to get you to spend more money with them. That can be as simple
| as sending you marketing emails--which many people consider spam!
| So when you hear people complain about "spam" from retailers,
| it's often this: real marketing emails that they are mad about
| getting.
|
| Companies can also use customer email addresses as tokens for
| targeting in ad networks. In doing so, they may upload your email
| address to the ad platform. In that case they are sharing it with
| another company, but it won't result in spam. It will result in
| greater correlation between the otherwise separate tracking of
| your behavior across companies. In this case, using company-
| specific email addresses may actually be an advantage in terms of
| foiling such correlation.
| dickfickling wrote:
| I've been doing the same (also for about 10 years). A quick scan
| of my spam folder from the last few days shows drizly@,
| eventbrite@, homechef@, and sunany@ were all leaked at some
| point.
| Elof wrote:
| What email service are you using?
| OrangeMonkey wrote:
| I'm glad you had a good experience. I had a different one.
|
| I've run my own domain for longer than you have, and many emails
| have been compromised.
|
| Some are 100% from companies selling the emails to sister
| companies.
|
| The majority, though, is from a company itself being compromised
| by hackers / database access / etc. LinkedIn, Neopets,
| ProFlowers, TeeSpring, etc. I can go on.
| zndr wrote:
| Seconding this.
|
| And to compound this after doing a half ass job of what OP has
| done, I recently moved my custom google apps free domain to
| have a second reception domain I use JUST for this with a
| `.email` TLD (side note: the amount of tools that don't see
| modern TLDs as valid is enraging).
|
| I made the (maybe poor) choice of donating to political
| campaigns before the last US election using these emails
|
| - `Biden-campaign@`
|
| - `democrats@`
|
| - `<specific local race@`
|
| All of those I've had to unsubscribe from about 2-3 dozen total
| OTHER email lists as those emails are literally sold/given out
| to other campaigns. The Biden one being the worst.
|
| Also if you have your own business you'll start getting
| solicitations, LOTS of solicitations. And god forbid your email
| is on an old resume, or somewhere else.
|
| Now, is any of this "technically" spam? Maybe but not really.
| Do I consider it worthless? yes.
|
| But to cite your last specific one. I did a search for an
| address I know was on a compromised product. Specifically a
| game Heroes of Newerth. They were hacked in I believe 2015 and
| the list was sold. My email was my old method
| `name+hon@email.domain`. I get like 20~ emails to that a year
| and all of them go to spam or are flagged as spam
| automatically.
| archi42 wrote:
| Yeah, HoN was the first of my catch-alls to receive spam.
| Idiots didn't even acknowledge that they have been
| compromised and insisted that obviously I did use
| hon@mail.mydomain.tld somewhere else. These days I'd use the
| opportunity to check how well GDPR works in practice.
| bagels wrote:
| Had the same experience when TD Ameritrade had an employee
| selling email addresses. My scheme is company+10 random digits,
| it was clearly not guessed.
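The scheme described in the comment above (company name plus an unguessable suffix), as an added example that is not part of the thread: instead of random digits that have to be recorded somewhere, the suffix is an HMAC of the service name, so the mail server can recompute it, reject made-up catch-all recipients, and name the service whose address leaked. The secret, the domain, the `service.tag` layout and all function names are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, Iterable, Optional, Tuple

# Assumptions for this sketch (none of these values come from the thread).
SECRET = b"constructed-demo-secret"   # hypothetical; the real one stays private
DOMAIN = "mydomain.example"           # hypothetical catch-all domain
TAG_LEN = 10                          # 10 base32 characters = 50 bits of MAC

_SERVICE_RE = re.compile(r"[a-z0-9-]+")


def _tag(service: str) -> str:
    """Derive the unguessable suffix for a service label from the secret."""
    mac = hmac.new(SECRET, service.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").lower()[:TAG_LEN]


def make_alias(service: str) -> str:
    """Return the address to give to `service`: <service>.<tag>@<domain>."""
    label = service.strip().lower()
    if not _SERVICE_RE.fullmatch(label):
        raise ValueError("service label must be letters, digits or '-'")
    return f"{label}.{_tag(label)}@{DOMAIN}"


def classify_recipient(address: str) -> Tuple[str, Optional[str]]:
    """Classify an inbound RCPT address.

    Returns ("accept", service) for an alias this scheme issued,
    ("reject", None) for anything else at our domain (bare names,
    gibberish, forged tags), and ("foreign", None) for other domains.
    """
    local, at, domain = address.strip().lower().rpartition("@")
    if not at or domain != DOMAIN:
        return ("foreign", None)
    service, dot, tag = local.rpartition(".")
    if not dot or not _SERVICE_RE.fullmatch(service):
        return ("reject", None)
    # Constant-time comparison so the check does not leak tag prefixes.
    if not hmac.compare_digest(tag.encode("utf-8"), _tag(service).encode("ascii")):
        return ("reject", None)
    return ("accept", service)


def triage(recipients: Iterable[str], revoked: Iterable[str] = ()) -> Dict:
    """Sort inbound recipients into delivered, rejected and leaked-alias hits.

    `revoked` holds service labels whose alias has been burned after a leak;
    mail to them is counted per service instead of delivered.
    """
    burned = {s.lower() for s in revoked}
    report = {"delivered": [], "rejected": 0, "leaked": {}}
    for rcpt in recipients:
        verdict, service = classify_recipient(rcpt)
        if verdict != "accept":
            report["rejected"] += 1
        elif service in burned:
            report["leaked"][service] = report["leaked"].get(service, 0) + 1
        else:
            report["delivered"].append(service)
    return report


if __name__ == "__main__":
    # Constructed sample of inbound recipients, not real traffic.
    inbound = [
        make_alias("kickstarter"),
        make_alias("paypal"),
        "x7gq2@" + DOMAIN,      # gibberish aimed at a catch-all
        "paypal@" + DOMAIN,     # guessed alias without the tag
        make_alias("kickstarter"),
    ]
    print(triage(inbound, revoked={"kickstarter"}))
```

A burned label is replaced by issuing a new one (for example `kickstarter2`), which yields an unrelated tag.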
| akira2501 wrote:
| I've noticed a lot of "mid size" compromises.
|
| The pizza place down the street uses a third party digital
| order system, that was compromised. One of the first emails I
| actually had to blackhole due to the insane volume of spam and
| attacks that started coming to it.
|
| Also.. my previous landlord. His computer or account got
| compromised at some point, and that was another email I had to
| blackhole due to the insane volume of porn spam that started
| coming to it.
| pavon wrote:
| I have a similar experience. I've been using this system for
| about 15 years, and have to block one or two addresses a year due
| to spam. A couple were due to first party spam that I could not
| manage to unsubscribe from (Cooks Illustrated, I'm looking at
| you), and a few scraped from forums (didn't realize the email
| would be public when signing up). The rest appeared to be due
| to an account compromise (based on breadth of low quality spam)
| - oh and less than 1/4 of those sites notified me of a
| compromise. I don't think I've ever received spam from what
| appears to be a "legitimate" "business partner" which is what I
| would expect from emails that were sold.
|
| I also get a handful of spams a month from default addresses
| (hostmaster, etc), all of which come from Chinese IPs. I don't
| have any email address posted on my websites to scrape from
| (mailto: or otherwise), so I don't get any spam from that.
|
| The end result is pretty much no spam. I assumed when I first
| set up my domain I'd have to configure spam assassin at some
| point, but that point has never come, thankfully.
| saxonww wrote:
| The worst offender for me is an email address I used to get a
| fishing license from the state fish and wildlife group. As soon
| as I did that, I started getting advertisements from some
| outfitter/prepper type places. Not sure if they bought the
| address or if licensee info is public in my state.
| brightball wrote:
| I made the mistake of using my primary address when I decided
| to get my real estate license years ago.
|
| It's on another level now.
| sokoloff wrote:
| Similar here. I don't recall when I started doing it, but it's
| been at least 20 years. I get a fair amount of spam from "well,
| what did you expect?" addresses (social sites, mostly) and some
| from addresses that are hard to pin down (paypal address might
| be shared to a seller; amazon address is _definitely_ shared to
| sellers).
|
| The most surprising one is ongoing spam (and semi-legitimate
| contacts from recruiters) to an address that I only
| (intentionally) used at O'reilly. I just checked HIBP and that
| address was exposed in the July 2018 Apollo exposure.
| Brian_K_White wrote:
| I'd love a wall of shame that collected all these bad
| examples.
|
| It would have to somehow be protected against bad actors
| scrubbing themselves by any other means than no longer being
| bad actors.
| bombcar wrote:
| Compromises are 99% of those I see (similar setup) - the last
| 1% is acquired companies that have pivoted/do something else.
|
| It's not quite spam, it's not quite illegitimate, but it's not
| what I signed up for.
| ziddoap wrote:
| > _It's not quite spam, it's not quite illegitimate, but
| it's not what I signed up for._
|
| If it's not what you signed up for, isn't that pretty much
| the definition of spam?
| bombcar wrote:
| You usually sign up for "company updates" or some such
| nomenclature, but after Bob's Discount Swords pivots to
| Improved Plowshares(tm), it's not _really_ relevant
| anymore.
|
| Then again, I actually fill out that little question after
| unsubscribing. The above I consider "legit" as long as
| unsubscribe works.
| thewebcount wrote:
| In my experience, you don't sign up for anything, but are
| automatically added to mailing lists against your will
| just for the sin of purchasing something. I _never_ want
| to get emails from any company just because I purchased 1
| item from them. Most people I know tell me they feel the
| same way, but instead of unsubscribing, they just mark it
| as spam and eventually it stops showing up in their
| inbox.
|
| If I want emails from you, I will explicitly ask to be
| added to your mailing list. Anything else is spam as far
| as I'm concerned.
| denton-scratch wrote:
| > just for the sin of purchasing something
|
| Ah: prior commercial relationship. That's not spam,
| unless they ignore your unsubscribe request.
|
| I hope you're not notifying the world that your preferred
| supplier of [X] is a spammer. I like to stay on good
| terms with my preferred suppliers.
| aendruk wrote:
| illegal spam [?] spam
|
| If I didn't ask for it, it's spam, regardless of whatever
| holes the US has punched in its definition to keep
| business owners happy.
| denton-scratch wrote:
| No, I don't think so. If you signed up to receive email,
| then it's going to be hard to show that you received email
| that's different from what you signed-up for. And if it's
| not Bulk, then it's simply email - not bulk, and not
| unsolicited.
|
| That's why it's important that spam continues to be defined
| as Unsolicited Bulk Email.
| closewith wrote:
| >If you signed up to receive email, then it's going to be
| hard to show that you received email that's different
| from what you signed-up for.
|
| At least in the EU, if you make a complaint, it falls on
| the sender to assert the legal basis for sending the
| email, so it's on them to prove informed consent (if
| that's the basis they're relying on).
|
| > That's why it's important that spam continues to be
| defined as Unsolicited Bulk Email.
|
| I'm not sure you've made the case that's important. In
| the EU, spam has been long defined as unsolicited
| commercial communications (since the E-privacy Directive
| in 2002) - no requirement for it to be in bulk.
| jawns wrote:
| I've seen a shift. Between 2005-2010, I used
| [company]@[mydomain.com], and I noticed that I would get spam
| in the form of [gibberish]@[mydomain.com], presumably from
| spammers who were just targeting email addresses with a
| catch-all filter. In fact, around that time, my hosting
| provider, Dreamhost, started restricting email catch-alls to
| deal with this problem.
|
| But then from around 2010 onward, that type of spam became
| much less common, and nowadays it's as you say. The vast
| majority, probably 90%, come from compromised accounts, like
| linkedin@[mydomain.com]. The rest hit the unique email
| addresses I have submitted in domain registration forms.
|
| That's even more surprising considering that I've since
| shifted to using [username]+[company]@[mydomain.com].
| Spammers could pretty easily strip off the `+[company]`, but
| I haven't seen that happen much.
| stormbrew wrote:
| The gibberish name ones may be targeting backscatter. They
| might have a reply-to with the address they're really
| targeting.
|
| And that may have dropped off because there was a concerted
| effort to make it harder to do that around then. In
| particular, that's kind of what killed qmail as an in-vogue
| MTA, because it wasn't being updated and you had to use
| awkward patches to stop backscatter.
| bombcar wrote:
| We've successfully pushed spam down hard enough that the
| only people spamming are people who _never_ even see your
| email address; it's all computerized and they just don't
| care at all to try to do anything to clean up the lists.
| moontear wrote:
| Exactly my experience. The leaked emails are pretty much always
| related to hacks/leaks of said companies.
|
| I have a couple of addresses that look to have been sold (e.g.
| addresses used in cheap kickstarter campaigns), but that is
| more rare.
| ryanlitalien wrote:
| I use an alternate spam filter process. I use a "+" sign in my
| gmail address. So I would subscribe to a promotion/giveaway with
| username+company@gmail.com. This is a great way to catch which
| promotion/company sells your email address to unwanted companies.
|
| Caveat, sometimes an unsubscribe website can't handle the "+"
| symbol in an email and you'll continue to get spam. So, just add
| a filter for that "TO" email to forward to the spam/trash folder.
| btkthrowaway1 wrote:
| What's stopping websites from just removing '+company' from
| 'username+company@gmail.com' and emailing you at
| 'username@gmail.com'?
|
| Even if the website you provide it to doesn't do that. Anyone
| who buys it can.
|
| I'm guessing the answer is, "Most companies are too lazy", but
| that seems like a weak behavior to depend on.
| ryanlitalien wrote:
| From having experience in email marketing, I highly doubt
| companies are editing email addresses before send. But you
| are right though, I have had signups that denied the "+" via
| JS.
| denton-scratch wrote:
| My guess is that they're too dumb to send marketing emails to
| people who are obviously taking trouble to NOT receive
| marketing emails.
|
| Sending emails to everyone on the planet is one thing; but
| taking pains to send emails to people who are clearly trying
| to dodge them seems terminally stupid, and I'd fire anyone
| who was trying to spend my money on an effort like that.
| megous wrote:
| I never had any spam come to my _=@domain_ email address, despite
| being scrapeable on the web. ;)
| borishn wrote:
| I am doing the same exact thing with my domain and getting spam
| to accounts such as ParkNYC (NYC parking payment app) and other
| companies that should be safe.
| baobabKoodaa wrote:
| I've also used company@mydomain type emails for about 6 years and
| my experience is different. I've had to close down several
| addresses due to spam. The worst offenders have been PartyPoker
| and Skrill, which appear to frequently sell my email address to
| unrelated gambling spammers.
| JadoJodo wrote:
| I've been doing this for a few years (first manually, now via
| FastMail's MaskedEmail feature) with good success. The only
| issues I've had are when one service gives the address allocated
| to them to another, related service. An example of this that
| recently occurred was when a service I wanted to use only offered
| GitHub SSO. That service was then handed my GitHub-only email
| address. I've had the same thing happen at Kickstarter. Overall a
| win, but still annoying.
| modeless wrote:
| Are people really inconvenienced by email spam anymore? My email
| is posted publicly all over the internet, it's been used to make
| hundreds of accounts for various other companies, it's been in
| innumerable data breaches, and I haven't changed addresses since
| GMail launched in 2004. In a bad week I might get two spam
| messages in my inbox. Each one is dealt with in probably around
| three seconds. On average I get less, probably around one per
| month.
|
| I really enjoy that the spam filter catches borderline messages
| like promotional newsletters from companies I do business with
| that I didn't intend to sign up for. And I can count on one hand
| the number of times since 2004 that an email that actually
| mattered was sent to my spam folder by mistake.
|
| Every form of communication I use has spam and most are much
| worse than email. I get SMS spam, phone call spam, snail mail
| spam, WhatsApp spam, phone notification spam. In most cases the
| spam is harder to deal with and a larger percentage of the total.
| Phone call spam and snail mail spam in particular are way above
| 50% for me. Even after doing all the marketing opt-outs I can
| find.
| powerhour wrote:
| > And I can count on one hand the number of times since 2004
| that an email that actually mattered was sent to my spam folder
| by mistake.
|
| How often do you check? I see a few false positives a week.
| modeless wrote:
| Not often, but when I do check I don't find any so I don't
| see a need to check more often. And I don't later discover
| that I missed anything either.
| bjourne wrote:
| Given your results it certainly seems so. However, I know of
| quite a few companies who required people to sign up with their
| email addresses to play their free games and then sold their
| addresses to marketers. Perhaps you wouldn't count that as spam
| since the emails sent had some substance? Or perhaps you only
| reveal your email to trustworthy sites and not to free gaming
| sites and such?
| throwaway67743 wrote:
| This happens time and time again, enumeration, outright breaches
| etc - I've used aliases for as long as I can remember (2 decades
| maybe) and it's always the people you least expect - probably the
| most annoying one is where an azure specific alias was somehow
| enumerated and gets nonsense daily, mailgun also had an
| unacknowledged problem where you could enumerate domains during
| verification.
|
| These days I'm moving to a completely randomized not human
| memorable model, because often the obvious aliases are also
| tried.
|
| Incidentally I don't think I've ever had aliases shared they're
| typically just harvested as part of breaches or incompetence.
| cassianoleal wrote:
| I've been doing this for 2-3 years. Probably also in the hundreds
| of emails given. I have had one such email used for spam.
|
| Edit to add: I have no spam filters on those accounts.
| asdff wrote:
| I'm legitimately baffled by this but that's because it's not an
| actual experiment. You've limited your sample collection to
| retailers you in particular shop at. They could genuinely be good
| companies that aren't unscrupulous with your email. Meanwhile, I
| have no public website and no mailto: links for robots to crawl,
| yet I get plenty of spam I have no reason to ever receive. For
| example just looking at my gmail junk mail now I have a message
| from "ADT security" but coming from this email address which is
| obviously not their domain:
| adt45444@vne6bziks1jt25.w1123-4293.norelaut.us
| MrPatan wrote:
| Similar experience here, although I have only been doing it for
| about a year or two.
|
| I have received exactly one spam email where I could identify who
| sold the db (or maybe it was leaked and they haven't owned up
| yet).
|
| Most of the spam I receive is to an address I used before that
| leaked in some hack a while ago, so that one is truly for sale
| everywhere at this point.
| taway2022-08-15 wrote:
| I use [company]@[mydomain] when signing up for things. So far the
| only offender is a porn site I paid for for a while. I was
| getting weird scam emails sent to that address daily, with text
| like "Hi [name of site], How are things? Is this your new
| email?". Surprisingly, when I cancelled my subscription, the scam
| emails stopped.
| greenail wrote:
| The problem is not bad intentions or selling your information.
|
| The problem is that they copy it into a DB and it is a globally
| unique identifier. Once this happens you have lost control. You
| can never ungive that GUID. Your only recourse becomes spam
| filtering or migrating to another email GUID and waiting until
| the new one gets leaked all over the intarwebs and then doing it
| again. Phone numbers are even worse.
|
| The solution is fairly simple, as discovered by the OP. Don't
| give out the same GUIDs when you sign up for an online
| "relationship".
|
| It is a shame this pattern exists, people should stop designing
| accounts like this.
| Normal_gaussian wrote:
| People that have sold my account immediately:
|
| - my last lettings agency. Lettings agencies are scum.
|
| People that have been compromised:
|
| - an aws account (!)
| - local city council
|
| I use a <service>.<date>.<nonce>@<domain> setup, the nonce has
| only protected from various colleagues being major PITAs.
| user3939382 wrote:
| I've been doing the same thing for 5 years and the only problem
| I've had is people scraping my email from LinkedIn.
| brianbreslin wrote:
| So has anyone discovered a simple way to track all your canary
| emails in a tool like haveIbeenPwned ? That's been the only
| reason I don't 100% of the time generate an email per site.
|
| I've also found burnermail to be a super useful tool, they have a
| chrome extension which lets you generate a site/day specific
| alias and have it forward to your inbox, you can block them in
| their site too.
| pavon wrote:
| If you own your own domain, haveibeenpwned can show all
| compromised addresses for the entire domain. I don't know if it
| supports wildcard/pattern emails for things like gmail's plus
| addressing feature.
| jonathankoren wrote:
| Ironically, my "spam-magnet" email doesn't get spam, but my
| "official" email gets tons of spam. It started out with people
| that bought my email address specifically to spam a different
| person with my name. Now I also get generic spam, probably as a
| result of scraping it from my pdf resume.
| bergenty wrote:
| I have no spam on my gmail account. All I do is every time some
| new spam shows up I immediately unsubscribe. I might get new spam
| maybe once a month but that's easy to unsubscribe from.
| swyx wrote:
| i think the last time this discussion came up on HN, the
| conclusion was similar:
| https://news.ycombinator.com/item?id=30491518
|
| they're not really spam sources but the other criticisms of email
| tracking/cross marketing apply.
| tolmasky wrote:
| Do any password managers support you having your own email domain
| and automatically creating an email address when you create a new
| account (ideally not just using the company's name but something
| random perhaps to not give this away)? Like in a sign up form it
| could generate "helloworld99@domain.com" as well as a password.
| throwaway67743 wrote:
| This is a good idea and something I've been looking into, it
| should be easy enough to do but I'm not sure you can hook
| things like auto fill in browsers and I'd imagine it could be
| easily abused (that is, trigger on another extensions auto
| fill)
|
| I actually have a service in the works that has a simple API to
| create aliases etc, with hosted imap though not forwarding
| because forwarding is stupid. The main issue though is by
| itself it's not useful, it needs browser integration etc
| cimnine wrote:
| Afaik 1password together with Fastmail, see
| https://1password.com/fastmail/ or
| https://www.fastmail.com/1password/, respectively.
| xwowsersx wrote:
| I use fastmail and I have created many aliases. Some in order to
| avoid spam, others to help organize my inbox.
|
| One of my aliases was clearly compromised and it is now sent a
| lot of spam.
|
| Do I simply delete the alias and retire it and update my email
| with whatever services I care to hear from?
|
| As an aside, I have found the spam filter on Fastmail to be
| pretty bad. Anyone else have this experience?
| rascul wrote:
| > others to help organize my inbox
|
| This is a big one for me. Some companies will send me mails
| from a bunch of different email addresses, sometimes with
| different domains. So much easier to have one rule for one of
| my email addresses than a bunch of rules for a bunch of theirs
| that I don't even know of yet.
| xwowsersx wrote:
| Right, exactly. Aliases are unlimited so I err on the side of
| creating too many rather than having too few.
| danieldk wrote:
| _As an aside, I have found the spam filter on Fastmail to be
| pretty bad. Anyone else have this experience?_
|
| Same. I love Fastmail, but even after almost a decade of
| training, spam filtering is quite bad compared to eg. Google
| Mail.
| xwowsersx wrote:
| Totally, I think I forgot how big of a deal Gmail's spam
| filtering was especially when it first came on the scene. I
| remember now :)
| MerelyMortal wrote:
| I have Fastmail fetch email from my Gmail inbox. Spam that
| clears Gmail's filter and lands in my inbox, that Fastmail
| then retrieves, ends up in my Fastmail spam folder.
|
| Fastmail catches what Gmail does not in my case. Though the
| reverse has not been tested.
| frou_dh wrote:
| that_guy_iain wrote:
| I did the same thing. I noticed that every now and then some
| dodgy site would sell on the email and I would get spam from
| those for a year or so. Then they would stop emailing those
| emails.
| dima55 wrote:
| It happens sometimes. Most recently, an email address I supplied
| for a dog-dna testing service I used almost 10 years ago
| (https://www.wisdompanel.com/) received spam about some unrelated
| service called "okta"
| EVa5I7bHFq9mnYK wrote:
| Not a myth. 20 years on, still receiving spam to an email address
| I used to order a male enhancement product.
| reaperducer wrote:
| _still receiving spam to an email address I used to order a
| male enhancement product_
|
| Encyclopedia Britannica?
| EVa5I7bHFq9mnYK wrote:
| Those were sold in physical form, no email required)
| luminousbit wrote:
| I too have done this for almost years and it's magical. So easy
| to see who has been compromised. Also a great protection against
| phishing because "You need to update your Capital One password"
| that isn't addressed to "capitalone@mydomain.com" is an instant
| red flag.
| bdamm wrote:
| I've been doing it for 20 years. Yes, or conversely, seeing
| "You need to update your Capital One password" being sent to my
| custom addresses for AAA, Telecom, Linkedin, etc.
| bambax wrote:
| I do the same and it's true that those receive little spam. Not
| zero however; I just received minutes ago spam that was sent to
| britishairways@<mycompany> for example.
|
| The biggest spam magnet is the email address one leaves with a
| registrar; that is horrible.
|
| Then come contact@, webmaster@, and other generic accounts that
| spammers can guess for each domain.
| wiredfool wrote:
| I've definitely had spam to some of mine -- Especially t-mobile
| after they had a compromise some years back.
| Minor49er wrote:
| Same here. What's funny is that T-Mobile announced that they
| were going to use a McAfee anti-phishing solution to compensate
| for the breach. So the thieves who got a hold of the customer
| data have been using that to target customers with their real
| names through email, giving them fake invoices for "McAfee
| services" and links to where they can make payments
| bennyp101 wrote:
| I've noticed the same, I wonder if they filter out emails that
| contain the company name when selling lists?
|
| I do often get asked if I work for said company when giving it in
| person or over the phone, and I just say it's so I know if it
| gets sold or leaked I know where it came from.
|
| I seem to remember a few years ago I couldn't sign up to a
| service with the company name in the email, but that's the only
| time I came across that.
| byteflip wrote:
| Been using Hide My Email from Apple's iCloud and I've been really
| loving it!
|
| Semi permanent fake addresses ending in @icloud.com that forward
| to my gmail address. Apple is also one of the few companies I'd
| probably trust to the task.
|
| Wish it was a standalone app rather than buried in the settings
| menu.
| josephb wrote:
| I also wish they had a standalone app to help manage the
| addresses. Like so many of their good features, eg password
| management, it can be a bit too hidden for those of us who want
| some control!
| butz wrote:
| One sure way to start getting spam with ANY email, is to publish
| an application on Google Play Store. You'll start getting emails
| not only from advertising offers, shady SDKs, or Android
| development, but even for unrelated products from China.
| eganist wrote:
| I've received spam to seven different addresses, all of which
| followed breaches which were previously or later publicized.
|
| Just adding a sample.
| darkerside wrote:
| Spam is just any unwanted email, and I'm sure you're receiving
| plenty of those. I assume what you haven't received are phishing
| emails with malicious links?
| kloch wrote:
| Another thing guaranteed to attract spam is a public contact
| email on a domain name.
| [deleted]
| LinuxBender wrote:
| _Is the fear of "people selling your email to spammers" a modern
| myth, or are spam filters that good?_
|
| Email databases for sale are not always for spam or malware. They
| are often used for tracking and cross marketing calculations.
| Placing a company's name in the address will signal a canary and
| they may likely filter your contact out of their database or at
| least flag it and treat it differently.
|
| I've been using email canaries for decades but recently had to
| adjust my canaries to be less obvious. A few vendors got upset
| that I had their name in the address and one even accused me of
| fraud and canceled my $500 gift card. That was the Tractor Supply
| Company.
|
| Either way I will continue using canaries and multiple domains as
| it is a good way to be filtered out of some cross marketing
| databases and to avoid some behavioral tracking and some machine
| learning. It is also useful to find companies that get upset.
| This is an indicator to me they lack integrity and should be
| avoided. Canaries are also a good indicator to detect if a
| company has been compromised.
| simondotau wrote:
| > _A few vendors got upset that I had their name in the
| address_
|
| A few years ago I created an account with a freemium publisher
| with the email address _their.domain@my.domain_ and as soon as
| I logged into my account I had full unlimited access to all
| content.
|
| I suspect their system had a routine that detected staff
| accounts based on a string search for their domain.
| buu700 wrote:
| I had a funny interaction with a financial institution about
| this at one point. They were having a lot of trouble
| understanding that company@mydomain.com was the correct email
| address.
|
| Eventually the conversation went like:
|
| "So you're saying you created a new email address just to use
| with us?"
|
| "Sure, yeah."
|
| "...That's weird."
| masklinn wrote:
| The weirdest of these i had were support agents who thought I
| was a colleague because I usually use
| <theirdomain>@<mydomain>
| ejb999 wrote:
| I did that for one of my amazon accounts a few years back
| when i registered at an amazon conference (probably aws
| reinvent)- i.e. amazon@mydomain.com - and for about 6
| months I got onto some internal email list at amazon/aws,
| definitely not intended for the public, likely because
| someone queried for all email addresses that had 'amazon' in
| the address from this registration list - thought it was
| pretty funny, but eventually they stopped - someone
| probably figured out what they did wrong.
|
| Also have one for thifty@mydomain.com (the car rental
| company) - when they saw my email address at the counter
| they gave me the employee discount rate - I didn't correct
| them :)
| nibbleshifter wrote:
| > A few vendors got upset that I had their name in the address
|
| I have had this happen a few times.
|
| > Canaries are also a good indicator to detect if a company has
| been compromised.
|
| Yep, this is a fantastic use case.
| encryptluks2 wrote:
| I used this to determine that Xfinity was compromised, yet
| still no acknowledgement despite reporting the issue to them
| and they went through some spiel about how I received the
| email by mistake and continue to receive emails by mistake at
| <randomword>_<randomword>@<customdomain>. The only person I
| shared that email with was them, and never had the issue with
| another provider.
| adamfeldman wrote:
| This is exactly my use-case and experience after many years
| of custom catch-all'ing.
|
| I've noticed a couple breaches, and also a few unexpected
| transfers of my email address between semi-related parties.
|
| Just once it appeared an address was sold via a marketing
| list, after filling out a lead-form for a free online
| conference hosted by multiple companies that you've seen on
| HN.
|
| Surprisingly, unsubscribing tends to stop emails from
| everyone.
| f4c39012 wrote:
| Slightly easier* than running a domain, i've had luck with
| myemail+CompanyX@gmail.com when signing up to CompanyX.
| Gmail handles the '+' transparently (in the same way as it
| ignores '.') and delivers the email to myemail@gmail.com.
|
| It is fun to receive a survey about "an anonymous company
| you have used in the past"... sent to
| myemail+uber@gmail.com.
|
| *yet less reliable, '+' in email addresses isn't always
| accepted, and when it is sometimes only partly, e.g. signup
| works but password reset doesn't
| nibbleshifter wrote:
| Tbh with GSuite + a 5$ domain I get catch alls for
| minimal effort.
|
| I used to use + addressing schemes, but abandoned it for
| the reasons you mentioned (websites breaking horribly).
| adamfeldman wrote:
| Exactly. Catch-all setup on Google Workspace/G Suite/too-
| many-renames is usually obtuse but it's a one-time
| tutorial effort.
| nibbleshifter wrote:
| I wonder if there's a way to script setting it up to be
| honest, I end up about an hour deep in help docs each
| time I set up a new domain+email trying to work out how
| to make a catch all and how to configure the thing so
| replies come from the right email.
| adamfeldman wrote:
| Oh, I've never realized replies could be made to come
| from the right email. I manually add addresses as-needed
| (once a month or so).
|
| I think there's an unofficial Terraform provider but I
| haven't looked recently.
| jdmichal wrote:
| Sometimes it's only partly supported, in the sense that
| the website will just break if your email has a `+`. I'm
| pretty sure I encountered that one with both Disney and
| Royal Caribbean reservation workflows just flat out
| breaking.
| remus wrote:
| > I'm pretty sure I encountered that one with both Disney
| and Royal Caribbean reservation workflows just flat out
| breaking.
|
| My favourite is services that let you sign up with a + in
| the address but then break when you try and login or
| reset your password.
| zimpenfish wrote:
| I switched to '-' instead of '+' which was a trivial
| change in exim.conf and saved my sanity because there were
| just too many places which either break on '+' or refuse
| to accept it in the first place.
| ryantgtg wrote:
| Wouldn't it be trivial for them to strip out all values from
| + to @ prior to selling your address?
| f4c39012 wrote:
| it should be trivial, i don't know if many do it - iirc
| haveibeenpwned.com doesn't
| [deleted]
| nibbleshifter wrote:
| Yes. I've written code that does this for parsing leaked
| email lists before as part of a normalizing step.
| archi42 wrote:
| Not sure why this is downvoted. I can imagine non-
| nefarious reasons to collect these lists.
| kevinmgranger wrote:
| I used to do this, until I had to reply to an automated
| email for some customer support system. It rejected all
| my replies because the From: didn't match.
| seanp2k2 wrote:
| If I have to provide an address to get a download link, that
| address will be either postmaster@aol.com or abuse@domain-of-
| the-company . EMailing the link to the provided address will
| probably just make me seek out different software. Make
| software that users want to sign up to hear more about; don't
| force them to opt in to marketing just to try something. It's
| the first impression and sets the tone with your company.
| koliber wrote:
| I was offered a few employee discounts by front line associate
| because of using an email address with a company name. I
| declined but found it awkward to explain the details.
| YetAnotherNick wrote:
| > A few vendors got upset that I had their name in the address
|
| rot13 FTW
| seanp2k2 wrote:
| too much work to remember each time for logins if it's
| something frequently used. The iCloud way of generating
| emails is great but only works well on my iDevices. I used to
| use endjunk.com for everything, and it was the same kind of
| "anything@you.endjunk.com" setup, but one day they just
| disappeared with no warning and I lost a few accounts because
| of that. Learned my lesson and just switched to GMail.
| KMnO4 wrote:
| I'm not sure what encoding this is, but sometimes I do QWERTY
| shifts.
|
| Google becomes hpphar.
|
| Easy to [en/de]code on the fly by looking at your keyboard.
| david_draco wrote:
| Someone should sign up for all the mailing lists with an email
| address used nowhere else and track the cross-mailings. Maybe a
| bubble babble hash of the company name as the email prefix, and
| a big mailer like gmail or protonmail as the server. When the
| email is leaked and the company does not inform the user,
| report the company via GDPR.
| jader201 wrote:
| > _Someone should sign up for all the mailing lists with an
| email address used nowhere else and track the cross-
| mailings._
|
| I may be misreading your comment, but if not, it sounds like
| the OP (of this Tell HN) did exactly that.
| sbf501 wrote:
| > Placing a company's name in the address will signal a canary
| and they may likely filter
|
| Oh, good point. I guess I may have invalidated all my research!
| :|
| registeredcorn wrote:
| If you're interested in getting "true" results, perhaps you
| could do something like this:
|
| name1@website.com
|
| name2@website.com
|
| etc.
|
| In a spreadsheet, you have one column with the number, and
| another with the company name. You might want to change this
| up, putting the identifier in different parts of the email
| address, to avoid similar "canary" signals.
|
| Personally, I use BitWarden to generate usernames for each
| website, to help keep my fingerprint (somewhat) scrambled.
| LastPass also has a good username generator. [1] I would just
| avoid using complete non-sense words, since there might be
| some amount of human review.
|
| [1] https://www.lastpass.com/features/username-generator
| seanp2k2 wrote:
| Reading these over the phone to dinosaur financial
| institutions is pretty unfun though. I was doing something
| similar with generated usernames, had to call in to reset
| my password because some places operate like it's still
| 1983, and the person helping me probably thought I was nuts
| with my 30+chr random username.
| reaperducer wrote:
| Sounds like you use Bank of America, too!
|
| I had to read my e-mail address to someone there just
| last week.
| bencollier49 wrote:
| Just writing their name in reverse would probably work, and
| be less time consuming.
| slowmovintarget wrote:
| Only if you actually want to receive their spam for
| research purposes.
| TheJoeMan wrote:
| But you've stumbled on an even better solution! Now you are
| spam free + tracking free.
| aspyct wrote:
| On the other hand, your address is being filtered out, so...
| win? :D
| [deleted]
| mkl wrote:
| > A few vendors got upset that I had their name in the address
|
| I've had more confused than upset, but Samsung straight-up
| refuses to accept email addresses with "samsung" in them. I'm
| not sure what they think they're accomplishing.
|
| I think I get more spam from hacked/leaked email databases than
| sold ones. Dropbox is the worst (signed up and used it briefly
| over a decade ago, and now suffer an eternity of spam).
| rotten wrote:
| Fastmail offers a masked email feature for one-time email
| addresses: https://www.fastmail.help/hc/en-
| us/articles/4406536368911-Ma...
| seanp2k2 wrote:
| I've seen sites that disallow auto-generated addresses, super
| lame and makes me not want to use them, not sure how common
| that is today.
| ezfe wrote:
| How do they disallow it?
| reaperducer wrote:
| _I've seen sites that disallow auto-generated addresses,
| super lame and makes me not want to use them, not sure how
| common that is today._
|
| Expect this to change, if Apple's anonymous e-mail
| forwarding becomes popular.
|
| Just like when IT departments (including the one at my
| company) insisted that everyone use Blackberries because
| iPhones weren't suitable for a corporate environment.
|
| Once enough C-levels start using any feature, it spreads
| like wildfire.
| dlyons wrote:
| Yes, and they recently enabled one time emails with your own
| custom domain, which really helps get around folks trying to
| identify and prevent this.
|
| This is a killer feature, I love Fastmail.
| atmosx wrote:
| The 1Password integration doesn't work for me. Not sure why
| :-(
| withinboredom wrote:
| Works fine for me. Maybe you have some conflicting settings
| enabled?
| raverbashing wrote:
| > A few vendors got upset that I had their name in the address
|
| Kinda annoying of them, maybe I would go for an opaque (or
| maybe just a simplified) canary. Like the initials or
| abbreviation
| csdvrx wrote:
| > A few vendors got upset that I had their name in the address
|
| When it happens, I say "this is because your company is so
| important to me that it has its own mailbox to be prioritized
| accordingly"
|
| It worked every single time :)
| dspillett wrote:
| Same, though go with "I use the incoming address name to file
| things into the right folder, so work things, banking things,
| shopping, and such, are separated" - I don't butter them up
| by making them sound important enough that I created a mail
| inbox just for them.
|
| If they still object then I don't sign up. I've had a web form
| refuse to accept an email address with their company name in,
| so that sale went elsewhere, and one physical retail store
| wouldn't let me sign up to their prize draw with such an
| address, so I didn't. In neither case do I suspect anything
| of value was lost by myself!
| PebblesRox wrote:
| I guess ROT13 could also be a last resort if signing up is
| important enough.
| nbk_2000 wrote:
| Slightly mangling the name (e.g. target => trget) is
| another way.
| croes wrote:
| I do the same and on some I get spam
| asciimov wrote:
| The vast majority of my spam comes from the bad old days of
| desktop pc viruses and people using outlook express (say 15+
| years ago).
|
| Back then, my college required us to forward our university email
| to a personal account. That's fine as our personal addresses were
| hidden and not public.
|
| What was not fine was one day the IT department changed
| everyone's public email address to their private address. They
| also changed mailing lists from BCC to CC so that you got to see
| everyone's email who received the email.
|
| A few hours later after these changes, the spam started rolling
| in. At first it was a moderate amount of spam, a few messages a
| day, but it quickly increased. At one point it was up to 200-300
| spam messages a day and stayed that way for several years. In any
| given month my gmail spam count sat between 3,000 to 6,000.
|
| Over the past 10 years, as botnets have been taken down, those
| numbers have come down an order of magnitude. I still get between
| 20 - 30 spam messages a day on that account.
| dspillett wrote:
| I've been doing this for about two decades, and I've had to block
| a fair few addresses for spam over that time.
|
| In almost all cases with companies of any significant
| size/reputation it was entities that either publicly admitted or
| were publicly called out as having been hacked - so incompetence
| or the bad luck rather than deliberately selling my details on.
|
| In a few of cases (a couple of hosting providers, a physical-
| store electronics retailer) it has been a business that had
| failed before the spam started, so presumably their contacts were
| sold as an asset as part of the winding down.
|
| I give different addresses to any online forum too -- they have
| seen a much higher rate of addresses needing to be dropped due to
| spam.
|
| If you use a catch-all address rather than setting up each alias
| individually then you _may_ get "dictionary" attacks at some
| point. Early on when I used <varies-by-company-or-
| other>@domain.tld I saw that a few times, with someone sending to
| alan@, alana@, alvin@, ... Since moving over to <varies-by-
| company-or-other>@sub.domain.tld (where "sub" is a static sub
| domain operating as catch-all, with only a whitelist of addresses
| on the main domain now accepted) I've not seen this again. I
| don't know if that is because name dictionary attacks like that
| are simply rare, are not attempted on more complex addresses, or
| never really worked so spammers don't use the technique at all
| any more.
|
| Where an address ends in a number, I've seen guesses that
| increment that number - so as well as getting junk to
| somecompany2@sub.domain.tld I get junk to
| somecompany3@sub.domain.tld and so on. I assume this is an
| address farmer bulking out their database.
|
| One place where passing on of your email address seems rife is
| Kickstarter and Indiegogo projects. I'm on several mailing lists
| I've never subscribed to on those addresses, and another appears
| every couple of months -- I don't know if it is the projects
| themselves or the survey management third parties that are to
| blame, I suppose I could test that by cycling the address but I've
| not been bothered enough to make that effort. I have messages
| from those lists auto-filed into a folder, and if I'm tempted to
| support a project I search that folder first - if they have been
| carried by one of the spammy mailing lists I won't be giving them
| any of my money. I've saved money on three projects thus far with
| this. A petty victory perhaps, but I like my petty little
| victories!
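
The catch-all guessing described in the comment above (alan@, alana@, somecompany3@ after somecompany2@) can be rejected at delivery time if every alias carries a keyed tag the mail server can recompute without a lookup table. This is an added Python sketch, not code from anyone in this thread; the HMAC scheme, the key, the function names and the handles are assumptions, and the domain is the thread's own placeholder.

```python
import base64
import hashlib
import hmac

# Constructed demo values: use your own random key and catch-all domain.
SECRET_KEY = b"constructed-demo-key-not-for-real-use"
CATCH_ALL_DOMAIN = "sub.domain.tld"
TAG_LEN = 8  # 8 base32 characters = 40 bits of the MAC


def _tag(handle: str, key: bytes = SECRET_KEY) -> str:
    """Short keyed tag for a handle; unguessable without the key."""
    mac = hmac.new(key, handle.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").lower()[:TAG_LEN]


def make_alias(handle: str, key: bytes = SECRET_KEY) -> str:
    """Build '<handle>.<tag>@<domain>' for a per-service handle.

    The handle can be the company name, a mangled form of it, or an
    opaque label you keep in your own notes.
    """
    handle = handle.strip().lower()
    if not handle or "@" in handle:
        raise ValueError("handle must be non-empty and contain no '@'")
    return f"{handle}.{_tag(handle, key)}@{CATCH_ALL_DOMAIN}"


def classify_recipient(rcpt: str, burned=frozenset(), key: bytes = SECRET_KEY):
    """Decide what a catch-all should do with an envelope recipient.

    Returns ("accept", handle) or ("reject", reason). 'burned' holds
    handles retired after a leak, so they bounce instead of delivering.
    """
    local, sep, domain = rcpt.strip().lower().rpartition("@")
    if not sep or domain != CATCH_ALL_DOMAIN:
        return ("reject", "wrong-domain")
    handle, sep, tag = local.rpartition(".")
    if not sep or not handle:
        return ("reject", "no-tag")  # dictionary guesses such as alan@
    expected = _tag(handle, key)
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("ascii")):
        return ("reject", "bad-tag")  # e.g. somecompany2 bumped to somecompany3
    if handle in burned:
        return ("reject", "burned:" + handle)
    return ("accept", handle)


def demo():
    """Run the classifier over constructed sample recipients."""
    issued = make_alias("somecompany2")
    guessed = issued.replace("somecompany2", "somecompany3")
    samples = [
        issued,                      # the address actually handed out
        guessed,                     # incremented-number guess, old tag reused
        "alan@sub.domain.tld",       # name-dictionary guess
        "somecompany2@sub.domain.tld",  # handle known, tag missing
    ]
    return [(s, classify_recipient(s)) for s in samples]


if __name__ == "__main__":
    for rcpt, verdict in demo():
        print(f"{rcpt:45} {verdict}")
```

Because the handle is recovered from the address itself, an accepted message still identifies which signup leaked, and retiring one means adding its handle to `burned`.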
| chrisan wrote:
| > or are spam filters that good?
|
| Do you know if you are getting _any_ spam or just that all of your
| spam is marked as such not reaching your inbox?
| mindslight wrote:
| I've done this as well for over two decades, but with no spam
| filter besides mailavenger/greylisting for a time.
|
| I've gotten spam to places that have had their databases leaked
| and widely reported. Off the top of my head, Zynga and
| Consumerist.
|
| I've also gotten spam from individual eBay vendors (etc), to my
| ebay@ and paypal@ address. But there's no way to particularly
| stop that, beyond knowing that ebay and paypal leak my email
| address.
|
| I get a lot of spam to an admin@ address on a domain I bought
| that was evidently in use previously.
|
| I also get spam from companies I used quite a while ago, and were
| either acquired and renamed, or are still in business. I haven't
| purchased or even signed into the website of "PCB Fab Express" in
| over 15 years, but they still see fit to email me.
|
| In general I don't find it that much of a hassle to hit 'd' on
| spam, hence not particularly caring about a spam filter, or not
| setting up a procmail recipe that bounces the spammy businesses.
|
| FWIW I actually don't get much spam any more to the first
| category of email leaks. I'm sure it goes in waves with whatever
| lists are in vogue.
|
| I still do find the custom email addresses nice for creating a
| small impediment to cross-referencing surveillance data, and
| don't see any reason to stop them. If the saying "YourCompany@"
| to a Your Company rep was really that awkward, I'd switch to
| opaque shorter handles, but it hasn't been a problem. Sometimes
| I'll just own it and say I do this so I know when companies sell
| my email address to spammers.
|
| Also, I read my email with mutt in a terminal, possibly passing
| it through lynx when I need to. If my client loaded image bugs or
| other html nonsense, my experience might be much different.
| giancarlostoro wrote:
| What does your email setup look like stack wise btw? Always
| curious to hear from people who are hosting their own email
| server.
| vultour wrote:
| I get spam on three emails: public one listed on a website
| (obfuscated by JS), one that got accidentally published on a
| WHOIS record, and the one I use for recruiters & career websites.
| nuker wrote:
| Disabling "Load Remote Content" setting in email clients seems to
| reduce spam too.
| db48x wrote:
| Email spam is the bottom of the barrel compared to tracking
| people on Facebook.
| orev wrote:
| I've been doing this for over 20 years, and have the same
| results. The only spam I get is to a few addresses where there
| was a data breach (LinkedIn). I have another account where I
| don't do this, and it gets around a dozen messages per day from
| the completely illegal spammers (no opt-out, etc).
|
| However, it's entirely possible I'm not seeing many messages that
| are getting blocked by spam controls (gmail), so I hesitate to
| draw any sweeping conclusions about it.
|
| I'm also very cautious about what I sign up for. I can say that
| from what I've seen with others, the amount of spam and phishing
| is very dependent on what you do. For example marketing people
| need to go widely distribute their addresses as part of their
| job, and I definitely see them receiving far more spam/phishing
| than others.
| withzombies wrote:
| I wrote a blog post[1] about my experiences with custom usernames
| and how I regret it. It was previously covered on HN here[2].
|
| I came to the same conclusion as you, but additionally decided it
| has been a major waste of time and I'm slowly trying to undo it
|
| [1] https://www.notcheckmark.com/2022/06/catch-all-domain/
| [2] https://news.ycombinator.com/item?id=31585463
| sbf501 wrote:
| This is exactly my experience. Had I seen your HN post I
| wouldn't have bothered, because you've summed it up nicely.
| Especially the looks of disbelief I get when I say my email is
| their company name. Did it at a pet store recently and the
| cashier said to me: "You don't have to give me a fake email,
| just say you don't want to give me your email."
|
| There's no real need to undo it now, however. It is more of
| an afterthought.
|
| (I also didn't realize that I now must own this domain FOREVER
| because if I sell it, the next owner will have all of my email
| addresses for password resets.)
| johnklos wrote:
| Let's consider a few things:
|
| 1) Just because it hasn't happened to you, that doesn't mean it
| doesn't happen. I have quite a few examples of companies selling
| or otherwise sharing, whether intentionally or through
| compromise, my email addresses.
|
| 2) If someone (some company) is going to sell email addresses,
| it's not unreasonable to imagine that they'd want to remove any
| addresses that would directly link those addresses to their
| source, so a quick search to remove any address with the word
| "adobe" in it when selling Adobe mailing lists would not be
| unexpected in the least.
|
| Years ago I set out to learn more about the "missing sock"
| problem (https://en.wikipedia.org/wiki/Missing_sock). I bought a
| dozen pair of brand new socks and I ironed on labels identifying
| each and every sock. Guess what? The labeled socks never went
| missing. The act of labeling the socks dramatically affected the
| experiment.
|
| Perhaps using companies' names in our email addresses is
| affecting our results.
| [deleted]
| infogulch wrote:
| > remove any address with the word "adobe" in it when selling
| Adobe mailing lists
|
| That's a good explanation.
| wildrhythms wrote:
| I wonder if OP's custom domain is making it "not valuable" for
| sale. Consider a buyer only interested in collecting Gmail
| addresses.
| conor_f wrote:
| For point 2, at least it's a form of personal protection?
| Sufficient a reason for me to use it if I'd be excluded from
| leaks.
| trepatudo wrote:
| I actually also do this and get into funny episodes because
| people think I work for the company when giving out the email
| address in physical stores.
|
| One time I actually got my phone fixed faster because the
| receptionist thought I was a Samsung worker (samsung@m.....pt) and
| their store were Samsung partners.
|
| Anyway, I also do not receive any spam on the custom ones.
| bondolo wrote:
| I do the same but regularly get spam. I just got a spam email
| today for automobile insurance and the source was an automotive
| buying company I used about a month ago. The businesses don't
| appear to be related in any way.
|
| The strangest one ever was an email address given to a boutique
| spa hotel in Oregon showing up on spam announcing a new
| production from a local California community musical theatre. I
| must have given the hotel my zipcode as well so the email was
| sold based upon my location.
| kevinmgranger wrote:
| I get spam to a certain company email. I can only assume it was
| due to a breach.
| btrettel wrote:
| I think spam to email addresses found in data breaches is more
| likely.
|
| An address I used only for Comcast Xfinity gets a surprisingly
| large amount of spam. (I'm no longer a customer and have disabled
| the address.) I'm not the only one to suspect they've had a data
| breach:
|
| https://news.ycombinator.com/item?id=30062511
|
| https://news.ycombinator.com/item?id=30980625
|
| https://news.ycombinator.com/item?id=31118355
| IanNorris wrote:
| I've been doing this for about 5 years. So far none of my company
| specific email addresses have been leaked, but it has let me
| black hole some emails (eg Intel) because their unsubscribe
| systems are broken.
|
| I wish I'd been more aggressive at switching to it as the one
| account I got the most spam from was Kickstarter when they got
| compromised. I'd say 70% of all my spam came from that one
| breach. That unfortunately was an email address I can't burn.
|
| I use SimpleLogin.io now after hand rolling a solution for a few
| years after I saw it linked from a HN post. The caveat is that my
| family members that hang off one of my domains struggle to
| understand it, despite them only seeing the personal Gmail
| account I created to receive their email to.
| kwanbix wrote:
| I also do this and my emails appeared on DB breaches so I got
| spam there.
| noizz wrote:
| I have similar experiences in general, however I've been unlucky
| enough to be a victim of a couple of leaks like Adobe, Invision
| and Gfycat. Some marketplace retailers also leaked my email and
| couple of smaller stores too. Totally worth knowing this. That
| said - my general info@ email that's semi publicly (simple js
| obfuscation) available on the website is orders of magnitude more
| spammed than those leaked ones.
| groffee wrote:
| If they do sell the emails it'd be a simple job to clean them
| first (i.e. remove any that explicitly mention their company name).
| Spammers are a pain in the ass, but not stupid.
| huhtenberg wrote:
| I've been doing this for over 10 years, but I _do_ get spam on
| some of them.
|
| It comes in two forms.
|
| One is that companies subscribe to the marketing emails without
| asking. When this happens, they tend to re-offend on
| unsubscription, so they had to be blocked by blacklisting.
|
| The second form is that they do in fact share my email address
| with others. Not two months ago I booked a hotel in Europe and got
| a spam from some other company _before_ I got a booking
| confirmation. So this happens.
|
| That all said, the point of using per-company emails is less
| about spam and more about denying them an option of collating my
| online activity. The fact that you don't get spam doesn't mean
| your email address (+ relevant personal details) aren't getting
| resold, shared and otherwise vacuumed by the data collectors.
| That's _them_ I'm more worried about than an occasional spam.
| [deleted]
| happyopossum wrote:
| I've been doing the same for so long I can't even remember when I
| started. Yes, I do get spam to some of those emails, and yes, it
| is nice to block them. That said, the thing that's kept me doing
| this so long is this: on two occasions, an address given to a
| financial institution started getting spam - clearly they were
| hacked or had an internal user selling emails (I remember when
| that was worth good money - I doubt it is anymore).
|
| It was an early warning for me to change my password at that bank
| (this was pre-2fa), so the practice has kinda stuck with me.
| purpleblue wrote:
| I signed up for a magazine subscription, and was added to a ton
| of spam email offers. So maybe not retailers but there are plenty
| of businesses that will sell your email. Charities are another
| good example, they make a lot of their money selling their donor
| lists.
| bityard wrote:
| I have been doing the same thing, for about the same amount of
| time.
|
| The only "actual" spam I ever get are for email addresses where
| the marketplace has shared my email address with the seller.
| Ebay, especially. I have to rotate my ebay email address
| periodically and block the old one in order to keep the spam down
| to a reasonable level.
|
| However, I still use custom email addresses when signing up with
| various companies/services because the trend over the last five
| years has been for every company (large and small) to
| automatically subscribe you to their asinine daily newsletters
| and other marketing crap even when you specifically opted-out on
| signup. Yes, the emails themselves _usually_ have unsubscribe
| links, but those only have a 50% success rate in my experience.
| And this is from otherwise reputable companies. Easiest to just
| block the whole email address and move on with my day.
| henpa wrote:
| I have the same setup since forever but I do occasionally find
| one of the custom emails being used as SPAM (when this happens, I
| either delete it or replace with a new one). So it's very clear
| to me that those companies in specific either sold or had their
| data stolen somehow.
| waspight wrote:
| Isn't using company@mydomain.com a clear indicator that there is
| a catch all address on @mydomain.com? Which makes it even harder
| to avoid spam once it is obvious that you can send to whichever
| email you want on that domain?
| threeboy wrote:
| I do the same thing. A few of them (Adobe, linkedin) have gotten
| hacked and spammed to the gills (so I black hole them) but
| it's often rare and I'm realizing it's not worth the effort to
| micromanage email aliases in this way.
| fxtentacle wrote:
| I did the same. The one I used for my Adobe Creative Cloud
| subscription was drowning in spam.
| legitster wrote:
| I work as an administrator to an email marketing server. I'd like
| to think I can speak with some authority on this subject.
|
| > Is the fear of "people selling your email to spammers" a modern
| myth
|
| 100% absolutely. Your email address itself is not valuable or
| interesting in any way.
|
| I can't imagine there being an internet black market for random
| email addresses, but if I had to guess what they would be worth,
| it would be fractions of a fraction of a cent per email.
| Meanwhile, Mailchimp charges ~$0.02 per month for every email
| contact you hold onto. It makes absolutely no financial sense for
| your average retailer or newsletter to be selling your email
| addresses.
|
| However, your contact information _might_ get sold if it is
| attached to high value sales activities. Like if you signed up
| for a quote on a $50k HVAC system or indicate you are a big donor
| to certain political causes. Your email address/phone number are
| valuable in that they are now attached to some pretty valuable
| purchasing intent. This is where less than scrupulous sites will
| live to harvest your data.
|
| This is still a bit of an outlier activity. If I sell expensive
| HVAC systems, the only people interested in this data would be
| direct competitors. If the information is actually valuable, it
| will be _less_ likely to be widely disseminated.
| mkl95 wrote:
| I have regularly used two gmail accounts for 13+ years. One of
| them receives tons of spam every day and has two dozen
| haveibeenpwned entries. The other one receives little spam and
| has no haveibeenpwned entries.
| TT-392 wrote:
| You should try signing up for a few Chinese PCB manufacturers,
| your email will end up all over the place.
| magnat wrote:
| After doing the same since 2003, out of ~200 email addresses used
| 18 are listed on HIBP, ~15 receive dozens of spam emails a day
| (or rather: would receive if I hadn't completely blocked them)
| and ~10 see almost non-stop login attempts from all around the
| world via IMAP and SMTP.
|
| Address linked with "mailto:" on a contact page had to be blocked
| after a few years. Same with WHOIS addresses (published before
| there were sane privacy rules for those). Address with "@" and
| "." replaced with "at" and "dot" receive no spam at all.
|
| Summed up, there are a few hundred inbound messages a day.
| SpamAssassin and some basic Postfix rules filter almost all of
| them. One or two a month get through.
| indus wrote:
| There is another folder for those custom emails: Promotions.
| Gmail does a pretty good job of categorization.
| suzzer99 wrote:
| I do the same thing. I've received spam on a few.
|
| Interestingly Gary Johnson (the Libertarian candidate for
| president) sold my email to Scott Walker (the right-wing
| Wisconsin governor). That shows you something. Also my United
| Airlines email got out there in the spam world. I think there
| were a few others. I finally stopped doing it out of laziness.
| bitexploder wrote:
| Try having common firstname.lastname@gmail.com and using that
| address for a decade+, the spam is a constant deluge that very
| often gets by the spam filters.
| kuon wrote:
| I think it might be related to the loading of remote image /
| tracking pixel, but since I started using mutt, my spam has been
| reduced by about 30%. I don't think I have changed anything else.
| 1in1010 wrote:
| If you can program rules into your email server, you can easily
| just ignore anything to company@mydomain.com that does not
| originate from something@company.com
| nickhalfasleep wrote:
| Donate to a political candidate or large non-profit. Those are
| where I see the most sharing of addresses. I have been doing the
| same sort of custom emails.
| cheeze wrote:
| Seriously. Donate to Planned Parenthood once and you basically
| ensure that the company spends more over the next 10 years
| bothering you than your donation was worth.
|
| And I like PP but goddamn, emails coming from a swath of
| domains, a neverending stream of physical mail.
|
| I won't donate to them again because the amount of contact they
| try to have with me is absurd.
| 8organicbits wrote:
| Huh, I donated about a year back and, while I think I did get
| some messages, I unsubscribed and haven't seen any since. How
| long ago was your donation?
| reaperducer wrote:
| _Donate to a political candidate or large non-profit_
|
| Can confirm.
|
| Joined an art museum in a major city.
|
| Within a month, the unique e-mail address was getting spam from
| the aquarium, the science museum, the local PBS television
| station, and some museums I never even knew existed.
| marcinzm wrote:
| Yup, one donation and I get a never ending stream of different
| political campaigns messaging me. Unsubscribe from one and a
| different one emails me the next day.
|
| Marking them all as spam seems to be helping more than
| unsubscribing.
| sbf501 wrote:
| I should have specified that it was only retail, not social
| media or politics.
| gigel82 wrote:
| FWIW, I've been running a similar experiment (granted, for only 2
| years) only instead of specifying the company name I'm using a
| random term (e.g. purplerabbit@domain.com) and found similar
| results. No 3rd party spam thus far (though I found a few
| companies that continue to send marketing materials, etc. even
| after using all available unsubscribe options).
| Raed667 wrote:
| I only have 2 addresses that receive spam:
|
| 1- An address I used for buying an RPi from a French retailer
| (kubii.fr) which seems to have had a data breach
|
| 2- An address I used at Decathlon when I signed up for 4x payment
| plan. They seem to share the address you use with Sofinco which
| keeps spamming me even after unsubscribing.
| mynegation wrote:
| I do this and I definitely get spam to addresses associated with
| e-mails leaked or sold in bulk to the highest bidder. I rarely
| _see_ it as most of the time "unsubscribe" link works (for sold
| e-mail lists, as the buyers usually try to maintain some sort of
| decency) and for those where it is useless (shameless
| "enlargement" type emails, usually from stolen email databases)
| it is usually classified correctly as spam by an e-mail provider
| or e-mail client.
|
| So, I never had to explicitly filter e-mails out by "To:" field,
| but using this system still gives me some sense of control.
| duncan_idaho wrote:
| Another anecdote, but after visiting https://apiworld.co/
| conference I receive a couple spam software sales emails a day. I
| unsubscribed to all of them for awhile but still get them years
| later.
| 1in1010 wrote:
| You can program your email server to simply drop anything to
| company@myDomain.com that does not originate from company.com
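
An added example (not part of the thread and not any commenter's code) of the per-alias rule 1in1010 describes in both comments: accept mail to company@mydomain only when it really comes from that company. Because the From header is trivially forged, this sketch also requires a DKIM pass for an allowed domain, read from the Authentication-Results header stamped by your own MTA. The domains, the alias map and the authserv-id are assumptions, the sample messages are constructed, and it assumes your MTA strips inbound Authentication-Results headers that claim its own authserv-id.

```python
import email
import re
from email import policy
from email.utils import parseaddr

MY_DOMAIN = "mydomain.example"            # assumption: your catch-all domain
TRUSTED_AUTHSERV = "mx.mydomain.example"  # assumption: authserv-id your own MTA stamps
# Assumption: hand-maintained map of alias -> domains that company really mails from
# (many companies send through a separate mailing domain, so list those too).
ALLOWED = {"company": {"company.example", "company-mail.example"}}

def _matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def dkim_pass_domains(msg):
    """Collect header.d values with dkim=pass, only from our own MTA's results."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = str(value).split(";")
        authserv = parts[0].split()
        if not authserv or authserv[0].lower() != TRUSTED_AUTHSERV:
            continue  # written by someone else (possibly the sender): ignore
        for part in parts[1:]:
            if re.match(r"\s*dkim\s*=\s*pass\b", part, re.I):
                m = re.search(r"header\.d=([^\s;]+)", part, re.I)
                if m:
                    domains.add(m.group(1).lower())
    return domains

def verdict(raw_message, rcpt):
    """Return 'accept', 'reject', or 'no-policy' for one message and recipient."""
    local, _, domain = rcpt.lower().rpartition("@")
    if domain != MY_DOMAIN or local not in ALLOWED:
        return "no-policy"  # not a per-company alias we track
    allowed = ALLOWED[local]
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    signed = any(_matches(d, allowed) for d in dkim_pass_domains(msg))
    return "accept" if signed and _matches(from_domain, allowed) else "reject"

def sample(from_addr, auth_results):
    """Build a constructed test message."""
    return (f"From: {from_addr}\nTo: company@{MY_DOMAIN}\n"
            f"Authentication-Results: {auth_results}\nSubject: test\n\nbody\n")

SAMPLES = {  # all constructed
    "legit": sample("Shop <news@mail.company.example>",
                    "mx.mydomain.example; dkim=pass header.d=company.example"),
    "spoofed_from": sample("support@company.example",
                           "mx.mydomain.example; dkim=none"),
    "third_party": sample("offers@spammer.example",
                          "mx.mydomain.example; dkim=pass header.d=spammer.example"),
    "forged_results": sample("support@company.example",
                             "evil.example; dkim=pass header.d=company.example"),
    "lookalike": sample("deals@notcompany.example",
                        "mx.mydomain.example; dkim=pass header.d=notcompany.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, verdict(raw, f"company@{MY_DOMAIN}"))
```

A strict rule like this also rejects legitimate mail the company sends through a processor or partner domain you have not listed, so quarantining rejects rather than dropping them is the safer starting point.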
| bryankaplan wrote:
| I too do this, yet I occasionally receive evidence that my
| address was sold or stolen. I've confronted one company about the
| problem, and they outright denied that they had any part in it.
___________________________________________________________________
(page generated 2022-08-15 23:01 UTC)