
Using a catch-all domain is a mistake

255 points | withzombies | 3 years ago | notcheckmark.com | reply

295 comments

[+] dzek69|3 years ago|reply
I'm using catch all since forever. I regret nothing.

Two stories:

I don't use mails like facebook@domain uber@domain - that's too obvious. And knowing that may often disclose that I actually have an account registered on a given page. I don't want that, so I go full random, using a few words I have in mind, the current few words from the song I'm listening to, etc. So the password manager helps me with e-mails too.

But sometimes when a website annoys me (stupid rules for passwords, crippled UX for forms, because re-writing a select component in javascript is such a brilliant idea, etc) I tend to insult the company I'm registering with using my e-mail or password, I mean mail: [email protected] and pass: goDieInPain1312323$$$$. Once I registered an account for a supermarket loyalty card with some very little insult towards the supermarket. Later I got some huge amount of points collected and their system crashed and I had to contact the support (the bonus was too high for me to give up on that). First via e-mail then via phone, when they were confirming my address. They helped me and said nothing about the name I was using.

Another story:

When I started with catch-all I was actually using mails like companyname@mydomain, and when I once contacted them via phone the person talking with me was not very into tech I think and was accusing me of... I don't really know exactly, but she told me something about me using their stuff without their acceptance, and when I tried to explain that's my own domain she told me I cannot use their name, because that's a copyright infringement. Weird.

[+] mixologic|3 years ago|reply
I have been using a catchall domain since 2004 and it has been a lifesaver.

The sad part is when your email leaks from big companies, you definitely know. I started getting viagra spam delivered to [email protected] back in 2007, long before their "big data breach", so it was only a matter of time before that company's pattern of poor security caught up with them.

Email should have always been a bidirectional address, representing the relationship between the sender and receiver, and not a wide open receiver for anybody who happens to have your address.

[+] OJFord|3 years ago|reply
I have a couple too:

Panicked phone call from a jeweller who wanted to know how and why '[their] domain was in my email address'; think he sort of understood once I explained, but still said something like 'can't be too careful in this business' - well sure ok but what am I going to do with.. oh, never mind!

Password lockout/reset over the phone, reading my 100ch 'memorable phrase' as generated by pass... Gave the guy a good chuckle, and no he was not willing to concede by the umpteenth 'upper case A' or 'backward slash' that I obviously 'knew' the phrase and could surely be relieved from reciting the entire thing... I use shorter ones now.

[+] inetknght|3 years ago|reply
> I don't really know exactly, but she told me something about me using their stuff without their acceptance, when I tried to explain that's my own domain she told me I cannot use their name, because that's a copyright infringement. Weird.

I can't tell you how many non-techy people think I'm part of their company because I have yourcompany@mydomain. Sigh. Big companies have ruined the internet by having everyone have @gmail or @hotmail or something.

[+] Semaphor|3 years ago|reply
Another no regrets catch-all user. Looking into my rules, I have 4 "to" addresses that get sent to spam.

Two stories as well:

a) After contacting a company, I got a mail from their legal department asking me to explain why I’m using their trademarked name in my email

b) Using an online-shop that requires emailing the owner for your order (so he can send you a PayPal invoice and then snail-mail you the music CDs you ordered…) I got a personal message attached of him asking why his label’s name is in my email address.

In both cases, a short explanation was sufficient, though.

[+] bambax|3 years ago|reply
I too have been using a catchall email address since some time in the last century, and it's been cool, although the post is right when they say

> The truth is no one really sells your email

The reason I started doing this was to monitor if someone would transfer my address, and it's never happened. You also get more spam because every firstname@yourdomain works.

But the weird interactions are good! Last year I wanted to get my kid in a somewhat selective middle school (in France) and the fact that the email I was registered with was name_of_school@mydomain helped, because the principal was convinced I was and always had been a huge fan of the school, to have my email named after them...

People simply don't understand you can have more than one email address -- let alone a million. That's kind of fun.

[+] e40|3 years ago|reply
I actually got a call from a company I bought something from, direct from their website. I had bought it using the email $company@$mydomain. Got a call (in the days before most of my calls were not spam and I answered the phone!) from a marketing person and the guy tried to bully me into ... not sure what. I couldn't even tell, like you, what he was accusing me of... I'll say, it felt really good to school him about the internet and how it worked.

[+] mulmen|3 years ago|reply
> When I started with catch-all I was actually using mails like companyname@mydomain […]

I missed out on a dentist appointment because of this. They thought I was a robot. I blame gmail.

[+] m3047|3 years ago|reply
The phone thing has veered into outright fraud. Twitter just paid a $150,000,000 fine to the (US) FTC for letting advertisers match on telephone numbers provided for 2FA.

I am really tired of people selling my burner phone to the credit people; and no, I don't own that phone number. Prove I do.

Take my local credit union. Please. Jackasses let someone have access to my checking account. I don't bank online with them either, or I didn't, but last summer was trying to talk to them about a refi and I had to register online and they wanted a phone for 2FA. So of course instead of calling the land line, which is clearly and incontrovertibly mine, they called the burner. Several times.

Eventually I answered it with "fuck you you frauds" and they were "oooh sir, call me back on my direct line" so I tried... from my land line in the same area code, you get the idea... and their system won't route the call to their fraud department. So I ignored them for a couple of weeks.

Seriously they were so incompetent that when the actual fraudsters were probing, the first transaction was a /deposit/. When they were finally trying to clean their mess up, they /credited/ me the same amount. I'm the one who figured it out and told them well you gave me 2x their original deposit, when you really should have debited the amount in the first place.

People like that are not going to safeguard your information.

Ob relevance: I have my own reasons for not wildcarding domains and use this instead: https://github.com/m3047/trualias

[+] EGreg|3 years ago|reply
That dude missed the biggest benefit

When someone tries to call into a provider and impersonate you, to take over your account… they would fail because they don’t know your login even!

Whereas, for most people, they’d sweet talk the person on the other line into resetting the password. Happened to me with GoDaddy, they almost rerouted my @mydomain.com email and then it would have been really bad

[+] cube00|3 years ago|reply
Another no regrets checking in. I've caught companies either selling (or leaking) my address so for me it's been worth it.

Some businesses freak out that "that's our domain name, we own it, you can't possibly use it".

To placate them I'll spell it backwards or give a related name from which I can still work out the source, e.g. fleet2022@ if I'm renting a car.

[+] stormbrew|3 years ago|reply
I use myname-shortbusinessname@mydomain and once the delivery person for a pizza place I ordered from fairly regularly asked if I worked for the store somehow. I changed the email I used with them to one that was less obvious after that.

Not as exciting as getting accused of trademark infringement, but it’s interesting how people interpret these things.

[+] alanh|3 years ago|reply
Regarding 'copyright infringement,' you gotta love it when people get aggressive about IP without knowing what they are talking about; the relevant law would be trademark, not copyright.

[+] C4K3|3 years ago|reply
I've been doing this for close to a decade and sometimes salespeople and customer service people will ask to confirm, but that takes 5 seconds and isn't awkward (in my opinion.)

It has more benefits than knowing who leaked your email, it lets you easily filter your incoming email by who you gave the email to, and when your email is leaked it lets you shut off that email address. Of course you can also filter your email by the sender's domain, but that isn't as consistent, and doesn't help at all when your email address has been leaked.

It's true that you do have to set it up so that you can send email from the addresses to avoid not being able to reply by email, and you will want a password-manager or something to remember exactly what email you used, for convenience.

Personally I'm glad I've done this, it's made it much easier to organize my emails.

[+] gowld|3 years ago|reply
More so, it's good to teach people that valid email addresses are in fact valid.

This part:

> Especially since all these companies ask for and verify your cell phone number

is true, though.

and

> The one outlier is political campaigns: they'll share your email till the end of time.

Because politicians exempted themselves from anti-spam laws, as they do with most laws.

[+] willk|3 years ago|reply
I couldn't agree more. I've been using a catch-all for probably 12 years now. Sure, sometimes you get a second look when you give an email that has the business's name in it, but who cares?

I get the benefit of blocking mail coming to me forever, doing fast sorts and searches, and never having to worry if the company doesn't like a + in my email address.

[+] scoot|3 years ago|reply
I use 33mail.com (33m.co) for this which gives you a personal subdomain for free, or a private domain on the paid plan. I'm on the (super cheap) paid plan due to mail volume, but haven't found the need for using a personal domain.

I find it zero effort having a unique email address per site, and when combined with unique (algorithmic) password gives effectively a unique identity per site (cookie sharing aside, but there are solutions for that.)

As a result, I have been able to call out a couple of sites for data breaches, and continue to see npm spam in particular. Worst offender so far is Pipedream, an absolute embarrassment for their CEO who appears to have initiated the data scrape. I won't be surprised to see them sued out of existence, which is a shame, as I like the service in general.

[+] couchand|3 years ago|reply
> you do have to set it up so that you can send email from the addresses

Fastmail's webmail allows you to specify the sending email address for a catch-all mailbox in the message composition page, so there is no additional setup there.

[+] brewdad|3 years ago|reply
I have a single address, [email protected] that I use as a throwaway and then route it to a folder to review about once a week. It draws a chuckle from salespeople when they ask for it or see it pop up in their system.

[+] NonNefarious|3 years ago|reply
Eh, I did it for a while and while I think the OP overstated the "awkwardness," I didn't find that the effort was worthwhile. I only caught one entity selling or otherwise divulging my address: the Atlanta Journal-Constitution newspaper, oddly enough.

Oh, and someone did hack some FAA database and mine it for addresses.

But that's all I netted in several years. Beyond my main address at my own domain, I keep a Gmail address for mailing lists and other low-grade traffic.

[+] Brian_K_White|3 years ago|reply
So basically, yes it's a bit of extra work, but simply worth it.

Life without it is worse than life with it.

[+] kornhole|3 years ago|reply
Agree. This also creates additional challenges for data brokers when trying to tie together datasets about you.

[+] simmons|3 years ago|reply
I've been doing this for over 20 years, and it hasn't really been a problem. During the occasional real-life interaction that requires someone to confirm my address and they express surprise, I just tell them that it's correct and I have advanced email needs. It never takes more than a few seconds -- nobody has ever said "please tell me all about your advanced email needs!" :)

> I use a password manager for passwords but I also need to use it to remember the associated emails.

I do this, too. It never occurred to me that you might not populate the email/username field -- it's kind of the password manager's job to keep track of that. :)

> The truth is no one really sells your email – at least no legitimate companies.

I think that on the whole, this is true. However, I have had a number of these addresses start receiving spam over the years. I think this is due to the companies' databases being compromised due to poor security. At the end of the day, the cause of the leak isn't greatly important, and I'm glad I can simply turn off those particular addresses.

[+] stickfigure|3 years ago|reply
For weeks our Shopify app was getting rejected because "you cannot use the Shopify name or trademark in your app". It wasn't... repeated requests for clarification just got back the same form response.

After several frustrating back-and-forths, finally someone at Shopify said "check your email address".

The developer contact email address we had submitted, which was only used for shopify<->us communication and no customer would ever see, was [email protected].

<facepalm>

[+] prawn|3 years ago|reply
You'd think anyone competent in tech would instantly recognise that for what it was. Using an email like that for a specific purpose shouldn't be that uncommon. And they should recognise that it was an internal address. Crazy.

[+] kazinator|3 years ago|reply
Title says that using a catch-all domain (whatever that is) is a mistake, but the bulk of the article is about it being a mistake to use the other party's company name as the local part of a throwaway e-mail address which you use for communicating with that party. There is nothing about the catch-all aspect being a mistake. You don't have to give a Hilton hotel an address like [email protected]; it could be [email protected], right?

I use a throwaway e-mail system whose generated addresses look like this: [email protected]. The dashes can be replaced by underscores or periods: all are recognized, but not mixtures of them: basically three versions of every alias are installed. (Why? I ran into a situation where I had to enter my e-mail address into a point-of-sale system that didn't accept dashes.)

There is no "catch all" mechanism at play. Each address is explicitly created, using a web-UI application that I wrote. The moment you create it, it goes live, as a local alias recognized by the mail server.

Each such address is associated with its creation date, and a memo field. If the memo field contains URLs, they get rendered into navigable form. They are editable. The memo field is what tells me who/what the address is associated with. I have a regex search box to filter the entries (quite a lot have accumulated).

The UI is like Web 1.5: you can checkbox these items and do bulk operations on them, like bulk delete, move to top, move to bottom and such.

When I delete an address, it immediately stops working. THAT is why "catch all" would be a bad idea; if you have a rule which routes any nonexistent local part to your inbox then you don't have any easy way to turn off an address which is being abused, other than going into the mail server rules and writing a rule to reject that address. That's not a fun UX, compared to a nice throwaway address management dashboard.

This system is called TAMARIND: Throw Away Mail Alias Randomization Is Not Defeatable. :) :)
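The two delivery models described in this comment, modelled in Python as an added example (this is not TAMARIND's code): explicit aliases that accept the dash, underscore and period spellings but not a mix, carry a creation date and a regex-searchable memo, and stop delivering the moment they are deleted; versus a catch-all that delivers any local part unless it is on a reject list. The local parts, memos and the case-insensitive matching are assumptions of the example.

```python
import re
from dataclasses import dataclass
from datetime import date

_SEP = re.compile(r"[-_.]")


def separator_variants(local: str) -> set[str]:
    """Return the recognised spellings of a local part: every separator
    replaced by dashes, by underscores, or by periods. A mixed spelling
    such as 'hilton-2022_x7' is never produced and so never matches."""
    words = _SEP.split(local.lower())  # assumption: local parts matched case-insensitively
    return {sep.join(words) for sep in "-_."}


@dataclass
class Alias:
    canonical: str   # dash spelling, e.g. "hilton-2022-x7"
    created: date
    memo: str        # who/what the address was handed to


class ExplicitAliases:
    """Every address is created on purpose and goes live at once; deleting
    it stops delivery immediately. Unknown local parts are rejected."""

    def __init__(self) -> None:
        self._aliases: dict[str, Alias] = {}  # canonical -> Alias
        self._live: dict[str, str] = {}       # each accepted spelling -> canonical

    def create(self, local: str, memo: str, created: date = date(2022, 6, 1)) -> Alias:
        alias = Alias("-".join(_SEP.split(local.lower())), created, memo)
        self._aliases[alias.canonical] = alias
        for spelling in separator_variants(local):
            self._live[spelling] = alias.canonical
        return alias

    def delete(self, *locals_: str) -> None:
        """Bulk delete, as the dashboard's checkbox operation would do."""
        for local in locals_:
            canonical = self._live.get(local.lower())
            if canonical is None:
                continue
            self._aliases.pop(canonical)
            for spelling in separator_variants(canonical):
                self._live.pop(spelling, None)

    def accepts(self, local: str) -> bool:
        return local.lower() in self._live

    def search(self, pattern: str) -> list[Alias]:
        """Regex filter over the memo field, like the dashboard's search box."""
        rx = re.compile(pattern, re.IGNORECASE)
        return [a for a in self._aliases.values() if rx.search(a.memo)]


class CatchAll:
    """Any local part is delivered unless it was explicitly added to a
    reject list; that list is the only way to turn an abused address off."""

    def __init__(self) -> None:
        self._rejected: set[str] = set()

    def reject(self, local: str) -> None:
        self._rejected.add(local.lower())

    def accepts(self, local: str) -> bool:
        return local.lower() not in self._rejected


def route(scheme, rcpt_local: str) -> str:
    """Delivery decision for RCPT TO:<rcpt_local@domain> under either scheme."""
    return "inbox" if scheme.accepts(rcpt_local) else "reject"


if __name__ == "__main__":
    explicit = ExplicitAliases()
    explicit.create("hilton-2022-x7", "hotel booking (constructed memo)")
    for spelling in ("hilton-2022-x7", "hilton_2022_x7", "hilton.2022.x7",
                     "hilton-2022_x7", "anything-else"):
        print(f"{spelling:16} -> {route(explicit, spelling)}")
    explicit.delete("hilton.2022.x7")
    print("after delete     ->", route(explicit, "hilton-2022-x7"))

    catch = CatchAll()
    catch.reject("bernie")
    print("catch-all bernie ->", route(catch, "Bernie"))
    print("catch-all other  ->", route(catch, "anything-else"))
```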

[+] kazinator|3 years ago|reply
Tamarind is found here: https://www.kylheku.com/cgit/tamarind/tree

It's a CGI application used with Apache.

That code you see there does everything, using the raw HTTPS stream and environment variables from the server. There are no libraries, no web framework, nothing.

- cookie handling / session persistence

- generating HTML responding to requests

- reading/writing e-mail aliases file

- authenticating via IMAP or SASL

[+] bitexploder|3 years ago|reply
Fastmail also has features similar to this. Aliases and randomized masked email. The web ui helps you send email from the masked email as well.

[+] bambax|3 years ago|reply
> You don't have to give a Hilton hotel an address like [email protected]; it could be [email protected], right?

Sure, but then it's impossible to remember, or use for classification of incoming mail. Password managers can help with the first problem but not the second one.

[+] al_borland|3 years ago|reply
iCloud+ has something like this as well. So far I've only used it with Sign In with Apple, or whatever it's called. Your comment led me to go check out the iOS Settings and it looks like one-off random email aliases can be made in there.

Of course at this point my email is so many places it almost seems like a lost cause. What I wouldn't give to have a reset button for the entire internet. I would be much more careful with my address than I was 20 years ago.

[+] Animats|3 years ago|reply
I used to have one of my domains configured to accept all mail, after spam filtering. The result was amusing. I had the domain in .com, and a school in the UK had the same domain name in .co.uk. So I'd get some misaddressed mail, usually at the beginning of the school term. Not that much.

One day I got a message "I am going to kill you tonight". It was from someone at the school, intended for someone else at the school. I wasn't sure what to do, especially since it was the middle of the night in the UK. Call the cops in the UK? Finally I found an emergency number on the school's web site, and ended up reaching the headmistress. She was at first annoyed at being awakened. Then she was fully awake and annoyed. Once she heard the name of the sender, she said "He's only 12". Some kid was in for a major chewing out, but the situation did not require police.

If that had happened in the US, there would be a SWAT team callout.

[+] superkuh|3 years ago|reply
I strongly disagree. I've also been using a catch-all domain for more than a decade and giving each sign-up its own [email protected]. I can remember one small issue. Otherwise it's never been a problem. The problem has been getting marked as spam for running my own mailserver. But it's all worth it in the end.

[+] neogodless|3 years ago|reply
I've had some of the same experiences as the author. "Do you work for..." or "You must be a big fan..." And plenty of "How do you... "

A few sites actually check for and prevent you from putting their domain name in as email (probably something about having employees sign up... ?) so that's a bit annoying.

I think it's worth it. Among other things, if any one alias becomes tainted enough, I'll throw it on a burner account so those emails go into a black hole, instead of my spam folder. And I'm always using a password manager on a computer, rather than trying to remember email when I visit a retailer. (Often, these days, if I'm in person, I just make up some kind of abbreviation - instead of "Ollies@", "olbgo@" because I don't care too much and even if I forget where it came from, it's not a big deal.)

And there's a slight security benefit if one email + password leaks, though these days every password is unique too (was not always the case... ah the naivety of my internet youth.) I don't think email addresses get sold "a lot" but they sure do get breached a lot and end up in the hands of spammers. Cadillac@ actually got sold or breached quite quickly after I signed up for a free car brochure, about a decade ago.

With my current host (NameCheap) and Thunderbird, it's very easy to change my from address - it just works without any hassle.

[+] ShakataGaNai|3 years ago|reply
Been using a catch all email domain since 2005. I've not had any major issues with it.

The entire "calling up and having to explain the username" thing is few and far between. Had that conversation in person and over the phone dozens of times, at most I get a little ask to verify I spoke correctly. Customer support doesn't care. They have people calling them up with an email address of "420hotcock69 at something dot tld". The entire "your company name at silly domain dot tld" generally doesn't faze them.

Misspelled accounts? Rarely happens. Copy and paste the domain. Use a password manager. The only time I have trouble logging in is when I can't remember if I used social auth or created an account.

As for getting email accounts purged? Don't bother. Stop using it for whatever legit reason. Then set a filter to mark all email to that user@ to be sent to spam/deleted. Problem solved.

The ONLY time I've had issues was a few random systems that had funky rules for verifying fake email addresses. Oddly they sometimes look for their own domain name in the email address. So I can't use the exact domain name at those.

[+] thebean11|3 years ago|reply
I try to disguise it a little to avoid the awkwardness, and also put the recipient into the subdomain instead of sender name. For example for grubhub I'd do:

[email protected]

No need to remember anything because it's all in a password manager. I've found this worthwhile, already blocked a couple spammers.

You could also go with something fully random, you still get the same benefit. It's easy to look in your email history and see what you originally used the email address for. Password manager obviously required though.

[+] eastdakota|3 years ago|reply
Before Cloudflare, I built a company around this called Unspam. It wasn’t commercially very successful, but it allowed you a ton of power around routing/filtering emails on a per-email basis (e.g., require senders to certain emails to pass a Turing test, add a header to others, turn up or down spam filtering by the address). I haven’t had the problem the author references, but mostly because I preface conversations with: “This is going to sound weird, but my email is…”

There’s a security benefit in making your email not-the-same across services. Yes, perhaps many of mine are guessable if you know the pattern I use. But it defeats non-targeted scanning. People target me (I was just sanctioned by Russia along with Mark Zuckerberg and Marc Benioff! Woot!!) yet exactly zero people have targeted me this way.

I’m still one of the few remaining Unspam users. Works great to this day. (Impressive given I wrote the PERL that powers it.) Actually think someone could spend a week with Cloudflare + Workers + Email Routing + Area1 and replicate the functionality+++. I’d gladly pay $5/mo for that. Wouldn’t be a big business. But an example of a bootstrappable lifestyle business that could easily cash flow enough to healthily sustain a couple developers.

Let me know if you build it:

[email protected]

[+] Nadya|3 years ago|reply
I'm going to mirror most of the other commenters in saying - I've been doing this for nearly a decade and have basically never had an issue with it and have absolutely prevented some spam because of it. The "social awkwardness" problem of using "[email protected]" can be solved by using "[email protected]" instead or random characters or my personal favorite throwaway "[Company][email protected]". Yea, you might have to use a password manager to know which random string of nouns is tied to what account - but no more "social awkwardness" of using the company name in your email (can't say I've ever had that experience either...)

In fact the only issues I've ever had with a "non-standard" email address (aka: not @gmail, @yahoo, @hotmail, etc.) is that one of my domains is a .ru address and even before the modern-day issues surrounding Russia .ru addresses get blocked in many places. My fallback email is an email hosted by https://cock.li which being chan-adjacent also gets blocked so occasionally I simply have to accept that I am not wanted as a user because my email isn't good enough.

[+] 5evOX5hTZ9mYa9E|3 years ago|reply
I've had sales and customer service ask me about this a handful of times and I simply said: 'It's a unique email address so that you guys can't sell my details or get hacked and lose my email.'

The only interaction that sticks in my mind regarding this is when one of the sales people asked me how they might set up their own version of a catch-all domain. That's about it.

[+] acjacobson|3 years ago|reply
I agree with a lot of the other comments here. I've been using a catch-all for years without significant problems. I think the closest to an awkward moment was when a small web comic artist wrote to me a bit confused. I had used the name of her comic to subscribe to her newsletter. I explained what it was and we had a laugh - if anything it perhaps increased a bit of human connection between us that otherwise wouldn't have existed.

I feel as though the author is throwing away a lot of advantages because of some minor social awkwardness that can be worked through, or completely avoided by using a different naming pattern.

We're even starting to see one-off emails created for you automatically (iOS can do this) because of the number of advantages.

[+] lucideer|3 years ago|reply
I have not encountered the author's 2nd issue because I use a password manager.

I have encountered their 1st issue (awkward encounters) and consider it a feature. I guess this depends on certain extro/intro-vert-ish human preferences, but it can be a nice talking point if you approach it right.

The author's argument can be generalised to an appeal to normativity - doing ANYTHING that isn't common practice will garner awkward interactions. It's also a necessary early-adopter stage of anything eventually becoming common practice (and catch-all domains are becoming an automatically supported feature in many services now so here's hoping it does).

[+] johnklos|3 years ago|reply
I don't buy it. The number of people on HN that say, "it takes non-zero effort, and it was hell to exert that little bit of effort, so you shouldn't do it."

That might be a worthwhile message for a hardware hacker site where putting effort in to email configurations might be different enough from the meat of what most people are doing, but for this site? No. Don't try to sell "hacking is slightly hard, so don't do it" to hackers, please and thanks.

I've been doing individual email addresses for ages, and I've forced more than one company to disclose breaches because I was able to show with certainty that an address couldn't have been lost any other possible way.

[+] joshstrange|3 years ago|reply
I agree that using per-company email address to sign up is not a good idea but I love my catch-all email address.

When I'm testing my software (professional or personal) I can "create" emails on the fly for new user accounts. Yes, with Gmail, you can do the [email protected] trick but with my setup I never need to rely on that (or worry someone might block it), I just use [email protected] and I'm good to go.

Same for my LLC, I have a catchall so I can set up things like [email protected] and get all those emails to my main [email protected] email address and then in the future if I need to turn that into a group or its own email address it's super easy and forward compatible. Just like [email protected], right now I'm the only one that handles that but I can hand that off in the future if I need to without any issues at all.

Tangentially related: getting your own name as your domain name is really nice in more ways than you might think. Giving my email over the phone is a cake walk, I've normally just given them my name, then I just say "josh at joshstrange dot com" and I never have to worry about spelling or them hearing me perfectly since it's just a combination of the info I just gave them (my name). I get comments about it from time to time but buying that domain in high school was the best decision I ever made when it comes to tech/email. It's stayed the same for well over a decade and I never had to give out an embarrassing email or worry about "what email did I use to sign up for that account?".

[+] rytis|3 years ago|reply
One problem I have with catchall is passing my email addresses between "rings of trust". Example: say I have an email for close friends and family: [email protected]. Everywhere else I use spam<random_number>@example.com. All's well, until some well-wishing family member decides to give me a gift in the form of a subscription, or something like that, and uses my email they know: [email protected]. And just like that the whole carefully built house of cards collapses.

[+] kodah|3 years ago|reply
> The truth is no one really sells your email – at least no legitimate companies. The one outlier is political campaigns: they'll share your email till the end of time. No matter what I do I can't get bernie@ purged from any lists. Every level of government has that email and they share it as widely as they can. I'm pretty sure I only gave him $20 a decade ago.

Interestingly, when I was in Texas this never happened. I voted, I attended rallies, etc... The Democratic and Libertarian parties there just never sold my information; moreover, they never added me to lists or texting campaigns.

Then, I moved to California and the flood gates opened. I was getting back to back text messages from "campaign organizers". Later, I found out these are just normal people texting me from a burner phone because I angrily replied to one of the texts. Why, in this day and age, the Democratic party would entrust my name and phone number (and who knows what else) to some random "volunteer" or "advocate" is beyond me. You don't need to spend more than five minutes on the internet to understand many people who use that title do so with misaligned intentions.

Nowadays, I report their numbers to Google and they automatically go to spam.

[+] schoen|3 years ago|reply
I think they are mostly using a tool that proxies the SMS communications between you and the volunteer. But I don't know what tool or what its privacy or security features might look like.

[+] FateOfNations|3 years ago|reply
Here in California the campaigns can get copies of the contact info on everyone's voter registrations: "pursuant to Elections Code §2188 and §2194, voter registration information is available for electoral, scholarly, journalistic and political purposes, as well as governmental purposes, as determined by the California Secretary of State."

[+] bpye|3 years ago|reply
I've not had this issue with the UK Labour or Green parties, or the Canadian NDP - I still get their mail sometimes, but nothing else.

[+] mike_hock|3 years ago|reply
So it turns out using a catch-all domain wasn't a mistake.

Confusing companies by using THEIR name, being completely disorganized with the names and not even saving them in a file, was a mistake.