Ask HN: Do you track how your email address is used?

bityard|1 year ago

I self-host my own email server (against The Greater Internet's better judgement, it feels) and one of the neat things I can do with Postfix is set any arbitrary character as a username/junk separator.

Gmail has supported this for a long time with the '+' character, but this has some major problems. Many things that accept email addresses don't recognize '+' as a valid email username character and won't let you submit the form. I hypothesize that some of this is poor awareness of what constitutes a valid email address, and some of it is intentional to force users to input their "real" email address. I have also run across a few systems that stripped off the '+' suffix off my gmail address.

My solution is to use the '.' as the separator because 'firstname.lastname' is a VERY common email username and I'm happy to not allow it in a "real" username on my tiny mail host.

So every new site or company I interact with gets user.acme@example.com instead of my "real" email address. I can filter incoming emails based on the To header. And I even have a list of companies (a couple well-known) that have leaked or sold my email address to spammers. Some day I'll write a blog post about that.

meew0|1 year ago

I do this too. It's worth noting that you don't need to host your own email server to do this. I personally use Migadu as an email host for my own domains which lets me define arbitrary wildcard redirects. I'm sure most of its competitors will let you do the same.

taftster|1 year ago

Note that Gmail also supports dots as well (similar to your postfix solution).

https://support.google.com/mail/answer/7436150?hl=en

AH4oFVbPT4f8|1 year ago

Do you ever have issues sending messages using user.acme@example.com as the from address?

Some companies want you to respond from the email address on file when you interact with them.

LinuxBender|1 year ago

I use canaries. I point a dozen domains to fastmail and another dozen to my self hosted email servers. Each have aliases that are mapped to vendors but do not have the vendor name as some vendors are getting upset at this practice and calling it fraud. If I start getting garbage on that alias, I notify the vendor. In most cases they will give me a boiler plate response and then I delete the alias. If they are snarky I create a reject rule with my own snark that also explains the emails for that vendor have been either sold or compromised. This is to let people buying email addresses know they bought a dirty list as some of the modern bots have some telemetry.

unsnap_biceps|1 year ago

woah, what do you mean by calling it fraud? Have you actually had companies come after you legally due to an email alias?

freetanga|1 year ago

I do this too (3 domains, Fastmail)

For specific vendors where I am at the shop, I just make up an alias email with their name in it.

For apps, services, I configured bitwarden to create email aliases on Fastmail, so they are linked to a service.

ntw1103|1 year ago

I care. I use a generated email address at my domain for every account/service/website. I store the account info in keepass, they all have generated passwords too. I can see when email comes in who abused the email, was compromised, or sold it. If an email starts getting spam, i block receiving to that address. if desired, I update the account to have another generated email, but usually if I'm getting spam to that email I don't want to do business with them again.

m463|1 year ago

I do the exact same thing.

It gives you quite a bit of insight and control.

some examples:

- at some point my email for amazon was shared, and I started getting offers from some vendor to 5-star review one of their products on amazon. I changed my amazon email address. (I generally trust amazon)

- emails from my bank have to go to a specific email address. I can be pretty certain it is my bank contacting me.

- I generally do not give my email address to retail stores. On several occasions I've given it to them for deliveries, telling them it isn't for anything but for the delivery. I'd say 80% of stores are super disrespectful of this. One spammed me every. single. day. with offers, until I got the delivery and turned off that email address.

- I once gave out a specific email address to a friend. He shared it with a second person to coordinate all of us meeting. and then I started getting phished so we figured out that the second person had his email compromised.

- I rented a car from hertz and had to give an email address. and then they sold it to other companies.

- linkedin stuff. easy to spot fakes since they don't go to my linkedin email address. Also easy to spot emails from people contacting me who got the email from linkedin.

It goes on and on. More people should do this.

digging|1 year ago

I generate a "username" on Bitwarden for every new address I need which is effectively the same approach (using my domain). Do you mean though that you generate an email address with your mail server, or do you just use a catch-all? I do the latter and I've never considered "turning off" an address before and now I wonder if I have that option.

wruza|1 year ago

Does that work? I mean if I had that rule, I wouldn’t do business with almost anyone again. How does that help even?

unknown|1 year ago

[deleted]

ortusdux|1 year ago

I do this as well. Unique emails for every account along with unique passwords, password manager. Works great so far.

spl757|1 year ago

I run my own IT. I host my own email, authoritative DNS, web, etc. I use wireguard for a lot of stuff. I put stuff behind cloudflare. I'm sneaky when I need to be, but mostly I'm just a control freak. I also know way more than the average person about email and email authentication. Or lack thereof.

Every entity gets it's own email address. As others have pointed out, it lets me track who ends up with it. Sometimes I find it surprising, mostly I don't. Sometimes, though, people are up to some shit.

edit to say that those actually creating mailboxes for everything should just use aliases that funnel to a single mailbox. So much easier to maintain than having to have a huge keepass db.

edit 2 employ dmarc if you want to see who is trying really game

alexander2002|1 year ago

Hi, Can you guide on how to do a similar setup.I would love if you could possbily share any relveant resources.

wruza|1 year ago

I do not. I have three mail boxes, for trashy, job-y and personal things. And a couple of technical (apple id, etc).

Gmail is really good at filtering spam, so I probably looked into it and found a letter that I waited for only one time in last few years. My inboxes are either empty or may get first non-spam marketing emails that I unsubscribe from immediately. Unread count zero.

Idk why people fortify their email that much and investigate who does what. Have no issues nor hesitation with leaving my work email at any local org.

mattw2121|1 year ago

Same. I used to run my own email servers and do all the per domain things. It was just way too exhausting. Switched to Gmail and haven't looked back. Don't even worry about email at all now. I just wish I had jumped on Gmail earlier to have a better username.

fragmede|1 year ago

The important detail is to add random nonce/salt to the generated email, like _jri68, so that it's not guessable, so it's provable that the database was compromised. Guessing bestbuy@example.com is believable, but guessing bestbuy_jri68@example.com, is not.

meowster|1 year ago

Yes.

I use a catch-all. I can accept (whatever)@mydomain.tld

Anytime a new company wants my email address, I just randomly give them one.

So far I only get spam to the email addresses other people posted on a website as contacts for organizations I volunteer with.

(I get spam from web scraping, not from company hacks/sharing etc.)

itake|1 year ago

JW, why?

Do you get so much spam from a specific email that you feel safe to ban it completely? Are you able to sue them or just send a strongly worded email about how they sold your email?

nzach|1 year ago

I've seen quite a few people here reccomending the use of . and + from gmail, but I don't think its a good idea at all.

Most people who work in the 'email marketing' space know about this feature. So it's common to see people recommending clients to 'clear' their email list before sending unsolicited emails. And some services even offer this as a feature in the platform.

And that also goes for custom domains hosted on gmail. You only need a MX query to learn who is responsible for mail handling in a specific domain.

maeil|1 year ago

> And that also goes for custom domains hosted on gmail. You only need a MX query to learn who is responsible for mail handling in a specific domain

Curious why this matters? Let's say you know abc@foo.com is hosted on gmail, so what?

kkfx|1 year ago

Lightly and calmly, meaning I have many aliases on my addresses on personal domains and I try to always give unique aliases (keeping some spare on purpose), but not always-always because I'm not enough disciplined and the track is very informal, when (very rarely) I see spam I know it's time to rotate the alias. That's is.

Of course if unknown@spammer.net write to my amazon-cx1@mypersonaldomain.tld I could try to locate who have sold/leaked my address but it's still vague, since Amazon, eBay, PayPal, have a gazillion of third party. If it's to JoeIKnowNothingAboutIT@maypersonaldomain.tld it's likely he was cracked and so on.

Sohcahtoa82|1 year ago

I used to use a catch-all with a custom e-mail for every website I used. I had amazon@mydomain, newegg@mydomain, etc.

I found that despite what people think, your e-mail address isn't being sold. At least, not by any vendors with a remotely decent reputation. I never got spam to any of those e-mail addresses.

kiwijamo|1 year ago

That is my experience as well. I have heaps of 'Masked Email' aliases for my Fastmail email account and the only significant offender I've come across is various Kickstarter projects (as I understand Kickstarter passes on my email address when a project is successfully funded) and various Bitcoin sites from back when I dabbled in Bitcoins. All other reputable companies have actually not sold any of my email addresses (including some I've noticed elsewhere in this thread accused of doing so, which I find quite interesting). I am now at the point where I'm considering migrating back the majority of my aliases back to firstname@lastname.TLD address for most things. It is more hassle than it's worth as I often forget I had a Masked Email and end up creating a second account. Also in-store if I need to provide my address it is awkward giving out what sounds to store staff like a dodgy address. Also when I reinstall my computer/phone/etc it's a hassle figuring out what login address I used for each site/app I have accounts with. I may use Masked Email only if there is a higher level of risk.

ProllyInfamous|1 year ago

I ran a catch-all for two decades, including during my IBEW apprenticeship. They were unabashed on sending their own (and others') SPAM daily – direct-to-trash.

helmsb|1 year ago

I do, I use Fastmail and create aliases for every service. It's interesting to see how fast companies will "lose" or sell your email address.

I've seen it as fast as 24 hours my unique email address is being used by others even though their privacy policy says that they will never share your info.

heartag|1 year ago

Fastmail offers per-service generated addresses. I think it's kind of fascinating to watch my email address that went solely to my local credit union start sending me spam somewhat related to my employer.

agarren|1 year ago

Fastmail allows for aliasing too - username@domain.tld -> bank@username.domain.tld, retailer@username.domain.tld, etc. Pretty convenient. I use that feature pretty often and I can only recall one instance which seemed to indicate my address was sold to spammers. It’s more useful for organizing incoming mail, like plus-aliasing in gmail.

Havoc|1 year ago

Occasional use of plus addressing but I find a lot of signup forms now actively block this. Also have a secondary crappy gmail address that I use for low value stuff that is sus. (That’s full of spam and has multiple hits on have I been pwned)

Beyond that I don’t worry about this too much.

As a side note - amazed that iPhone autocorrect corrected my “owned” to pwned in above

gabrielrdz|1 year ago

while they might block the plus, they likely do not block the dot. It's not exactly the same but can help for at least a few scenarios.

mikedelfino|1 year ago

I don't care. Even if I get to know for sure the culprit who sold or shared my email address, then what?

unknown|1 year ago

[deleted]

larrybud|1 year ago

Yes, I’ve done this for years. And to be honest, I don’t think I’ve ever “caught” a business sharing a service when they shouldn’t have. Makes me question why continue to do it.

simmons|1 year ago

I've been doing this for years, as well. I've also found that the majority of companies I give an email address to are actually surprisingly good stewards of that information. However, I have found a number of email leaks. It looks like my block list is up to 31 addresses. Most of those are leaks that led to spam. (Although one was a smoothie chain that insisted on sending me email every single day, and their unsubscribe page always seemed to be "malfunctioning".)

I don't think all or most of these companies on the list are intentionally selling my address to spammers. I suspect most of these leaks are due to poor handling of the data or server compromises. (Surely Adobe, for example, isn't so desperate that they would sell my address to spammers.) But whether by malice or incompetence, I can easily block them.

sans_souse|1 year ago

I care but don't have time or the resources. What I have made a habit of tho is registering to any new website or service using example any.name@gmail.com → register using a.nyname@gmail.com. I then take note of which variant / which service.

I have no idea if this works the way I expect it logically could or should, but if it does I guess I have some data to go thru.

buildsjets|1 year ago

I've used spamgourmet.com for many years (Literally decades, my first entry was 2003-08-07) to create disposable email address. You just make up the address "tempsite.4.username@spamgourmet.com" to create an email address for tempsite that expires after 4 uses. You can always remove this limit later.

My message stats: You have 245 spamgourmet address(es). 827 emails forwarded, 28,605 eaten.

The #1 worst offender for selling my address was Yahoo, followed by the German magazine Der Spiegel, then Groupon. But my stats go back 20 years, so this may not represent current sharing activity. I also have many many examples of registering at all kinds of sketchy websites that have never used that temp address beyond the initial registration confirmation..

Sorting by created date, in the most recent 5 years, my temp addresses seem to be getting shared and re-used considerably less frequently, which probably correlates to the overall death of email, which is for old people, so I am told.

TZubiri|1 year ago

what do you mean yahoo. As in you made a yahoo account with your domain?

Because yahoo also hosted @yahoo addresses, it would have been pretty noticeable if they sold the addresses of their own users.

"EDIT:which probably correlates to the overall death of email, which is for old people, so I am told."

Still alive and kicking as the de facto passport of the internet.

marssaxman|1 year ago

Sure do - though I have my own domain, so I don't need subaddressing. If some address gets compromised, I just set it to bounce.

t0k0l0sh|1 year ago

I also have an @ alias on my domains, and give unique addreses to companies/services which identifies them. I'm only had a couple accusations of "fraud", but they were easily dispelled by asking them to explain what "fraud" I was committing (they couldn't) and explaining why I do this.

Addresses which have been lost/stolen and start receiving spam become spam traps, and I change the email address with the company/service to a new alias so their legitimate mail is delivered normally.

In some of the few cases where the loss/theft was identified, it didn't happen at company/service directly, but with one of their suppliers, for example, a breach at the marketing email provider they used.

mikewarot|1 year ago

My friend Ward was doing sub-addressing back in the 1970s, with made up apartment/box numbers, and eventually the xmodem.com domain. He learned quite a few things about it.

For instance, if you look at the article he wrote about CBBS[1], you'll see he's listed at apartment #3D.

I never took up the practice, though I suppose I could having the warot.com domain to play with, and a single family residence to make up PO boxes, apartments, etc.

[1] https://vintagecomputer.net/cisc367/byte%20nov%201978%20comp...

rootusrootus|1 year ago

I do not regularly track, but I do reflexively create throwaway emails at a domain I bought for that purpose, so that I can /dev/null them if/when someone sells that email address to a list.

barryrandall|1 year ago

Not any more. Dark web rollups include just about everything you could ever want to know about anyone. Using a unique address per service just makes it easier to identify which services you use.

butz|1 year ago

When I learned about public git commits "leaking" my email address it was already too late. Now I'll probably use that email for this particular task. And another sad thing, is that many spammers are picking up "support" email address from Google Play Store. Still waiting for a email service which would charge each spammer several dollars for "successful delivery", or plain "waste of time".

zzo38computer|1 year ago

I self-host so that I can set the addresses to whatever I want it to be. I use the ISP's server for sending and my own server for receiving (this can be configured with Exim).

Then, if I receive some spam messages, I can delete an alias that I don't want, in order to avoid receiving any messages.

(When someone sends to an invalid alias, the SMTP server gives them a 550 error.)

(I use Heirloom-mailx for reading, managing, and sending email messages.)

sinuhe69|1 year ago

My strategy is to use a few alias for sources with spam risk like forum, sign up on “free” offers etc., some for newsletters. When I’m suspicious but not sure, I quickly add the +. Only for very few official transactions, I would use my real addresses. In general, Gmail deals very well with spammers. For the rest, when an alias is spoiled, I simply discard it and create a new one.

tguvot|1 year ago

been running my own email for 25 years or so. been using "plus" addressing (actually hyphen) for approximately as much. got only few cases when email got sold/shared. biggest issue was linkedin email address leak a bunch of years ago, so i got a lot of spam to -linkedin@ alias . changed email on linkedin to something different, and old emails go to spam

speakspokespok|1 year ago

Fastmail let's you set a wildcard when you bring your own domain. Same outcome as other's mention - usernamespotify@domain.com is my spotify email address. I make it up during login creation and it just works. I've used this technique for every login but not once has it resulted in traceable spam. Logins are all tracked in keepass.

speakspokespok|1 year ago

This one time a restaurant owner was demanding email addresses when creating a reservation. I provided the email created using the above technique and explained why.

"if I create an account with Target called target@domain.com and I start seeing emails from Walmart sent to target@ then I know Target sold my data."

His eyes got really big and he changed the subject.

Snawoot|1 year ago

I have addresses like somename-ex-someservice@mydomain.com directed to my email, which I use to register myself in "someservice". This is how I know where email was leaked and needs to be disabled. I use Protonmail basic subscription to attach my domain. Before that I was using rewriting rules in Postfix.

apercu|1 year ago

What's especially awesome is how many unsolicited emails don't have unsubscribe links in them.

bityard|1 year ago

If an email is truly unsolicited (didn't come from an entity you didn't give your address to), it's not wise to click on an unsubscribe link anyway, as it sends a strong signal to the spammers that not only was the email delivered to a real person, but they also read it. In their eyes, you just went from a random string of letters to a hot sales lead.

howard941|1 year ago

Also nuts is when they couple them to phony real world locations like "123 Main St., Mytown MA"

InsideOutSanta|1 year ago

I use Proton's email aliases for throwaway accounts, and I have a catch-all on my own domain and use custom email addresses (think apple.com-randomstring@example.com) for accounts that I intend to keep until I die.

al_borland|1 year ago

I do something like this with Proton and my own domain as well. However, I made the mistake of buying a .io domain, thinking England would be pretty stable. Now I need to figure out what I’m doing.

dakiol|1 year ago

I use iCloud’s Hide my Email feature. So I have dozen email addresses and I receive email in the same inbox. I don’t care how my email addresses are used. The moment I see too much spam, I remove the email address.

nknealk|1 year ago

I love this feature in Apple’s ecosystem so much. The newer iOS and iPadOS releases when autofilling a sign-up form even give an option to generate a new hide my email address. It’s effortless to not use your real email. If you pay for an iCloud subscription, hide my email is included. Apple tracks what site you used hide my email on when signing up and allows you to toggle forwarding of emails to your inbox on and off.

browningstreet|1 year ago

I have a public address and a private address. Gmail does well enough with spam filtering. I check it monthly and find some false positives. Nothing important though.

I can’t imagine spending more time on this, though.

running101|1 year ago

Use unique plus addresses for each service that requests email address.

bityard|1 year ago

A lot of services don't accept the '+' sign in an email address, even though it's perfectly valid according to RFCs. Part of this is ignorance of standards but I suspect part of it is deliberate. (To get the users' "real" addresses.)

jryb|1 year ago

I used to, but it basically showed that no one ever gave away my email address to spammers, or at least if they did, the spam filter caught it. It's not worth it.

jexp|1 year ago

Catchall for 25 years :) (on domainfactory - df.eu) each company/service gets their own email prefix, so I can determine spam and also filter unsolicited emails.

0x073|1 year ago

Yes every service gets a custom address.

It's also interesting that some services don't allow COMPANYNAME@mydomain.com for registration. (Can't remember which)

bityard|1 year ago

I can't remember which company now, but one time I called into customer support and gave them the unique email address that I used for that account. It had their company name in it. Something like bityard.acme@example.com, for instance. The person on the other end paused for several seconds as if looking over their shoulder and whispered, "wait... do you work here or something?"

psd1|1 year ago

Aliexpress. I log in there as express.ali@

joshstrange|1 year ago

I have a catch-all domain but I don’t bother to setup unique emails for each service. It’s too much of a headache and you have to ask yourself:

If I find out someone sold/shared/leaked my email what am I going to do?

Here the possible responses as I see it:

* Stop doing business with them - This is way easier said than done

* Be mad - ok, great, now what?

* Send a strongly worded email - again, so what?

* Sue them? - Good luck

Selling or sharing my email address is a shitty thing to do, but my recourse is extremely limited and really ends up with me just being angry with nothing to do about it. Given that I’ve decided just to not care.

There are many things in life that I once cared about or once got worked up about that I don’t anymore because I’ve realized that it’s just not worth it. I’ve tried to identify more and more the things that get me mad, but don’t affect any change and then purge those things from my life. Life is too short to spend your time worrying about things like who sells your email.

nixosbestos|1 year ago

No, I absolutely could not care less. Its baffling to me why people do. There's nothing you can do about it, anyway.

alwayslikethis|1 year ago

for general purpose website signup not directly linked to my identity, I use Simplelogin. For real life personal stuff I just have a gmail. There is another dedicated email for open source work, plus a few historical email addresses which aren't actively used but still occasionally receives stuff.

coderatlarge|1 year ago

I care. Maintain a collection of emails per tier of service plus some Apple obfuscation.

graypegg|1 year ago

I use Hey.com's "catch all" inbox for this but it's a bit janky. If you set up a "custom domain" Hey account, you can actually email `[anything]@yourdomain.com` and it'll arrive in the catch all inbox. (Not unique to hey obviously) It has the benefit that it's impossible to block, but Hey obviously doesn't really want me doing that since they charge per-email-address.

leptons|1 year ago

I do this too, with namecheap.com's email servers... I pay for a few email domains on namecheap, but one is specifically for spam, and I use their "catch all" as well.

So if I sign up for a service like amazon.com, my email address will be amazon.com@[my-spam-domain].com so I know exactly who is selling my email address. I do this for every service that asks for an email address.

I'd never use a "plus" email address from my main email account, which is far too easy for spammers to figure out my real email address from.

Flemitplo|1 year ago

[deleted]

GavinGruesome|1 year ago

Paid 33mail.com account.

98 comments