[HN Gopher] Using a catch-all domain is a mistake
___________________________________________________________________
Using a catch-all domain is a mistake
Author : withzombies
Score  : 92 points
Date   : 2022-06-01 17:48 UTC (5 hours ago)
(HTM) web link (www.notcheckmark.com)
(TXT) w3m dump (www.notcheckmark.com)
| nokya wrote:
| I use a catchall domain for... everything. Every account at every entity has its own unique address, since probably well before 2010. I have always more than happily accepted to have my address saved into marketing databases.
|
| I can share the frustration sometimes with employees turned sudden internet experts and "teaching" me that my email address cannot start with their employer's name. I usually retaliate by withdrawing my consent to be registered into their database.
|
| And that ends there; I disagree with everything else in the blog post.
|
| 1. Catchall facilitates blacklisting when it becomes necessary: whatever rotating address is used by the sender, I blacklist myself as the recipient.
|
| 2. It helps detect who shares databases with whom. This is not necessarily about "selling", but more often it taught me which companies operate with which companies under the umbrella of that "and our partners" statement found in every privacy policy written by legal consulting firms.
|
| 3. It's a smoking gun for companies who get hacked without even knowing it. I have been informed several times of a compromise before the company itself knew it.
|
| 4. I also use suffixes on my catchall addresses; this allows me to optimize my email filters.
|
| 5. It makes correlation more difficult across databases, and anything that helps achieve this goal is a win for me.
|
| 6. I use a password manager, and I use both the login and the password fields. The title of the entry has always allowed me to find the account very efficiently.
|
| I can probably find other reasons; I'd just conclude that after more than 10 years using a catchall domain, I still can't imagine sharing the same identifier across all my interactions.
| dzek69 wrote:
| 5) Until the tools are smart enough to detect custom domains... Until you have a few domains, of course :)
| Nadya wrote:
| I'm going to mirror most of the other commenters in saying: I've been doing this for nearly a decade and have basically never had an issue with it, and have absolutely prevented some spam because of it. The "social awkwardness" problem of using "Company@example.com" can be solved by using "PineappleBanana@example.com" instead, or random characters, or my personal favorite throwaway "[Company]SentMeSpam@example.com". Yeah, you might have to use a password manager to know which random string of nouns is tied to what account, but no more "social awkwardness" of using the company name in your email (can't say I've ever had that experience either...)
|
| In fact the only issue I've ever had with a "non-standard" email address (aka not @gmail, @yahoo, @hotmail, etc.) is that one of my domains is a .ru address, and even before the modern-day issues surrounding Russia, .ru addresses got blocked in many places. My fallback email is an email hosted by https://cock.li which, being chan-adjacent, also gets blocked, so occasionally I simply have to accept that I am not wanted as a user because my email isn't good enough.
| psifertex wrote:
| No need to use a password manager. Simply search email history for the very first usage of the email...
| ALittleLight wrote:
| I don't understand the part about awkwardness with customer service people. How often does that really come up? And, if it is predictable, just spend a minute and think of some satisfying reply and then use that whenever it does come up.
|
| "Oh, hilton@notcheckmark.com? You must be a big fan."
|
| "Yep, 'cause of the great customer service."
|
| Done.
|
| Regarding shooting yourself in the foot by using nonstandard naming - seems an easy solution is to just use the entire SLD. If registering in person, I guess that's a bit harder, but either way make sure you save the login in your password manager.
| digianarchist wrote:
| I also use custom addresses with the company name as the first part of the address, and it does sometimes (not often) lead me to explain how email works to a customer support rep.
| neogodless wrote:
| I've had some of the same experiences as the author. "Do you work for..." or "You must be a big fan..." And plenty of "How do you..."
|
| A few sites actually check for and prevent you from putting their domain name in as email (probably something about having employees sign up...?), so that's a bit annoying.
|
| I think it's worth it. Among other things, if any one alias becomes tainted enough, I'll throw it on a burner account so those emails go into a black hole instead of my spam folder. And I'm _always_ using a password manager on a computer, rather than trying to remember email when I visit a retailer. (Often, these days, if I'm in person, I just make up some kind of abbreviation - instead of "Ollies@", "olbgo@" - because I don't care too much, and even if I forget where it came from, it's not a big deal.)
|
| And there's a slight security benefit if one email + password leaks, though these days every password is unique too (was not always the case... ah, the naivety of my internet youth). I don't think email addresses get sold "a lot", but they sure do get breached a lot and end up in the hands of spammers. Cadillac@ actually got sold or breached quite quickly after I signed up for a free car brochure, about a decade ago.
|
| With my current host (NameCheap) and Thunderbird, it's very easy to change my from address - it just works without any hassle.
| dzek69 wrote:
| I'm using catch-all since forever. I regret nothing.
|
| Two stories:
|
| I don't use mails like facebook@domain, uber@domain - that's too obvious. And knowing that may often disclose that I actually have an account registered on a given page. I don't want that, so I go full random, using a few words I have in mind, the current few words from the song I'm listening to, etc. So the password manager helps me with e-mails too.
|
| But sometimes when a website annoys me (stupid rules for passwords, crippled UX for forms because re-writing a select component in javascript is such a brilliant idea, etc.) I tend to insult the company I'm registering with using my e-mail or password, I mean mail: this.freaking.store.is.dumb@domain.com and pass: goDieInPain1312323$$$$. Once I registered an account for a supermarket loyalty card with some very little insult towards the supermarket. Later I got some huge amount of points collected and their system crashed and I had to contact support (the bonus was too high for me to give up on that). First via e-mail, then via phone, when they were confirming my address. They helped me and said nothing about the name I was using.
|
| Another story:
|
| When I started with catch-all I was actually using mails like companyname@mydomain, and when I once contacted them via phone, the person talking with me was not very into tech I think and was accusing me of... I don't really know exactly, but she told me something about me using their stuff without their acceptance. When I tried to explain that's my own domain, she told me I cannot use their name, because that's a copyright infringement. Weird.
| lucideer wrote:
| I have not encountered the author's 2nd issue because I use a password manager.
|
| I have encountered their 1st issue (awkward encounters) and consider it a feature. I guess this depends on certain extro/intro-vert-ish human preferences, but it can be a nice talking point if you approach it right.
|
| The author's argument can be generalised to an appeal to normativity - doing ANYTHING that isn't common practice will garner awkward interactions. It's also a necessary early-adopter stage of anything eventually becoming common practice (and catch-all domains are becoming an automatically supported feature in many services now, so here's hoping it does).
| czx4f4bd wrote:
| Just to provide a counterpoint, I've been doing the same thing for 6 years now and I haven't found the same issues to be a problem. Even as someone with pretty intense social anxiety, I haven't encountered any awkwardness, and don't find it particularly inconvenient to have to look up the correct email in my password manager.
|
| The only actual issue I can remember encountering was a weird glitch with Crashplan that wouldn't let me register with crashplan@[myfullname].com, so I ended up using backups@ instead. Also, my full name is tedious to have to spell out, so I switched to using [firstname].cloud as my email domain instead.
|
| In my case, while I haven't caught any notable email sharing/selling, I've still found unique per-service emails useful for filtering and organizing messages. Many orgs these days don't bother to use a consistent From email, so if I want to find everything from XYZ corp, it's easier to search for everything sent to xyz@name.cloud than everything from no-reply@xyz.com and orders@xyz.com and info@xyz.net and email-list-123@xyz.email and so on and so forth.
| stimpson_j_cat wrote:
| I've had people try to guess my login with Company ABC once they learned of my CompanyXYZ@mydomain.com address. Avoiding the reuse of email addresses helps here, the same way avoiding the reuse of passwords does.
|
| For blackhats, with catchalls you can create multiple accounts on sites that try to prevent it by assuming everyone only has 1 email address.
|
| For me the biggest drawback is migrating ALL those emails if your provider decides to end support for catchalls (like Dreamhost).
| neogodless wrote:
| > For me the biggest drawback is migrating ALL those emails if your provider decides to end support for catchalls (like Dreamhost).
|
| With Gmail for Business / GSuite / Workspace, I had gone through the trouble of adding aliases through the Gmail.com UI when I wanted a from address. And I had created a bunch of dead accounts with aliases to reduce spam.
|
| But when I switched away from Workspace to NameCheap, I just set up my one account as a catch-all, and in Thunderbird, when I want to send from one of those aliases, I just type it in, and it works fine. (Gmail had a setting that if you got it wrong, it sent it as an alias, but also used your mail address as the actual from/reply-to, which I found annoying!)
|
| I also stopped bothering setting up those "honeypot" accounts. I get more spam, but... it's almost all detected as spam and put in the spam folder, so I don't worry too much. A few weeks ago, I had a day where a couple dozen gibberish addresses came in, like 8aeef09lk@domain.com, but then it stopped again.
|
| Of course, all that is to say, if my current host does end support, it would be a pain!
| pgib wrote:
| I did this for about 20 years, and have basically stopped because I wasn't really seeing an advantage to make it worth the bother.
| oehpr wrote:
| bitwarden has a feature that fixes this issue.
|
| https://i.imgur.com/eQe2Cq6.png
|
| More generally: just coming up with a random word and assigning it rather than a specific name, and looking that word up in your password manager, should suffice.
| johnklos wrote:
| I don't buy it. The number of people on HN that say, "it takes non-zero effort, and it was hell to exert that little bit of effort, so you shouldn't do it."
|
| That might be a worthwhile message for a hardware hacker site where putting effort into email configurations might be different enough from the meat of what most people are doing, but for this site? No. Don't try to sell "hacking is slightly hard, so don't do it" to hackers, please and thanks.
|
| I've been doing individual email addresses for ages, and I've forced more than one company to disclose breaches because I was able to show with certainty that an address couldn't have been lost any other possible way.
| exyi wrote:
| It's not even hard; a number of email providers do it for you. You just need to explain it to someone once every 3 years...
| EddieDante wrote:
| I use "contact@" for when somebody who isn't a friend wants my email address. I have a separate, private address for people who actually _matter_ to me. Everything addressed to "contact@" immediately gets marked as read and saved to a separate folder so it doesn't clutter my inbox.
| Macha wrote:
| contact@ specifically is high up in things that spammers try when they have no leads to go on, though. ~50% of my spam in my catchall comes from contact@, admin@ and similar addresses.
| EddieDante wrote:
| True, but I can't be bothered to come up with anything more distinctive. And if my local gym wants to send me bullshit notifications and advertisements despite me being a longtime customer who pays for his membership annually, they can damn well go in the spam bucket alongside the cold emails from tech recruiters, Ukrainian mail-order brides, and Danielle Kennedy from Prime Equity Funding. I don't really give a shit. Email has achieved parity with snail mail: it's nice to get from friends, but otherwise an annoyance.
| m3adow wrote:
| Why not just use regex/wildcard addresses, which makes it less "awkward"?
|
| Like "mail-recruiter@foo.bar", "mail-hilton.com@foo.bar", etc.
|
| It's easy to configure, makes it more clear that you are in fact not trying to impersonate others, and you circumvent the problem of receiving automated mails to "sales@foo.bar", "hr@foo.bar", etc.
|
| BTW: I've been using my solution for more than five years and only had one "awkward" moment, when a recruiter was a bit sore I gave them my mail address specific for cold-call recruiters.
| simmons wrote:
| I've been doing this for over 20 years, and it hasn't really been a problem. During the occasional real-life interaction that requires someone to confirm my address and they express surprise, I just tell them that it's correct and I have advanced email needs. It never takes more than a few seconds -- nobody has ever said "please tell me all about your advanced email needs!" :)
|
| > _I use a password manager for passwords but I also need to use it to remember the associated emails._
|
| I do this, too. It never occurred to me that you might not populate the email/username field -- it's kind of the password manager's job to keep track of that. :)
|
| > _The truth is no one really sells your email - at least no legitimate companies._
|
| I think that on the whole, this is true. However, I have had a number of these addresses start receiving spam over the years. I think this is due to the companies' databases being compromised due to poor security. At the end of the day, the cause of the leak isn't greatly important, and I'm glad I can simply turn off those particular addresses.
| SargeDebian wrote:
| I've been offered the employee discount multiple times when providing storename@firstlast.tld. I declined, as I'm not going to risk fighting some fraud charge over EUR20.
|
| I've never had difficult or negative interactions either. "I bought @firstlast.tld and now I can do whatever I want" settles it.
|
| I also have @lastna.me.
| My grandma has her own, and mostly her bridge club mates are puzzled about how her email address just looks like her name. The whole setup is worth a few bucks, I guess.
| fnordpiglet wrote:
| The USPS is one of the worst offenders for selling email addresses.
| dewey wrote:
| I've been doing that for a very long time and _never_ had such an interaction. Definitely not to the level of "It's been a decade of trouble and totally not worth it".
| lerela wrote:
| I'm also doing this and see multiple benefits.
|
| However, I've recently been bitten by my catch-all, using a money transfer service with the email worldremit@mycatchall.com (guess the company). When they asked for additional documents to verify my account after many months, they never received my reply and I ended up banned. I could not log in anymore. When I reached out from another email address, they refused to process the documents because they originated from another, unauthorized email address, and asked that I resend the original email from the registered email. I suspect their anti-phishing filters just ban any email containing "worldremit", so it never got through, and despite multiple thorough explanations I could never get someone to listen or reinstate the account.
|
| I'm still getting the newsletter though, because unsubscribing requires logging in first... But then I can just ban this email address, so at least the anti-spam strategy works!
| thebean11 wrote:
| I try to disguise it a little to avoid the awkwardness, and also put the recipient into the subdomain instead of the sender name. For example, for grubhub I'd do:
|
| me@grb.mydomain.com
|
| No need to remember anything because it's all in a password manager. I've found this worthwhile; already blocked a couple spammers.
|
| You could also go with something fully random; you still get the same benefit. It's easy to look in your email history and see what you originally used the email address for.
| Password manager obviously required though.
| Hackbraten wrote:
| That's exactly how I've been doing it for more than a decade. (Without the subdomain part but with the disguising.) I feel it's been worth it so far.
| curiousfab wrote:
| Using custom subdomains for each account is a great idea. Once you start getting spam on this subdomain, you just need to remove the DNS entry and the spammer's attempts to deliver spam will be unsuccessful (versus if you use different local-part names, you have to filter / reject the mails explicitly).
| schroeding wrote:
| Nice! I tried this a few years ago, and while this worked nicely for inbound email, deliverability outbound was really bad, even with DKIM etc. set. Normal mails from <my domain> were fine.
|
| I guess "amazon.<my domain>" got quite the phishing score at the time, so good call using grb instead of grub. :D
| thebean11 wrote:
| Yeah, deliverability is a good point. I'm usually only using this trick for services where I wouldn't be sending outbound email, luckily. Normal emails come from mydomain.com.
| thebestmoshe wrote:
| What do you use to manage all the subdomains?
| encryptluks2 wrote:
| Note some services won't even recognize a subdomain email address as valid.
| kennywinker wrote:
| Really? Wouldn't that catch people with `.co.uk` or similar localized domains?
| pantulis wrote:
| "The truth is no one really sells your email - at least no legitimate companies."
|
| Of course, because legitimate companies used to sell your cookies, which basically are going to convey the same information about your profile.
|
| Now in the cookieless era of CDP platforms and identity stitching, having different email addresses _may_ be more useful.
| kevin_thibedeau wrote:
| This isn't a new thing. Data brokers have been building identity profiles for decades. Snarfing up email addresses is part of that process.
| crizzlenizzle wrote:
| > The truth is no one really sells your email - at least no legitimate companies.
|
| Yes, but legitimate companies leak data now and then. I get metric tons of spam to dropbox@, linkedin@, myspace@, moneybookers@, etc.
| stevekemp wrote:
| When I used wildcard support I got spam to:
|
| linkedin@steve.org.uk
|
| facebook@steve.org.uk
|
| So I'd be tempted to think that my address had been leaked from there, but I also got other messages sent to addresses like:
|
| admin@steve.org.uk
|
| sales@steve.org.uk
|
| support@steve.org.uk
|
| In the end I figured that it was just dictionary attacks and optimistic senders, and I could never be sure that a particular company had actually leaked an address.
|
| These days I just give steve/at/steve.fi to everybody (I moved countries, hence the new TLD). I ported over all the aliases that had received email in the past five years and started rejecting unknown local-parts. That stopped bad bots from mailing things that seemed like poorly-scraped message-ids, "blah-blah-1234@steve.org.uk".
| wiredfool wrote:
| I did it for years, until someone started dictionary spam runs on my domain. That was a pain, so I whitelisted the ones I used, and went to email-company@domain. Works pretty well; I've black-holed 20 or 30 over time, and it's a decent second check on phishing emails.
|
| Sadly, because I chose - instead of plus, I'm going to be hosting my own inbound email for the rest of this domain's life. (And since it's mylastname.net, that's going to be a while.)
| notarealperson2 wrote:
| > Sadly, because I chose - instead of plus, I'm going to be hosting my own inbound email for the rest of this domain's life.
|
| What do you mean? I use migadu and they support address aliases with wildcards, so I could just alias something-* to something@example.com and add a sieve script to sort it into a corresponding folder.
| I assume most email hosts do not support that, but I doubt they are the only one.
| Invictus0 wrote:
| Those little interactions count as awkward? Jeez. Try having a weird last name and get back to me.
| unixfg wrote:
| The only issue I've had was with that real estate data website that rhymes with Willow. They have a strict policy against usernames that contain their branding, and my first support ticket resulted in them demanding I change my E-mail address.
| edave64 wrote:
| I've been using a similar system, only that I additionally append a random 5-digit number, so that if e.g. hilton-68425@domain.org gets leaked, that doesn't automatically make hyatt-95813@domain.org easy to guess. Though it does sound like something that might be possible to brute force.
|
| Also, they feed into different subfolders of the same main address.
|
| It definitely has caused some issues, but nothing that would make me regret choosing this system. Obviously the email gets stored in the password manager. And even if not, I just look at the existing emails and check their destination address.
|
| Honestly, the most annoying part is the setup of new addresses. I might look into a way to automate that.
|
| Although it is true that I have not caught a single company giving the email away, it still helps me keep the inbox organized.
| walrus01 wrote:
| reminds me a bit of the family member who owns firstname@lastname.com and can't get random non-technical people to believe that their email address domain really is lastname.com
|
| "but don't you mean at gmail.co..."
|
| no
| gowld wrote:
| There's a 199X NYTimes article about how prestigious lastname.com is. Maybe someone can find it in the archives.
| omnibrain wrote:
| I used mail@firstname.lastname.name and sometimes, even like the OP, "service"@firstname.lastname.name for some time. This led to all kinds of trouble, social and technical.
| Social as in people did not understand why I "owned" "service"@..., why I did not have something like firstname.lastname@t-online.de/web.de/gmx.de/googlemail.de, that a third-level domain is even possible, or they did not recognize .name.
|
| Technical trouble was almost the same: systems did not recognise the new-at-the-time .name, or systems had trouble with third-level domains. Sometimes I could sign up, but something in the backend broke and I never received mails.
| [deleted]
| mmastrac wrote:
| I've been using firstname@lastname.com for ages and this doesn't happen to me. Usually it's "huh, that's neat", but I also have a very unique last name.
| Macha wrote:
| Mine is first@fullname.com. Most just accept it (all when I visit California, maybe that's your experience?), but I do get queried about it from time to time in my home country.
| arran-nz wrote:
| I use this method and experience a few of the same drawbacks, like remembering email + password per service - a password manager does make it doable. (Highly recommend KeepassXC[0])
|
| However, contrary to OP, I enjoy these somewhat awkward situations where someone doesn't quite understand my email address. I find it can naturally lead to a conversation about privacy and data protection, and I'm happy to spread the awareness if someone is interested.
|
| [0] https://keepassxc.org/
| echoechozulu wrote:
| I do this and my biggest regret is that I cannot easily check haveibeenpwned.com to find out if any of the accounts have been breached.
| andywaite wrote:
| Yes you can: https://haveibeenpwned.com/DomainSearch
| echoechozulu wrote:
| Oh, nice! I didn't know about this. Thank you!
| AdamJacobMuller wrote:
| You have really good timing :)
| AdamJacobMuller wrote:
| You can authenticate whole domains and see whenever anyone at your domain is listed.
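The alias schemes discussed by several commenters above (edave64's service name plus a random five-digit suffix, wiredfool's and stevekemp's whitelist of issued aliases with unknown local-parts rejected, and the observation that hits on admin@/sales@/contact@ are dictionary probes rather than evidence of a leak), combined into one added Python example that is not any commenter's own setup. The domain, the registry layout, the verdict names and the sample traffic are all constructed for the illustration.

```python
"""Alias registry and inbound triage for a catch-all mail domain (constructed
example: DOMAIN, the registry layout, verdict names and sample traffic are
assumptions, not any commenter's real setup)."""
import re
import secrets
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DOMAIN = "example.net"  # assumed catch-all domain

# Role-style local parts that spammers try blindly (contact@, admin@, sales@
# in the thread). A hit here is a dictionary probe and says nothing about
# which service leaked an address.
ROLE_LOCALPARTS = {"admin", "sales", "support", "contact", "info", "hr",
                   "postmaster", "webmaster", "abuse", "billing"}

# Issued aliases look like service-NNNNN: service name plus five random digits.
ALIAS_RE = re.compile(r"^(?P<service>[a-z0-9]+)-(?P<suffix>\d{5})$")


@dataclass
class Alias:
    service: str          # the company this alias was handed to
    sender_domains: set   # domains that company legitimately mails from
    revoked: bool = False


@dataclass
class AliasRegistry:
    aliases: Dict[str, Alias] = field(default_factory=dict)

    def issue(self, service: str, sender_domains, rng=None) -> str:
        """Mint service-<5 random digits>@DOMAIN so that one leaked alias does
        not make a sibling alias guessable. rng is injectable for tests; by
        default the digits come from the OS CSPRNG."""
        rng = rng or secrets.SystemRandom()
        service = service.lower()
        while True:
            local = f"{service}-{rng.randrange(100000):05d}"
            if local not in self.aliases:      # avoid the rare collision
                break
        self.aliases[local] = Alias(service, {d.lower() for d in sender_domains})
        return f"{local}@{DOMAIN}"

    def revoke(self, address: str) -> None:
        """Turn off one tainted alias; every other alias keeps working."""
        self.aliases[address.lower().split("@")[0]].revoked = True

    def classify(self, mail_from: str, rcpt_to: str) -> Tuple[str, Optional[str]]:
        """Classify one inbound envelope (MAIL FROM, RCPT TO). Verdicts:
          deliver       issued alias, sender belongs to the service it was given to
          leaked?       issued alias, but an unrelated domain is writing to it
          revoked       alias was turned off: reject
          role-probe    admin@/sales@/...: dictionary probe, reject
          suffix-guess  right service name, wrong digits: someone iterating
          unknown       never issued: reject instead of catch-all delivery
          foreign       not our domain at all"""
        local, sep, domain = rcpt_to.lower().rpartition("@")
        if not sep or domain != DOMAIN:
            return "foreign", None
        sender_domain = mail_from.lower().rpartition("@")[2]
        alias = self.aliases.get(local)
        if alias is not None:
            if alias.revoked:
                return "revoked", alias.service
            legit = any(sender_domain == d or sender_domain.endswith("." + d)
                        for d in alias.sender_domains)
            return ("deliver" if legit else "leaked?"), alias.service
        if local in ROLE_LOCALPARTS:
            return "role-probe", None
        m = ALIAS_RE.match(local)
        if m and any(a.service == m["service"] for a in self.aliases.values()):
            return "suffix-guess", m["service"]
        return "unknown", None


def triage(registry: AliasRegistry,
           envelopes: List[Tuple[str, str]]) -> Dict[str, Counter]:
    """Tally verdicts per service over a batch of envelopes. An issued alias
    collecting 'leaked?' hits while role probes are counted separately is the
    evidence a flat wildcard setup cannot give."""
    report: Dict[str, Counter] = {}
    for mail_from, rcpt_to in envelopes:
        verdict, service = registry.classify(mail_from, rcpt_to)
        report.setdefault(service or "-", Counter())[verdict] += 1
    return report


if __name__ == "__main__":
    reg = AliasRegistry()
    hilton = reg.issue("hilton", ["hilton.com"])
    # Constructed sample traffic: one legitimate mail, one sender that got hold
    # of the hilton alias, two dictionary probes.
    sample = [("reservations@mail.hilton.com", hilton),
              ("deals@bulk-sender.example", hilton),
              ("x@bulk-sender.example", f"admin@{DOMAIN}"),
              ("x@bulk-sender.example", f"sales@{DOMAIN}")]
    for service, counts in triage(reg, sample).items():
        print(service, dict(counts))
```

With this shape, revoking a tainted alias is one registry change, and a "leaked?" count against a single service is the signal stevekemp's flat wildcard could not separate from admin@/sales@ noise.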
| 5evOX5hTZ9mYa9E wrote:
| I've had sales and customer service ask me about this a handful of times and I simply said: 'It's a unique email address so that you guys can't sell my details or get hacked and lose my email.'
|
| The only interaction that sticks in my mind regarding this was when one of the sales people asked me how they might set up their own version of a catch-all domain. That's about it.
| Brian_K_White wrote:
| Right? Every time someone remarks, that's a _good_ thing.
| alchemyromcom wrote:
| This is a great idea that I had never thought of. Something that might help, if it does actually make a person feel awkward, is to use a numeric code. That way, you could be commercial301@mydomain.com and then 301 could equal Gap, or whatever you want.
| mattlondon wrote:
| Unique email @<your burner domain> per website, so you only have to remember one password for everything.
|
| Handy for places where you need to sign up but otherwise you don't care. I don't use this approach on "meaningful" accounts where I'd care about a breach.
|
| I think this person's mistake was not having a memorable system for the username aspect.
| jiveturkey wrote:
| Have to say, I disagree with every single point. It also feels poorly argued. The example about not being able to log into grubhub stuck out to me within 20 seconds of reading. He says he uses a password manager, then says he has to navigate many accounts while trying to log in. Any sane password manager is not simply a list of emails and passwords, but also the SITES they BELONG to. This can't have happened the way he describes it.
|
| Also, in particular, I can't understand the social awkwardness. I don't see how the interactions he has described are awkward in any way. OK, once in a while you have to explain yourself. Sometimes you might have a laugh about it. 95% of the time you just repeat yourself and move on. There's nothing awkward here.
| Unless he's using a different definition of awkward, as well as social.
| stickfigure wrote:
| For weeks our Shopify app was getting rejected because "you cannot use the Shopify name or trademark in your app". It wasn't... repeated requests for clarification just got back the same form response.
|
| After several frustrating back-and-forths, _finally_ someone at Shopify said "check your email address".
|
| The developer contact email address we had submitted, which was only used for shopify<->us communication and no customer would ever see, was shopify@ourdomain.com.
|
| <facepalm>
| mro_name wrote:
| I wonder what they'd have said about tobias.luetke@ourdomain.com
| mike_hock wrote:
| So it turns out using a catch-all domain wasn't a mistake.
|
| Confusing companies by using THEIR name, being completely disorganized with the names and not even saving them in a file, was a mistake.
| black_puppydog wrote:
| I've been doing this for 5 years and while I agree that leaks are rare, it has been only smooth sailing.
|
| I use thunderbird with an addon that automatically sets the responding email address, and have a script called "email" that generates a random address (no prefix or anything) and puts it in my clipboard. If I want to know what I used an email for, I can find it in my password manager or by checking from where that address first got mail.
|
| Signing things up in person, I just use human-randomly generated strings.
|
| In short: I have none of the problems the author has...
| jnellis wrote:
| After the dotcom bust, it was sometimes the user information which was the only thing left to sell off (even when they promised not to). Spam was more of a problem back then, or maybe just being able to avoid it was more of a problem.
| So catch-all email like this was actually beneficial, but it became obvious only a few years later, to me at least, that no one was selling email addresses anymore and all that management was unnecessary overhead. I'd say by about 2006 it had definitely sorted itself out.
|
| I now route mail by context and only deal with maybe a half dozen accounts regularly.
| gigel82 wrote:
| I wish there was a simple equivalent for phone numbers. Even if I had to pay <$1 / month per unique phone number it would still be worth it.
|
| Too many services now need a phone number "for my security". I use my Google Voice whenever I can, but there is no way to trace the leaker from that. Car dealerships appear to be a big source of leaks in my experience (significant uptick in spam calls and texts after I give a dealership my GV number).
| reidjs wrote:
| Can you do it with twilio?
| walrus01 wrote:
| this doesn't solve the SMS 2FA problem, but if you know what you're doing with voip you can set up a DID to answer with a filtering message like "please press 8675 to be connected", and it'll only ring your _actual_ phone if somebody follows the instructions. cuts down on 98% of telemarketing and scams.
|
| then only give out the DID number, not your direct phone, to things like car dealerships.
|
| i had one car dealership that I took my car to for an oil change _one time_ that persisted in sales calls for six months until I finally escalated the matter to their general manager.
| gaudat wrote:
| Such things do exist in some countries. I remember one of my relatives protected their phone number by adding an incoming call password.
| loloquwowndueo wrote:
| I have a variation that I use for online sign-ups only. I have to explicitly declare the alias before using it. So it's relatively easy to check which ones I have used in the past (and the name tells me which site I used it for) and I can easily "revoke" by removing the alias.
| I can't really use it when asked for an email address at a store, for example - but it doesn't happen that often (going to real stores, I mean :) )
| zepearl wrote:
| bulls*hit.
|
| 1)
|
| It's true that trying to use a "pure" solution ("[source]@[yourdoma.in]" - e.g. "amazon@mydomain.com") causes a lot of problems (red flags being issued on the remote site).
|
| On the other hand, with a mixed solution ("[partial_source_mixed_with_something_else]@[yourdoma.in]" - e.g. "zeama@mydomain.com") I never had any problems (I anyway keep files/keepass entries to track which userid & pwd & email I'm using for which URL).
|
| 2a)
|
| My common & real email address gets quite some spam (no filtering applied) (but I admit that the amount during the last years was stable).
|
| 2b)
|
| My custom email addresses almost never get spam (even the ones that I used for "weird" sites) => I assume that whoever gets email addresses in some way performs some kind of health check on them to get rid of the ones that might identify the source (from where they were extracted).
|
| 2c)
|
| The few spam emails that I got during the last years on my custom email addresses indicated that they originated from 1) the garage which I use to swap winter/summer tires and 2) my doctor (?!) => it was interesting (e.g. is my doctor's IT compromised + did the garage sell my email address because I didn't visit them during the last two years?) => anyway, changing address (which got rid of the spam) was super easy in these cases :)
| joshstrange wrote:
| I agree that using a per-company email address to sign up is not a good idea, but I love my catch-all email address.
|
| When I'm testing my software (professional or personal) I can "create" emails on the fly for new user accounts.
| Yes, with
| Gmail, you can do the base+anything@gmail.com trick but with my
| setup I never need to rely on that (or worry someone might block
| it), I just use anything@mydomain.com and I'm good to go.
|
| Same for my LLC, I have a catchall so I can set up things like
| accounts@mydomain.com and get all those emails to my main
| josh@mydomain.com email address and then in the future if I need
| to turn that into a group or its own email address it's super
| easy and forward compatible. Just like support@mydomain.com,
| right now I'm the only one that handles that but I can hand that
| off in the future if I need to without any issues at all.
|
| Tangentially related: getting your own name as your domain name
| is really nice in more ways than you might think. Giving my email
| over the phone is a cakewalk, I've normally just given them my
| name, then I just say "josh at joshstrange dot com" and I never
| have to worry about spelling or them hearing me perfectly since
| it's just a combination of the info I just gave them (my name). I
| get comments about it from time to time but buying that domain in
| high school was the best decision I ever made when it comes to
| tech/email. It's stayed the same for well over a decade and I
| never had to give out an embarrassing email or worry about "what
| email did I use to sign up for that account?".
| alias_neo wrote:
| Lucky you mister Josh Strange.
|
| If however, like myself, you have a name like
| Mr FairlyPopularNameNoOneInBritainCanSpellCorrectly IncomprehensibleItalianOrSpanishOrSomethingEuropeanFamilyNameNoBritHearingItWillEverAssumeStartsWithTheLetterItActuallyDoes,
| it's the epitome of tedium every time you have to get someone on
| the phone or in person to spell your name correctly.
|
| My wife fucking hates it that she switched from her easy,
| unmistakable English family name to my shit show of a phonetic
| spelling exercise.
|
| I guarantee I'd never receive a single spam message because
| nobody is EVER spelling my FirstnameLastname.com correctly, Mr
| MyNameExistsInAutocorrect Strange.
|
| Jokes aside, seriously, my family name starts with "El" and the
| second you start saying it you see people write "L" and pause.
| joshstrange wrote:
| Totally fair criticism of my statement and I apologize for
| not taking into account names that are harder to spell or
| hear correctly.
|
| I am very thankful that I don't have those issues but yes, my
| advice doesn't hold up in those situations.
| alias_neo wrote:
| No worries, it was a light-hearted rebuttal!
|
| I always found the firstname@lastname.com to confuse people
| far more than the name itself. I often get questions like
| "is that at gmail.com or hotmail.com or...?"
| atleta wrote:
| I've been doing this for well over a decade and while I had
| similar experiences sometimes, I don't see how this was a mistake
| by any means. Yep, not many companies sell or _leak_ your email,
| but some do. And let's not forget that 10+ years ago we had much
| worse spam filters. (Though we had less spam as well.) And using
| a unique email for each provider and company it's pretty easy to
| block them when they start spamming you or when they give away
| your address.
|
| In theory, one could use generated addresses in some cases. E.g.
| for throwaway ones or when you have to give it in person. The
| problem is that then you'd have to keep track of which one you gave
| to whom.
|
| It also helps with filtering as services may change the from
| address or use multiple from addresses while you may want to
| label all email from them the same.
|
| Then in some cases, where you do want to make your email public
| still you want to know how people found you. I think this one
| would be called "role based addresses". E.g.
| I think it's pretty
| nice to have your paypal address as paypal@yourdomain.com (when
| people were still using them for a lack of alternatives), same
| for github, etc.
| [deleted]
| Xorakios wrote:
| Certainly people's experiences might vary, but I have only had a
| couple companies threaten me for using their company name and way
| more success in just blocking addresses when I get spam-stormed.
| I agree it's rare, but so annoying when it happens, so it seems
| easier just to have a catchall.
|
| hn@drewpalmer.com
| ChrisArchitect wrote:
| Dunno if all these gripes are describing a "huge mistake". Some
| inconvenience, maybe not the best domain/confusion on the naming,
| and maybe the realizing down the road the threat might not be
| that big, but you still got to organize and manage your concern
| with only a few technical steps.
| threatofrain wrote:
| I've been using email aliases for over a decade and have never
| experienced the leading examples the author mentions. Although I
| already have email accounts set up for impromptu scenarios,
| setting up an email alias in one minute is easy enough.
| RLN wrote:
| I have several times. Generally I can just say "you can write
| anything before the @ and it still comes to me" and people
| understand it though. It doesn't need to become a big
| discussion about how email works and they've probably forgotten
| by the end of the interaction.
|
| Maybe once or twice I've given my address to a new friend as
| newfriend@domain.com and it's led to at least a small
| discussion about it.
| AdamJacobMuller wrote:
| > The only benefit is that I'm able to tell when companies are
| breached before wider disclosures because I start getting spam
| emails sent to thatcompany@.
|
| My big problem is that this is worse than useless.
|
| I started doing unique-address-emails back in probably 2002 or
| 2003 and did it for around a decade before giving up.
|
| A couple of times per year I would start getting spam or similar
| on an email address and would know exactly what had been breached
| and I would try to notify the companies involved. I'd probably
| spend an hour or two finding emails for key contacts and send a
| few-paragraph email explaining how I knew they were breached
| etc...
|
| 90% of the time I got absolutely no reply whatsoever.
|
| 5% of the time I got a pleasant reply and someone said they were
| already aware or they would look into it.
|
| 5% of the time I got confused emails from a non-technical person
| that didn't understand how their PHP shopping cart software which
| hadn't been updated in 2 years got hacked, and didn't know what
| PHP or Linux or anything else was because the neighbor's kid had
| installed the site one time 2 years ago and now was too busy in
| college and why are you bothering us about this we have orders to
| ship!
|
| 5% of the time I got incredulous replies from technical people
| who insisted that I was wrong. That email address must have
| leaked some other way!
|
| Then there was the last time I ever sent one of these emails. I
| guess I had found and emailed the owner of a company to email who
| had then added in his tech person. I explained why I had huge
| confidence something on their side was breached, but, couldn't
| explain to them what or how. They eventually got rather hostile
| about it, first accusing me of extorting them for the information
| (I never asked for money, but bounties weren't really even a
| thing back then like they are today). Eventually culminated in
| them adding in their lawyer with more threats and demands for my
| full name / address (presumably so they could actually sue me). I
| ignored them and fortunately the whole thing went away.
|
| That was the last time I sent a report about one of my emails
| being compromised and shortly thereafter I stopped using tagged
| addresses entirely.
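The detection step AdamJacobMuller describes above (spam lands on a tagged alias, so you know which company leaked it) depends on reading the alias off the message that actually arrived, and as a later commenter notes the To: header of bulk spam often says "Undisclosed recipients" rather than your alias. The following is an added example, not code from the thread or from any commenter: it pulls the envelope recipient from Delivered-To or the "for <...>" clause of the top Received header, looks the alias up in a small register of which alias was handed to whom, and decides whether to route, quarantine or reject. The register, the addresses and the two sample messages are constructed for the example.

```python
"""Work out which catch-all alias a message arrived on and who it was issued to.

Added example for this thread; the alias register, BLOCKED set and sample
messages below are all constructed, not real data.
"""
import email
import re
from email import policy
from typing import Optional, Tuple

# Constructed register: alias -> the party it was given to.  In practice this
# is the password-manager / alias list the commenters keep.
ALIAS_REGISTER = {
    "shop-example@example.net": "Example Shop (online order)",
    "dealer-example@example.net": "Example Motors (service visit)",
}
# Aliases already "nuked" after they started receiving spam.
BLOCKED = {"dealer-example@example.net"}

# Matches the "for <addr>" clause a receiving MTA appends to its Received line.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def envelope_recipient(raw: bytes) -> Optional[str]:
    """Return the address the message was actually delivered to, if recorded.

    To: is untrustworthy (spam uses "undisclosed-recipients:;"), so prefer the
    Delivered-To header written by the final delivery agent, then the first
    Received header (the top one is our own server's hop) with a "for" clause.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg["Delivered-To"]:
        return msg["Delivered-To"].strip().lower()
    for rcv in msg.get_all("Received", []):
        m = FOR_CLAUSE.search(str(rcv))
        if m:
            return m.group(1).lower()
    return None


def classify(raw: bytes) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (decision, alias, source).

    reject     - alias is on the blocked list
    route      - alias is registered; source tells you who leaked it
    quarantine - alias hit the catch-all but was never issued to anyone
    unknown    - no recipient could be recovered from the headers
    """
    alias = envelope_recipient(raw)
    if alias is None:
        return ("unknown", None, None)
    if alias in BLOCKED:
        return ("reject", alias, ALIAS_REGISTER.get(alias))
    source = ALIAS_REGISTER.get(alias)
    if source is None:
        return ("quarantine", alias, None)
    return ("route", alias, source)


# Constructed sample: bulk spam with no usable To:, alias only in Received.
SPAM_TO_SHOP_ALIAS = (
    b"Received: from mx.sender.invalid (mx.sender.invalid [192.0.2.10])\r\n"
    b"\tby mail.example.net with ESMTP id 4xK2s7\r\n"
    b"\tfor <Shop-Example@example.net>; Wed, 01 Jun 2022 12:00:00 +0000\r\n"
    b"From: promo@sender.invalid\r\n"
    b"To: undisclosed-recipients:;\r\n"
    b"Subject: You have been selected\r\n"
    b"\r\n"
    b"(constructed body)\r\n"
)

# Constructed sample: delivery agent recorded Delivered-To for a nuked alias.
SPAM_TO_BLOCKED_ALIAS = (
    b"Delivered-To: dealer-example@example.net\r\n"
    b"From: offers@sender.invalid\r\n"
    b"To: undisclosed-recipients:;\r\n"
    b"Subject: Time for your next service\r\n"
    b"\r\n"
    b"(constructed body)\r\n"
)

if __name__ == "__main__":
    for raw in (SPAM_TO_SHOP_ALIAS, SPAM_TO_BLOCKED_ALIAS):
        print(classify(raw))
```

The To: header is deliberately ignored: it is sender-controlled, while Delivered-To and the top Received line are written by your own mail system.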
|
| markdown wrote:
| Sounds like you were the one who made it worse than useless, i.e.
| you gave yourself more work and then resented it.
| AdamJacobMuller wrote:
| I suppose. I mostly did it as a fun experiment and stopped
| when it ceased to be fun.
|
| I don't resent it or regret it, I had a lot of fun writing
| the software which powered it.
| ZetaZero wrote:
| As you found out, it is a waste of time to report the leak. But
| you can still get all the benefits of nuking that email.
| AdamJacobMuller wrote:
| Nuking the actual email was of limited benefit over time.
|
| For whatever reason I started to get spam on my real
| non-aliased email address and at that point it was all bets off.
|
| Shortly after I gave up on the tagged addresses I just moved
| to gmail.
| teawrecks wrote:
| No one said you're supposed to contact anyone about the spam.
| If the problem could be solved on their end, this
| catch-all/tagging solution wouldn't need to exist in the first place.
| The assumption is that people can't be trusted with your email
| address, so you create a way that their incompetence/malice
| can't hurt you, and then you go about your business.
|
| Imagine criticizing helmets because children keep falling off
| their bikes.
|
| Btw 90+5+5+5=105%.
| AdamJacobMuller wrote:
| > No one said you're supposed to contact anyone about the
| spam.
|
| Considering that, as far as I knew at the time, nobody was
| doing this at all, nobody told me any of what I was
| "supposed" to do. Even if they had told me what I was
| "supposed" to do, I generally am not good at following
| directions or doing what I'm supposed to do.
|
| > Btw 90+5+5+5=105%.
|
| Case in point.
| gowld wrote:
| The benefit isn't that you can tell the company they were
| breached. The benefit is that you can tell yourself, friends,
| and the public.
| AdamJacobMuller wrote:
| Meh.
|
| Some people might want to be the name-and-shame type, but,
| that's not me.
|
| xigoi wrote:
| Your percentages don't quite add up...
| AdamJacobMuller wrote:
| There's an additional 5% chance that I did that intentionally
| to be funny. Does it add up now?
| [deleted]
| detritus wrote:
| Embarrassment (really?), minor as it could be, seems like a
| really low bar for failure here.
| desdiv wrote:
| For people who are having problems with the "hilton@domain.com"
| situation, consider using ROT13 or some other similar scheme
| (hilton becomes uvygba).
|
| Other alternatives include:
|
| 1. shorten it so much that it's not revealing anymore
| (hil@domain.com)
|
| 2. use another language if you're multilingual
| (hiruton@domain.com for Japanese)
| nokya wrote:
| Or use a password manager.
|
| 1. Create a new entry with title "Hilton"
|
| 2. Generate email address (e.g. 8467588@somewhere.com)
|
| 3. Generate password
|
| Done.
| cosmojg wrote:
| I had the exact same experience! Almost verbatim. Nowadays, after
| one very long weekend spent changing my email address across
| dozens of different websites and services, I just use
| name@name.red instead of anything service-specific. Even now,
| though, the fact that it's a ".red" rather than a ".com" is too
| much for some people (e.g., my student loan servicer doesn't
| support .red domains at all). It's fun being special until it
| isn't.
| mholt wrote:
| I had to stop using plus-addressing (me+brand@gmail.com) because
| of broken email address parsers/validators. If I was on the phone
| with a support agent, I would give them my plus-address and their
| system would reject it and they'd ask for another one.
| Stubbornly, I'd refuse to budge and insist that is my email
| address that they need to use. It got to the point where I'd
| either have to forfeit my healthcare/tax/flight/<whatever>
| account or give up on the plus-address. And if they asked about
| it, I'd explain honestly that it's because I don't trust them.
|
| It did reveal some interesting data leaks sometimes including on
| npm [1], but the hassle wasn't worth it.
|
| I now rely solely on spam controls again.
|
| [1]: https://twitter.com/mholt6/status/1315743799335763968
| bityard wrote:
| GMail has supported the "+" alias since the service was
| announced, one would think there'd be no excuse to not support
| it everywhere at this point. My conspiracy-theory hypothesis
| is that many companies "know" that any address with a + in it
| is an alias and actively filter it out. Because they don't want
| an alias, they want your _real_ address.
|
| I run my own mail server and use a "." as the alias character.
| Haven't seen a system reject a single one of these.
| pavon wrote:
| I do this and haven't had nearly as many problems as the author
| for a couple of reasons. First, I refuse to give out my email in
| most of the situations he complains about. I almost never want or
| need to link my physical retail purchases to an email address,
| and in the cases where I do, it is usually faster and easier to
| ask for a loyalty packet and sign up online than to dictate all
| the information to a clerk.
|
| Second, I'm not strict about it, and use a generic address
| (my-formal-name@example.com) in situations where I do need to give an
| email verbally (like contractors asking where to send a quote).
| And I also have my-nick-name@example.com which I give to friends
| and family.
|
| Since I only use the catch-all emails for things I do online,
| they are all stored in a password manager so I don't have any
| problem forgetting them.
|
| With these more relaxed rules, I still end up using a catchall
| email the vast majority of the time, with a fraction of the
| annoyances. The only time it really comes up is for telephone
| support calls with accounts I created online, and it isn't a big
| deal.
|
| The benefit is that I can block 90% of spam using nothing but a
| blacklist of addresses that have been compromised.
| And the novelty
| of knowing who has shitty security with my information.
| vageli wrote:
| > I also have a bunch that I've misspelled. My GrubHub account is
| gruhub@. I use a password manager for passwords but I also need
| to use it to remember the associated emails.
|
| I find that to be a strange complaint. What password manager is
| being used that doesn't support a username alongside a password
| in an entry?
| yawnxyz wrote:
| I have stuff like "info@" "register@" or "support@" that I filter
| through in my inbox. The only problem I've had with catch-all
| email is getting a ton more spam from bots... for some reason
| they'll add randomname@ bc our name shows up with some other
| company name, some spam CRMs will confuse some other company's
| staff with our email address and send to that address
| aaronharnly wrote:
| I've also been doing this for more than a decade. Other than my
| spouse rolling her eyes when I give an email address over the
| phone, it hasn't been hard and definitely has helped. I have put
| blocks on a few email addresses that were involved in data
| breaches and became spam spigots.
| willk wrote:
| I got my wife to use a catch-all last year. She absolutely
| loves it.
| fnordpiglet wrote:
| I've done this for 30 years. I didn't do it to catch people
| selling my info, but I do enjoy it when I do. I do it so they
| don't send me email to my personal email address which I only
| give to people I want to email me. I can also blackhole someone
| that's marketing too much and it is easy to search my email for
| any correspondence to and from that vendor.
|
| It is awkward sometimes when I say it on the phone but I'm also
| in senior leadership at a big company so my skin is about as
| thick as it comes with regards to awkward situations. My entire
| career now is a series of awkward situations I'm asked to fix.
|
| Also, I use a password manager (dude it's 2022, if you're not
| using a unique password already you ought to reconsider your life
| choices and once your password is unique who cares if your email
| is too?)
| zzyzxd wrote:
| I was purchasing a car at a local Honda dealership and the salesman
| refused to believe that my email address was honda@mydomain.com.
| He just insisted that I should tell him my "real" email address.
| If it happened today, I would just walk away. But back then I was
| a new grad who just got a new job and really wanted a new car in
| a new city, so I said "fine, does mylastname@mydomain.com sound
| more legit?" He was ok with that. I brought the car back home,
| and set a new inbox rule that blocks all emails to
| mylastname@mydomain.com. Because I can't think of a reason to use
| mylastname@mydomain.com in any case. I have never heard anything
| from Honda ever again.
|
| I once got a text message from an agent after a dealership visit,
| he asked me why I just couldn't give him good feedback since he
| worked so hard and I seemed to be happy with the result. I was
| like "sorry, but for some reason I can't receive emails from
| Honda, including the after-visit survey".
|
| > The truth is no one really sells your email - at least no
| legitimate companies.
|
| Speaking of this, I actually did sometimes catch someone who sold or
| leaked my email addresses. They usually came from spam emails
| with "Undisclosed recipients" that I had to dig into headers to
| find out which one of my addresses was leaked.
|
| Most of addresses used in spams are the ones I shared with
| individual/small business and I would like to believe that they
| were not intentional.
|
| The only legit, big company that sold/leaked my email was Docker.
| I applied for a new job with docker@mydomain.com and a year later
| a bunch of recruiting spam came to me via that address.
| Although
| it was possible that it's just that particular recruiter who forgot
| to shred my resume after I rejected their interview invite.
| tgsovlerkhgsel wrote:
| > Most of addresses used in spams are the ones I shared with
| individual/small business and I would like to believe that they
| were not intentional.
|
| Sounds very much like the computers/address books of the
| business owners get compromised and harvested.
| Komodai wrote:
| I have not encountered any of the issues you said.
|
| And what's wrong with "I use a password manager for passwords but
| I also need to use it to remember the associated emails."?
| C4K3 wrote:
| I've been doing this for close to a decade and sometimes
| salespeople and customer service people will ask to confirm, but
| that takes 5 seconds and isn't awkward (in my opinion.)
|
| It has more benefits than knowing who leaked your email, it lets
| you easily filter your incoming email by who you gave the email
| to, and when your email is leaked it lets you shut off that email
| address. Of course you can also filter your email by the sender's
| domain, but that isn't as consistent, and doesn't help at all
| when your email address has been leaked.
|
| It's true that you do have to set it up so that you can send
| email from the addresses to avoid not being able to reply by
| email, and you will want a password manager or something to
| remember exactly what email you used, for convenience.
|
| Personally I'm glad I've done this, it's made it much easier to
| organize my emails.
| brewdad wrote:
| I have a single address, donotspamme@mydomain.com that I use as
| a throwaway and then route it to a folder to review about once
| a week. It draws a chuckle from salespeople when they ask for
| it or see it pop up in their system.
| NonNefarious wrote:
| Eh, I did it for a while and while I think the OP overstated
| the "awkwardness," I didn't find that the effort was
| worthwhile.
| I only caught one entity selling or otherwise
| divulging my address: the Atlanta Journal-Constitution
| newspaper, oddly enough.
|
| Oh, and someone did hack some FAA database and mine it for
| addresses.
|
| But that's all I netted in several years. Beyond my main
| address at my own domain, I keep a Gmail address for mailing
| lists and other low-grade traffic.
| Brian_K_White wrote:
| So basically, yes it's a bit of extra work, but simply worth
| it.
|
| Life without it is worse than life with it.
| gowld wrote:
| More so, it's _good_ to teach people that valid email addresses
| are in fact valid.
|
| This part:
|
| > Especially since all these companies ask for and verify your
| cell phone number
|
| is true, though.
|
| and
|
| > The one outlier is political campaigns: they'll share your
| email till the end of time.
|
| Because politicians exempted themselves from anti-spam laws, as
| they do with most laws.
| lazyjeff wrote:
| > Because politicians exempted themselves from anti-spam
| laws, as they do with most laws.
|
| This was the most puzzling thing to me. The politicians that
| I saw on TV as adamantly pro-privacy, anti-tracking, who made
| a lot of sense in everything they were saying -- you
| contribute a single dollar (because they want to show
| grassroots support for their pro-individuals campaign) and
| they IMMEDIATELY give your email and survey responses to
| everyone in their party, including to state-level campaigns
| in places across the country.
|
| There was no indication on the donation form that any of my
| personal details would be used for anything except to show
| that they had a lot of grassroots supporters.
|
| Not only that, but their emails are so clickbait-ey like
| "lazyjeff, you are the reason that [hated politician] is
| destroying democracy."
| scoot wrote:
| I use 33mail.com (33m.co) for this which gives you a personal
| subdomain for free, or a private domain on the paid plan.
| I'm
| on the (super cheap) paid plan due to mail volume, but haven't
| found the need for using a personal domain.
|
| I find it zero effort having a unique email address per site,
| and when combined with a unique (algorithmic) password gives
| effectively a unique identity per site (cookie sharing aside,
| but there are solutions for that.)
|
| As a result, I have been able to call out a couple of sites for
| data breaches, and continue to see npm spam in particular.
| Worst offender so far is Pipedream, an absolute embarrassment
| for their CEO who appears to have initiated the data scrape. I
| won't be surprised to see them sued out of existence, which is
| a shame, as I like the service in general.
| willk wrote:
| I couldn't agree more. I've been using a catch-all for probably
| 12 years now. Sure, sometimes you get a second look when you
| give an email that has the business's name in it, but who
| cares?
|
| I get the benefit of blocking mail coming to me forever, doing
| fast sorts and searches, never have to worry if the company
| doesn't like a + in my email address.
| superkuh wrote:
| I strongly disagree. I've also been using a catch-all domain for
| more than a decade and giving each sign-up its own
| name@mydomain.com. I can remember one small issue. Otherwise it's
| never been a problem. The problem has been getting marked as spam
| for running my own mailserver. But it's all worth it in the end.
| __david__ wrote:
| I agree with you. So many companies end up with absolutely
| terrible unsubscribe code that just flat out doesn't work[1].
| With my own server I can just burn a particular email with one
| line in a file, or I can block their whole domain. I end up
| having to do this fairly regularly.
|
| I can also choose the message to send in the smtp 5xx error
| line and so I like to call them names. I know a person never
| sees it but it makes me feel good knowing my server is cursing
| out the spammers' servers.
|
| [1] I would venture that roughly 30% to 40% of email
| unsubscribe links aren't url encoded so that the `+` in the
| email goes in naked to the url, resulting in the server
| decoding it into a ` `. Sigh.
| leephillips wrote:
| Yes, I also have insults in my client_checks file. I enjoy
| running my own mail server.
| gaudat wrote:
| Cringe take, but fair enough on the bank freaking out part.
|
| My interaction with them went like this:
|
| >staff: And what's your email address?
| >me: $BANK_NAME@$MY_DOMAIN
| >staff: _chuckles_
|
| And on the next day I got my bank account flagged.
| ntoskrnl wrote:
| Which bank was it?
| [deleted]
| ZetaZero wrote:
| My HN account email is sleepy.home9993@[mydomain]. My email
| provider (FastMail) creates these "masked emails" at the click of
| a button, with a Description field so I can identify the purpose.
| Each email address consists of two random words plus a 4 digit
| number. Then I just store the information in my password manager.
|
| I'm not wasting time trying to fix the breaches. I can just nuke
| that email forever.
___________________________________________________________________
(page generated 2022-06-01 23:00 UTC)
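__david__'s footnote above (unsubscribe links that are not URL-encoded, so the `+` in a plus-address decodes to a space on the server) and mholt's earlier report of plus-addresses being rejected by broken parsers describe the same bug from two sides. The following added example, not code from the thread or from any commenter, builds the link both ways and then decodes it the way a typical server framework does, so the mangling is visible; the endpoint URL, the subscriber list and the addresses are constructed for the example.

```python
"""Why an un-encoded unsubscribe link mangles plus-addresses, and the fix.

Added example for this thread.  The base URL, subscriber list and addresses
are constructed; nothing here is a real service.
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://lists.example.invalid/unsubscribe"  # constructed endpoint


def naive_link(address: str) -> str:
    """The buggy pattern: the address is concatenated into the query raw.

    '+' is reserved in application/x-www-form-urlencoded query strings and
    decodes to a space, and '@' is left as-is only by accident.
    """
    return f"{BASE}?email={address}"


def encoded_link(address: str) -> str:
    """The correct pattern: urlencode() escapes '+' as %2B and '@' as %40,
    so the decoder on the other end recovers the original address."""
    return f"{BASE}?{urlencode({'email': address})}"


def server_side_email(url: str) -> Optional[str]:
    """What the handler receives: parse_qs() undoes percent-escapes and
    turns '+' into a space, exactly as browsers and web frameworks do."""
    values = parse_qs(urlsplit(url).query).get("email")
    return values[0] if values else None


def unsubscribe(url: str, subscribers: set) -> bool:
    """Simulate the server removing the decoded address from its list.

    Returns True only when the decoded address was actually on the list,
    which is the observable failure __david__ describes.
    """
    decoded = server_side_email(url)
    if decoded in subscribers:
        subscribers.discard(decoded)
        return True
    return False


if __name__ == "__main__":
    addr = "me+brand@example.invalid"  # constructed plus-address
    for build in (naive_link, encoded_link):
        url = build(addr)
        print(build.__name__, "->", repr(server_side_email(url)),
              "unsubscribed:", unsubscribe(url, {addr}))
```

Run as a script it shows `naive_link` handing the server `'me brand@example.invalid'` (with a space) and failing to unsubscribe, while `encoded_link` round-trips the address intact. The same `urlencode` call, or `quote(addr, safe='')` for a path segment, is the whole fix on the sending side.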