[HN Gopher] Using a catch-all domain is a mistake
___________________________________________________________________
Using a catch-all domain is a mistake
Author : withzombies
Score : 92 points
Date : 2022-06-01 17:48 UTC (5 hours ago)
(HTM) web link (www.notcheckmark.com)
(TXT) w3m dump (www.notcheckmark.com)
| nokya wrote:
| I use a catch-all domain for... everything. Every account at every
| entity has its own unique address, since probably well before
| 2010. I have always more than happily accepted to have my address
| saved into marketing databases.
|
| I can share the frustration sometimes with employees turned
| sudden internet experts and "teaching" me that my email address
| cannot start with their employer's name. I usually retaliate by
| withdrawing my consent to be registered into their database.
|
| And that ends there, I disagree with everything else in the blog
| post.
|
| 1. Catchall facilitates blacklisting when it becomes necessary:
| whatever rotating address is used by the sender, I blacklist
| myself as the recipient.
|
| 2. It helps detect who shares databases with whom. This is not
| necessarily about "selling" but more often it taught me which
| companies operate with which companies under the umbrella of that
| "and our partners" statement found in every privacy policy
| written by legal consulting firms.
|
| 3. It's a smoking gun for companies who get hacked without even
| knowing it. I have been informed several times of a compromise
| before the company itself knew it.
|
| 4. I also use suffixes on my catchall addresses, which allows me
| to optimize my email filters.
|
| 5. It makes correlation more difficult across databases, and
| anything that helps achieve this goal is a win for me.
|
| 6. I use a password manager, I use both the login and the
| password fields. The title of the entry always allowed me to find
| the account very efficiently.
|
| I can probably find other reasons; I'd just conclude that after
| more than 10 years using a catchall domain, I still can't imagine
| sharing the same identifier across all my interactions.
| dzek69 wrote:
| 5) Until the tools are smart enough to detect custom domains...
| Until you have few domains of course :)
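nokya's points 1 to 3 (blocklisting by recipient, seeing who shares data with whom, spotting a compromise before the company does) come down to one check: compare the sender of each message against the service an alias was handed to. The Python below is an added example, not code from the thread or from the linked post; the alias registry, domain names and inbound messages in it are constructed.

```python
"""Attribute inbound mail to the per-service alias it arrived on.

Added example (not from the thread). Each alias is registered with the
service it was given to and that service's known sending domains. Mail
reaching an alias from any other domain is evidence the alias left the
service's hands (shared, leaked or breached), and the alias joins a
recipient blocklist. All addresses and messages below are constructed.
"""
from collections import defaultdict
from email.utils import parseaddr

MY_DOMAIN = "mydomain.example"  # constructed catch-all domain

# Alias local-part -> (service it was given to, sender domains that service uses).
ALIAS_REGISTRY = {
    "hilton": ("Hilton", {"hilton.example", "hiltonmail.example"}),
    "grubhub": ("Grubhub", {"grubhub.example"}),
    "garage": ("Tire garage", {"tires.example"}),
}

# Constructed inbound messages as (To header, From header).
INBOUND = [
    ("hilton@mydomain.example", "Hilton Honors <news@hiltonmail.example>"),
    ("grubhub@mydomain.example", "Grubhub <orders@grubhub.example>"),
    ("garage@mydomain.example", "Reminder <service@tires.example>"),
    ("garage@mydomain.example", "Big Win <win@lottery.example>"),
    ("garage@mydomain.example", "Big Win <win@lottery.example>"),
    ("hilton@mydomain.example", "Partner Offers <promo@partner-deals.example>"),
    ("nobody@mydomain.example", "Admin <admin@random.example>"),
]


def split_address(header):
    """Return (local_part, domain) of the address in a header, lower-cased."""
    _, addr = parseaddr(header)
    local, _, domain = addr.lower().partition("@")
    return local, domain


def attribute_leaks(messages):
    """Map each registered alias to the unexpected sender domains that used it.

    Only aliases in the registry count: mail to an unregistered local-part is
    a guess at the catch-all, not evidence about any particular service.
    """
    leaks = defaultdict(set)
    for to_hdr, from_hdr in messages:
        alias, to_domain = split_address(to_hdr)
        if to_domain != MY_DOMAIN or alias not in ALIAS_REGISTRY:
            continue
        _, sender_domain = split_address(from_hdr)
        _, expected = ALIAS_REGISTRY[alias]
        if sender_domain not in expected:
            leaks[alias].add(sender_domain)
    return dict(leaks)


def unregistered_recipients(messages):
    """Local-parts on our domain that were never handed to any service."""
    found = set()
    for to_hdr, _ in messages:
        alias, dom = split_address(to_hdr)
        if dom == MY_DOMAIN and alias not in ALIAS_REGISTRY:
            found.add(alias)
    return found


def blocklist(messages):
    """Full recipient addresses to refuse from now on: every alias that leaked."""
    return sorted(f"{alias}@{MY_DOMAIN}" for alias in attribute_leaks(messages))


if __name__ == "__main__":
    for alias, domains in sorted(attribute_leaks(INBOUND).items()):
        service = ALIAS_REGISTRY[alias][0]
        print(f"{alias}@{MY_DOMAIN} (given to {service}) now used by: "
              f"{', '.join(sorted(domains))}")
    print("unregistered local-parts probed:", sorted(unregistered_recipients(INBOUND)))
    print("blocklist:", blocklist(INBOUND))
```

The registry is the part that takes discipline: an alias with no recorded expected sender can only ever tell you "something arrived", never "this company let it out", which is the point stevekemp makes further down about not being sure who leaked.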
| Nadya wrote:
| I'm going to mirror most of the other commenters in saying - I've
| been doing this for nearly a decade and have basically never had
| an issue with it and have absolutely prevented some spam because
| of it. The "social awkwardness" problem of using
| "Company@example.com" can be solved by using
| "PineappleBanana@example.com" instead or random characters or my
| personal favorite throwaway "[Company]SentMeSpam@example.com".
| Yea, you might have to use a password manager to know which
| random string of nouns is tied to what account - but no more
| "social awkwardness" of using the company name in your email
| (can't say I've ever had that experience either...)
|
| In fact the only issues I've ever had with a "non-standard" email
| address (aka: not @gmail, @yahoo, @hotmail, etc.) is that one of
| my domains is a .ru address and even before the modern-day issues
| surrounding Russia .ru addresses get blocked in many places. My
| fallback email is an email hosted by https://cock.li which being
| chan-adjacent also gets blocked so occasionally I simply have to
| accept that I am not wanted as a user because my email isn't good
| enough.
| psifertex wrote:
| No need to use a password manager. Simply search email history
| for the very first usage of the email...
| ALittleLight wrote:
| I don't understand the part about awkwardness with customer
| service people. How often does that really come up? And, if it is
| predictable, just spend a minute and think of some satisfying
| reply and then use that whenever it does come up.
|
| "Oh, hilton@notcheckmark.com? You must be a big fan."
|
| "Yep, cause of the great customer service."
|
| Done.
|
| Regarding shooting yourself in the foot by using nonstandard
| naming - seems an easy solution is to just use the entire SLD. If
| registering in person, I guess that's a bit harder, but either
| way make sure you save the login in your password manager.
| digianarchist wrote:
| I also use custom addresses with the company name as the first
| part of the address and it does sometimes (not often) lead me
| to explain how email works to a customer support rep.
| neogodless wrote:
| I've had some of the same experiences as the author. "Do you work
| for..." or "You must be a big fan..." And plenty of "How do
| you... "
|
| A few sites actually check for and prevent you from putting their
| domain name in as email (probably something about having
| employees sign up... ?) so that's a bit annoying.
|
| I think it's worth it. Among other things, if any one alias
| becomes tainted enough, I'll throw it on a burner account so
| those emails go into a black hole, instead of my spam folder. And
| I'm _always_ using a password manager on a computer, rather than
| trying to remember email when I visit a retailer. (Often, these
| days, if I'm in person, I just make up some kind of abbreviation
| - instead of "Ollies@", "olbgo@" because I don't care too much
| and even if I forget where it came from, it's not a big deal.)
|
| And there's a slight security benefit if one email + password
| leaks, though these days every password is unique too (was not
| always the case... ah the naivety of my internet youth.) I don't
| think email addresses get sold "a lot" but they sure do get
| breached a lot and end up in the hands of spammers. Cadillac@
| actually got sold or breached quite quickly after I signed up for
| a free car brochure, about a decade ago.
|
| With my current host (NameCheap) and Thunderbird, it's very easy
| to change my from address - it just works without any hassle.
| dzek69 wrote:
| I've been using catch-all since forever. I regret nothing.
|
| Two stories:
|
| I don't use mails like facebook@domain, uber@domain - that's too
| obvious. And knowing that may often disclose that I actually have
| an account registered on a given page. I don't want that, so I go
| full random, using a few words I have in mind, the current few
| words from the song I'm listening to, etc. So the password manager
| helps me with e-mails too.
|
| But sometimes when a website annoys me (stupid rules for
| passwords, crippled UX for forms, because re-writing a select
| component in javascript is such a brilliant idea, etc) I tend to
| insult the company I'm registering with using my e-mail or
| password, I mean mail: this.freaking.store.is.dumb@domain.com and
| pass: goDieInPain1312323$$$$. Once I registered an account for a
| supermarket loyalty card with some very little insult towards
| the supermarket. Later I got some huge amount of points
| collected and their system crashed and I had to contact
| support (the bonus was too high for me to give up on that). First
| via e-mail then via phone, when they were confirming my address.
| They helped me and said nothing about the name I was using.
|
| Another story:
|
| When I started with catch-all I was actually using mails like
| companyname@mydomain, and when I once contacted them via phone
| the person talking with me was not very into tech I think and
| was accusing me of... I don't really know exactly, but she told
| me something about me using their stuff without their acceptance,
| when I tried to explain that's my own domain she told me I cannot
| use their name, because that's a copyright infringement. Weird.
| lucideer wrote:
| I have not encountered the author's 2nd issue because I use a
| password manager.
|
| I have encountered their 1st issue (awkward encounters) and
| consider it a feature. I guess this depends on certain
| extro/intro-vert-ish human preferences, but it can be a nice
| talking point if you approach it right.
|
| The author's argument can be generalised to an appeal to
| normativity - doing ANYTHING that isn't common practice will
| garner awkward interactions. It's also a necessary early-adopter
| stage of anything eventually becoming common practice (and catch-
| all domains are becoming an automatically supported feature in
| many services now so here's hoping it does).
| czx4f4bd wrote:
| Just to provide a counterpoint, I've been doing the same thing
| for 6 years now and I haven't found the same issues to be a
| problem. Even as someone with pretty intense social anxiety, I
| haven't encountered any awkwardness, and don't find it
| particularly inconvenient to have to look up the correct email in
| my password manager.
|
| The only actual issue I can remember encountering was a weird
| glitch with Crashplan that wouldn't let me register with
| crashplan@[myfullname].com, so I ended up using backups@ instead.
| Also, my full name is tedious to have to spell out, so I switched
| to using [firstname].cloud as my email domain instead.
|
| In my case, while I haven't caught any notable email
| sharing/selling, I've still found unique per-service emails
| useful for filtering and organizing messages. Many orgs these
| days don't bother to use a consistent From email, so if I want to
| find everything from XYZ corp, it's easier to search for
| everything sent to xyz@name.cloud than everything from no-
| reply@xyz.com and orders@xyz.com and info@xyz.net and email-
| list-123@xyz.email and so on and so forth.
| stimpson_j_cat wrote:
| I've had people try to guess my login with Company ABC once they
| learned of my CompanyXYZ@mydomain.com address. Avoiding the reuse
| of email addresses helps here, the same way avoiding the reuse of
| passwords does.
|
| For blackhats, with catchalls you can create multiple accounts on
| sites that try to prevent it by assuming everyone only has 1
| email address.
|
| For me the biggest drawback is migrating ALL those emails if your
| provider decides to end support for catchalls (like Dreamhost).
| neogodless wrote:
| > For me the biggest drawback is migrating ALL those emails if
| your provider decides to end support for catchalls (like
| Dreamhost).
|
| With Gmail for Business / GSuite / Workspace, I had gone
| through the trouble of adding aliases through the Gmail.com UI
| when I wanted a from address. And I had created a bunch of dead
| accounts with aliases to reduce spam.
|
| But when I switched away from Workspace to NameCheap, I just
| set up my one account as a catch-all, and in Thunderbird, when
| I want to send from one of those aliases, I just type it in,
| and it works fine. (Gmail had a setting that if you got it
| wrong, it sent it as an alias, but also used your mail address
| as the actual from/reply-to, which I found annoying!)
|
| I also stopped bothering setting up those "honeypot" accounts.
| I get more spam, but... it's almost all detected as spam and
| put in the spam folder, so I don't worry too much. A few weeks
| ago, I had a day where a couple dozen gibberish addresses came
| in, like 8aeef09lk@domain.com, but then it stopped again.
|
| Of course, all that is to say, if my current host does end
| support, it would be a pain!
| pgib wrote:
| I did this for about 20 years, and have basically stopped because
| I wasn't really seeing an advantage to make it worth the bother.
| oehpr wrote:
| bitwarden has a feature that fixes this issue.
|
| https://i.imgur.com/eQe2Cq6.png
|
| More generally. Just coming up with a random word and assigning
| it rather than a specific name, and looking that word up in your
| password manager, should suffice.
| johnklos wrote:
| I don't buy it. The number of people on HN that say, "it takes
| non-zero effort, and it was hell to exert that little bit of
| effort, so you shouldn't do it."
|
| That might be a worthwhile message for a hardware hacker site
| where putting effort in to email configurations might be
| different enough from the meat of what most people are doing, but
| for this site? No. Don't try to sell "hacking is slightly hard,
| so don't do it" to hackers, please and thanks.
|
| I've been doing individual email addresses for ages, and I've
| forced more than one company to disclose breaches because I was
| able to show with certainty that an address couldn't have been
| lost any other possible way.
| exyi wrote:
| It's not even hard, a number of email providers do it for you. You
| just need to explain it to someone once every 3 years...
| EddieDante wrote:
| I use "contact@" for when somebody who isn't a friend wants my
| email address. I have a separate, private address for people who
| actually _matter_ to me. Everything addressed to "contact@"
| immediately gets marked as read and saved to a separate folder so
| it doesn't clutter my inbox.
| Macha wrote:
| contact@ specifically is high up in things that spammers try
| when they have no leads to go on though. ~50% of my spam in my
| catchall comes from contact@ admin@ and similar addresses.
| EddieDante wrote:
| True, but I can't be bothered to come up with anything more
| distinctive. And if my local gym wants to send me bullshit
| notifications and advertisements despite me being a longtime
| customer who pays for his membership annually, they can damn
| well go in the spam bucket alongside the cold emails from
| tech recruiters, Ukrainian mail-order brides, and Danielle
| Kennedy from Prime Equity Funding. I don't really give a
| shit. Email has achieved parity with snail mail: it's nice to
| get from friends, but otherwise an annoyance.
| m3adow wrote:
| Why not just use regex/wildcard addresses, which makes it less
| "awkward"?
|
| Like "mail-recruiter@foo.bar", "mail-hilton.com@foo.bar", etc.
|
| It's easy to configure, makes it more clear that you are in fact
| not trying to impersonate others and you circumvent the problem
| of receiving automated mails to "sales@foo.bar", "hr@foo.bar",
| etc.
|
| BTW: I've been using my solution for more than five years and
| only had one "awkward" moment when a recruiter was a bit sore I
| gave them my mail address specific for cold call recruiters.
| simmons wrote:
| I've been doing this for over 20 years, and it hasn't really been
| a problem. During the occasional real-life interaction that
| requires someone to confirm my address and they express surprise,
| I just tell them that it's correct and I have advanced email
| needs. It never takes more than a few seconds -- nobody has ever
| said "please tell me all about your advanced email needs!" :)
|
| > _I use a password manager for passwords but I also need to use
| it to remember the associated emails._
|
| I do this, too. It never occurred to me that you might not
| populate the email/username field -- it's kind of the password
| manager's job to keep track of that. :)
|
| > _The truth is no one really sells your email - at least no
| legitimate companies._
|
| I think that on the whole, this is true. However, I have had a
| number of these addresses start receiving spam over the years. I
| think this is due to the companies' databases being compromised
| due to poor security. At the end of the day, the cause of the
| leak isn't greatly important, and I'm glad I can simply turn off
| those particular addresses.
| SargeDebian wrote:
| I've been offered the employee discount multiple times when
| providing storename@firstlast.tld. I declined as I'm not going
| to risk fighting some fraud charge over EUR20.
|
| I've never had difficult or negative interactions either. "I
| bought @firstlast.tld and now I can do whatever I want" settles
| it.
|
| I also have @lastna.me. My grandma has her own and mostly her
| bridge club mates are puzzled about how her email address just
| looks like her name. The whole setup is worth a few bucks, I
| guess.
| fnordpiglet wrote:
| The USPS is one of the worst offenders for selling email
| addresses.
| dewey wrote:
| I've been doing that for a very long time and _never_ had such an
| interaction. Definitely not to the level of "It's been a decade
| of trouble and totally not worth it".
| lerela wrote:
| I'm also doing this and see multiple benefits.
|
| However I've recently been bitten by my catch-all, using a money
| transfer service with the email worldremit@mycatchall.com (guess
| the company). When they asked for additional documents to verify
| my account after many months, they never received my reply and I
| ended up banned. I could not log in anymore. When I reached out
| from another email address, they refused to process the documents
| because they originated from another, unauthorized email address,
| and asked that I resend the original email from the registered
| email. I suspect their anti-phishing filters just ban any email
| containing "worldremit", so it never got through and despite
| multiple thorough explanations I could never get someone to
| listen or reinstate the account.
|
| I'm still getting the newsletter though, because unsubscribing
| requires logging in first... But then I can just ban this email
| address, so at least the anti-spam strategy works!
| thebean11 wrote:
| I try to disguise it a little to avoid the awkwardness, and also
| put the recipient into the subdomain instead of sender name. For
| example for grubhub I'd do:
|
| me@grb.mydomain.com
|
| No need to remember anything because it's all in a password
| manager. I've found this worthwhile, already blocked a couple
| spammers.
|
| You could also go with something fully random, you still get the
| same benefit. It's easy to look in your email history and see
| what you originally used the email address for. Password manager
| obviously required though.
| Hackbraten wrote:
| That's exactly how I've been doing it for more than a decade.
| (Without the subdomain part but with the disguising.) I feel
| it's been worth it so far.
| curiousfab wrote:
| Using custom subdomains for each account is a great idea. Once
| you start getting spam on this subdomain, you just need to
| remove the DNS entry and the spammer's attempts to deliver spam
| will be unsuccessful (versus if you use different local part
| names, you have to filter / reject the mails explicitly).
| schroeding wrote:
| Nice! I tried this a few years ago, and while this worked
| nicely for inbound email, deliverability outbound was really
| bad, even with DKIM etc. set. Normal mails from <my domain>
| were fine.
|
| I guess "amazon.<my domain>" got quite the phishing score at
| the time, so good call using grb instead of grub. :D
| thebean11 wrote:
| Yeah deliverability is a good point. I'm usually only using
| this trick for services where I wouldn't be sending outbound
| email luckily. Normal emails come from mydomain.com.
| thebestmoshe wrote:
| What do you use to manage all the subdomains?
| encryptluks2 wrote:
| Note some services won't even recognize a subdomain email
| address as valid.
| kennywinker wrote:
| Really? Wouldn't that catch people with `.co.uk` or similar
| localized domains?
| pantulis wrote:
| "The truth is no one really sells your email - at least no
| legitimate companies. "
|
| Of course, because legitimate companies used to sell your
| cookies, which basically are going the convey the same
| information about your profile.
|
| Now in the cookieless era of CDP platforms and identity
| stitching, having different email addresses _may_ be more useful.
| kevin_thibedeau wrote:
| This isn't a new thing. Data brokers have been building
| identity profiles for decades. Snarfing up email addresses is
| part of that process.
| crizzlenizzle wrote:
| > The truth is no one really sells your email - at least no
| legitimate companies.
|
| Yes, but legitimate companies leak data now and then. I get
| metric tons of spam to dropbox@, linkedin@, myspace@,
| moneybookers@, etc.
| stevekemp wrote:
| When I used wildcard support I got spam to :
|
| linkedin@steve.org.uk
|
| facebook@steve.org.uk
|
| So I'd be tempted to think that my address had been leaked from
| there, but I also got other messages sent to addresses like:
|
| admin@steve.org.uk
|
| sales@steve.org.uk
|
| support@steve.org.uk
|
| In the end I figured it was just dictionary attacks and
| optimistic senders, and I could never be sure that a particular
| company had actually leaked an address.
|
| These days I just give steve/at/steve.fi to everybody (I moved
| countries, hence the new TLD). I ported over all the aliases
| that had received email in the past five years and started
| rejecting unknown local-parts. That stopped badbots from
| mailing things that seemed like poorly-scraped message-ids
| "blah-blah-1234@steve.org.uk".
| wiredfool wrote:
| I did it for years, until someone started dictionary spam runs on
| my domain. That was a pain, so I whitelisted the ones I used, and
| went to email-company@domain. Works pretty well, I've black holed
| 20 or 30 over time, and it's a decent second check on phishing
| emails.
|
| Sadly, because I chose - instead of plus, I'm going to be hosting
| my own inbound email for the rest of this domain's life. (And
| since it's mylastname.net, that's going to be a while)
| notarealperson2 wrote:
| > Sadly, because I chose - instead of plus, I'm going to be
| hosting my own inbound email for the rest of this domain's life.
|
| What do you mean? I use migadu and they support address aliases
| with wildcards, so I could just alias something-* to
| something@example.com and add a sieve script to sort it into a
| corresponding folder. I assume most email hosts do not support
| that, but I doubt they are the only one.
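stevekemp's and wiredfool's approach (allowlist the local-parts that have actually received mail, reject the rest, and route `email-<company>@` aliases into per-company folders the way notarealperson2 does with a sieve rule) can be written as one inbound policy. The Python below is an added example, not code from the thread; the delivery history, log line format, IP addresses and the "three or more rejected local-parts from one IP" threshold for flagging a dictionary run are all assumptions made for the example.

```python
"""Inbound policy for a catch-all domain: allowlist, tagged routing, probe detection.

Added example (not from the thread). Three ideas from the comments in one
policy: keep an allowlist of local-parts that actually received mail within
the last N days and reject the rest; sort email-<company>@ aliases into a
per-company folder; and flag a sending IP that tries several unknown
local-parts as a dictionary run. Addresses, IPs, history and log lines
are all constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MY_DOMAIN = "mydomain.example"
ALIAS_PREFIX = "email-"
# Role names that generic spam guesses first; a catch-all never needs them.
ROLE_GUESSES = {"admin", "sales", "support", "contact", "info", "webmaster"}
PROBE_THRESHOLD = 3  # assumption: this many rejected local-parts from one IP

# Constructed delivery history: (date of last accepted mail, local-part).
HISTORY = [
    ("2021-11-02", "email-grubhub"),
    ("2022-01-15", "email-hilton"),
    ("2015-03-09", "email-oldshop"),  # unused for years: drops off the allowlist
    ("2022-05-30", "steve"),
]

# Constructed MTA log lines (the format is invented for this example).
LOG_LINES = """
2022-06-01T10:00:01 ip=198.51.100.7 from=<orders@grubhub.example> to=<email-grubhub@mydomain.example>
2022-06-01T10:00:05 ip=203.0.113.9 from=<a@spam.example> to=<admin@mydomain.example>
2022-06-01T10:00:06 ip=203.0.113.9 from=<a@spam.example> to=<sales@mydomain.example>
2022-06-01T10:00:07 ip=203.0.113.9 from=<a@spam.example> to=<blah-blah-1234@mydomain.example>
2022-06-01T10:00:08 ip=203.0.113.9 from=<a@spam.example> to=<qwe-9912@mydomain.example>
2022-06-01T10:00:09 ip=203.0.113.9 from=<a@spam.example> to=<zz-31@mydomain.example>
2022-06-01T10:01:00 ip=198.51.100.8 from=<news@hilton.example> to=<email-hilton@mydomain.example>
2022-06-01T10:02:00 ip=198.51.100.9 from=<x@y.example> to=<email-oldshop@mydomain.example>
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) from=<(?P<frm>[^>]*)> to=<(?P<to>[^>]+)>$"
)


def build_allowlist(history, today, max_age_days=5 * 365):
    """Local-parts that received mail within max_age_days of `today` (YYYY-MM-DD)."""
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=max_age_days)
    return {lp for d, lp in history if datetime.strptime(d, "%Y-%m-%d") >= cutoff}


def decide(local_part, allowlist):
    """Return ('accept', folder) or ('reject', reason) for one recipient."""
    if local_part in ROLE_GUESSES:
        return ("reject", "role-name probe")
    if local_part not in allowlist:
        return ("reject", "unknown local-part")
    if local_part.startswith(ALIAS_PREFIX):
        return ("accept", "Aliases/" + local_part[len(ALIAS_PREFIX):])
    return ("accept", "INBOX")


def parse_log(lines):
    """Yield (timestamp, ip, sender, recipient local-part) for mail to our domain."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a delivery line; ignore
        local, _, domain = m["to"].lower().partition("@")
        if domain == MY_DOMAIN:
            yield m["ts"], m["ip"], m["frm"], local


def process(lines, allowlist):
    """Decisions per recipient, plus the IPs that look like a dictionary run."""
    decisions = []
    rejected_by_ip = defaultdict(set)
    for ts, ip, frm, local in parse_log(lines):
        verdict = decide(local, allowlist)
        decisions.append((local, verdict))
        if verdict[0] == "reject":
            rejected_by_ip[ip].add(local)
    probing = sorted(ip for ip, names in rejected_by_ip.items()
                     if len(names) >= PROBE_THRESHOLD)
    return decisions, probing


if __name__ == "__main__":
    allow = build_allowlist(HISTORY, "2022-06-01")
    decisions, probing = process(LOG_LINES, allow)
    for local, verdict in decisions:
        print(f"{local:>16}@{MY_DOMAIN}: {verdict[0]} ({verdict[1]})")
    print("dictionary-run suspects:", probing)
```

Rejecting at SMTP time (rather than accepting and filtering) is what makes the allowlist pay off: the sender never learns which local-parts exist, and an unused alias can simply age out of the history instead of needing an explicit block.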
| Invictus0 wrote:
| Those little interactions count as awkward? Jeez. Try having a
| weird last name and get back to me.
| unixfg wrote:
| The only issue I've had was with that real estate data website
| that rhymes with Willow. They have a strict policy against
| usernames that contain their branding and my first support ticket
| resulted in them demanding I change my E-mail address.
| edave64 wrote:
| I've been using a similar system, only that I additionally append
| a random 5 digit number, so that if e.g. hilton-68425@domain.org
| gets leaked, that doesn't automatically make
| hyatt-95813@domain.org easy to guess. Though it does sound like
| something that might be possible to brute force.
|
| Also, they feed into different subfolders of the same main
| address.
|
| It definitely has caused some issues, but nothing that would make
| me regret choosing this system. Obviously the email gets stored
| in the password manager. And even if not, I just look at the
| existing emails and check their destination address.
|
| Honestly, the most annoying part is the setup of new addresses. I
| might look into a way to automate that.
|
| Although it is true that I have not caught a single company
| giving the email away, but it still helps me keep the inbox
| organized.
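edave64's random 5-digit suffix has the weakness they note: a leaked hilton-68425@ still tells a guesser the pattern, and nothing ties a suffix to its service except a list you have to keep. The Python below is an added example, not code from the thread: it replaces the random number with a truncated HMAC of the service name under a secret only you hold, so suffixes cannot be derived from one another and an inbound address can be verified without any stored list (which also covers the "automate the setup of new addresses" wish). SECRET, MY_DOMAIN and the service names are placeholders invented for the example.

```python
"""Keyed suffixes for per-service aliases on a catch-all domain.

Added example (not from the thread). The suffix after the service name is a
truncated HMAC-SHA256 of that name under a secret only the owner holds.
Learning hilton-<tag>@ therefore reveals nothing about hyatt-<tag>@, and
inbound mail can be checked against the secret with no list of issued
aliases. SECRET, MY_DOMAIN and the service names are placeholders.
"""
import hashlib
import hmac
import re
import sys

MY_DOMAIN = "mydomain.example"
SECRET = b"placeholder-replace-with-32-random-bytes"  # keep out of the mail client
TAG_HEX_CHARS = 6  # 24 bits: a guessed suffix passes with probability 2**-24
ALIAS_RE = re.compile(r"^(?P<service>[a-z0-9]+)-(?P<tag>[0-9a-f]{%d})$" % TAG_HEX_CHARS)


def alias_tag(service, secret=SECRET):
    """Truncated keyed hash of the service label."""
    digest = hmac.new(secret, service.lower().encode(), hashlib.sha256).hexdigest()
    return digest[:TAG_HEX_CHARS]


def make_alias(service, secret=SECRET, domain=MY_DOMAIN):
    """Build service-<tag>@domain; the same service always yields the same alias."""
    service = service.lower()
    if not re.fullmatch(r"[a-z0-9]+", service):
        raise ValueError("service label must be alphanumeric")
    return f"{service}-{alias_tag(service, secret)}@{domain}"


def check_alias(address, secret=SECRET, domain=MY_DOMAIN):
    """Return the service name if `address` is a genuine alias, else None.

    Rejects other domains, untagged local-parts, and any tag that does not
    recompute from the service name (so brute-forced or guessed suffixes fail).
    """
    local, _, dom = address.strip().lower().partition("@")
    if dom != domain:
        return None
    m = ALIAS_RE.match(local)
    if m is None:
        return None
    if not hmac.compare_digest(alias_tag(m["service"], secret), m["tag"]):
        return None
    return m["service"]


def tamper(address):
    """Flip the last hex digit of the tag; shows that an altered suffix is rejected."""
    local, _, dom = address.partition("@")
    flipped = "0" if local[-1] != "0" else "1"
    return f"{local[:-1]}{flipped}@{dom}"


if __name__ == "__main__":
    # Usage: python alias.py hilton  -> prints the alias to hand to that service
    label = sys.argv[1] if len(sys.argv) > 1 else "hilton"
    alias = make_alias(label)
    print(alias)
    print("verifies as:", check_alias(alias))
    print("tampered verifies as:", check_alias(tamper(alias)))
```

Six hex characters is a deliberate trade between guess resistance and something you can read out over the phone; lengthen TAG_HEX_CHARS if you never expect to dictate an address. Mail to any local-part that fails check_alias can be refused outright, which turns the catch-all into an allowlist that needs no maintenance.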
| walrus01 wrote:
| reminds me a bit of the family member who owns
| firstname@lastname.com and can't get random non technical people
| to believe that their email address domain really is lastname.com
|
| "but don't you mean at gmail.co..."
|
| no
| gowld wrote:
| There's a 199X NYTimes article about how prestigious
| lastname.com is. Maybe someone can find it in the archives
| omnibrain wrote:
| I used mail@firstname.lastname.name and sometimes even like the
| op "service"@firstname.lastname.name for some time. This led
| to all kinds of trouble, social and technical. Social as in
| people did not understand why I "owned" "service"@..., why I
| did not have something like
| firstname.lastname@t-online.de/web.de/gmx.de/googlemail.de,
| that a third level domain is even possible, or they did not
| recognize .name.
|
| Technical trouble was almost the same: Systems did not
| recognise the new at the time .name or Systems had trouble with
| third level domains. Sometimes I could sign up, but something
| in the backend broke and I never received mails.
| [deleted]
| mmastrac wrote:
| I've been using firstname@lastname.com for ages and this
| doesn't happen to me. Usually it's "huh that's neat", but I
| also have a very unique last name
| Macha wrote:
| Mine is first@fullname.com. Most just accept it (all when I
| visit California, maybe that's your experience?), but I do
| get queried about it from time to time in my home country
| arran-nz wrote:
| I use this method and experience a few of the same drawbacks,
| like remembering email + password per service - A password
| manager does make it doable. (Highly recommend KeepassXC[0])
|
| However, contrary to OP I enjoy these somewhat awkward situations
| where someone doesn't quite understand my email address. I find
| it can naturally lead to a conversation about privacy and data
| protection and I'm happy to spread the awareness, if someone is
| interested.
|
| [0] https://keepassxc.org/
| echoechozulu wrote:
| I do this and my biggest regret is that I cannot easily check
| haveibeenpwned.com to find out if any of the accounts have been
| breached.
| andywaite wrote:
| Yes you can: https://haveibeenpwned.com/DomainSearch
| echoechozulu wrote:
| Oh, nice! I didn't know about this. Thank you!
| AdamJacobMuller wrote:
| You have really good timing :)
| AdamJacobMuller wrote:
| You can authenticate whole domains and see whenever anyone at
| your domain is listed.
| 5evOX5hTZ9mYa9E wrote:
| I've had sales and customer service ask me about this a handful
| of times and I simply said: 'It's a unique email address so that
| you guys can't sell my details or get hacked and lose my email.'
|
| The only interaction that sticks in my mind regarding this was
| when one of the sales people asked me how they might set up their
| own version of catch-all domain. That's about it.
| Brian_K_White wrote:
| Right? Every time someone remarks, that's a _good_ thing.
| alchemyromcom wrote:
| This is a great idea that I had never thought of. Something that
| might help, if it does actually make a person feel awkward, is to
| use a numeric code. That way, you could be
| commercial301@mydomain.com and then 301 could equal Gap, or
| whatever you want.
| mattlondon wrote:
| Unique email @<your burner domain> per website, so you only have
| to remember one password for everything.
|
| Handy for places where you need to sign-up but otherwise you
| don't care. I don't use this approach on "meaningful" accounts
| where I'd care about a breach.
|
| I think this person's mistake was not having a memorable system
| for the username aspect.
| jiveturkey wrote:
| Have to say, disagree with every single point. It also feels
| poorly argued. The example about not being able to log into
| grubhub stuck out to me within 20 seconds of reading. He says he
| uses a password manager, then says he has to navigate many
| accounts while trying to login. Any sane password manager is not
| simply a list of emails and passwords, but also the SITES they
| BELONG to. This can't have happened the way he describes it.
|
| Also, in particular, I can't understand the social awkwardness. I
| don't see how the interactions he has described are awkward in
| any way. OK, once in a while you have to explain yourself.
| Sometimes you might have a laugh about it. 95% of the time you
| just repeat yourself and move on. There's nothing awkward here.
| Unless he's using a different definition of awkward, as well as
| social.
| stickfigure wrote:
| For weeks our Shopify app was getting rejected because "you
| cannot use the Shopify name or trademark in your app". It
| wasn't... repeated requests for clarification just got back the
| same form response.
|
| After several frustrating back-and-forths, _finally_ someone at
| Shopify said "check your email address".
|
| The developer contact email address we had submitted, which was
| only used for shopify<->us communication and no customer would
| ever see, was shopify@ourdomain.com.
|
| <facepalm>
| mro_name wrote:
| I wonder what they'd have said about
| tobias.luetke@ourdomain.com
| mike_hock wrote:
| So it turns out using a catch-all domain wasn't a mistake.
|
| Confusing companies by using THEIR name, being completely
| disorganized with the names and not even saving them in a file,
| was a mistake.
| black_puppydog wrote:
| I've been doing this for 5 years and while I agree that leaks are
| rare, it has been only smooth sailing.
|
| I use thunderbird with an addon that automatically sets the
| responding email address, and have a script called "email" that
| generates a random address (no prefix or anything) and puts it in
| my clipboard. If I want to know what I used an email for, I can
| find it in my password manager or by checking from where that
| address first got mail.
|
| Signing things up in person, I just use human-randomly generated
| strings.
|
| In short: I have none of the problems the author has...
| jnellis wrote:
| After the dotcom bust, it was sometimes the user information
| which was the only thing left to sell off (even when they
| promised not to.) Spam was more of a problem back then, or maybe
| just being able to avoid it was more of a problem. So catch all
| email like this was actually beneficial but it became obvious
| only a few years later, to me at least, that no one was selling
| email addresses anymore and all that management was unnecessary
| overhead. I'd say about by 2006 it had definitely sorted itself
| out.
|
| I now route mail by context and only deal with maybe a half dozen
| accounts regularly.
| gigel82 wrote:
| I wish there was a simple equivalent for phone numbers. Even if I
| had to pay <$1 / month per unique phone number it would still be
| worth it.
|
| Too many services now need a phone number "for my security". I
| use my Google Voice whenever I can but there is no way to trace
| the leaker from that. Car dealerships appear to be a big source
| of leaks in my experience (significant uptick in spam calls and
| texts after I give a dealership my GV number).
| reidjs wrote:
| Can you do it with twilio?
| walrus01 wrote:
| this doesn't solve the SMS 2FA problem but if you know what
| you're doing with voip you can set up a DID to answer with a
| filtering message like "please press 8675 to be connected", and
| it'll only ring your _actual_ phone if somebody follows the
| instructions. cuts down on 98% of telemarketing and scams.
|
| then only give out the DID number not your direct phone to
| things like car dealerships.
|
| i had one car dealership that I took my car to for an oil
| change _one time_ that persisted in sales calls for six months
| until I finally escalated the matter to their general manager.
| gaudat wrote:
| Such things do exist in some countries. I remember one of my
| relatives protected their phone number by adding an incoming
| call password.
| loloquwowndueo wrote:
| I have a variation that I use for online sign-ups only. I have to
| explicitly declare the alias before using it. So it's relatively
| easy to check which ones I have used in the past (and the name
| tells me which site I used it for) and I can easily "revoke" by
| removing the alias. I can't really use it when asked for an email
| address at a store, for example - but it doesn't happen that
| often (going to real stores, I mean :) )
| zepearl wrote:
| bulls*hit.
|
| 1)
|
| It's true that trying to use a "pure" solution
| ("[source]@[yourdoma.in]" - e.g. "amazon@mydomain.com") causes a
| lot of problems (red flags being issued on the remote site).
|
| On the other hand with a mixed solution
| ("[partial_source_mixed_with_something_else]@[yourdoma.in]" -
| e.g. "zeama@mydomain.com") I never had any problems (I anyway
| keep files/keepass-entries to track which userid&pwd&email I'm
| using for which URL).
|
| 2a)
|
| My common&real email address gets quite some spam (no filtering
| applied) (but I admit that the amount during the last years was
| stable).
|
| 2b)
|
| My custom email addresses almost never get spam (even the ones
| that I used for "weird" sites) => I assume that whoever gets in
| some way email addresses performs some kind of healthcheck on
| them to get rid of the ones that might identify the source (from
| where they were extracted).
|
| 2c)
|
| The few spam emails that I got during the last years on my custom
| email addresses indicated that they originated from 1) the garage
| which I use to swap winter/summer tires and 2) my doctor (?!) =>
| it was interesting (e.g. is my doctor's IT compromised + did the
| garage sell my email address because I didn't visit them during
| the last two years?) => anyway changing address (which got rid of
| the spam) was super easy in these cases :)
| joshstrange wrote:
| I agree that using per-company email address to sign up is not a
| good idea but I love my catch-all email address.
|
| When I'm testing my software (professional or personal) I can
| "create" emails on the fly for new user accounts. Yes, with
| Gmail, you can do the base+anything@gmail.com trick but with my
| setup I never need to rely on that (or worry someone might block
| it), I just use anything@mydomain.com and I'm good to go.
|
| Same for my LLC, I have a catchall so I can setup things like
| accounts@mydomain.com and get all those emails to my main
| josh@mydomain.com email address and then in the future if I need
| to turn that into a group or its own email address it's super
| easy and forward compatible. Just like support@mydomain.com,
| right now I'm the only one that handles that but I can hand that
| off in the future if I need to without any issues at all.
|
| Tangentially related: getting your own name as your domain name
| is really nice in more ways than you might think. Giving my email
| over the phone is a cake walk, I've normally just given them my
| name, then I just say "josh at joshstrange dot com" and I never
| have to worry about spelling or them hearing me perfectly since
| it's just a combination of the info I just gave them (my name). I
| get comments about it from time to time but buying that domain in
| high school was the best decision I ever made when it comes to
| tech/email. It's stayed the same for well over a decade and I
| never had to give out an embarrassing email or worry about "what
| email did I use to sign up for that account?".
| alias_neo wrote:
| Lucky you mister Josh Strange.
|
| If however, like myself, you have a name like Mr
| FairlyPopularNameNoOneInBritainCanSpellCorrectly IncomprehensibleItalianOrSpanishOrSomethingEuropeanFamilyNameNoBritHearingItWillEverAssumeStartsWithTheLetterItActuallyDoes,
| it's the epitome of
| tedium every time you have to get someone on the phone or in
| person to spell your name correctly.
|
| My wife fucking hates it that she switched from her easy,
| unmistakable English family name to my shit show of a Phonetic
| spelling exercise.
|
| I guarantee I'd never receive a single spam message because
| nobody is EVER spelling my FirstnameLastname.com correctly, Mr
| MyNameExistsInAutocorrect Strange.
|
| Jokes aside, seriously, my family name starts with "El" and the
| second you start saying it you see people write "L" and pause.
| joshstrange wrote:
| Totally fair criticism of my statement and I apologize for
| not taking into account names that are harder to spell or
| hear correctly.
|
| I am very thankful that I don't have those issues but yes, my
| advice doesn't hold up in those situations.
| alias_neo wrote:
| No worries, it was a light-hearted rebuttal!
|
| I always found the firstname@lastname.com to confuse people
| far more than the name itself. I often get questions like
| "is that at gmail.com or hotmail.com or...?"
| atleta wrote:
| I've been doing this for well over a decade and while I had
| similar experiences sometimes, I don't see how this was a mistake
| by any means. Yep, not many companies sell or _leak_ your email,
| but some do. And let's not forget that 10+ years ago we had much
| worse spam filters. (Though we had less spam as well.) And with a
| unique email for each provider and company it's pretty easy to
| block them when they start spamming you or when they give away
| your address.
|
| In theory, one could use generated addresses in some cases. E.g.
| for throw away ones or when you have to give it in person. The
| problem is that then you'd have to keep track which one you gave
| to whom.
|
| It also helps with filtering as services may change the from
| address or use multiple from addresses while you may want to
| label all email from them the same.
|
| Then in some cases, where you do want to make your email public
| still you want to know how people found you. I think this one
| would be called "role based addresses". E.g. I think it's pretty
| nice to have your paypal address as paypal@yourdomain.com (when
| people were still using them for a lack of alternatives), same
| for github, etc.
| [deleted]
| Xorakios wrote:
| Certainly people's experiences might vary, but I have only had a
| couple companies threaten me for using their company name and way
| more success in just blocking addresses when I get spam-stormed.
| I agree it's rare, but so annoying when it happens, so it seems
| easier just to have a catchall.
|
| hn@drewpalmer.com
| ChrisArchitect wrote:
| Dunno if all these gripes are describing a "huge mistake". Some
| inconvenience, maybe not the best domain/confusion on the naming,
| and maybe the realizing down the road the threat might not be
| that big, but you still got to organize and manage your concern
| with only a few technical steps.
| threatofrain wrote:
| I've been using email aliases for over a decade and have never
| experienced the leading examples the author mentions. Although I
| already have email accounts setup for impromptu scenarios,
| setting up an email alias in one minute is easy enough.
| RLN wrote:
| I have several times. Generally I can just say "you can write
| anything before the @ and it still comes to me" and people
| understand it though. It doesn't need to become a big
| discussion about how email works and they've probably forgotten
| by the end of the interaction.
|
| Maybe once or twice I've given my address to a new friend as
| newfriend@domain.com and it's led to at least a small
| discussion about it.
| AdamJacobMuller wrote:
| > The only benefit is that I'm able to tell when companies are
| breached before wider disclosures because I start getting spam
| emails sent to thatcompany@.
|
| My big problem is that this is worse than useless.
|
| I started doing unique-address-emails back in probably 2002 or
| 2003 and did it for around a decade before giving up.
|
| A couple of times per year I would start getting spam or similar
| on an email address and would know exactly what had been breached
| and I would try to notify the companies involved. I'd probably
| spend an hour or two finding emails for key contacts and send a
| few paragraph email explaining how I knew they were breached
| etc...
|
| 90% of the time I got absolutely no reply whatsoever.
|
| 5% of the time I got a pleasant reply and someone said they were
| already aware or they would look into it.
|
| 5% of the time I got confused emails from a non-technical person
| that didn't understand how their PHP shopping cart software which
| hadn't been updated in 2 years got hacked, and didn't know what
| PHP or Linux or anything else was because the neighbor's kid had
| installed the site one time 2 years ago and now was too busy in
| college and why are you bothering us about this we have orders to
| ship!
|
| 5% of the time I got incredulous replies from technical people
| who insisted that I was wrong. That email address must have
| leaked some other way!
|
| Then there was the last time I ever sent one of these emails. I
| guess I had found and emailed the owner of a company to email who
| had then added in his tech person. I explained why I had huge
| confidence something on their side was breached, but, couldn't
| explain to them what or how. They eventually got rather hostile
| about it, first accusing me of extorting them for the information
| (I never asked for money, but bounties weren't really even a
| thing back then like they are today). Eventually culminated in
| them adding in their lawyer with more threats and demands for my
| full name / address (presumably so they could actually sue me). I
| ignored them and fortunately the whole thing went away.
|
| That was the last time I sent a report about one of my emails
| being compromised and shortly thereafter I stopped using tagged
| addresses entirely.
| markdown wrote:
| Sounds like you were the one who made it worse than useless ie.
| you gave yourself more work and then resented it.
| AdamJacobMuller wrote:
| I suppose. I mostly did it as a fun experiment and stopped
| when it ceased to be fun.
|
| I don't resent it or regret it, I had a lot of fun writing
| the software which powered it.
| ZetaZero wrote:
| As you found out, it is a waste of time to report the leak. But
| you can still get all the benefits of nuking that email.
| AdamJacobMuller wrote:
| Nuking the actual email was of limited benefit over time.
|
| For whatever reason I started to get spam on my real non-
| aliased email address and at that point it was all bets off.
|
| Shortly after I gave up on the tagged addresses I just moved
| to gmail.
| teawrecks wrote:
| No one said you're supposed to contact anyone about the spam.
| If the problem could be solved on their end, this catch-
| all/tagging solution wouldn't need to exist in the first place.
| The assumption is that people can't be trusted with your email
| address, so you create a way that their incompetence/malice
| can't hurt you, and then you go about your business.
|
| Imagine criticizing helmets because children keep falling off
| their bikes.
|
| Btw 90+5+5+5=105%.
| AdamJacobMuller wrote:
| > No one said you're supposed to contact anyone about the
| spam.
|
| Considering that, as far as I knew at the time, nobody was
| doing this at all, nobody told me any of what I was
| "supposed" to do. Even if they had told me what I was
| "supposed" to do, I generally am not good at following
| directions or doing what I'm supposed to do.
|
| > Btw 90+5+5+5=105%.
|
| Case in point.
| gowld wrote:
| The benefit isn't that you can tell the company they were
| breached. The benefit is that you can tell yourself, friends,
| and the public.
| AdamJacobMuller wrote:
| Meh.
|
| Some people might want to be the name-and-shame type, but,
| that's not me.
| xigoi wrote:
| Your percentages don't quite add up...
| AdamJacobMuller wrote:
| There's an additional 5% chance that I did that intentionally
| to be funny. Does it add up now?
| [deleted]
| detritus wrote:
| Embarrassment (really?), minor as it could be, seems like a
| really low bar for failure here.
| desdiv wrote:
| For people who are having problem with the "hilton@domain.com"
| situation, consider using ROT13 or some other similar scheme
| (hilton becomes uvygba).
|
| Other alternatives include:
|
| 1. shorten it so much that it's not revealing anymore
| (hil@domain.com)
|
| 2. use another language if you're multilingual
| (hiruton@domain.com for Japanese)
| nokya wrote:
| Or use a password manager.
|
| 1. Create new entry with title "Hilton"
|
| 2. Generate email address (e.g. 8467588@somewhere.com)
|
| 3. Generate password
|
| Done.
| cosmojg wrote:
| I had the exact same experience! Almost verbatim. Nowadays, after
| one very long weekend spent changing my email address across
| dozens of different websites and services, I just use
| name@name.red instead of anything service-specific. Even now,
| though, the fact that it's a ".red" rather than a ".com" is too
| much for some people (e.g., my student loan servicer doesn't
| support .red domains at all). It's fun being special until it
| isn't.
| mholt wrote:
| I had to stop using plus-addressing (me+brand@gmail.com) because
| of broken email address parsers/validators. If I was on the phone
| with a support agent, I would give them my plus-address and their
| system would reject it and they'd ask for another one.
| Stubbornly, I'd refuse to budge and insist that is my email
| address that they need to use. It got to the point where I'd
| either have to forfeit my healthcare/tax/flight/<whatever>
| account or give up on the plus-address. And if they asked about
| it, I'd explain honestly that it's because I don't trust them.
|
| It did reveal some interesting data leaks sometimes including on
| npm [1], but the hassle wasn't worth it.
|
| I now rely solely on spam controls again.
|
| [1]: https://twitter.com/mholt6/status/1315743799335763968
| bityard wrote:
| GMail has supported the "+" alias since the service was
| announced, one would think there'd be no excuse to not support
| it everywhere at this point. My conspiracy-theory hypothesis
| is that many companies "know" that any address with a + in it
| is an alias and actively filter it out. Because they don't want
| an alias, they want your _real_ address.
|
| I run my own mail server and use a "." as the alias character.
| Haven't seen a system reject a single one of these.
| pavon wrote:
| I do this and haven't had nearly as many problems as the author
| for a couple of reasons. First, I refuse to give out my email in
| most of the situations he complains about. I almost never want or
| need to link my physical retail purchases to an email address,
| and in the cases where I do, it is usually faster and easier to
| ask for a loyalty packet and sign up online than to dictate all
| the information to a clerk.
|
| Second, I'm not strict about it, and use a generic address (my-
| formal-name@example.com) in situations where I do need to give an
| email verbally (like contractors asking where to send a quote).
| And I also have my-nick-name@example.com which I give to friends
| and family.
|
| Since I only use the catch-all emails for things I do online,
| they are all stored in a password manager so I don't have any
| problem forgetting them.
|
| With these more relaxed rules, I still end up using a catchall
| email the vast majority of the time, with a fraction of the
| annoyances. The only time it really comes up is for telephone
| support calls with accounts I created online, and it isn't a big
| deal.
|
| The benefit is that I can block 90% of spam using nothing but a
| blacklist of addresses that have been compromised. And the novelty
| of knowing who has shitty security with my information.
| vageli wrote:
| > I also have a bunch that I've misspelled. My GrubHub account is
| gruhub@. I use a password manager for passwords but I also need
| to use it to remember the associated emails.
|
| I find that to be a strange complaint. What password manager is
| being used that doesn't support a username alongside a password
| in an entry?
| yawnxyz wrote:
| I have stuff like "info@" "register@" or "support@" that I filter
| through in my inbox. The only problem I've had with catch-all
| email is getting a ton more spam from bots... for some reason
| they'll add randomname@ because our name shows up with some other
| company name, some spam CRMs will confuse some other company's
| staff with our email address and send to that address
| aaronharnly wrote:
| I've also been doing this for more than a decade. Other than my
| spouse rolling her eyes when I give an email address over the
| phone, it hasn't been hard and definitely has helped. I have put
| blocks on a few email addresses that were involved in data
| breaches and became spam spigots.
| willk wrote:
| I got my wife to use a catch-all last year. She absolutely
| loves it.
| fnordpiglet wrote:
| I've done this for 30 years. I didn't do it to catch people
| selling my info, but I do enjoy it when I do. I do it so they
| don't send me email to my personal email address which I only
| give to people I want to email me. I can also blackhole someone
| that's marketing too much and it is easy to search my email for
| any correspondence to and from that vendor.
|
| It is awkward sometimes when I say it on the phone but I'm also
| in senior leadership at a big company so my skin is about as
| thick as it comes with regards to awkward situations. My entire
| career now is a series of awkward situations I'm asked to fix.
|
| Also, I use a password manager (dude it's 2022, if you're not
| using a unique password already you ought to reconsider your life
| choices and once your password is unique who cares if your email
| is too?)
| zzyzxd wrote:
| I was purchasing a car at local Honda dealership and the salesman
| refused to believe that my email address was honda@mydomain.com.
| He just insisted that I should tell him my "real" email address.
| If it happens today, I would just walk away. But back then I was
| a new grad who just got a new job and really wanted a new car in
| a new city, so I said "fine, does mylastname@mydomain.com sound
| more legit?" He was ok with that. I brought the car back home,
| and set a new inbox rule that blocks all emails to
| mylastname@mydomain.com. Because I can't think of a reason to use
| mylastname@mydomain.com in any cases. I have never heard anything
| from Honda ever again.
|
| I once got a text message from an agent after a dealership visit,
| he asked me why I just couldn't give him a good feedback since he
| worked so hard and I seemed to be happy with the result. I was
| like "sorry, but for some reason I can't receive emails from
| Honda, including after-visit survey".
|
| > The truth is no one really sells your email - at least no
| legitimate companies.
|
| Speaking of this, I actually did sometimes catch someone sold or
| leaked my email addresses. They usually came from spam emails
| with "Undisclosed recipients" that I had to dig into headers to
| find out which one of my addresses was leaked.
|
| Most of the addresses used in spam are the ones I shared with
| individuals/small businesses and I would like to believe that they
| were not intentional.
|
| The only legit, big company that sold/leaked my email was Docker.
| I applied for a new job with docker@mydomain.com and a year later
| a bunch of recruiting spams came to me via that address. Although
| it's possible that that particular recruiter just forgot
| to shred my resume after I rejected their interview invite.
| tgsovlerkhgsel wrote:
| > Most of the addresses used in spam are the ones I shared with
| individuals/small businesses and I would like to believe that they
| were not intentional.
|
| Sounds very much like the computers/address books of the
| business owners get compromised and harvested.
| Komodai wrote:
| I have not encountered any of the issues you said.
|
| And what's wrong with "I use a password manager for passwords but
| I also need to use it to remember the associated emails."?
| C4K3 wrote:
| I've been doing this for close to a decade and sometimes
| salespeople and customer service people will ask to confirm, but
| that takes 5 seconds and isn't awkward (in my opinion.)
|
| It has more benefits than knowing who leaked your email, it lets
| you easily filter your incoming email by who you gave the email
| to, and when your email is leaked it lets you shut off that email
| address. Of course you can also filter your email by the sender's
| domain, but that isn't as consistent, and doesn't help at all
| when your email address has been leaked.
|
| It's true that you do have to set it up so that you can send
| email from the addresses to avoid not being able to reply by
| email, and you will want a password-manager or something to
| remember exactly what email you used, for convenience.
|
| Personally I'm glad I've done this, it's made it much easier to
| organize my emails.
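| The filtering and shut-off routine described in the comments above
| (sort by which tag you handed out, spot a tag that starts receiving
| mail from senders it was never given to, retire a leaked tag) is
| easy to automate. The following is an added example, not code from
| any commenter or from the blog post: it runs a tag registry over
| constructed Postfix-style log lines. The tags, sender domains and
| log lines are all made up for the illustration. Note that it keys
| on the envelope sender domain as logged, which a spammer can forge,
| so in a real setup you would pair the verdict with SPF/DKIM results
| before treating a "leak-suspect" as proof.

```python
import re
from collections import defaultdict

# Hypothetical tagged addresses and the sender domain each one was given to.
REGISTRY = {
    "grubhub@example.com": "grubhub.com",
    "honda@example.com": "honda.com",
    "garage@example.com": "citytires.example",
}

# Tags already retired after a confirmed leak (constructed).
BURNED = {"hotel@example.com"}

# Constructed Postfix-style log lines; not taken from any real server.
SAMPLE_LOG = """\
Jun  1 10:00:01 mx postfix/smtpd[101]: from=<orders@grubhub.com> to=<grubhub@example.com>
Jun  1 10:05:12 mx postfix/smtpd[102]: from=<news@email.grubhub.com> to=<grubhub@example.com>
Jun  1 10:09:40 mx postfix/smtpd[103]: from=<promo@cheap-pills.example> to=<honda@example.com>
Jun  1 10:11:03 mx postfix/smtpd[104]: from=<service@honda.com> to=<honda@example.com>
Jun  1 10:15:55 mx postfix/smtpd[105]: from=<deals@unknown.example> to=<hotel@example.com>
Jun  1 10:20:17 mx postfix/smtpd[106]: from=<noreply@random.example> to=<never-issued@example.com>
"""

LINE_RE = re.compile(r"from=<([^>]+)> to=<([^>]+)>")


def sender_domain(address):
    """Domain part of an address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def expected_sender(tag_domain, sender):
    """True when the sender's domain is the registered one or a subdomain of it."""
    d = sender_domain(sender)
    return d == tag_domain or d.endswith("." + tag_domain)


def classify(sender, recipient, registry=REGISTRY, burned=BURNED):
    """Verdict for one delivery attempt to a tagged address.

    burned        -> tag was retired, reject at SMTP time
    unknown-tag   -> catch-all picked up a tag never issued (dictionary spam)
    expected      -> sender matches the party the tag was given to
    leak-suspect  -> tag is receiving mail from somebody else
    """
    recipient = recipient.lower()
    if recipient in burned:
        return "burned"
    if recipient not in registry:
        return "unknown-tag"
    if expected_sender(registry[recipient], sender):
        return "expected"
    return "leak-suspect"


def triage(log_text, registry=REGISTRY, burned=BURNED):
    """Return ({tag: sorted unexpected sender domains}, {verdict: count})."""
    suspects = defaultdict(set)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sender, recipient = m.groups()
        verdict = classify(sender, recipient, registry, burned)
        counts[verdict] += 1
        if verdict == "leak-suspect":
            suspects[recipient.lower()].add(sender_domain(sender))
    return {tag: sorted(doms) for tag, doms in suspects.items()}, dict(counts)


if __name__ == "__main__":
    leaks, counts = triage(SAMPLE_LOG)
    for tag, domains in leaks.items():
        print(f"{tag}: unexpected senders {domains}")
    print(counts)
```

| The "unknown-tag" bucket is the price of a catch-all: every tag that
| was never issued still lands somewhere, which is exactly the
| randomname@ noise one commenter describes. Declaring tags up front,
| as another commenter does, turns that bucket into a hard reject.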
| brewdad wrote:
| I have a single address, donotspamme@mydomain.com that I use as
| a throwaway and then route it to a folder to review about once
| a week. It draws a chuckle from salespeople when they ask for
| it or see it pop up in their system.
| NonNefarious wrote:
| Eh, I did it for a while and while I think the OP overstated
| the "awkwardness," I didn't find that the effort was
| worthwhile. I only caught one entity selling or otherwise
| divulging my address: the Atlanta Journal-Constitution
| newspaper, oddly enough.
|
| Oh, and someone did hack some FAA database and mine it for
| addresses.
|
| But that's all I netted in several years. Beyond my main
| address at my own domain, I keep a Gmail address for mailing
| lists and other low-grade traffic.
| Brian_K_White wrote:
| So basically, yes it's a bit of extra work, but simply worth
| it.
|
| Life without it is worse than life with it.
| gowld wrote:
| Moreso, it's _good_ to teach people that valid email addresses
| are in fact valid.
|
| This part:
|
| > Especially since all these companies ask for and verify your
| cell phone number
|
| is true, though.
|
| and
|
| > The one outlier is political campaigns: they'll share your
| email till the end of time.
|
| Because politicians exempted themselves from anti-spam laws, as
| they do with most laws.
| lazyjeff wrote:
| > Because politicians exempted themselves from anti-spam
| laws, as they do with most laws.
|
| This was the most puzzling thing to me. The politicians that
| I saw on TV as adamantly pro-privacy, anti-tracking, who made
| a lot of sense in everything they were saying -- you
| contribute a single dollar (because they want to show
| grassroots support for their pro-individuals campaign) and
| they IMMEDIATELY give your email and survey responses to
| everyone in their party, including to state-level campaigns
| in places across the country.
|
| There was no indication on the donation form that any of my
| personal details would be used for anything except to show
| that they had a lot of grassroots supporters.
|
| Not only that, but their emails are so clickbait-ey like
| "lazyjeff, you are the reason that [hated politician] is
| destroying democracy."
| scoot wrote:
| I use 33mail.com (33m.co) for this which gives you a personal
| subdomain for free, or a private domain on the paid plan. I'm
| on the (super cheap) paid plan due to mail volume, but haven't
| found the need for using a personal domain.
|
| I find it zero effort having a unique email address per site,
| and when combined with unique (algorithmic) password gives
| effectively a unique identity per site (cookie sharing aside,
| but there are solutions for that.)
|
| As a result, I have been able to call out a couple of sites for
| data breaches, and continue to see npm spam in particular.
| Worst offender so far is Pipedream, an absolute embarrassment
| for their CEO who appears to have initiated the data scrape. I
| won't be surprised to see them sued out of existence, which is
| a shame, as I like the service in general.
| willk wrote:
| I couldn't agree more. I've been using a catch-all for probably
| 12 years now. Sure, sometimes you get a second look when you
| give an email that has the business's name in it, but who
| cares?
|
| I get the benefit of blocking mail coming to me forever, doing
| fast sorts and searches, never have to worry if the company
| doesn't like a + in my email address.
| superkuh wrote:
| I strongly disagree. I've also been using a catch-all domain for
| more than a decade and giving each sign-up its own
| name@mydomain.com. I can remember one small issue. Otherwise it's
| never been a problem. The problem has been getting marked as spam
| for running my own mailserver. But it's all worth it in the end.
| __david__ wrote:
| I agree with you. So many companies end up with absolutely
| terrible unsubscribe code that just flat out doesn't work[1].
| With my own server I can just burn a particular email with one
| line in a file, or I can block their whole domain. I end up
| having to do this fairly regularly.
|
| I can also choose the message to send in the smtp 5xx error
| line and so I like to call them names. I know a person never
| sees it but it makes me feel good knowing my server is cursing
| out the spammers' servers.
|
| [1] I would venture that roughly 30% to 40% of email
| unsubscribe links aren't URL-encoded, so that the `+` in the
| email goes in naked to the URL, resulting in the server
| decoding it into a ` `. Sigh.
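| The encoding defect in footnote [1] is worth seeing end to end,
| because it is the same bug on the sending side that makes plus
| addresses look "invalid" to support staff. The following is an
| added example, not code from the commenter or from any mailing
| product: it builds an unsubscribe link the broken way and the
| correct way, then parses both the way a standard query-string
| parser on the server would. The endpoint URL and the subscriber
| set are made up.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical unsubscribe endpoint; any real system would differ.
BASE = "https://example.com/unsubscribe"


def naive_unsubscribe_link(address):
    """The bug: the address is concatenated raw into the query string,
    so a literal '+' is later read as a space by the server."""
    return f"{BASE}?email={address}"


def correct_unsubscribe_link(address):
    """The fix: percent-encode the parameter ('+' -> %2B, '@' -> %40)."""
    return f"{BASE}?{urlencode({'email': address})}"


def address_seen_by_server(link):
    """What a standard parser on the receiving side hands the application.
    parse_qs decodes '+' as a space, which is exactly the problem."""
    query = urlsplit(link).query
    return parse_qs(query)["email"][0]


def unsubscribe(link, subscribers):
    """Simulate the server: remove the address if it is on the list.
    Returns True on success, False when the address did not match."""
    address = address_seen_by_server(link)
    if address in subscribers:
        subscribers.discard(address)
        return True
    return False


if __name__ == "__main__":
    subs = {"me+brand@gmail.com"}          # constructed subscriber list
    bad = naive_unsubscribe_link("me+brand@gmail.com")
    good = correct_unsubscribe_link("me+brand@gmail.com")
    print(bad, "->", address_seen_by_server(bad))     # 'me brand@gmail.com'
    print(good, "->", address_seen_by_server(good))   # 'me+brand@gmail.com'
    print("naive worked:", unsubscribe(bad, set(subs)))
    print("encoded worked:", unsubscribe(good, set(subs)))
```

| The naive link silently turns into a request for a non-existent
| subscriber, so the user stays on the list and the sender sees
| nothing wrong; a validator that rejects `+` outright is the same
| misunderstanding one layer earlier.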
| leephillips wrote:
| Yes, I also have insults in my client_checks file. I enjoy
| running my own mail server.
| gaudat wrote:
| Cringe take, but fair enough on the bank freaking out part.
|
| My interaction with them went like this:
|
| >staff: And what's your email address?
| >me: $BANK_NAME@$MY_DOMAIN
| >staff: _chuckles_
|
| And on the next day I got my bank account flagged.
| ntoskrnl wrote:
| Which bank was it?
| [deleted]
| ZetaZero wrote:
| My HN account email is sleepy.home9993@[mydomain]. My email
| provider (FastMail) creates these "masked emails" at the click of
| a button, with a Description field so I can identify the purpose.
| Each email address consists of two random words plus a 4 digit
| number. Then I just store the information in my password manager.
|
| I'm not wasting time trying to fix the breaches. I can just nuke
| that email forever.
___________________________________________________________________
(page generated 2022-06-01 23:00 UTC)