Ask HN: Do you track how your email address is used?
If you want to know when your email is sold or shared, there are several strategies to know who the culprit is. Plus addressing/subaddressing is the practice I hear about the most often, and how I keep track of email use.
Do you care about tracking your email? And do you use plus addressing or do something else?
I self-host my own email server (against The Greater Internet's better judgement, it feels) and one of the neat things I can do with Postfix is set any arbitrary character as a username/junk separator.
Gmail has supported this for a long time with the '+' character, but this has some major problems. Many things that accept email addresses don't recognize '+' as a valid email username character and won't let you submit the form. I hypothesize that some of this is poor awareness of what constitutes a valid email address, and some of it is intentional to force users to input their "real" email address. I have also run across a few systems that stripped off the '+' suffix off my gmail address.
My solution is to use the '.' as the separator because 'firstname.lastname' is a VERY common email username and I'm happy to not allow it in a "real" username on my tiny mail host.
So every new site or company I interact with gets [email protected] instead of my "real" email address. I can filter incoming emails based on the To header. And I even have a list of companies (a couple well-known) that have leaked or sold my email address to spammers. Some day I'll write a blog post about that.
I do this too. It's worth noting that you don't need to host your own email server to do this. I personally use Migadu as an email host for my own domains which lets me define arbitrary wildcard redirects. I'm sure most of its competitors will let you do the same.
Not quite, it's not a separator, you can't add arbitrary content after the dot. Dots are just ignored in Gmail, so you need to keep a map of dot placement and quantity to service, vastly less convenient.
Yes, you're right. The dots thing isn't as powerful as the + separator. But it is useful for sites that have a poor understanding (or regex) associated to their address validator. In context of the parent comment, that's the point, that the dots aren't restricted as the plus separator can be.
I do something similar except I make up a custom email every time. (No plus addressing at all, everything without a valid destination goes to the default account) It's rare something doesn't like it, most automated systems use the reply to header. Email lists are usually the ones least tolerant.
No, most companies that get the special email treatment don't accept email from customers anyway.
If I did it, I would have to set it manually. I don't know of an email client that supports setting the From header to the address in the To header of the relied-to message, but it feels like something that would be fairly easy to do as a Thunderbird plugin or whatever.
I use canaries. I point a dozen domains to fastmail and another dozen to my self hosted email servers. Each have aliases that are mapped to vendors but do not have the vendor name as some vendors are getting upset at this practice and calling it fraud. If I start getting garbage on that alias, I notify the vendor. In most cases they will give me a boiler plate response and then I delete the alias. If they are snarky I create a reject rule with my own snark that also explains the emails for that vendor have been either sold or compromised. This is to let people buying email addresses know they bought a dirty list as some of the modern bots have some telemetry.
I'm not GP, but I've had transitions denied while attempting to purchase something because the retailer's code flagged my email address as suspicious because it contained their name in it.
Haven't had that happen to me, but I did get asked by a clueless support rep from $VERY_BIG_MULTINATIONAL_CORPORATION whether I was also an employee due to their company name appearing in my email address. (Coincidentally I used to consult for that company.) Long story short I set them straight rather than trying to parlay their ignorance to my advantage.
The most shocking thing was that I was calling them regarding an issue in which they required me to prove my identity, and yet the person I spoke with didn't seem to be well versed in security measures.
Also: I use a separate alias for every company (and sometimes individual) I deal with. In the 25 or so years I've been doing this, so far I'm up to over 1,000 aliases.
I would venture a guess that there is an equal proportion of company executives who would think that creating and using an email address like '[email protected]' was completely fine - an awareness of internet scams is not correlated with business acumen!
Also frustrating when a company adds it after you register, e.g. Spotify allowed me to use spotify@ at one point, now I can't register anything with that word in .
I care. I use a generated email address at my domain for every account/service/website.
I store the account info in keepass, they all have generated passwords too.
I can see when email comes in who abused the email, was compromised, or sold it.
If an email starts getting spam, i block receiving to that address. if desired, I update the account to have another generated email, but usually if I'm getting spam to that email I don't want to do business with them again.
- at some point my email for amazon was shared, and I started getting offers from some vendor to 5-star review one of their products on amazon. I changed my amazon email address. (I generally trust amazon)
- emails from my bank have to go to a specific email address. I can be pretty certain it is my bank contacting me.
- I generally do not give my email address to retail stores. On several occasions I've given it to them for deliveries, telling them it isn't for anything but for the delivery. I'd say 80% of stores are super disrespectful of this. One spammed me every. single. day. with offers, until I got the delivery and turned off that email address.
- I once gave out a specific email address to a friend. He shared it with a second person to coordinate all of us meeting. and then I started getting phished so we figured out that the second person had his email compromised.
- I rented a car from hertz and had to give an email address. and then they sold it to other companies.
- linkedin stuff. easy to spot fakes since they don't go to my linkedin email address. Also easy to spot emails from people contacting me who got the email from linkedin.
"I can be pretty certain it is my bank contacting me."
This is a neat advantage of this approach. I usually get phishing emails on a "wrong" email address, which makes them trivial to identify. So I know what to look out for should they ever manage to target the correct email address.
I generate a "username" on Bitwarden for every new address I need which is effectively the same approach (using my domain). Do you mean though that you generate an email address with your mail server, or do you just use a catch-all? I do the latter and I've never considered "turning off" an address before and now I wonder if I have that option.
I run my own IT. I host my own email, authoritative DNS, web, etc. I use wireguard for a lot of stuff. I put stuff behind cloudflare. I'm sneaky when I need to be, but mostly I'm just a control freak. I also know way more than the average person about email and email authentication. Or lack thereof.
Every entity gets it's own email address. As others have pointed out, it lets me track who ends up with it. Sometimes I find it surprising, mostly I don't. Sometimes, though, people are up to some shit.
edit to say that those actually creating mailboxes for everything should just use aliases that funnel to a single mailbox. So much easier to maintain than having to have a huge keepass db.
edit 2 employ dmarc if you want to see who is trying really game
postfix as MTA.
dovecot for IMAP.
opendkim, postfix-policyd-spf-python, and opendkim for authentication
a database to store mailbox and alias info. something like mariadb, postgresql, or just sqlite would do.
I wrote my own code to tie it all together, but there are tutorials that show how to do pretty much the same thing if you do some searching.
I have my email stack running on linux in a cheap VPS.
The main problem most people run into is having poor ip and/or domain reputation with the large mailbox providers. (gmail, yahoo, etc.) It takes time and not sending email that looks spammy to build enough reputation to get delivery to the inbox and avoid being sent to the spam folder. You can get an idea of domain/ip rep by signing up for google postmaster tools and entering your domain and ip or block of IPs from which you are sending. If you are lucky when you sign up for a cheap VPS you will get an IP address that does not have a bed ruputation or at least no reputation.
My setup is only for my personal, non-commercial stuff.
You could also use a setup like this with integrated with something like AWS SES in order to mitigate bad IP reputation.
I do not. I have three mail boxes, for trashy, job-y and personal things. And a couple of technical (apple id, etc).
Gmail is really good at filtering spam, so I probably looked into it and found a letter that I waited for only one time in last few years. My inboxes are either empty or may get first non-spam marketing emails that I unsubscribe from immediately. Unread count zero.
Idk why people fortify their email that much and investigate who does what. Have no issues nor hesitation with leaving my work email at any local org.
Same. I used to run my own email servers and do all the per domain things. It was just way too exhausting. Switched to Gmail and haven't looked back. Don't even worry about email at all now. I just wish I had jumped on Gmail earlier to have a better username.
The important detail is to add random nonce/salt to the generated email, like _jri68, so that it's not guessable, so it's provable that the database was compromised. Guessing [email protected] is believable, but guessing [email protected], is not.
Do you get so much spam from a specific email that you feel safe to ban it completely? Are you able to sue them or just send a strongly worded email about how they sold your email?
I also do this. There are some bad sellers that keep my email address and create a new email list for every promotion, so the Unsubscribe link in their emails always says something like “Unsubscribed from Promotion-2024-October” instead of “Unsubscribed from AnnoyingSeller”. Those get sinkholed.
I also once helped a seller discover that their contractor had stolen and resold their customer contact list when I started getting unrelated spam at that address and complained lol
Honestly, using a username generator in Bitwarden, it's so easy to do this that it basically "pays" for itself the first time you get a "true" spam email and it's effortless to identify who sold you out. I originally tried doing this manually but that was too much effort; now it's as simple and natural as generating a password for a new login. I see no reason to ever stop.
Of course, the vast majority of spam I get is marketing emails from companies I've actually done business with. Few if any even have an opt-in checkbox on their checkout form and those that do hardly ever honor it. There's simply nothing to be done about that except unsubscribe after the first time they spam you - and this is where having unique emails also helps, because those "unsubscribe" links are obviously riddled with tracking as well.
I do the exact same thing and I don't live in the US so suing a party that sells my shit isn't an option, but it's nice to be able to blackhole an alias so that the corporation in question doesn't get to bother me with their bullshit. It's only happened once or twice.
I've seen quite a few people here reccomending the use of . and + from gmail, but I don't think its a good idea at all.
Most people who work in the 'email marketing' space know about this feature. So it's common to see people recommending clients to 'clear' their email list before sending unsolicited emails. And some services even offer this as a feature in the platform.
And that also goes for custom domains hosted on gmail. You only need a MX query to learn who is responsible for mail handling in a specific domain.
Lightly and calmly, meaning I have many aliases on my addresses on personal domains and I try to always give unique aliases (keeping some spare on purpose), but not always-always because I'm not enough disciplined and the track is very informal, when (very rarely) I see spam I know it's time to rotate the alias. That's is.
Of course if [email protected] write to my [email protected] I could try to locate who have sold/leaked my address but it's still vague, since Amazon, eBay, PayPal, have a gazillion of third party. If it's to [email protected] it's likely he was cracked and so on.
I used to use a catch-all with a custom e-mail for every website I used. I had amazon@mydomain, newegg@mydomain, etc.
I found that despite what people think, your e-mail address isn't being sold. At least, not by any vendors with a remotely decent reputation. I never got spam to any of those e-mail addresses.
That is my experience as well. I have heaps of 'Masked Email' aliases for my Fastmail email account and the only significant offender I've come across is various Kickstarter projects (as I understand Kickstarter passes on my email address when a project is successfully funded) and various Bitcoin sites from back when I dabbled in Bitcoins. All other reputable companies have actually not sold any of my email addresses (including some I've noticed elsewhere in this thread accused of doing so, which I find quite interesting). I am now at the point where I'm considering migrating back the majority of my aliases back to [email protected] address for most things. It is more hassle than it's worth as I often forget I had a Masked Email and end up creating a second account. Also in-store if I need to provide my address it is awkward giving out what sounds to store staff like a dodgy address. Also when I reinstall my computer/phone/etc it's a hassle figuring out what login address I used for each site/app I have accounts with. I may use Masked Email only if there is a higher level of risk.
I ran a catch-all for two decades, including during my IBEW apprenticeship. They were unabashed on sending their own (and others') SPAM daily – direct-to-trash.
I do, I use Fastmail and create aliases for every service. It's interesting to see how fast companies will "lose" or sell your email address.
I've seen it as fast as 24 hours my unique email address is being used by others even though their privacy policy says that they will never share your info.
Fastmail offers per-service generated addresses. I think it's kind of fascinating to watch my email address that went solely to my local credit union start sending me spam somewhat related to my employer.
Fastmail allows for aliasing too - [email protected] -> [email protected], [email protected], etc. Pretty convenient. I use that feature pretty often and I can only recall one instance which seemed to indicate my address was sold to spammers. It’s more useful for organizing incoming mail, like plus-aliasing in gmail.
Occasional use of plus addressing but I find a lot of signup forms now actively block this. Also have a secondary crappy gmail address that I use for low value stuff that is sus. (That’s full of spam and has multiple hits on have I been pwned)
Beyond that I don’t worry about this too much.
As a side note - amazed that iPhone autocorrect corrected my “owned” to pwned in above
Yes, I’ve done this for years. And to be honest, I don’t think I’ve ever “caught” a business sharing a service when they shouldn’t have.
Makes me question why continue to do it.
I've been doing this for years, as well. I've also found that the majority of companies I give an email address to are actually surprisingly good stewards of that information. However, I have found a number of email leaks. It looks like my block list is up to 31 addresses. Most of those are leaks that led to spam. (Although one was a smoothie chain that insisted on sending me email every single day, and their unsubscribe page always seemed to be "malfunctioning".)
I don't think all or most of these companies on the list are intentionally selling my address to spammers. I suspect most of these leaks are due to poor handling of the data or server compromises. (Surely Adobe, for example, isn't so desperate that they would sell my address to spammers.) But whether by malice or incompetence, I can easily block them.
I care but don't have time or the resources. What I have made a habit of tho is registering to any new website or service using example [email protected] → register using [email protected]. I then take note of which variant / which service.
I have no idea if this works the way I expect it logically could or should, but if it does I guess I have some data to go thru.
I've used spamgourmet.com for many years (Literally decades, my first entry was 2003-08-07) to create disposable email address. You just make up the address "[email protected]" to create an email address for tempsite that expires after 4 uses. You can always remove this limit later.
My message stats: You have 245 spamgourmet address(es). 827 emails forwarded, 28,605 eaten.
The #1 worst offender for selling my address was Yahoo, followed by the German magazine Der Spiegel, then Groupon. But my stats go back 20 years, so this may not represent current sharing activity. I also have many many examples of registering at all kinds of sketchy websites that have never used that temp address beyond the initial registration confirmation..
Sorting by created date, in the most recent 5 years, my temp addresses seem to be getting shared and re-used considerably less frequently, which probably correlates to the overall death of email, which is for old people, so I am told.
I also have an @ alias on my domains, and give unique addreses to companies/services which identifies them. I'm only had a couple accusations of "fraud", but they were easily dispelled by asking them to explain what "fraud" I was committing (they couldn't) and explaining why I do this.
Addresses which have been lost/stolen and start receiving spam become spam traps, and I change the email address with the company/service to a new alias so their legitimate mail is delivered normally.
In some of the few cases where the loss/theft was identified, it didn't happen at company/service directly, but with one of their suppliers, for example, a breach at the marketing email provider they used.
My friend Ward was doing sub-addressing back in the 1970s, with made up apartment/box numbers, and eventually the xmodem.com domain. He learned quite a few things about it.
For instance, if you look at the article he wrote about CBBS[1], you'll see he's listed at apartment #3D.
I never took up the practice, though I suppose I could having the warot.com domain to play with, and a single family residence to make up PO boxes, apartments, etc.
I do not regularly track, but I do reflexively create throwaway emails at a domain I bought for that purpose, so that I can /dev/null them if/when someone sells that email address to a list.
Not any more. Dark web rollups include just about everything you could ever want to know about anyone. Using a unique address per service just makes it easier to identify which services you use.
When I learned about public git commits "leaking" my email address it was already too late. Now I'll probably use that email for this particular task. And another sad thing, is that many spammers are picking up "support" email address from Google Play Store.
Still waiting for a email service which would charge each spammer several dollars for "successful delivery", or plain "waste of time".
I self-host so that I can set the addresses to whatever I want it to be. I use the ISP's server for sending and my own server for receiving (this can be configured with Exim).
Then, if I receive some spam messages, I can delete an alias that I don't want, in order to avoid receiving any messages.
(When someone sends to an invalid alias, the SMTP server gives them a 550 error.)
(I use Heirloom-mailx for reading, managing, and sending email messages.)
My strategy is to use a few alias for sources with spam risk like forum, sign up on “free” offers etc., some for newsletters. When I’m suspicious but not sure, I quickly add the +. Only for very few official transactions, I would use my real addresses.
In general, Gmail deals very well with spammers. For the rest, when an alias is spoiled, I simply discard it and create a new one.
been running my own email for 25 years or so. been using "plus" addressing (actually hyphen) for approximately as much. got only few cases when email got sold/shared. biggest issue was linkedin email address leak a bunch of years ago, so i got a lot of spam to -linkedin@ alias . changed email on linkedin to something different, and old emails go to spam
Fastmail let's you set a wildcard when you bring your own domain. Same outcome as other's mention - [email protected] is my spotify email address. I make it up during login creation and it just works. I've used this technique for every login but not once has it resulted in traceable spam. Logins are all tracked in keepass.
This one time a restaurant owner was demanding email addresses when creating a reservation. I provided the email created using the above technique and explained why.
"if I create an account with Target called [email protected] and I start seeing emails from Walmart sent to target@ then I know Target sold my data."
His eyes got really big and he changed the subject.
I have addresses like [email protected] directed to my email, which I use to register myself in "someservice". This is how I know where email was leaked and needs to be disabled. I use Protonmail basic subscription to attach my domain. Before that I was using rewriting rules in Postfix.
If an email is truly unsolicited (didn't come from an entity you didn't give your address to), it's not wise to click on an unsubscribe link anyway, as it sends a strong signal to the spammers that not only was the email delivered to a real person, but they also read it. In their eyes, you just went from a random string of letters to a hot sales lead.
I use Proton's email aliases for throwaway accounts, and I have a catch-all on my own domain and use custom email addresses (think [email protected]) for accounts that I intend to keep until I die.
I do something like this with Proton and my own domain as well. However, I made the mistake of buying a .io domain, thinking England would be pretty stable. Now I need to figure out what I’m doing.
I use iCloud’s Hide my Email feature. So I have dozen email addresses and I receive email in the same inbox. I don’t care how my email addresses are used. The moment I see too much spam, I remove the email address.
I love this feature in Apple’s ecosystem so much. The newer iOS and iPadOS releases when autofilling a sign-up form even give an option to generate a new hide my email address. It’s effortless to not use your real email. If you pay for an iCloud subscription, hide my email is included. Apple tracks what site you used hide my email on when signing up and allows you to toggle forwarding of emails to your inbox on and off.
I have a public address and a private address. Gmail does well enough with spam filtering. I check it monthly and find some false positives. Nothing important though.
I can’t imagine spending more time on this, though.
A lot of services don't accept the '+' sign in an email address, even though it's perfectly valid according to RFCs. Part of this is ignorance of standards but I suspect part of it is deliberate. (To get the users' "real" addresses.)
The worst examples are services that accept + when creating an account but does not accept + for logins. Believe it or not this has happened to me several times, and with large companies too. When companies started blocking + address specifically and/or being clever with removing the + part, I decided it was not worth using + addresses anymore.
I used to, but it basically showed that no one ever gave away my email address to spammers, or at least if they did, the spam filter caught it. It's not worth it.
Catchall for 25 years :) (on domainfactory - df.eu) each company/service gets their own email prefix, so I can determine spam and also filter unsolicited emails.
I can't remember which company now, but one time I called into customer support and gave them the unique email address that I used for that account. It had their company name in it. Something like [email protected], for instance. The person on the other end paused for several seconds as if looking over their shoulder and whispered, "wait... do you work here or something?"
I have a catch-all domain but I don’t bother to setup unique emails for each service. It’s too much of a headache and you have to ask yourself:
If I find out someone sold/shared/leaked my email what am I going to do?
Here the possible responses as I see it:
* Stop doing business with them - This is way easier said than done
* Be mad - ok, great, now what?
* Send a strongly worded email - again, so what?
* Sue them? - Good luck
Selling or sharing my email address is a shitty thing to do, but my recourse is extremely limited and really ends up with me just being angry with nothing to do about it. Given that I’ve decided just to not care.
There are many things in life that I once cared about or once got worked up about that I don’t anymore because I’ve realized that it’s just not worth it. I’ve tried to identify more and more the things that get me mad, but don’t affect any change and then purge those things from my life. Life is too short to spend your time worrying about things like who sells your email.
for general purpose website signup not directly linked to my identity, I use Simplelogin. For real life personal stuff I just have a gmail. There is another dedicated email for open source work, plus a few historical email addresses which aren't actively used but still occasionally receives stuff.
I use Hey.com's "catch all" inbox for this but it's a bit janky. If you set up a "custom domain" Hey account, you can actually email `[anything]@yourdomain.com` and it'll arrive in the catch all inbox. (Not unique to hey obviously) It has the benefit that it's impossible to block, but Hey obviously doesn't really want me doing that since they charge per-email-address.
I do this too, with namecheap.com's email servers... I pay for a few email domains on namecheap, but one is specifically for spam, and I use their "catch all" as well.
So if I sign up for a service like amazon.com, my email address will be amazon.com@[my-spam-domain].com so I know exactly who is selling my email address. I do this for every service that asks for an email address.
I'd never use a "plus" email address from my main email account, which is far too easy for spammers to figure out my real email address from.
Gmail has supported this for a long time with the '+' character, but this has some major problems. Many things that accept email addresses don't recognize '+' as a valid email username character and won't let you submit the form. I hypothesize that some of this is poor awareness of what constitutes a valid email address, and some of it is intentional to force users to input their "real" email address. I have also run across a few systems that stripped off the '+' suffix off my gmail address.
My solution is to use the '.' as the separator because 'firstname.lastname' is a VERY common email username and I'm happy to not allow it in a "real" username on my tiny mail host.
So every new site or company I interact with gets [email protected] instead of my "real" email address. I can filter incoming emails based on the To header. And I even have a list of companies (a couple well-known) that have leaked or sold my email address to spammers. Some day I'll write a blog post about that.
https://support.google.com/mail/answer/7436150?hl=en
Some companies want you to respond from the email address on file when you interact with them.
If I did it, I would have to set it manually. I don't know of an email client that supports setting the From header to the address in the To header of the relied-to message, but it feels like something that would be fairly easy to do as a Thunderbird plugin or whatever.
The most shocking thing was that I was calling them regarding an issue in which they required me to prove my identity, and yet the person I spoke with didn't seem to be well versed in security measures.
Also: I use a separate alias for every company (and sometimes individual) I deal with. In the 25 or so years I've been doing this, so far I'm up to over 1,000 aliases.
This is why I also like how iCloud does with their hide my mail feature; there’s nothing suspicious about the email you give out.
ROT13 or the date in base36 (to keep it short) might help when you need to spell your email address over the phone. Today is [email protected].
I will update my technique to use incorporate this method, thanks!
There are people that will read an email from "[email protected]" and think it's actually from the owner of the company...
For specific vendors where I am at the shop, I just make up an alias email with their name in it.
For apps, services, I configured bitwarden to create email aliases on Fastmail, so they are linked to a service.
It gives you quite a bit of insight and control.
some examples:
- at some point my email for amazon was shared, and I started getting offers from some vendor to 5-star review one of their products on amazon. I changed my amazon email address. (I generally trust amazon)
- emails from my bank have to go to a specific email address. I can be pretty certain it is my bank contacting me.
- I generally do not give my email address to retail stores. On several occasions I've given it to them for deliveries, telling them it isn't for anything but for the delivery. I'd say 80% of stores are super disrespectful of this. One spammed me every. single. day. with offers, until I got the delivery and turned off that email address.
- I once gave out a specific email address to a friend. He shared it with a second person to coordinate all of us meeting. and then I started getting phished so we figured out that the second person had his email compromised.
- I rented a car from hertz and had to give an email address. and then they sold it to other companies.
- linkedin stuff. easy to spot fakes since they don't go to my linkedin email address. Also easy to spot emails from people contacting me who got the email from linkedin.
It goes on and on. More people should do this.
This is a neat advantage of this approach. I usually get phishing emails on a "wrong" email address, which makes them trivial to identify. So I know what to look out for should they ever manage to target the correct email address.
Every entity gets it's own email address. As others have pointed out, it lets me track who ends up with it. Sometimes I find it surprising, mostly I don't. Sometimes, though, people are up to some shit.
edit to say that those actually creating mailboxes for everything should just use aliases that funnel to a single mailbox. So much easier to maintain than having to have a huge keepass db.
edit 2 employ dmarc if you want to see who is trying really game
I wrote my own code to tie it all together, but there are tutorials that show how to do pretty much the same thing if you do some searching.
I have my email stack running on linux in a cheap VPS.
The main problem most people run into is having poor ip and/or domain reputation with the large mailbox providers. (gmail, yahoo, etc.) It takes time and not sending email that looks spammy to build enough reputation to get delivery to the inbox and avoid being sent to the spam folder. You can get an idea of domain/ip rep by signing up for google postmaster tools and entering your domain and ip or block of IPs from which you are sending. If you are lucky when you sign up for a cheap VPS you will get an IP address that does not have a bed ruputation or at least no reputation.
My setup is only for my personal, non-commercial stuff.
You could also use a setup like this with integrated with something like AWS SES in order to mitigate bad IP reputation.
edited to fix a typo
Gmail is really good at filtering spam, so I probably looked into it and found a letter that I waited for only one time in last few years. My inboxes are either empty or may get first non-spam marketing emails that I unsubscribe from immediately. Unread count zero.
Idk why people fortify their email that much and investigate who does what. Have no issues nor hesitation with leaving my work email at any local org.
I use a catch-all. I can accept (whatever)@mydomain.tld
Anytime a new company wants my email address, I just randomly give them one.
So far I only get spam to the email addresses other people posted on a website as contacts for organizations I volunteer with.
(I get spam from web scraping, not from company hacks/sharing etc.)
Do you get so much spam from a specific email that you feel safe to ban it completely? Are you able to sue them or just send a strongly worded email about how they sold your email?
Now I know where the spam (I get) comes from.
I haven't had to ban any addresses yet.
I also once helped a seller discover that their contractor had stolen and resold their customer contact list when I started getting unrelated spam at that address and complained lol
Of course, the vast majority of spam I get is marketing emails from companies I've actually done business with. Few if any even have an opt-in checkbox on their checkout form and those that do hardly ever honor it. There's simply nothing to be done about that except unsubscribe after the first time they spam you - and this is where having unique emails also helps, because those "unsubscribe" links are obviously riddled with tracking as well.
Most people who work in the 'email marketing' space know about this feature. So it's common to see people recommending clients to 'clear' their email list before sending unsolicited emails. And some services even offer this as a feature in the platform.
And that also goes for custom domains hosted on gmail. You only need a MX query to learn who is responsible for mail handling in a specific domain.
Curious why this matters? Let's say you know [email protected] is hosted on gmail, so what?
Of course if [email protected] write to my [email protected] I could try to locate who have sold/leaked my address but it's still vague, since Amazon, eBay, PayPal, have a gazillion of third party. If it's to [email protected] it's likely he was cracked and so on.
I found that despite what people think, your e-mail address isn't being sold. At least, not by any vendors with a remotely decent reputation. I never got spam to any of those e-mail addresses.
I've seen it as fast as 24 hours my unique email address is being used by others even though their privacy policy says that they will never share your info.
Beyond that I don’t worry about this too much.
As a side note - amazed that iPhone autocorrect corrected my “owned” to pwned in above
I don't think all or most of these companies on the list are intentionally selling my address to spammers. I suspect most of these leaks are due to poor handling of the data or server compromises. (Surely Adobe, for example, isn't so desperate that they would sell my address to spammers.) But whether by malice or incompetence, I can easily block them.
I have no idea if this works the way I expect it logically could or should, but if it does I guess I have some data to go thru.
My message stats: You have 245 spamgourmet address(es). 827 emails forwarded, 28,605 eaten.
The #1 worst offender for selling my address was Yahoo, followed by the German magazine Der Spiegel, then Groupon. But my stats go back 20 years, so this may not represent current sharing activity. I also have many many examples of registering at all kinds of sketchy websites that have never used that temp address beyond the initial registration confirmation..
Sorting by created date, in the most recent 5 years, my temp addresses seem to be getting shared and re-used considerably less frequently, which probably correlates to the overall death of email, which is for old people, so I am told.
Because yahoo also hosted @yahoo addresses, it would have been pretty noticeable if they sold the addresses of their own users.
"EDIT:which probably correlates to the overall death of email, which is for old people, so I am told."
Still alive and kicking as the de facto passport of the internet.
Addresses which have been lost/stolen and start receiving spam become spam traps, and I change the email address with the company/service to a new alias so their legitimate mail is delivered normally.
In some of the few cases where the loss/theft was identified, it didn't happen at company/service directly, but with one of their suppliers, for example, a breach at the marketing email provider they used.
For instance, if you look at the article he wrote about CBBS[1], you'll see he's listed at apartment #3D.
I never took up the practice, though I suppose I could having the warot.com domain to play with, and a single family residence to make up PO boxes, apartments, etc.
[1] https://vintagecomputer.net/cisc367/byte%20nov%201978%20comp...
Then, if I receive some spam messages, I can delete an alias that I don't want, in order to avoid receiving any messages.
(When someone sends to an invalid alias, the SMTP server gives them a 550 error.)
(I use Heirloom-mailx for reading, managing, and sending email messages.)
"if I create an account with Target called [email protected] and I start seeing emails from Walmart sent to target@ then I know Target sold my data."
His eyes got really big and he changed the subject.
I can’t imagine spending more time on this, though.
It's also interesting that some services don't allow [email protected] for registration. (Can't remember which)
If I find out someone sold/shared/leaked my email what am I going to do?
Here the possible responses as I see it:
* Stop doing business with them - This is way easier said than done
* Be mad - ok, great, now what?
* Send a strongly worded email - again, so what?
* Sue them? - Good luck
Selling or sharing my email address is a shitty thing to do, but my recourse is extremely limited and really ends up with me just being angry with nothing to do about it. Given that I’ve decided just to not care.
There are many things in life that I once cared about or once got worked up about that I don’t anymore because I’ve realized that it’s just not worth it. I’ve tried to identify more and more the things that get me mad, but don’t affect any change and then purge those things from my life. Life is too short to spend your time worrying about things like who sells your email.
So if I sign up for a service like amazon.com, my email address will be amazon.com@[my-spam-domain].com so I know exactly who is selling my email address. I do this for every service that asks for an email address.
I'd never use a "plus" email address from my main email account, which is far too easy for spammers to figure out my real email address from.