Fastmail has that same technique, and it is very nice. I have run into sites where I sign up for an email where they do not allow the "+" (presumably to prevent you from doing a "foo+spam@example.com"). My only concern with this is it seems like with either way, it would be trivial for a spammer to figure out your real email address (i.e. spam@foo.example.com, use a regular expression to convert it to foo@example.com). How hard would it be to maybe alias foo@spam.example.com and spam@foo.example.com so they both go to foo@example.com? or maybe spam@foo123.example.com also aliases. That way it makes it that much harder to derive the original email address.
If you're using <some-alias>@user.example.com nothing says that user@example.com has to be a valid delivery address. If I read the article correctly in fact, that is the case in their implementation. So it's not possible for spammers to guess an unaliased email address.
this seems a little over-complicated, why not just use a catch-all?
If website example.com requires my email, I provide them with the email example.com_xxxx@jszym.com where xxxx is a randomly-generated 4 (or more) character code. I save the email and password in my password manager.
This way, I can blackhole compromised emails, and also prevent spear-phishing by checking the 4+ letter code.
I don't wish to be overly negative, and this is a problem-space ripe for a solution, but this service can vanish tomorrow and take with it all the sites I've subscribed to.
I was thinking just today that it'd be cool for the next generation of email to require a sort of OAuth login to get permissions to send you automated emails. You can then just revoke the API access for a rogue/compromised service.
This sounds a lot like Throttle (https://throttlehq.com/). How are they getting around the deliverability issues? If they forward mail along, don't large ISPs like Gmail ultimately attribute any spam that comes along to their outbound IPs?
I moved away from Throttle for this very reason, because getting mail deliverability right is incredibly finnicky. Ended up moving to Fastmail and using their catchall. Fastmail solved the deliverability problem for me (since they host the catchall domain), as well as permitting me to send out from any of my wildcard aliases (thus allowing me to reply in situations where I still want to keep my real address hidden).
7 comments
[ 4.2 ms ] story [ 35.9 ms ] threadIf website example.com requires my email, I provide them with the email example.com_xxxx@jszym.com where xxxx is a randomly-generated 4 (or more) character code. I save the email and password in my password manager.
This way, I can blackhole compromised emails, and also prevent spear-phishing by checking the 4+ letter code.
I don't wish to be overly negative, and this is a problem-space ripe for a solution, but this service can vanish tomorrow and take with it all the sites I've subscribed to.
I was thinking just today that it'd be cool for the next generation of email to require a sort of OAuth login to get permissions to send you automated emails. You can then just revoke the API access for a rogue/compromised service.
How? Not answered in the FAQ.
I moved away from Throttle for this very reason, because getting mail deliverability right is incredibly finnicky. Ended up moving to Fastmail and using their catchall. Fastmail solved the deliverability problem for me (since they host the catchall domain), as well as permitting me to send out from any of my wildcard aliases (thus allowing me to reply in situations where I still want to keep my real address hidden).