Tell HN: After 10 years of experiments, custom username emails receive no spam
For 10 years I've been using a custom email for every retailer I shop at that asks for an email address, always in the form of "company@mydomain.com". I did not keep track of how many custom emails I used (hundreds, easily), but I have received spam from exactly zero of these accounts.
The only account that I received is one I used on my public website as a "mailto:" link. 100% of my spam comes from this address. I host on runbox.com.
Is the fear of "people selling your email to spammers" a modern myth, or are spam filters that good?
I would argue the former since I still get 30 spam emails a day from my website email address, and zero from companies that ask for them.
358 comments
[ 5.0 ms ] story [ 302 ms ] threadSome of these addresses were the unique style you mentioned.
So I guess you’re just lucky.
I've ran my own domain for longer than you have, and many emails have been compromised.
Some are 100% from companies selling the emails to sister companies.
The majority, though, is from a company itself being compromised by hackers / database access / etc. LinkedIn, Neopets, ProFlowers, TeeSpring, etc. I can go on.
It's not quite spam, it's not quite illegitimate, but it's not what I signed up for.
But then from around 2010 onward, that type of spam became much less common, and nowadays it's as you say. The vast majority, probably 90%, come from compromised accounts, like linkedin@[mydomain.com]. The rest hit the unique email addresses I have submitted in domain registration forms.
That's even more surprising considering that I've since shifted to using [username]+[company]@[mydomain.com]. Spammers could pretty easily strip off the `+[company]`, but I haven't seen that happen much.
And that may have dropped off because there was a concerted effort to make it harder to do that around then. In particular, that's kind of what killed qmail as an in-vogue MTA, because it wasn't being updated and you had to use awkward patches to stop backscatter.
If it's not what you signed up for, isn't that pretty much the definition of spam?
Then again, I actually fill out that little question after unsubscribing. The above I consider "legit" as long as unsubscribe works.
If I want emails from you, I will explicitly ask to be added to your mailing list. Anything else is spam as far as I'm concerned.
Ah: prior commercial relationship. That's not spam, unless they ignore your unsubscribe request.
I hope you're not notifying the world that your preferred supplier of [X] is a spammer. I like to stay on good terms with my preferred suppliers.
If I didn’t ask for it, it’s spam, regardless of whatever holes the US has punched in its definition to keep business owners happy.
That's why it's important that spam continues to be defined as Unsolicited Bulk Email.
At least in the EU, if you make a complaint, it falls on the sender to assert the legal basis for sending the email, so it's on them to prove informed consent (if that's the basis they're relying on).
> That's why it's important that spam continues to be defined as Unsolicited Bulk Email.
I'm not sure you've made the case that's important. In the EU, spam has been long defined as unsolicited commercial communications (since the E-privacy Directive in 2002) - no requirement for it to be in bulk.
True. But spam has existed since long before EU regulators got interested; one type of spam that isn't covered by the EU rules is political spam. At one time I used to get a lot of political spam from US politicians and parties. I've never been a US citizen, and I don't get to vote in US elections - these politicians were spamming mailing lists.
The EU rules specifically exclude spam that isn't trying to sell you something for money. Why? Possibly because the rules are made by politicians, who prefer that their own spam isn't included.
Nope. There's not much point in relying on a "definition" of spam that is essentially subjective. "Hey, I signed up for your newsletter, but what you've sent me isn't news to me, or I just don't like it; so it's spam".
The most surprising one is ongoing spam (and semi-legitimate contacts from recruiters) to an address that I only (intentionally) used at O'reilly. I just checked HIBP and that address was exposed in the July 2018 Apollo exposure.
It would have to somehow be protected against bad actors scrubbing themselves by any other means than no longer being bad actors.
It’s on another level now.
I also get a handful of spams a month from default addresses (hostmaster, etc), all of which come from Chinese IPs. I don't have any email address posted on my websites to scrape from (mailto: or otherwise), so I don't get any spam from that.
The end result is pretty much no spam. I assumed when I first setup my domain I'd have to configure spam assassin at some point, but that point has never come, thankfully.
And to compound this after doing a half ass job of what OP has done, I recently moved my custom google apps free domain to have a second reception domain i use JUST for this with a `.email` TLD (side note: the amount of tools that don't see modern TLD's as valid is enraging)>
I made the (maybe poor) choice of donating to political campaigns before the last US election using these emails
- `Biden-campaign@` - `democrats@` - `<specific local race@`
All of those I've had to unsubscribe from about 2-3 dozen total OTHER email lists as those emails are literally sold/given out to other campaigns. the biden one being the worst.
Also if you have your own business you'll start getting solicitations, LOTS of solicitations. And god forbid your email is on an old resume, or somewhere else.
Now, is any of this "technically" spam? Maybe but not really. Do I consider it worthless? yes.
But to site your last specific one. I did a search for an address I know was on a compromised product. Specifically a game Heroes of Newerth. They were hacked in I believe 2015 and the list was sold. My email was my old method `name+hon@email.domain`. I get like 20~ emails to that a year and all of them go to spam or are flagged as spam automatically.
The pizza place down the street uses a third party digital order system, that was compromised. One of the first emails I actually had to blackhole due to the insane volume of spam and attacks that started coming to it.
Also.. my previous landlord. His computer or account got compromised at some point, and that was another email I had to blackhole due to the insane volume of porn spam that started coming to it.
I have a couple of addresses that look to have been sold (e.g. addresses used in cheap kickstarter campaigns), but that is more rare.
Edit to add: I have no spam filters on those accounts.
Address linked with "mailto:" on a contact page had to be blocked after a few years. Same with WHOIS addresses (published before there were sane privacy rules for those). Address with "@" and "." replaced with "at" and "dot" receive no spam at all.
Summed up, there are a few hundred inbound messages a day. Spamassassin and some basic postfix rules filters almost all of them. One or two a month get through.
1- An address I used for buying an RPi from a french retailer (kubii.fr) which seems to have had a data breach
2- An address I used at Decathlon when I signed up for 4x payment plan. They seem to share the address you use with Sofinco which keeps spamming me even after unsubscribing.
However, it’s entirely possible I’m not seeing many messages that are getting blocked by spam controls (gmail), so I hesitate to draw any sweeping conclusions about it.
I’m also very cautious about what I sign up for. I can say that from what I’ve seen with others, the amount of spam and phishing is very dependent on what you do. For example marketing people need to go widely distribute their addresses as part of their job, and I definitely see them receiving far more spam/phishing than others.
It comes in two forms.
One is that companies subscribe to the marketing emails without asking. When this happens, they tend to re-offend on unsubscription, so they had to be blocked by blacklisting.
The second form is that they do in fact share my email address with others. Not two months ago booked a hotel in Europe and got a spam from some other company before I got a booking confirmation. So this happens.
That all said, the point of using per-company emails is less about spam and more about denying them an option of collating my online activity. The fact that you don't get spam doesn't mean your email address (+ relevant personal details) aren't getting resold, shared and otherwise vacuumed by the data collectors. That's them I more worried about than an occasional spam.
And I like PP but goddamn, emails coming from a swath of domains, a neverending stream of physical mail.
I won't donate to them again because the amount of contact they try to have with me is absurd.
Marking them all as spam seems to be helping more than unsubscribing.
Can confirm.
Joined an art museum in a major city.
Within a month, the unique e-mail address was getting spam from the aquarium, the science museum, the local PBS television station, and some museums I never even knew existed.
So, I never had to explicitly filter e-mails out by "To:" field, but using this system still gives me some sense of control.
Possible confounding factor: I try to keep my personal and professional lives ~separate and so the retailers/etc most likely to be compromised get a personal email address (whose inbox is virtually unusable due to amount of commercial email it receives, though relatively little of that is spam per se).
I gave a custom username email to a in-person store (big chain) with a rewards program because they were offering a huge discount if you did. Since then they've sent at least 1 email a day, with an average of about two (I've redirected all their emails to a folder I never look at). Which is a particularly remarkably obnoxious rate of sending emails...
I've also split my email addresses in to a public one (displayed in my profile here, on github, on a website, etc) and a private one. The public one gets a spam email or two a week.
Incidentally, I was surprised to discover that pinterest forbids you from having the word pinterest in your email (or did when I signed up).
Why are you setting up these custom filters instead of just clicking the link and opting out?
I've encountered many companies that let you unsubscribe, then add you to a 'new' mailing list a few months later. You can usually identify these companies because when you click to unsubscribe they take you to a page with a dozen or more 'newsletters' that you have to uncheck to remove yourself from if you can't find the 'all' link.
Also after getting home and already having multiple marketing emails I was sort of curious about just how many they were going to send, which is why it's in its own folder.
I then resorted to unsubscribing, but in my experience that doesn't always seem to work. I could be wrong here as I haven't kept track of who I unsubscribe from and if I would still get newsletters after the fact. But I've experienced receiving newsletters from some company I could've sworn I just unsubscribed from a few times.
However it wouldn't be surprising if some website's unsubscribe feature was buggy. I can also imagine it's not being reported. Or if it was it, and you could figure out where to report to, the report would get lost on its way customer support to the people responsible.
Most of the spam/phishing I get is from companies that stored my personal details and then got hacked.
I would say it's likely you just got lucky.
An address I used only for Comcast Xfinity gets a surprisingly large amount of spam. (I'm no longer a customer and have disabled the address.) I'm not the only one to suspect they've had a data breach:
https://news.ycombinator.com/item?id=30062511
https://news.ycombinator.com/item?id=30980625
https://news.ycombinator.com/item?id=31118355
Email databases for sale are not always for spam or malware. They are often used for tracking and cross marketing calculations. Placing a companies name in the address will signal a canary and they may likely filter your contact out of their database or at least flag it and treat it differently.
I've been using email canaries for decades but recently had to adjust my canaries to be less obvious. A few vendors got upset that I had their name in the address and one even accused me of fraud and canceled my $500 gift card. That was the Tractor Supply Company.
Either way I will continue using canaries and multiple domains as it is a good way to be filtered out of some cross marketing databases and to avoid some behavioral tracking and some machine learning. It is also useful to find companies that get upset. This is an indicator to me they lack integrity and should be avoided. Canaries are also a good indicator to detect if a company has been compromised.
I have had this happen a few times.
> Canaries are also a good indicator to detect if a company has been compromised.
Yep, this is a fantastic use case.
I've noticed a couple breaches, and also a few unexpected transfers of my email address between semi-related parties.
Just once it appeared an address was sold via a marketing list, after filling out a lead-form for a free online conference hosted by multiple companies that you've seen on HN.
Surprisingly, unsubscribing tends to stop emails from everyone.
It is fun to receive a survey about "an anonymous company you have used in the past"... sent to myemail+uber@gmail.com.
*yet less reliable, '+' in email addresses isn't always accepted, and when it is sometimes only partly, e.g. signup works but password reset doesn't
I used to use + addressing schemes, but abandoned it for the reasons you mentioned (websites breaking horribly).
I think there’s an unofficial Terraform provider but I haven’t looked recently.
Also, depending on the legislative framework, it might be illegal: If I give company my email address with a plus and an identifier in it, I give them permission to contact me under that specific email (with the plus on it). If I as a result receive emails under another address (without the plus on it), this might be a GDPR violation.
Not that spam laws are enforced or particularly enforceable.
In either case, the existence of the different authorised email address is irrelevant.
For example: A lot of pentesting companies offer "darknet research" as part of their engagement; these have a non-nefarious use for these leaks, including private addresses: Given a list of customer's employees it's easy to guess some obvious Gmail/GMX/Yahoo/... addresses and check if they might be affected by any leaks (password reuse is pretty popular, especially with the not so technically minded). Troy Hunt, who runs haveibeenpwned, uses these lists as well; I suppose he normalizes Gmail, too.
Yes, OP could still be an evil /dudett/..., but while "innocent until proven guilty" might not be a HN rule, it's still something I like to assume about random people in the internet.
Plusaddressing is valid and has been since 1982[1]. It's part of RFC822 and the subsequent RFC2822.
The fact that many websites do not allow + in an email address during validation is a common programming mistake and the sign of an undertrained engineer.
[1] https://people.cs.rutgers.edu/~watrous/plus-signs-in-email-a...
There won't be a general approach to deduplicating addresses that map to the same mailbox as the mapping rules aren't always public. But for Gmail, the rule is public, so a best effort deduplication could strip the +.
Or just sanity.
I am totally onboard (https://news.ycombinator.com/item?id=31797121#31822961) with having compliant parsers (or just not using them)
But the RFC from what I can recall is _wild_. I can't find the part so maybe I am mixing something else up, but I believe you can embed comments into an email address.
All I am saying is that the possible scope of valid email addresses is likely so large, trying to write a parser for them is a sign of an underexperienced team rather than not having one at all.
My favourite is services that let you sign up with a + in the address but then break when you try and login or reset your password.
I personally use Thunderbird and AWS SES to send mail, but many people who grew up on web interfaces are intimidated by Thunderbird.
That surprises me; it's web interfaces that intimidate me.
It's the only thing I missed when I switched to Fastmail. (Which has since added it too, but not before I left in favour of my own SES-based solution.)
Iirc there was a section of settings called 'sending & receiving', and there was a drop-down to select 'reply from same address' or similar.
I.e. if your main email address is ojford@ojford.com but you're also preconfigured e.g. foobar@ojford.com you could set that option to have Gmail use either ojford@ojford.com or foobar@ojford.com as your return address, depending on the originating email's TO address. However, if you _also_ have a catchall address and somebody sends to newservice@ojford.com, even with the setting set your return address would be ojford@ojford.com.
Nice, hadn't thought about :-)
How does it work?
If a company to which you have provided an email address, gets compromised, it's likely that you'll start getting automated pishing emails to that address? And that the address ends up in... some "warning" database like Have I Been Pawned, and you'll get notified?
Or something else?
Seems like a good idea :-)
When it happens, I say "this is because your company is so important to me that it has its own mailbox to be prioritized accordingly"
It worked every single time :)
If they still object then I don't sign up. I've had web form refuse to accept an email address with their company name in, so that sale went elsewhere, and one physical retail store wouldn't let me sign up to their prize draw with such an address, so I didn't. In neither case do I suspect anything of value was lost by myself!
Oh, good point. I guess I may have invalidated all my research! :|
name1@website.com
name2@website.com
etc.
In a spreadsheet, you have one column with the number, and another with the company name. You might want to change this up, putting the identifier in different parts of the email address, to avoid similar "canary" signals.
Personally, I use BitWarden to generate usernames for each website, to help keep my fingerprint (somewhat) scrambled. LastPass also has a good username generator. [1] I would just avoid using complete non-sense words, since there might be some amount of human review.
[1] https://www.lastpass.com/features/username-generator
I had to read my e-mail address to someone there just last week.
I may be misreading your comment, but if not, it sounds like the OP (of this Tell HN) did exactly that.
Expect this to change, if Apple's anonymous e-mail forwarding becomes popular.
Just like when IT departments (including the one at my company) insisted that everyone use Blackberries because iPhones weren't suitable for a corporate environment.
Once enough C-levels start using any feature, it spreads like wildfire.
They'll continue to block the non-apple ones regardless.
This is a killer feature, I love Fastmail.
Kinda annoying of then, maybe I would go for an opaque (or maybe just a simplified) canary. Like the initials or abbreviation
rot13 FTW
You don't use a password manager?
Google becomes hpphar.
Easy to [en/de]code on the fly by looking at your keyboard.
Eventually the conversation went like:
"So you're saying you created a new email address just to use with us?"
"Sure, yeah."
"...That's weird."
Also have one for thifty@mydomain.com (the car rental company) - when they saw my email address at the counter they gave me the employee discount rate - I didn't correct them :)
I've had more confused than upset, but Samsung straight-up refuses to accept email addresses with "samsung" in them. I'm not sure what they think they're accomplishing.
I think I get more spam from hacked/leaked email databases than sold ones. Dropbox is the worst (signed up and used it briefly over a decade ago, and now suffer an eternity of spam).
A few years ago I created an account with a freemium publisher with the email address their.domain@my.domain and as soon as I logged into my account I had full unlimited access to all content.
I suspect their system had a routine that detected staff accounts based on a string search for their domain.
But even with the most rudimentary web-dev languages you can replace the inner string match with a lowercase transform, split on @ and perform an exact string compare. Insanely simple stuff. Probably still a one-liner in any sane/productive framework.
The default is greedy... match match match nom nom nom!
I believe sqrl uses a system like that.
No one got upset, but a record label was confused and asked me about it, and another company had their legal department ask me under what license I use their TM ;) In both cases a simple explanation was the end of it.
Please name!, or give details of size.
Not for shame — for curiosity!
As I said, one quick explanation of single-use emails cleared everything up.
[0]: https://en.wikipedia.org/wiki/T%C3%9CV_Nord
I'd like to start doing this, but wondering what I would do if I figured out someone had passed the address on or been compromised.
Back then, my college required us to forward our university email to a personal account. That's fine as our personal addresses were hidden and not public.
What was not fine was one day the IT department changed everyone's public email address to their private address. They also changed mailing lists from BCC to CC so that you got to see everyone's email who received the email.
A few hours later after these changes, the spam started rolling in. At first it was a moderate amount of spam, a few messages a day, but it quickly increased. At one point it was up to 200-300 spam messages a day and stayed that way for several years. In any given month my gmail spam count sat between 3,000 to 6,000.
Over the past 10 years, as botnets have been taken down, those numbers have come down an order of magnitude. I still get between 20 - 30 spam messages a day on that account.