Tell HN: After 10 years of experiments, custom username emails receive no spam

377 points by sbf501 ↗ HN
For 10 years I've been using a custom email for every retailer I shop at that asks for an email address, always in the form of "company@mydomain.com". I did not keep track of how many custom emails I used (hundreds, easily), but I have received spam from exactly zero of these accounts.

The only account that I received is one I used on my public website as a "mailto:" link. 100% of my spam comes from this address. I host on runbox.com.

Is the fear of "people selling your email to spammers" a modern myth, or are spam filters that good?

I would argue the former since I still get 30 spam emails a day from my website email address, and zero from companies that ask for them.

358 comments

[ 5.0 ms ] story [ 302 ms ] thread
Another thing guaranteed to attract spam is a public contact email on a domain name.
(comment deleted)
Email spam is the bottom of the barrel compared to tracking people on Facebook.
Depends if they get breached haveibeenpwned.com style. I definitely and clearly get spam from several breaches. Some is generic (it’s on some big spam list) and some of it is targeted - like crowd funding campaigns spamming the hacked list of kickstarter accounts - which I am surprised how much of I get given how community driven such things often but I guess are not always.

Some of these addresses were the unique style you mentioned.

So I guess you’re just lucky.

I'm glad you had a good experience. I had a different one.

I've ran my own domain for longer than you have, and many emails have been compromised.

Some are 100% from companies selling the emails to sister companies.

The majority, though, is from a company itself being compromised by hackers / database access / etc. LinkedIn, Neopets, ProFlowers, TeeSpring, etc. I can go on.

Compromises are 99% of those I see (similar setup) - the last 1% is acquired companies that have pivoted/do something else.

It's not quite spam, it's not quite illegitimate, but it's not what I signed up for.

I've seen a shift. Between 2005-2010, I used [company]@[mydomain.com], and I noticed that I would get spam in the form of [gibberish]@[mydomain.com], presumably from spammers who were just targeting email addresses with a catch-call filter. In fact, around that time, my hosting provider, Dreamhost, started restricting email catch-alls to deal with this problem.

But then from around 2010 onward, that type of spam became much less common, and nowadays it's as you say. The vast majority, probably 90%, come from compromised accounts, like linkedin@[mydomain.com]. The rest hit the unique email addresses I have submitted in domain registration forms.

That's even more surprising considering that I've since shifted to using [username]+[company]@[mydomain.com]. Spammers could pretty easily strip off the `+[company]`, but I haven't seen that happen much.

We've successfully pushed spam down hard enough that the only people spamming are people who never even see your email address; it's all computerized and they just don't care at all to try to do anything to clean up the lists.
The gibberish name ones may be targeting backscatter. They might have a reply-to with the address they're really targeting.

And that may have dropped off because there was a concerted effort to make it harder to do that around then. In particular, that's kind of what killed qmail as an in-vogue MTA, because it wasn't being updated and you had to use awkward patches to stop backscatter.

>It's not quite spam, it's not quite illegitimate, but it's not what I signed up for.

If it's not what you signed up for, isn't that pretty much the definition of spam?

You usually sign up for "company updates" or some such nomenclature, but after Bob's Discount Swords pivots to Improved Plowshares™, it's not really relevant anymore.

Then again, I actually fill out that little question after unsubscribing. The above I consider "legit" as long as unsubscribe works.

In my experience, you don't sign up for anything, but are automatically added to mailing lists against your will just for the sin of purchasing something. I never want to get emails from any company just because I purchased 1 item from them. Most people I know tell me they feel the same way, but instead of unsubscribing, they just mark it as spam and eventually it stops showing up in their inbox.

If I want emails from you, I will explicitly ask to be added to your mailing list. Anything else is spam as far as I'm concerned.

> just for the sin of purchasing something

Ah: prior commercial relationship. That's not spam, unless they ignore your unsubscribe request.

I hope you're not notifying the world that your preferred supplier of [X] is a spammer. I like to stay on good terms with my preferred suppliers.

illegal spam ⊆ spam

If I didn’t ask for it, it’s spam, regardless of whatever holes the US has punched in its definition to keep business owners happy.

No,I don't think so. If you signed up to receive email, then it's going to be hard to show that you received email that's different from what you signed-up for. And if it's not Bulk, then it's simply email - not bulk, and not unsolicited.

That's why it's important that spam continues to be defined as Unsolicited Bulk Email.

>If you signed up to receive email, then it's going to be hard to show that you received email that's different from what you signed-up for.

At least in the EU, if you make a complaint, it falls on the sender to assert the legal basis for sending the email, so it's on them to prove informed consent (if that's the basis they're relying on).

> That's why it's important that spam continues to be defined as Unsolicited Bulk Email.

I'm not sure you've made the case that's important. In the EU, spam has been long defined as unsolicited commercial communications (since the E-privacy Directive in 2002) - no requirement for it to be in bulk.

> In the EU, spam has been long defined as unsolicited commercial communications

True. But spam has existed since long before EU regulators got interested; one type of spam that isn't covered by the EU rules is political spam. At one time I used to get a lot of political spam from US politicians and parties. I've never been a US citizen, and I don't get to vote in US elections - these politicians were spamming mailing lists.

The EU rules specifically exclude spam that isn't trying to sell you something for money. Why? Possibly because the rules are made by politicians, who prefer that their own spam isn't included.

> If it's not what you signed up for, isn't that pretty much the definition of spam?

Nope. There's not much point in relying on a "definition" of spam that is essentially subjective. "Hey, I signed up for your newsletter, but what you've sent me isn't news to me, or I just don't like it; so it's spam".

Similar here. I don't recall when I started doing it, but it's been at least 20 years. I get a fair amount of spam from "well, what did you expect?" addresses (social sites, mostly) and some from addresses that are hard to pin down (paypal address might be shared to a seller; amazon address is definitely shared to sellers).

The most surprising one is ongoing spam (and semi-legitimate contacts from recruiters) to an address that I only (intentionally) used at O'reilly. I just checked HIBP and that address was exposed in the July 2018 Apollo exposure.

I'd love a wall of shame that collected all these bad examples.

It would have to somehow be protected against bad actors scrubbing themselves by any other means than no longer being bad actors.

Had the same experience when TD Ameritrade had an employee selling email addresses. My scheme is company+10 random digits, it was clearly not guessed.
The worst offender for me is an email address I used to get a fishing license from the state fish and wildlife group. As soon as I did that, I started getting advertisements from some outfitter/prepper type places. Not sure if they bought the address or if licensee info is public in my state.
I made the mistake of using my primary address when I decided to get my real estate license years ago.

It’s on another level now.

Probably public. In NJ, you get snail mail solicitations when you register stuff at the DMV.
I have a similar experience. I've been using this system for about 15 years, and have to block one or two address a year due to spam. A couple were due to first party spam that I could not manage to unsubscribe from (Cooks Illustrated, I'm looking at you), and a few scraped from forums (didn't realize the email would be public when signing up). The rest appeared to be due to an account compromise (based on breadth of low quality spam) - oh and less than 1/4 of those sites notified me of a compromise. I don't think I've ever received spam from what appears to be a "legitimate" "business partner" which is what I would expect from emails that were sold.

I also get a handful of spams a month from default addresses (hostmaster, etc), all of which come from Chinese IPs. I don't have any email address posted on my websites to scrape from (mailto: or otherwise), so I don't get any spam from that.

The end result is pretty much no spam. I assumed when I first setup my domain I'd have to configure spam assassin at some point, but that point has never come, thankfully.

Seconding this.

And to compound this after doing a half ass job of what OP has done, I recently moved my custom google apps free domain to have a second reception domain i use JUST for this with a `.email` TLD (side note: the amount of tools that don't see modern TLD's as valid is enraging)>

I made the (maybe poor) choice of donating to political campaigns before the last US election using these emails

- `Biden-campaign@` - `democrats@` - `<specific local race@`

All of those I've had to unsubscribe from about 2-3 dozen total OTHER email lists as those emails are literally sold/given out to other campaigns. the biden one being the worst.

Also if you have your own business you'll start getting solicitations, LOTS of solicitations. And god forbid your email is on an old resume, or somewhere else.

Now, is any of this "technically" spam? Maybe but not really. Do I consider it worthless? yes.

But to site your last specific one. I did a search for an address I know was on a compromised product. Specifically a game Heroes of Newerth. They were hacked in I believe 2015 and the list was sold. My email was my old method `name+hon@email.domain`. I get like 20~ emails to that a year and all of them go to spam or are flagged as spam automatically.

Yeah, HoN was the first of my catch-alls to receive spam. Idiots didn't even acknowledge that they have been compromised and insisted that obviously I did use hon@mail.mydomain.tld somewhere else. These days I'd use the opportunity to check how well GDPR works in practice.
I've noticed a lot of "mid size" compromises.

The pizza place down the street uses a third party digital order system, that was compromised. One of the first emails I actually had to blackhole due to the insane volume of spam and attacks that started coming to it.

Also.. my previous landlord. His computer or account got compromised at some point, and that was another email I had to blackhole due to the insane volume of porn spam that started coming to it.

Exactly my experience. The leaked emails are pretty much always related to hacks/leaks of said companies.

I have a couple of addresses that look to have been sold (e.g. addresses used in cheap kickstarter campaigns), but that is more rare.

Yes, I have been doing exactly the same for at least 15 years now and have had a wide variety of throwaway/registration emails compromised.
Same. I get spam/phishing at a number of the custom email addresses I've used. Including adobe@, elance@, etc.
I've been doing this for 2-3 years. Probably also in the hundreds of emails given. I have had one such email used for spam.

Edit to add: I have no spam filters on those accounts.

Spam is just any unwanted email, and I'm sure you're receiving plenty of those. I assume what you haven't received are phishing emails with malicious links?
If they do sell the emails it'd be a simple job to clean them first (i.e remove any that explicitly mention their company name) Spammers are a pain in the ass, but not stupid.
After doing the same since 2003, out of ~200 email addresses used 18 are listed on HIBP, ~15 receive dozens of spam emails a day (or rather: would receive if I hadn't completely blocked them) and ~10 see almost non-stop login attempts from all around the world via IMAP and SMTP.

Address linked with "mailto:" on a contact page had to be blocked after a few years. Same with WHOIS addresses (published before there were sane privacy rules for those). Address with "@" and "." replaced with "at" and "dot" receive no spam at all.

Summed up, there are a few hundred inbound messages a day. Spamassassin and some basic postfix rules filters almost all of them. One or two a month get through.

I only have 2 addresses that receive spam:

1- An address I used for buying an RPi from a french retailer (kubii.fr) which seems to have had a data breach

2- An address I used at Decathlon when I signed up for 4x payment plan. They seem to share the address you use with Sofinco which keeps spamming me even after unsubscribing.

I too do this, yet I occasionally receive evidence that my address was sold or stolen. I've confronted one company about the problem, and they outright denied that they had any part in it.
Most recently Chatbooks sold my email to some T-shirt companies. Or maybe they were pwnd. Either way, I wouldn’t call this a “modern myth.” You’re fortunate to be so spam-free.
Maybe its the spammers' filters that explain this? company@mydomain.com might be stripped from their mailing list because lots of folks do this. Me for instance.
I’ve been doing this for over 20 years, and have the same results. The only spam I get is to a few addresses where there was a data breach (LinkedIn). I have another account where I don’t do this, and it gets around a dozen messages per day from the completely illegal spammers (no opt-out, etc).

However, it’s entirely possible I’m not seeing many messages that are getting blocked by spam controls (gmail), so I hesitate to draw any sweeping conclusions about it.

I’m also very cautious about what I sign up for. I can say that from what I’ve seen with others, the amount of spam and phishing is very dependent on what you do. For example marketing people need to go widely distribute their addresses as part of their job, and I definitely see them receiving far more spam/phishing than others.

I've been doing this for over 10 years, but I do get spam on some of them.

It comes in two forms.

One is that companies subscribe to the marketing emails without asking. When this happens, they tend to re-offend on unsubscription, so they had to be blocked by blacklisting.

The second form is that they do in fact share my email address with others. Not two months ago booked a hotel in Europe and got a spam from some other company before I got a booking confirmation. So this happens.

That all said, the point of using per-company emails is less about spam and more about denying them an option of collating my online activity. The fact that you don't get spam doesn't mean your email address (+ relevant personal details) aren't getting resold, shared and otherwise vacuumed by the data collectors. That's them I more worried about than an occasional spam.

Donate to a political candidate or large non-profit. Those are where I see the most sharing of addresses. I have been doing the same sort of custom emails.
Seriously. Donate to planned parenthood once and you basically ensure that the company spends more over the next 10 years bothering you than your donation was worth.

And I like PP but goddamn, emails coming from a swath of domains, a neverending stream of physical mail.

I won't donate to them again because the amount of contact they try to have with me is absurd.

Huh, I donated about a year back and, while I think I did get some messages, I unsubscribed and haven't seen any since. How long ago was your donation?
Yup, one donation and I get a never ending stream of different political campaigns messaging me. Unsubscribe from one and a different one emails me the next day.

Marking them all as spam seems to be helping more than unsubscribing.

I should have specified that it was only retail, not social media or politics.
Donate to a political candidate or large non-profit

Can confirm.

Joined an art museum in a major city.

Within a month, the unique e-mail address was getting spam from the aquarium, the science museum, the local PBS television station, and some museums I never even knew existed.

I do this and I definitely get spam to addresses associated with e-mails leaked or sold in bulk to the highest bidder. I rarely _see_ it as most of the time "unsubscribe" link works (for sold e-mail lists, as the buyers usually try to maintain some sort of decency) and for those where it is useless (shameless "enlargement" type emails, usually from stolen email databases) it is usually classified correctly as spam by an e-mail provider or e-mail client.

So, I never had to explicitly filter e-mails out by "To:" field, but using this system still gives me some sense of control.

As an additional datapoint, my main email address is publicly available (I obfuscate it when typing out of anti-spam research force-of-habit but it's all over the Internet, public records, people's inboxes, company customer lists, etc etc), in continuous use for 15+ years, and I receive less than a handful of spam per week, almost all of the "Hello owner of $DOMAIN would you like you buy our SEO/etc services" genre rather than garden-variety spam.

Possible confounding factor: I try to keep my personal and professional lives ~separate and so the retailers/etc most likely to be compromised get a personal email address (whose inbox is virtually unusable due to amount of commercial email it receives, though relatively little of that is spam per se).

Maybe not 3rd party spam, but definitely first party spam.

I gave a custom username email to a in-person store (big chain) with a rewards program because they were offering a huge discount if you did. Since then they've sent at least 1 email a day, with an average of about two (I've redirected all their emails to a folder I never look at). Which is a particularly remarkably obnoxious rate of sending emails...

I've also split my email addresses in to a public one (displayed in my profile here, on github, on a website, etc) and a private one. The public one gets a spam email or two a week.

Incidentally, I was surprised to discover that pinterest forbids you from having the word pinterest in your email (or did when I signed up).

I wasn't counting 1st party spam as spam because in many cases I like the information I get (usually sales on things I buy). I should have pointed that out in my post. Thanks for making the distinction.
So just unsubscribe from the mailing list then?

Why are you setting up these custom filters instead of just clicking the link and opting out?

> So just unsubscribe from the mailing list then?

I've encountered many companies that let you unsubscribe, then add you to a 'new' mailing list a few months later. You can usually identify these companies because when you click to unsubscribe they take you to a page with a dozen or more 'newsletters' that you have to uncheck to remove yourself from if you can't find the 'all' link.

Unsubscribe also frequently doesn't carry over when a company is sold to another, who then harvests every email ever mentioned anywhere to send new spam to.
Because it's faster to set up a custom filter than search in the email for a link... I couldn't even tell you if there is an unsubscribe link (I mean I suppose I could go look, but I definitely never did).

Also after getting home and already having multiple marketing emails I was sort of curious about just how many they were going to send, which is why it's in its own folder.

I had custom filters for a while but I stopped using them, it became unmaintainable and caused some false positives.

I then resorted to unsubscribing, but in my experience that doesn't always seem to work. I could be wrong here as I haven't kept track of who I unsubscribe from and if I would still get newsletters after the fact. But I've experienced receiving newsletters from some company I could've sworn I just unsubscribed from a few times.

However it wouldn't be surprising if some website's unsubscribe feature was buggy. I can also imagine it's not being reported. Or if it was it, and you could figure out where to report to, the report would get lost on its way customer support to the people responsible.

It's not just companies selling your email address to third parties, it's also companies that keep your email on file and then get compromised.

Most of the spam/phishing I get is from companies that stored my personal details and then got hacked.

I would say it's likely you just got lucky.

What email service are you using?
I have no spam on my gmail account. All I do is every time some new spam shows up I immediately unsubscribe. I might get new spam maybe once a month but that’s easy to unsubscribe from.
Is the fear of "people selling your email to spammers" a modern myth, or are spam filters that good?

Email databases for sale are not always for spam or malware. They are often used for tracking and cross marketing calculations. Placing a companies name in the address will signal a canary and they may likely filter your contact out of their database or at least flag it and treat it differently.

I've been using email canaries for decades but recently had to adjust my canaries to be less obvious. A few vendors got upset that I had their name in the address and one even accused me of fraud and canceled my $500 gift card. That was the Tractor Supply Company.

Either way I will continue using canaries and multiple domains as it is a good way to be filtered out of some cross marketing databases and to avoid some behavioral tracking and some machine learning. It is also useful to find companies that get upset. This is an indicator to me they lack integrity and should be avoided. Canaries are also a good indicator to detect if a company has been compromised.

> A few vendors got upset that I had their name in the address

I have had this happen a few times.

> Canaries are also a good indicator to detect if a company has been compromised.

Yep, this is a fantastic use case.

This is exactly my use-case and experience after many years of custom catch-all'ing.

I've noticed a couple breaches, and also a few unexpected transfers of my email address between semi-related parties.

Just once it appeared an address was sold via a marketing list, after filling out a lead-form for a free online conference hosted by multiple companies that you've seen on HN.

Surprisingly, unsubscribing tends to stop emails from everyone.

Slightly easier* than running a domain, i've had luck with myemail+CompanyX@gmail.com when signing up to CompanyX. Gmail handles the '+' transparently (in the same way as it ignores '.') and delivers the email to myemail@gmail.com.

It is fun to receive a survey about "an anonymous company you have used in the past"... sent to myemail+uber@gmail.com.

*yet less reliable, '+' in email addresses isn't always accepted, and when it is sometimes only partly, e.g. signup works but password reset doesn't

Tbh with GSuite + a 5$ domain I get catch alls for minimal effort.

I used to use + addressing schemes, but abandoned it for the reasons you mentioned (websites breaking horribly).

Exactly. Catch-all setup on Google Workspace/G Suite/too-many-renames is usually obtuse but it’s a one-time tutorial effort.
I wonder if there's a way to script setting it up to be honest, I end up about an hour deep in help docs each time I set up a new domain+email trying to work out how to make a catch all and how to configure the thing so replies come from the right email.
Oh, I’ve never realized replies could be made to come from the right email. I manually add addresses as-needed (once a month or so).

I think there’s an unofficial Terraform provider but I haven’t looked recently.

Wouldn’t it trivial for them to strip out all values from + to @ prior to selling your address?
(comment deleted)
Yes. I've written code that does this for parsing leaked email lists before as part of a normalizing step.
Not sure why this is downvoted. I can imagine non-nefarious reasons to collect these lists.
Why do people downvote stuff that simply triggers them? This is useful info
Because it's cruise control for not needing to justify their point of view whilst still pushing their perspective. Sick, right? Votes and e-peen points have to be the worst aspect of HN and Reddit.
It's spam detection evasion.

Also, depending on the legislative framework, it might be illegal: If I give company my email address with a plus and an identifier in it, I give them permission to contact me under that specific email (with the plus on it). If I as a result receive emails under another address (without the plus on it), this might be a GDPR violation.

I don't see how it's a GDPR violation, but it does turn any contact into spam - the +less address didn't solicit any contact.

Not that spam laws are enforced or particularly enforceable.

It's a violation because you have to get explicit permission for each and every way of communication. So giving permission to be contacted through a single email address doesn't mean you gave permission for the phone or in this case another email address.
True, though there are marketing comms laws that predate GDPR (at least in the UK) that cover that too - that's what I meant by it being unsolicited spam.

In either case, the existence of the different authorised email address is irrelevant.

The original post never said they were using these lists to send unsolicited emails. It's your assumption they are a spammer; while I said I can imagine non-nefarious reasons to collect these lists.

For example: A lot of pentesting companies offer "darknet research" as part of their engagement; these have a non-nefarious use for these leaks, including private addresses: Given a list of customer's employees it's easy to guess some obvious Gmail/GMX/Yahoo/... addresses and check if they might be affected by any leaks (password reuse is pretty popular, especially with the not so technically minded). Troy Hunt, who runs haveibeenpwned, uses these lists as well; I suppose he normalizes Gmail, too.

Yes, OP could still be an evil /dudett/..., but while "innocent until proven guilty" might not be a HN rule, it's still something I like to assume about random people in the internet.

Hm, just saw: Something ate the "evil dude slash dudette slash ...".
I imagine the challenge is knowing what parsing rules apply to which domains. Gmail supports the + thing, but that's non-standard. Is that something you tried to handle in a general way?
> Gmail supports the + thing, but that's non-standard

Plusaddressing is valid and has been since 1982[1]. It's part of RFC822 and the subsequent RFC2822.

The fact that many websites do not allow + in an email address during validation is a common programming mistake and the sign of an undertrained engineer.

[1] https://people.cs.rutgers.edu/~watrous/plus-signs-in-email-a...

Sorry, I should have been clearer. Gmail will place messages for user@gmail.com and user+foo@gmail.com in the same mailbox. The grandparent comment talks about normalizing the address by removing stuff after the +. This sort of deduplicates the addresses. Other platforms may have distinct mailboxes for user and user+foo, so you can't strip it on those platforms. The mapping of user+foo to user is non-standard.

There won't be a general approach to deduplicating addresses that map to the same mailbox as the mapping rules aren't always public. But for Gmail, the rule is public, so a best effort deduplication could strip the +.

> The fact that many websites do not allow + in an email address during validation is a common programming mistake and the sign of an undertrained engineer.

Or just sanity.

I am totally onboard (https://news.ycombinator.com/item?id=31797121#31822961) with having compliant parsers (or just not using them)

But the RFC from what I can recall is _wild_. I can't find the part so maybe I am mixing something else up, but I believe you can embed comments into an email address.

All I am saying is that the possible scope of valid email addresses is likely so large, trying to write a parser for them is a sign of an underexperienced team rather than not having one at all.

Malicious actors are probably going to implement the Gmail parsing rules before they even look at the standard.
it should be trivial, i don't know if many do it - iirc haveibeenpwned.com doesn't
Sometimes it's only partly supported, in the sense that the website will just break if your email has a `+`. I'm pretty sure I encountered that one with both Disney and Royal Caribbean reservation workflows just flat out breaking.
> I'm pretty sure I encountered that one with both Disney and Royal Caribbean reservation workflows just flat out breaking.

My favourite is services that let you sign up with a + in the address but then break when you try and login or reset your password.

I switched to '-' instead of '+' which was a trivial change in exim.conf and saved my sanity because there was just too many places which either break on '+' or refuse to accept it in the first place.
I used to do this, until I had to reply to an automated email for some customer support system. It rejected all my replies because the From: didn't match.
You can send emails with any From: header you wish.
Not from within Gmail's web interface.

I personally use Thunderbird and AWS SES to send mail, but many people who grew up on web interfaces are intimidated by Thunderbird.

> many people who grew up on web interfaces are intimidated by Thunderbird.

That surprises me; it's web interfaces that intimidate me.

Yes, I also prefer Thunderbird. But almost nobody that I've introduced it to was interested in using it.
Yeah you can, you can default it to send from the address the email you're replying to was sent to too.

It's the only thing I missed when I switched to Fastmail. (Which has since added it too, but not before I left in favour of my own SES-based solution.)

I'd love to know how. Tips welcome, thank you.
Sorry, it's many years since I've used gmail, don't have an account to check and describe exactly. I suppose I should've said 'you certainly used to be able to', I don't know for sure you still can.. would be dumb to remove that though.

Iirc there was a section of settings called 'sending & receiving', and there was a drop-down to select 'reply from same address' or similar.

(comment deleted)
That option is only for fixed addresses, not catchall addresses.

I.e. if your main email address is ojford@ojford.com but you're also preconfigured e.g. foobar@ojford.com you could set that option to have Gmail use either ojford@ojford.com or foobar@ojford.com as your return address, depending on the originating email's TO address. However, if you _also_ have a catchall address and somebody sends to newservice@ojford.com, even with the setting set your return address would be ojford@ojford.com.

Hm.. ok, I thought it worked but perhaps not - it has been a long time. I use my own client now, so obviously it behaves exactly as I want :) (which is as you describe).
I'm certain this didn't exist back when I had this issue.
Does thurnderbird let you change the from on an ad-hoc basis, or do you have to manually add different identities?
Current Thunderbird does enable the From address to be edited in the Compose window, and can fill in that field from the TO address of the message being replied to. Previous Thunderbird versions needed an Addon called Virtual Identities to do this.
I can attest to the unstable handling of '+' suffixed emails. UPS allowed me to ship a package as guest with myemail+ups@gmail.com but wouldn't let me create an account with the same email ID. I had no way to track the package pickup onwards.
Can confirm; once signed up as foo+bar@example.com, everything worked (including the confirmation mail)… and then the address was automatically normalized (‽) as foobar@example.com and I could no longer receive any mail (since that's a different account altogether).
There's also the unstable handling of . symbol (dot or dots) in email address before @ symbol. Gmail allows dots in email address before @ and normalizes them, so the same address with or without dots works. This leads to funny behavior such as unlimited account creation with the same email address (yes, + symbol would also work for this but that works almost everywhere and is better known) or my wife thinking she does not have an account while she does, creating a new one instead.
> unlimited account creation

Nice, hadn't thought about :-)

How did they expect you to respond to a survey about an anonymous company?
I assume it was a more general survey. Uber might want to know what people are doing for transportation even when it's not Ubering.
I used this to determine that Xfinity was compromise, yet still no acknowledgement despite reporting the issue to them and they went through some spiel about how I received the email by mistake and continue to receive emails by mistake at <randomword>_<randomword>@<customdomain>. The only person I shared that email with was them, and never had the issue with another provider.
If I have to provide an address to get a download link, that address will be either postmaster@aol.com or abuse@domain-of-the-company . EMailing the link to the provided address will probably just make me seek out different software. Make software that users want to sign up to hear more about; don't force them to opt in to marketing just to try something. It's the first impression and sets the tone with your company.
> fantastic use case

How does it work?

If a company to which you have provided an email address, gets compromised, it's likely that you'll start getting automated pishing emails to that address? And that the address ends up in... some "warning" database like Have I Been Pawned, and you'll get notified?

Or something else?

Seems like a good idea :-)

> A few vendors got upset that I had their name in the address

When it happens, I say "this is because your company is so important to me that it has its own mailbox to be prioritized accordingly"

It worked every single time :)

Same, though go with “I use the incoming address name to file things into the right folder, so work things, banking things, shopping, and such, are separated” – I don't butter them up by making them sound important enough that I created a mail inbox just for them.

If they still object then I don't sign up. I've had web form refuse to accept an email address with their company name in, so that sale went elsewhere, and one physical retail store wouldn't let me sign up to their prize draw with such an address, so I didn't. In neither case do I suspect anything of value was lost by myself!

I guess ROT13 could also be a last resort if signing up is important enough.
Slightly mangling the name (e.g. target => trget) is another way.
> Placing a companies name in the address will signal a canary and they may likely filter

Oh, good point. I guess I may have invalidated all my research! :|

But you’ve stumbled on an even better solution! Now you are spam free + tracking free.
On the other hand, your address is being filtered out, so... win? :D
If you're interested in getting "true" results, perhaps you could do something like this:

name1@website.com

name2@website.com

etc.

In a spreadsheet, you have one column with the number, and another with the company name. You might want to change this up, putting the identifier in different parts of the email address, to avoid similar "canary" signals.

Personally, I use BitWarden to generate usernames for each website, to help keep my fingerprint (somewhat) scrambled. LastPass also has a good username generator. [1] I would just avoid using complete non-sense words, since there might be some amount of human review.

[1] https://www.lastpass.com/features/username-generator

Just writing their name in reverse would probably work, and be less time consuming.
Only if you actually want to receive their spam for research purposes.
Reading these over the phone to dinosaur financial institutions is pretty unfun though. I was doing something similar with generated usernames, had to call in to reset my password because some places operate like it's still 1983, and the person helping me probably thought I was nuts with my 30+chr random username.
Sounds like you use Bank of America, too!

I had to read my e-mail address to someone there just last week.

I had this experience with a different bank (with an embarrassing email address). I wonder if there's some compliance thing here for banks.
Someone should sign up for all the mailing lists with a email address used nowhere else and track the cross-mailings. Maybe a bubble babble hash of the company name as the email prefix, and a big mailer like gmail or protonmail as the server. When the email is leaked and the company does not inform the user, report the company via GDPR.
> Someone should sign up for all the mailing lists with a email address used nowhere else and track the cross-mailings.

I may be misreading your comment, but if not, it sounds like the OP (of this Tell HN) did exactly that.

(comment deleted)
Fastmail offers a masked email feature for one-time email addresses: https://www.fastmail.help/hc/en-us/articles/4406536368911-Ma...
The 1Password integration doesn’t work for me. Not sure why :-(
Works fine for me. Maybe you have some conflicting settings enabled?
I wonder what settings would that be.
I've seen sites that disallow auto-generated addresses, super lame and makes me not want to use them, not sure how common that is today.
I've seen sites that disallow auto-generated addresses, super lame and makes me not want to use them, not sure how common that is today.

Expect this to change, if Apple's anonymous e-mail forwarding becomes popular.

Just like when IT departments (including the one at my company) insisted that everyone use Blackberries because iPhones weren't suitable for a corporate environment.

Once enough C-levels start using any feature, it spreads like wildfire.

> Expect this to change, if Apple's anonymous e-mail forwarding becomes popular.

They'll continue to block the non-apple ones regardless.

How do they disallow it?
I'm not sure if this is the same thing, but I think there are published lists of domains used by e.g. mailinator, so if they see a match they just reject you with a "please use a valid email address" message.
They can't easily filter Apples or Fastmails addresses, since they have @icloud.com / @fastmail.com domains.
Yes, and they recently enabled one time emails with your own custom domain, which really helps get around folks trying to identify and prevent this.

This is a killer feature, I love Fastmail.

I wish they'd open this up to use a subdomain, rather than the main domain.
But it makes it very difficult to ever switch to a different provider...
> A few vendors got upset that I had their name in the address

Kinda annoying of then, maybe I would go for an opaque (or maybe just a simplified) canary. Like the initials or abbreviation

> A few vendors got upset that I had their name in the address

rot13 FTW

too much work to remember each time for logins if it's something frequently used. The iCloud way of generating emails is great but only works well on my iDevices. I used to use endjunk.com for everything, and it was the same kind of "anything@you.endjunk.com" setup, but one day they just disappeared with no warning and I lost a few accounts because of that. Learned my lesson and just switched to GMail.
>> too much work to remember

You don't use a password manager?

I’m not sure what encoding this is, but sometimes I do QWERTY shifts.

Google becomes hpphar.

Easy to [en/de]code on the fly by looking at your keyboard.

That's a simple monoalphabetic substitution cypher, as would be any one-to-one fixed mapping.
You probably want to stay upset and explain why they are. I feel working around the issue is counter to the point.
I was offered a few employee discounts by front line associate because of using an email address with a company name. I declined but found it awkward to explain the details.
I added @lists. to the email address and found that it lessened the need to explain.
I also follow this system and have had this. It's disconcerting when companies who manage your PII don't understand the format of an email address.
I had a funny interaction with a financial institution about this at one point. They were having a lot of trouble understanding that company@mydomain.com was the correct email address.

Eventually the conversation went like:

"So you're saying you created a new email address just to use with us?"

"Sure, yeah."

"...That's weird."

The weirdest of these i had were support agents who thought I was a colleague because I usually use <theirdomain>@<mydomain>
I did that for one of my amazon accounts a few years back when i registered at an amazon conference (probably aws reinvent)- i.e. amazon@mydomain.com - and for about 6 months I got onto some internal email list at amazon/aws, definitely not intended for the public, likely because someone queried for all email address that had 'amazon' in the address from this registration list - thought it was pretty funny, but eventually they stopped - someone probably figured out what they did wrong.

Also have one for thifty@mydomain.com (the car rental company) - when they saw my email address at the counter they gave me the employee discount rate - I didn't correct them :)

I got cc'd into internal discussions at the management company for my flat block, about the block.
> A few vendors got upset that I had their name in the address

I've had more confused than upset, but Samsung straight-up refuses to accept email addresses with "samsung" in them. I'm not sure what they think they're accomplishing.

I think I get more spam from hacked/leaked email databases than sold ones. Dropbox is the worst (signed up and used it briefly over a decade ago, and now suffer an eternity of spam).

You should've just changed the address to 'spamsung'.
> A few vendors got upset that I had their name in the address

A few years ago I created an account with a freemium publisher with the email address their.domain@my.domain and as soon as I logged into my account I had full unlimited access to all content.

I suspect their system had a routine that detected staff accounts based on a string search for their domain.

I've seen this bug in prod while consulting. Bad regex.
Just adding an @ to the string match would make it a bit more robust. (Would still be vulnerable to jim@their.domain.my.domain, so add a $ on the end if it’s a regexp.)

But even with the most rudimentary web-dev languages you can replace the inner string match with a lowercase transform, split on @ and perform an exact string compare. Insanely simple stuff. Probably still a one-liner in any sane/productive framework.

Frameworks usually have some sort of email parser. Email parsing is non trivial. But I agree matching .*?@domain.com$ would probably work fine.
What is the purpose of the ? here?
I dunno, but I've seen a bug like this in prod while consulting.
It makes the preceding * less "greedy". I don't think it has any effect on the set of strings matched by this regexp, though, which is a simple string suffix check.
I agree, but the dot should be escaped because it matches any character, so "@domain\.com$" should just works for.
Or use [.] so it's super clear on the a-human-is-reading-it parse.
I don't think that's clearer because for [.] I need to remember that . does not need to be escaped in character classes whereas \. is quite clearly an escaped literal character without any advanced regexp knowledge.
Non-greedy match (match what's necessary nothing more.)

The default is greedy... match match match nom nom nom!

Definitely use a real email address parser if it’s available, easy and/or you’re dealing with unknown email addresses. But absent any strange circumstances there’s also nothing wrong with basic string manipulation if it’s done properly (e.g. split on @ and test for an exact string match, case insensitive). As personal preference, I’d choose that over regexp.
Hackers deliberately create strange circumstances, it's the primary way to find exploits. Any code that relies on a lack of strange circumstances is a time-bomb.
There aren't too many strange circumstances for a properly written split/test routine. Described more precisely:—

  1. Split on @
  2. Get last string from array
  3. Convert to lowercase
  4. Perform exact string compare against target domain
It's possible that there's some window for obscure unicode hijinks, but I'd posit that a regexp parser or a "proper" email parsing library is just as at-risk. Possibly more so as those would be significantly more complicated and involve significantly more code.
I have been thinking about using some sort of UUID-generator ([UUID]@mydomain.xz) whenever I sign up for a new site, but I just can not think of a _good_ way to keep track of them.
Database? Text file?
Generated algorithmically from their domain.

I believe sqrl uses a system like that.

If only there were some convenient software for keeping track of your unique login names and passwords for each site you use.
> few vendors got upset that I had their name in the address

No one got upset, but a record label was confused and asked me about it, and another company had their legal department ask me under what license I use their TM ;) In both cases a simple explanation was the end of it.

> another company had their legal department ask me under what license I use their TM

Please name!, or give details of size.

Not for shame — for curiosity!

We used to have one of the top range email marketing software at work. Emails, such as info@, contact@ and some others are automatically excluded and you can't even send any marketing to those.
I've had this happen a few times, but I was able to resolve them all except one cadre. Stitch Fix shut down my account abruptly, informing me of "security concerns" and disabled my account without any recourse after I'd spent a bunch of time setting it up. No offering of personal verification mattered. It was disappointing.
I've heard that fraud sentiment several times from friends of mine who do exactly that with the company name in the email address. They've since moved on to a randomly generated string of alphanumeric characters, this is put into a spreadsheet, and they write down when and where they used it.

I'd like to start doing this, but wondering what I would do if I figured out someone had passed the address on or been compromised.

The vast majority of my spam comes from the bad old days of desktop pc viruses and people using outlook express (say 15+ years ago).

Back then, my college required us to forward our university email to a personal account. That's fine as our personal addresses were hidden and not public.

What was not fine was one day the IT department changed everyone's public email address to their private address. They also changed mailing lists from BCC to CC so that you got to see everyone's email who received the email.

A few hours later after these changes, the spam started rolling in. At first it was a moderate amount of spam, a few messages a day, but it quickly increased. At one point it was up to 200-300 spam messages a day and stayed that way for several years. In any given month my gmail spam count sat between 3,000 to 6,000.

Over the past 10 years, as botnets have been taken down, those numbers have come down an order of magnitude. I still get between 20 - 30 spam messages a day on that account.