Ask HN: Do you track how your email address is used?

69 points by themingus ↗ HN
If you want to know when your email is sold or shared, there are several strategies to know who the culprit is. Plus addressing/subaddressing is the practice I hear about the most often, and how I keep track of email use. Do you care about tracking your email? And do you use plus addressing or do something else?

101 comments

[ 5.6 ms ] story [ 184 ms ] thread
I care. I use a generated email address at my domain for every account/service/website. I store the account info in keepass, they all have generated passwords too. I can see when email comes in who abused the email, was compromised, or sold it. If an email starts getting spam, i block receiving to that address. if desired, I update the account to have another generated email, but usually if I'm getting spam to that email I don't want to do business with them again.
I do the exact same thing.

It gives you quite a bit of insight and control.

some examples:

- at some point my email for amazon was shared, and I started getting offers from some vendor to 5-star review one of their products on amazon. I changed my amazon email address. (I generally trust amazon)

- emails from my bank have to go to a specific email address. I can be pretty certain it is my bank contacting me.

- I generally do not give my email address to retail stores. On several occasions I've given it to them for deliveries, telling them it isn't for anything but for the delivery. I'd say 80% of stores are super disrespectful of this. One spammed me every. single. day. with offers, until I got the delivery and turned off that email address.

- I once gave out a specific email address to a friend. He shared it with a second person to coordinate all of us meeting. and then I started getting phished so we figured out that the second person had his email compromised.

- I rented a car from hertz and had to give an email address. and then they sold it to other companies.

- linkedin stuff. easy to spot fakes since they don't go to my linkedin email address. Also easy to spot emails from people contacting me who got the email from linkedin.

It goes on and on. More people should do this.

"I can be pretty certain it is my bank contacting me."

This is a neat advantage of this approach. I usually get phishing emails on a "wrong" email address, which makes them trivial to identify. So I know what to look out for should they ever manage to target the correct email address.

Does that work? I mean if I had that rule, I wouldn’t do business with almost anyone again. How does that help even?
I do this as well. Unique emails for every account along with unique passwords, password manager. Works great so far.
(comment deleted)
I generate a "username" on Bitwarden for every new address I need which is effectively the same approach (using my domain). Do you mean though that you generate an email address with your mail server, or do you just use a catch-all? I do the latter and I've never considered "turning off" an address before and now I wonder if I have that option.
Sure do - though I have my own domain, so I don't need subaddressing. If some address gets compromised, I just set it to bounce.
Fastmail offers per-service generated addresses. I think it's kind of fascinating to watch my email address that went solely to my local credit union start sending me spam somewhat related to my employer.
Fastmail allows for aliasing too - username@domain.tld -> bank@username.domain.tld, retailer@username.domain.tld, etc. Pretty convenient. I use that feature pretty often and I can only recall one instance which seemed to indicate my address was sold to spammers. It’s more useful for organizing incoming mail, like plus-aliasing in gmail.
The important detail is to add random nonce/salt to the generated email, like _jri68, so that it's not guessable, so it's provable that the database was compromised. Guessing bestbuy@example.com is believable, but guessing bestbuy_jri68@example.com, is not.
Yes every service gets a custom address.

It's also interesting that some services don't allow COMPANYNAME@mydomain.com for registration. (Can't remember which)

Aliexpress. I log in there as express.ali@
I can't remember which company now, but one time I called into customer support and gave them the unique email address that I used for that account. It had their company name in it. Something like bityard.acme@example.com, for instance. The person on the other end paused for several seconds as if looking over their shoulder and whispered, "wait... do you work here or something?"
Yes, I’ve done this for years. And to be honest, I don’t think I’ve ever “caught” a business sharing a service when they shouldn’t have. Makes me question why continue to do it.
I've been doing this for years, as well. I've also found that the majority of companies I give an email address to are actually surprisingly good stewards of that information. However, I have found a number of email leaks. It looks like my block list is up to 31 addresses. Most of those are leaks that led to spam. (Although one was a smoothie chain that insisted on sending me email every single day, and their unsubscribe page always seemed to be "malfunctioning".)

I don't think all or most of these companies on the list are intentionally selling my address to spammers. I suspect most of these leaks are due to poor handling of the data or server compromises. (Surely Adobe, for example, isn't so desperate that they would sell my address to spammers.) But whether by malice or incompetence, I can easily block them.

I care. Maintain a collection of emails per tier of service plus some Apple obfuscation.
Yes.

I use a catch-all. I can accept (whatever)@mydomain.tld

Anytime a new company wants my email address, I just randomly give them one.

So far I only get spam to the email addresses other people posted on a website as contacts for organizations I volunteer with.

(I get spam from web scraping, not from company hacks/sharing etc.)

JW, why?

Do you get so much spam from a specific email that you feel safe to ban it completely? Are you able to sue them or just send a strongly worded email about how they sold your email?

Before this, when just using a single email address, I had no idea where the spam was coming from.

Now I know where the spam (I get) comes from.

I haven't had to ban any addresses yet.

I do the exact same thing and I don't live in the US so suing a party that sells my shit isn't an option, but it's nice to be able to blackhole an alias so that the corporation in question doesn't get to bother me with their bullshit. It's only happened once or twice.
I also do this. There are some bad sellers that keep my email address and create a new email list for every promotion, so the Unsubscribe link in their emails always says something like “Unsubscribed from Promotion-2024-October” instead of “Unsubscribed from AnnoyingSeller”. Those get sinkholed.

I also once helped a seller discover that their contractor had stolen and resold their customer contact list when I started getting unrelated spam at that address and complained lol

Honestly, using a username generator in Bitwarden, it's so easy to do this that it basically "pays" for itself the first time you get a "true" spam email and it's effortless to identify who sold you out. I originally tried doing this manually but that was too much effort; now it's as simple and natural as generating a password for a new login. I see no reason to ever stop.

Of course, the vast majority of spam I get is marketing emails from companies I've actually done business with. Few if any even have an opt-in checkbox on their checkout form and those that do hardly ever honor it. There's simply nothing to be done about that except unsubscribe after the first time they spam you - and this is where having unique emails also helps, because those "unsubscribe" links are obviously riddled with tracking as well.

I have a catch-all domain but I don’t bother to setup unique emails for each service. It’s too much of a headache and you have to ask yourself:

If I find out someone sold/shared/leaked my email what am I going to do?

Here the possible responses as I see it:

* Stop doing business with them - This is way easier said than done

* Be mad - ok, great, now what?

* Send a strongly worded email - again, so what?

* Sue them? - Good luck

Selling or sharing my email address is a shitty thing to do, but my recourse is extremely limited and really ends up with me just being angry with nothing to do about it. Given that I’ve decided just to not care.

There are many things in life that I once cared about or once got worked up about that I don’t anymore because I’ve realized that it’s just not worth it. I’ve tried to identify more and more the things that get me mad, but don’t affect any change and then purge those things from my life. Life is too short to spend your time worrying about things like who sells your email.

I use iCloud’s Hide my Email feature. So I have dozen email addresses and I receive email in the same inbox. I don’t care how my email addresses are used. The moment I see too much spam, I remove the email address.
I love this feature in Apple’s ecosystem so much. The newer iOS and iPadOS releases when autofilling a sign-up form even give an option to generate a new hide my email address. It’s effortless to not use your real email. If you pay for an iCloud subscription, hide my email is included. Apple tracks what site you used hide my email on when signing up and allows you to toggle forwarding of emails to your inbox on and off.
I do not. I have three mail boxes, for trashy, job-y and personal things. And a couple of technical (apple id, etc).

Gmail is really good at filtering spam, so I probably looked into it and found a letter that I waited for only one time in last few years. My inboxes are either empty or may get first non-spam marketing emails that I unsubscribe from immediately. Unread count zero.

Idk why people fortify their email that much and investigate who does what. Have no issues nor hesitation with leaving my work email at any local org.

Same. I used to run my own email servers and do all the per domain things. It was just way too exhausting. Switched to Gmail and haven't looked back. Don't even worry about email at all now. I just wish I had jumped on Gmail earlier to have a better username.
I care but don't have time or the resources. What I have made a habit of tho is registering to any new website or service using example any.name@gmail.com → register using a.nyname@gmail.com. I then take note of which variant / which service.

I have no idea if this works the way I expect it logically could or should, but if it does I guess I have some data to go thru.

I use canaries. I point a dozen domains to fastmail and another dozen to my self hosted email servers. Each have aliases that are mapped to vendors but do not have the vendor name as some vendors are getting upset at this practice and calling it fraud. If I start getting garbage on that alias, I notify the vendor. In most cases they will give me a boiler plate response and then I delete the alias. If they are snarky I create a reject rule with my own snark that also explains the emails for that vendor have been either sold or compromised. This is to let people buying email addresses know they bought a dirty list as some of the modern bots have some telemetry.
woah, what do you mean by calling it fraud? Have you actually had companies come after you legally due to an email alias?
Conversations caused by the odd looking email address can often get very nasty.

This is why I also like how iCloud does with their hide my mail feature; there’s nothing suspicious about the email you give out.

It only has to be unique. It's easy to find out who you gave it to by looking at the very first email.

ROT13 or the date in base36 (to keep it short) might help when you need to spell your email address over the phone. Today is oaf@example.com.

Hiding information behind a non-standard encoding is a really smart idea.

I will update my technique to use incorporate this method, thanks!

Unix epoch `date +%s` still only requires 6 characters. I really like your idea.
I have not had anyone accuse me of fraud yet, but I have had email addresses rejected because they too obviously contained the company name in them.
Samsung does this for example! You can't register a Samsung account if your email contains the word "Samsung"...
I think this might be a lazy attempt to protect users from scammers trying to impersonate the company.

There are people that will read an email from "SamsungCeo@gmail.com" and think it's actually from the owner of the company...

I would venture a guess that there is an equal proportion of company executives who would think that creating and using an email address like 'CompanyCeo@gmail.com' was completely fine - an awareness of internet scams is not correlated with business acumen!
Also frustrating when a company adds it after you register, e.g. Spotify allowed me to use spotify@ at one point, now I can't register anything with that word in .
I'm not GP, but I've had transitions denied while attempting to purchase something because the retailer's code flagged my email address as suspicious because it contained their name in it.
Just another data point, I've had the same issue with some vendors.
I had this happen as well. I responded with a long rant, which apparently proved my humanity.
Haven't had that happen to me, but I did get asked by a clueless support rep from $VERY_BIG_MULTINATIONAL_CORPORATION whether I was also an employee due to their company name appearing in my email address. (Coincidentally I used to consult for that company.) Long story short I set them straight rather than trying to parlay their ignorance to my advantage.

The most shocking thing was that I was calling them regarding an issue in which they required me to prove my identity, and yet the person I spoke with didn't seem to be well versed in security measures.

Also: I use a separate alias for every company (and sometimes individual) I deal with. In the 25 or so years I've been doing this, so far I'm up to over 1,000 aliases.

I've always knew at least some companies would do that so I just use slight variations on their names. Never had an issue.
I do this too (3 domains, Fastmail)

For specific vendors where I am at the shop, I just make up an alias email with their name in it.

For apps, services, I configured bitwarden to create email aliases on Fastmail, so they are linked to a service.

I run my own IT. I host my own email, authoritative DNS, web, etc. I use wireguard for a lot of stuff. I put stuff behind cloudflare. I'm sneaky when I need to be, but mostly I'm just a control freak. I also know way more than the average person about email and email authentication. Or lack thereof.

Every entity gets it's own email address. As others have pointed out, it lets me track who ends up with it. Sometimes I find it surprising, mostly I don't. Sometimes, though, people are up to some shit.

edit to say that those actually creating mailboxes for everything should just use aliases that funnel to a single mailbox. So much easier to maintain than having to have a huge keepass db.

edit 2 employ dmarc if you want to see who is trying really game

Hi, Can you guide on how to do a similar setup.I would love if you could possbily share any relveant resources.
postfix as MTA. dovecot for IMAP. opendkim, postfix-policyd-spf-python, and opendkim for authentication a database to store mailbox and alias info. something like mariadb, postgresql, or just sqlite would do.

I wrote my own code to tie it all together, but there are tutorials that show how to do pretty much the same thing if you do some searching.

I have my email stack running on linux in a cheap VPS.

The main problem most people run into is having poor ip and/or domain reputation with the large mailbox providers. (gmail, yahoo, etc.) It takes time and not sending email that looks spammy to build enough reputation to get delivery to the inbox and avoid being sent to the spam folder. You can get an idea of domain/ip rep by signing up for google postmaster tools and entering your domain and ip or block of IPs from which you are sending. If you are lucky when you sign up for a cheap VPS you will get an IP address that does not have a bed ruputation or at least no reputation.

My setup is only for my personal, non-commercial stuff.

You could also use a setup like this with integrated with something like AWS SES in order to mitigate bad IP reputation.

edited to fix a typo

Thanks for your detailed reply.This seems daunting but I will look into it.
for general purpose website signup not directly linked to my identity, I use Simplelogin. For real life personal stuff I just have a gmail. There is another dedicated email for open source work, plus a few historical email addresses which aren't actively used but still occasionally receives stuff.
Occasional use of plus addressing but I find a lot of signup forms now actively block this. Also have a secondary crappy gmail address that I use for low value stuff that is sus. (That’s full of spam and has multiple hits on have I been pwned)

Beyond that I don’t worry about this too much.

As a side note - amazed that iPhone autocorrect corrected my “owned” to pwned in above

while they might block the plus, they likely do not block the dot. It's not exactly the same but can help for at least a few scenarios.
I use Proton's email aliases for throwaway accounts, and I have a catch-all on my own domain and use custom email addresses (think apple.com-randomstring@example.com) for accounts that I intend to keep until I die.
I do something like this with Proton and my own domain as well. However, I made the mistake of buying a .io domain, thinking England would be pretty stable. Now I need to figure out what I’m doing.
When I learned about public git commits "leaking" my email address it was already too late. Now I'll probably use that email for this particular task. And another sad thing, is that many spammers are picking up "support" email address from Google Play Store. Still waiting for a email service which would charge each spammer several dollars for "successful delivery", or plain "waste of time".
I use Hey.com's "catch all" inbox for this but it's a bit janky. If you set up a "custom domain" Hey account, you can actually email `[anything]@yourdomain.com` and it'll arrive in the catch all inbox. (Not unique to hey obviously) It has the benefit that it's impossible to block, but Hey obviously doesn't really want me doing that since they charge per-email-address.
I do this too, with namecheap.com's email servers... I pay for a few email domains on namecheap, but one is specifically for spam, and I use their "catch all" as well.

So if I sign up for a service like amazon.com, my email address will be amazon.com@[my-spam-domain].com so I know exactly who is selling my email address. I do this for every service that asks for an email address.

I'd never use a "plus" email address from my main email account, which is far too easy for spammers to figure out my real email address from.

What's especially awesome is how many unsolicited emails don't have unsubscribe links in them.
If an email is truly unsolicited (didn't come from an entity you didn't give your address to), it's not wise to click on an unsubscribe link anyway, as it sends a strong signal to the spammers that not only was the email delivered to a real person, but they also read it. In their eyes, you just went from a random string of letters to a hot sales lead.
Also nuts is when they couple them to phony real world locations like "123 Main St., Mytown MA"
I do not regularly track, but I do reflexively create throwaway emails at a domain I bought for that purpose, so that I can /dev/null them if/when someone sells that email address to a list.
I've used spamgourmet.com for many years (Literally decades, my first entry was 2003-08-07) to create disposable email address. You just make up the address "tempsite.4.username@spamgourmet.com" to create an email address for tempsite that expires after 4 uses. You can always remove this limit later.

My message stats: You have 245 spamgourmet address(es). 827 emails forwarded, 28,605 eaten.

The #1 worst offender for selling my address was Yahoo, followed by the German magazine Der Spiegel, then Groupon. But my stats go back 20 years, so this may not represent current sharing activity. I also have many many examples of registering at all kinds of sketchy websites that have never used that temp address beyond the initial registration confirmation..

Sorting by created date, in the most recent 5 years, my temp addresses seem to be getting shared and re-used considerably less frequently, which probably correlates to the overall death of email, which is for old people, so I am told.

what do you mean yahoo. As in you made a yahoo account with your domain?

Because yahoo also hosted @yahoo addresses, it would have been pretty noticeable if they sold the addresses of their own users.

"EDIT:which probably correlates to the overall death of email, which is for old people, so I am told."

Still alive and kicking as the de facto passport of the internet.

Use unique plus addresses for each service that requests email address.
A lot of services don't accept the '+' sign in an email address, even though it's perfectly valid according to RFCs. Part of this is ignorance of standards but I suspect part of it is deliberate. (To get the users' "real" addresses.)
The worst examples are services that accept + when creating an account but does not accept + for logins. Believe it or not this has happened to me several times, and with large companies too. When companies started blocking + address specifically and/or being clever with removing the + part, I decided it was not worth using + addresses anymore.