Ask HN: Do you track how your email address is used?
If you want to know when your email is sold or shared, there are several strategies to know who the culprit is. Plus addressing/subaddressing is the practice I hear about the most often, and how I keep track of email use.
Do you care about tracking your email? And do you use plus addressing or do something else?
101 comments
[ 5.6 ms ] story [ 184 ms ] threadIt gives you quite a bit of insight and control.
some examples:
- at some point my email for amazon was shared, and I started getting offers from some vendor to 5-star review one of their products on amazon. I changed my amazon email address. (I generally trust amazon)
- emails from my bank have to go to a specific email address. I can be pretty certain it is my bank contacting me.
- I generally do not give my email address to retail stores. On several occasions I've given it to them for deliveries, telling them it isn't for anything but for the delivery. I'd say 80% of stores are super disrespectful of this. One spammed me every. single. day. with offers, until I got the delivery and turned off that email address.
- I once gave out a specific email address to a friend. He shared it with a second person to coordinate all of us meeting. and then I started getting phished so we figured out that the second person had his email compromised.
- I rented a car from hertz and had to give an email address. and then they sold it to other companies.
- linkedin stuff. easy to spot fakes since they don't go to my linkedin email address. Also easy to spot emails from people contacting me who got the email from linkedin.
It goes on and on. More people should do this.
This is a neat advantage of this approach. I usually get phishing emails on a "wrong" email address, which makes them trivial to identify. So I know what to look out for should they ever manage to target the correct email address.
It's also interesting that some services don't allow COMPANYNAME@mydomain.com for registration. (Can't remember which)
I don't think all or most of these companies on the list are intentionally selling my address to spammers. I suspect most of these leaks are due to poor handling of the data or server compromises. (Surely Adobe, for example, isn't so desperate that they would sell my address to spammers.) But whether by malice or incompetence, I can easily block them.
I use a catch-all. I can accept (whatever)@mydomain.tld
Anytime a new company wants my email address, I just randomly give them one.
So far I only get spam to the email addresses other people posted on a website as contacts for organizations I volunteer with.
(I get spam from web scraping, not from company hacks/sharing etc.)
Do you get so much spam from a specific email that you feel safe to ban it completely? Are you able to sue them or just send a strongly worded email about how they sold your email?
Now I know where the spam (I get) comes from.
I haven't had to ban any addresses yet.
I also once helped a seller discover that their contractor had stolen and resold their customer contact list when I started getting unrelated spam at that address and complained lol
Of course, the vast majority of spam I get is marketing emails from companies I've actually done business with. Few if any even have an opt-in checkbox on their checkout form and those that do hardly ever honor it. There's simply nothing to be done about that except unsubscribe after the first time they spam you - and this is where having unique emails also helps, because those "unsubscribe" links are obviously riddled with tracking as well.
If I find out someone sold/shared/leaked my email what am I going to do?
Here the possible responses as I see it:
* Stop doing business with them - This is way easier said than done
* Be mad - ok, great, now what?
* Send a strongly worded email - again, so what?
* Sue them? - Good luck
Selling or sharing my email address is a shitty thing to do, but my recourse is extremely limited and really ends up with me just being angry with nothing to do about it. Given that I’ve decided just to not care.
There are many things in life that I once cared about or once got worked up about that I don’t anymore because I’ve realized that it’s just not worth it. I’ve tried to identify more and more the things that get me mad, but don’t affect any change and then purge those things from my life. Life is too short to spend your time worrying about things like who sells your email.
Gmail is really good at filtering spam, so I probably looked into it and found a letter that I waited for only one time in last few years. My inboxes are either empty or may get first non-spam marketing emails that I unsubscribe from immediately. Unread count zero.
Idk why people fortify their email that much and investigate who does what. Have no issues nor hesitation with leaving my work email at any local org.
I have no idea if this works the way I expect it logically could or should, but if it does I guess I have some data to go thru.
This is why I also like how iCloud does with their hide my mail feature; there’s nothing suspicious about the email you give out.
ROT13 or the date in base36 (to keep it short) might help when you need to spell your email address over the phone. Today is oaf@example.com.
I will update my technique to use incorporate this method, thanks!
There are people that will read an email from "SamsungCeo@gmail.com" and think it's actually from the owner of the company...
The most shocking thing was that I was calling them regarding an issue in which they required me to prove my identity, and yet the person I spoke with didn't seem to be well versed in security measures.
Also: I use a separate alias for every company (and sometimes individual) I deal with. In the 25 or so years I've been doing this, so far I'm up to over 1,000 aliases.
For specific vendors where I am at the shop, I just make up an alias email with their name in it.
For apps, services, I configured bitwarden to create email aliases on Fastmail, so they are linked to a service.
Every entity gets it's own email address. As others have pointed out, it lets me track who ends up with it. Sometimes I find it surprising, mostly I don't. Sometimes, though, people are up to some shit.
edit to say that those actually creating mailboxes for everything should just use aliases that funnel to a single mailbox. So much easier to maintain than having to have a huge keepass db.
edit 2 employ dmarc if you want to see who is trying really game
I wrote my own code to tie it all together, but there are tutorials that show how to do pretty much the same thing if you do some searching.
I have my email stack running on linux in a cheap VPS.
The main problem most people run into is having poor ip and/or domain reputation with the large mailbox providers. (gmail, yahoo, etc.) It takes time and not sending email that looks spammy to build enough reputation to get delivery to the inbox and avoid being sent to the spam folder. You can get an idea of domain/ip rep by signing up for google postmaster tools and entering your domain and ip or block of IPs from which you are sending. If you are lucky when you sign up for a cheap VPS you will get an IP address that does not have a bed ruputation or at least no reputation.
My setup is only for my personal, non-commercial stuff.
You could also use a setup like this with integrated with something like AWS SES in order to mitigate bad IP reputation.
edited to fix a typo
Beyond that I don’t worry about this too much.
As a side note - amazed that iPhone autocorrect corrected my “owned” to pwned in above
So if I sign up for a service like amazon.com, my email address will be amazon.com@[my-spam-domain].com so I know exactly who is selling my email address. I do this for every service that asks for an email address.
I'd never use a "plus" email address from my main email account, which is far too easy for spammers to figure out my real email address from.
My message stats: You have 245 spamgourmet address(es). 827 emails forwarded, 28,605 eaten.
The #1 worst offender for selling my address was Yahoo, followed by the German magazine Der Spiegel, then Groupon. But my stats go back 20 years, so this may not represent current sharing activity. I also have many many examples of registering at all kinds of sketchy websites that have never used that temp address beyond the initial registration confirmation..
Sorting by created date, in the most recent 5 years, my temp addresses seem to be getting shared and re-used considerably less frequently, which probably correlates to the overall death of email, which is for old people, so I am told.
Because yahoo also hosted @yahoo addresses, it would have been pretty noticeable if they sold the addresses of their own users.
"EDIT:which probably correlates to the overall death of email, which is for old people, so I am told."
Still alive and kicking as the de facto passport of the internet.