by talove 3279 days ago
I've had a catch-all for *@mydomain.com forward to my primary email address for 10+ years. In that time I signed up for services and websites with [domain]@mydomain.com thinking I'd catch all those dirty scoundrels selling my email address and have an easy way to filter unwanted mail.

But you know what really happened? I wound up with hard to remember email logins and caught less than a handful of services sharing my email address without my permission.

It wasn't worth it.

21 comments

I did that, too. Used a catch-all and just subbed to things with a new e-mail address, relying on the catch-all to put it all into one box.

Big mistake.

First off, I got FLOODED with e-mail bounce-back spam because spammers send e-mail with forged From: headers and I'd get all the errors.

Second, I discovered that nobody is actually selling my e-mail address except for one gaming forum I used years ago. Not even Facebook has sold my e-mail address.

Third, I've run into issues when replying to e-mails. I filed a support ticket with a company once, where the e-mail address I had registered with them was company@mydomain.com. They responded via e-mail, and when I replied to said e-mail, their ticket system rejected it since the From: address was my main address of myname@mydomain.com.

Now that I want to just switch to a single e-mail account with gmail, I find myself needing to try to find every e-mail address I've used @mydomain.com and changing them with the website. Meh...not worth it.

> Not even Facebook has sold my e-mail address.

Won't FB be among those least likely to sell your email address? FB has tons of ways to make money using your data. Your email address offers very low marginal utility over all the rest of your data.

FYI you've used marginal utility incorrectly in this context. I think it would be better to say a low return.

"thus the marginal utility of a good or service is the change in the utility from an increase in the consumption of that good or service." [1]

[1] - https://en.wikipedia.org/wiki/Marginal_utility

Facebook would rather BUY users' e-mail addresses in bulk.

You could have solved the second problem by storing the email with the login and password in a password manager. Maybe they were not a thing yet when you started this experiment.

The third problem is more serious. I use Thunderbird. I googled and there are a couple of addons that make it easy to edit the From address without having to create new Thunderbird identities.

https://github.com/absorb-it/Virtual-Identity

https://freeshell.de//~kaosmos/index-en.html#editsender

Both are somewhat unsafe, one because of the site certificate, the other because of the download site.

The first problem looks like a showstopper though.

Why do you need addons for it? Thunderbird allows changing the From address by default. ("customize address" in the identity combobox)

I never noticed that, thanks. I googled and found it's been there since Thunderbird 45, April 12, 2016.

Yeah, I started this back in 2003. I imagine password managers existed back then, but they certainly weren't as common.

These days I don't even use Thunderbird. I just have gmail retrieve all my e-mail from my POP3 server. Though FWIW, I still have Thunderbird installed with all my e-mail going back to 2003. I imagine there's a way I could capture every e-mail address I've used then manually go to each web site and change my registered e-mail address.

Hi Sohcahtoa82, selling might not happen that often (fortunately), but data leaks happen very often (see http://breachlevelindex.com/ for example)

This is exactly what I do, and it's worked beautifully for me. (domainname)@mydomain.com is pretty standard/easy, and storing it in a password manager makes it even easier.

Same here. Sometimes I'll also add the date when I entered the address in a form. For instance, the last time I registered to vote, I used YYYYMMDD-ca-voter-registration@mydomain.org. During the last election cycle, I caught a few California politicians harvesting my address and adding it to their email lists.

Ironically the CAN-SPAM Act only prevents commercial entities from doing this, however shady the practice may be. Political emails are protected free speech and AFAIK the means by which addresses are obtained is irrelevant.

Tangential question - I've been meaning to set this up - how are you hosting your own email domain? Fastmail/Gsuite/self-hosted?

Not the poster you replied to, but I use Fastmail.

If your Fastmail address is dfinniger@fastmail.com then you can randomly create emails like:

some-domain@dfinniger.fastmail.com

and it will automatically send them to your main email.

It's very convenient, and the cost per year is likely to be less than your hourly rate multiplied by the number of hours it'd take to set up self-hosting.

I use G Suite for one domain (because I was grandfathered into a free plan) and Zoho for others. IMAP is a little faster in Zoho, and I haven't seen a difference in reliability. The Google web interface is much better, though.

G-Suite in my case. I use service-specific emails and then remember them via autocomplete or a password manager.

Companies/organisations whose data leaks I have discovered through spam to single-use addresses:

  * monster.com
  * linkedin
  * Pragmatic Programmers (pragprog.com)
  * audioscrobbler (now part of last.fm)
  * The London Cycling Campaign
  * The Economist's subscription department
  * Dropbox
  * Adobe
  * ...

The list is long!
You need to discern between companies nefariously sharing your email without your permission and those that were the victim of hacks. Dropbox and Adobe were, of course, both thoroughly penetrated and the exfiltrated logins including email addresses are widely available.

These aren't small numbers, either. We're talking about 68 million logins for Dropbox and 150 million for Adobe. To put those huge numbers in perspective, combined that's over half the population of the USA.

"But you know what really happened? I wound up with hard to remember email logins and caught less than a handful of services sharing my email address without my permission."

Can you elaborate ? I have been meaning to set up just such a mechanism as it has always seemed like a good idea ...

It seems like "rsync.net@example.com" would be very easy to remember and associate with the site (rsync.net, in this example) ...

I've been using the same system with my own domain for several years now, and unlike the OP, I've seen many unique emails get on to spammer lists. My blocklist of emails has got quite long!

As you say, using a password manager, or just picking a nameOfService@example.com style of email, means remembering the email addresses is pretty easy. n.b. you may need to also set up your email client to let you send emails with a customisable address too.

Spammers who send stuff to randomAddressTheyMadeUp@example.com can be mostly blocked because these tend to have a messy jumble of text and numbers - I use a simple regex to throw away these kind of spams. I use procmail to do the blocking, but I'm sure there are many other tools that would work just as well.

Not sure what he meant, but that's the system I use and I've never forgotten a login yet.

I wish I could do this with my phone number.

I toyed with the idea of using a catch-all, but couldn't get around the problem of having to occasionally send mails from the address (e.g. for customer support, etc - as another commenter mentioned).

Recently I came up with another solution that I know some have used:

Stick to one email address and have a whitelist. Anything not in the whitelist is "spam" (including irritating LinkedIn emails, etc). If I get email from anyone not in the whitelist, they get sent an email with a website link asking them to confirm their identity by submitting their email address. Once they do that, they are whitelisted and all their quarantined emails show up in my inbox.

The only remaining part is constructing that whitelist. I wrote a script to go extract all the From addresses and just dumped them in there. So people who've emailed me in the past will not deal with going to the website to confirm their identity.

If I get email from an entity I no longer want to see in my inbox, I press a keystroke to remove them from the whitelist. Likewise, if I go to my quarantine folder and see an email I'd like to whitelist, it's done with a keystroke.

Been using it for less than a month, and it is quite effective so far.
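The whitelist-and-challenge flow this comment describes, as an added Python sketch (not the commenter's own script): seed the whitelist from the From: addresses of archived mail, quarantine anything else, issue one challenge per unknown sender, and release held mail once the sender confirms. The archive and incoming messages are constructed samples.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). ARCHIVE is past mail used to
# seed the whitelist; INCOMING is what arrives afterwards.
ARCHIVE = [
    "From: Alice <alice@example.org>\r\nSubject: hi\r\n\r\n1\r\n",
]
INCOMING = [
    "From: Alice <alice@example.org>\r\nSubject: again\r\n\r\n2\r\n",
    "From: Bob <bob@example.net>\r\nSubject: hello?\r\n\r\n3\r\n",
    "From: Bob <bob@example.net>\r\nSubject: still there?\r\n\r\n4\r\n",
]


def sender_of(raw):
    """Normalised address from the From: header (the whitelist key)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return parseaddr(str(msg["From"]))[1].lower()


class Gate:
    def __init__(self, archive):
        # Everyone who has ever written to me is trusted without a challenge.
        self.whitelist = {sender_of(m) for m in archive}
        self.inbox, self.quarantine, self.challenges = [], {}, []

    def deliver(self, raw):
        sender = sender_of(raw)
        if sender in self.whitelist:
            self.inbox.append(raw)
            return "inbox"
        first_contact = sender not in self.quarantine
        self.quarantine.setdefault(sender, []).append(raw)
        if first_contact:  # one challenge mail per unknown sender, not per message
            self.challenges.append(sender)
        return "quarantine"

    def confirm(self, sender):
        """Sender followed the link and submitted their address: trust them
        and move everything held for them into the inbox."""
        sender = sender.lower()
        self.whitelist.add(sender)
        self.inbox.extend(self.quarantine.pop(sender, []))

    def block(self, sender):
        """The 'remove from whitelist' keystroke."""
        self.whitelist.discard(sender.lower())
```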

> I toyed with the idea of using a catch-all, but couldn't get around the problem of having to occasionally send mails from the address (e.g. for customer support, etc - as another commenter mentioned).

You know, the sender header is just a text string... What stops you from putting whatever e-mail alias you registered with as sender, for those occasions?

>What stops you from putting whatever e-mail alias you registered with as sender, for those occasions?

Cognitive load. I don't want to:

1. Think about it.
2. Figure out which email address goes with which To: field.
3. Find a way to automate all this.

In the end, my solution would be less work to get rid of unwanted emails than using a catch-all. Why should I do the extra work in maintaining the system, when the sender can do the tiny amount of extra work instead? More fundamentally, why should anyone feel they have the right to just insert anything into my inbox? I should control the inbox - not them.

I too have had a catch-all @mydomain for around 10 years and it works beautifully for me. In addition to @mydomain I also have 2 email addresses. My main email that I give directly to places I trust like my bank and the second one I direct all my @mydomain email to. This way I only have to remember 2 email addresses, no matter how many @mydomain email addresses I have created (many hundreds by now).

By default I only ever receive a limited number of emails from any new emailx@mydomain, unless I explicitly go to @mydomain and allow a specific emailx@mydomain to pass that limit.

My only irritation is that some vendors block @mydomain as a valid email address, in which case I use an ancient email address in its place. Needless to say that vendor will never see my main email.

On the other hand, having a unique address for each site means they can't readily correlate your identity when selling information about users. (They're not gonna special-case your catch-all.)

Just make sure your catchall is renewed well into the next five years. Heck, you can do a 'rollover renewal' that lasts 10 years if you wanted.

This is to stop somebody eventually gaining control of the domain when it expires, setting up a catchall on it, and then being able to login to every single account you used with that address.

Some registrars protect a domain after expiration so nobody can hijack it and claim it as their own, but you often have to pay extra for this service.

It was worth it until large hack attacks stole the database of one of the mailing-list companies (forgot the name) -- then spam started pouring in on many, many legitimate addresses...

Only downside is when a company merges or renames: if it merged I end up with two accounts which each have half of the history; if it renames -- hard to remember the original email (recent example: Wayfair's old name was something else).

Now, I'm switching to single email -- it's just simpler

I do not use catch-all addresses, but use a version of [domain]@mydomain.com by adding new email addresses (aliases) in an automated way. I "remember" the used email addresses in two ways: 1) my mail server configuration contains a list of all aliases created in the past, 2) my password manager saves logins on top of that. The nice side effect is that you keep track of all the sites you have ever created logins at.

Fastmail has an elegant solution for this called subdomain addressing. For example, let's say your email address is joe@fastmail.com. You can use amazon@joe.fastmail.com or facebook@joe.fastmail.com, spotify@joe.fastmail.com, etc...

https://www.fastmail.com/help/receive/addressing.html

The username and password are saved in my password manager, so it's no hassle at all.

I do the same, except I also add some diceware words, to make the address harder to guess, and so I can update to a new address on leak.

I store it in a password manager, so remembering the address is no problem.

Sub-addressing is an easier way to do that.

If you use a "regular" character like "." as a separator virtually all sites will accept the email as valid vs using something like "+".

I always loved gmail for this. Still, I'd love to have it in my private email too. How can I set this up?

Highly dependent on the setup you have.

It's also a nightmare if/when you sell your domain, because you have to go clean up all those accounts. You can get one email forwarded by the new owner, but N is a no-go.

You are not solving the privacy problem. You can be easily identified by your custom domain, unless there are a couple thousand people using it.

That depends on your definition of "solution". The scheme protects you (to a certain degree) from automated creation of inter-site profiles. The reason is, only very few people employ (a variant of) this strategy, so trying to "deanonymize" is costly and usually not worth it economically.

> I wound up with hard to remember email logins

You could easily argue this is a symptom of a different problem.

With gmail you can do something similar without all that hassle. Let's say your email is johndoe@gmail.com; you can register any email as johndoe+whatever@gmail.com and Gmail will always ignore the + suffix and route to your johndoe@gmail.com address.

I'm sure anyone selling their users' email addresses will know about this and strip out the + suffix from any gmail addresses in their list.

Some websites consider email addresses containing "+" as invalid.

Doesn't BCC render this solution mostly useless anyways?

The mail has to get to you somehow. The way SMTP works is that there are two places your email address is usually used during email delivery:

1. Before the actual sending of the mail data, the sending server connects to your mail server and after a polite introduction sends 'RCPT TO: xxxx@yyyy.com'. This is where your unique-for-that-site email address is used.

2. Later on during the transmission, all the 'real' mail headers are sent, and this is where the To, From, Subject, and CC headers are set. If you were BCC'd there is no 'BCC' header, so the 'To' header normally has the mail address of the original 'To' recipient. Or in a lot of cases the 'To' header is omitted entirely. Depending on your mail client, you will either see your name in the To field, or something like 'Undisclosed Recipients'.

Spammers typically shake it all up, so that the 'To' header rarely matches the 'RCPT TO:' value.

In my bespoke anti-spam system, I re-inject the 'RCPT TO:' and 'MAIL FROM:' into the mail headers (prefixed with X-) so i can easily see in my client what is actually going on.
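An added Python example (not the commenter's bespoke system, nor the earlier commenter's procmail rules) showing the two ideas above: copy the SMTP envelope into X- headers so the client can see it, then route on the envelope recipient rather than the To: header, flagging the "messy jumble" local parts the procmail comment mentions. The envelope values, message, alias list and jumble regex are all constructed assumptions.

```python
import email
import re
from email import policy

# Constructed sample, not a real capture: the envelope the receiving MTA saw
# (MAIL FROM / RCPT TO) and the message data that followed. RCPT TO carries the
# per-site catch-all alias; the To: header is whatever the sender chose.
ENVELOPE_FROM = "bounces@mailer.example.net"
ENVELOPE_TO = "shop-example@mydomain.example"
RAW_MESSAGE = (
    "From: Newsletter <news@mailer.example.net>\r\n"
    "To: undisclosed-recipients:;\r\n"
    "Subject: Weekly offers\r\n"
    "\r\n"
    "Hello\r\n"
)

# Aliases actually handed out to sites (hypothetical list; in practice the
# mail server's alias file or a password-manager export).
KNOWN_ALIASES = {"shop-example@mydomain.example", "bank@mydomain.example"}

# Local part of 10+ letters and digits, both present, no separators: the
# "messy jumble" a spammer produces when guessing under a catch-all domain.
JUMBLE = re.compile(r"^(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]{10,}$", re.I)


def annotate(raw, env_from, env_to):
    """Re-inject the SMTP envelope as X- headers so the client can show it."""
    msg = email.message_from_string(raw, policy=policy.default)
    msg["X-Envelope-From"] = env_from
    msg["X-Envelope-To"] = env_to
    return msg


def header_recipients(msg):
    """Addresses the sender put in To:/Cc:; empty when BCC'd or undisclosed."""
    return {a.addr_spec.lower() for h in ("to", "cc")
            for hdr in msg.get_all(h, []) for a in hdr.addresses}


def classify(msg):
    """Route on the envelope recipient, never on the To: header."""
    env_to = msg["X-Envelope-To"].lower()
    if env_to in KNOWN_ALIASES:
        verdict = "known-alias"
    elif JUMBLE.match(env_to.split("@")[0]):
        verdict = "jumble"
    else:
        verdict = "unknown-alias"
    hidden = env_to not in header_recipients(msg)  # True for BCC/undisclosed
    return verdict, hidden
```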

lol. I have nico+domainname@domain.com , it's a standard alias used by google apps to forward to nico@domain.com

It's worth it and only 1 password

I'd think spammers would have caught on to that and would either start sending e-mail to nico@domain.com or nico+someotherdomainname@domain.com

You think spammers are people going through emails? It is all automated.

    s/+.*@/@/g

I don't think that would work, something like /(.)\+.(@.\..)/g might

Well obviously it's automated. I didn't mean manually finding name+domain@mydomain.com e-mail addresses and manually editing them to just name@mydomain.com.

I also use the respective domainname but instead of my given name I generate a short random sequence with pwgen.