by OmarAssadi 940 days ago
While it doesn't stop spam, I have been using a catch-all email system for a while now.

The benefit is that I know where someone got my email from, and I can then try to figure out whether the place has been compromised, or whether they're selling my email, etc. And I can just blacklist that particular address forever as well.

Previously, I just did whatever@mydomain.tld, but I've switched to something similar to blame.email [1].

This makes my emails look a little weirder, but it has stopped the weird looks I'd get when walking into a physical place, like my doctor, and telling them "Yeah, email me at <doctor's name>@<first><last>.com".

It also makes it less obvious that it's effectively a throwaway email, particularly combined with my domain; it looks fitting. And since each address is salted and hashed, it pretty much eliminates the risk of someone successfully trying to phish me by sending me an email to something like `paypal@<first><last>.com`.

Lastly, on my HN profile and elsewhere, I've got my "email", but despite them being unique, I still don't want to have to rotate it if it gets picked up by a spambot, so I've tried to do some plaintext simple "obfuscation" like in the article.

I went for <address> ~АТ~ <domain>.<tld> -- with the "AT" being Cyrillic rather than Latin - I figure at least some will get tripped up by not being able to use purely English regex.

So far, I have yet to receive any spam with that strategy. Maybe I'm lucky or just not getting indexed, or maybe it's working a little.

Still torn about how to handle Git or copyright/license headers, though; those addresses need to last a long time, in case anyone needs to reach out and ask for re-licensing/etc, and I figure it'd be annoying doing different emails for each repo.

[1]: https://news.ycombinator.com/item?id=31820502 / https://blame.email/


I have been using a catch-all for about 2 years now with great results. I hadn't thought of hashing/obfuscating the emails though. I think since I use a password manager anyway, I could just generate a random 6-8 character prefix when signing up for a new account, and since it's saved in my password manager it's easy to look up again later (no need for a true hash).

> I think since I use a password manager anyway, I could just generate a random 6-8 character prefix when signing up for a new account, and since it's saved in my password manager it's easy to look up again later (no need for a true hash).

Yeah, same. I store all the addresses in KeePass.

The main reason I don't just totally randomize them is just that there have been a few moments where I do have my salt somehow, but for whatever reason, it is either inconvenient or impossible to immediately open up the password manager and add a new entry.

In those moments, being able to deterministically generate the address and then add it at my leisure without having to double-check what I used is nice.

It also likely wouldn't happen to me, but should I ever somehow lose/lose access to both my old emails and my password manager, as long as I have my salt, I can still "remember" my email addresses for important services (e.g., PayPal or whatever) to re-generate the addresses and reset my passwords.

Whatever route you go, be it randomized addresses or hashed addresses, even though I think I am more vigilant and careful than most, it's still nice having an extra layer to the catch-all that can't easily be targeted by someone malicious without first either somehow obtaining your salt, compromising the service, etc; it's handy being able to immediately filter and flag anything relating to my bank or whatever else if it isn't sent to the right address.

I just append 4 random characters to the email, e.g. domain.com-xy3j@myname.mail. I have to explicitly configure an alias for each of these addresses - this prevents someone from guessing a correct address for a different domain.

If spam arrives, I can block that specific address and use different random characters to live in peace again.

Keeping the domain readable makes it easier to explain to people that they must’ve “lost” my email address somehow.

This is something I think about a lot too. I’m interested how you handle verbally communicating an address? Most people probably don’t expect a completely random string. I wonder if there could be an easy “word-sounding” generator that could be integrated into something to manage emails?

> I’m interested how you handle verbally communicating an address?

It depends on how off-guard I'm caught and how important it is to me. I usually have my phone, which has my KeePass and email salt inside, and I usually have at least enough battery to last a conversation, so it's rare that I can't generate the proper email address in <30 seconds in most scenarios.

But yes, having like, 5e5ee440@<domain>.<tld>, has definitely resulted in a few "can you repeat that?" or "just to confirm?" moments (especially over the phone since audio quality often sucks). That said, for whatever reason, people are still seemingly less surprised by "5e5ee440@" vs. "<your place of work>@".

On the rarer occasions where I don't at least have my phone or something, if it's something I know I can update later, I'll tell them whatever is easy to input and remember; I separate emails to unknown recipient addresses, but I don't completely reject them outright, so it's not usually an issue pulling out the confirmation email or whatever later, and then updating the address.

However, if I don't have my phone, and I don't know how easily I could update the email, then it depends more. For example, my doctor wants an email on file for whatever record-keeping reason and for sending appointment confirmations and such. In that scenario, I don't know that I'd necessarily be able to easily change it without going in/calling them.

The first time, I did give them <doctor's practice>@domain.tld, because I figure, despite being an important email, it's unlikely that it'd get abused; if someone somehow knows my GP's full name and practice, and is using it maliciously, I've probably got bigger worries than getting a phishing email sent to it or whatever else.

The second time, though, I just asked her to email me the contact update form and told her I'd send it back with the proper email inside.

> I wonder if there could be an easy “word-sounding” generator that could be integrated into something to manage emails?

I figure you could do something similar to like the horse-battery-stapler XKCD meme or bitcoin wallet seed phrases, if you wanted to avoid the "sorry, can you repeat that?" moments.

But it might be slightly more annoying to deterministically generate those, if you care about that aspect, compared to simply salt+hash & truncate. If you find a good method, let me know, though.
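An added example, not code from the thread or from blame.email, of the "salt+hash & truncate" scheme OmarAssadi describes (a deterministic per-service address like 5e5ee440@domain) together with a word-list variant for the "word-sounding" question above, plus the defender-side check that flags mail sent to a guessable local part such as paypal@. The salt, domain and word list are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed sample values (assumptions, not from the thread): keep a real salt secret.
SALT = b"example-secret-salt-keep-private"
DOMAIN = "example.invalid"
# Demo word list: 16 words = 4 bits per word. A real list should be far larger
# (e.g. 2048 words = 11 bits/word) so three words carry meaningful entropy.
WORDS = ["apple", "brick", "cloud", "delta", "ember", "flint", "grove", "harbor",
         "ivory", "jungle", "kettle", "lemon", "marble", "nickel", "orbit", "pepper"]


def derive_tag(service, salt=SALT):
    """Keyed hash of a normalised service name. HMAC rather than plain hash(salt+name)
    so leaked tags do not help anyone recover the salt or forge other addresses."""
    return hmac.new(salt, service.strip().lower().encode(), hashlib.sha256).digest()


def hex_address(service, length=8, salt=SALT, domain=DOMAIN):
    """Deterministic per-service address, hex-truncated as in the thread (8 hex = 32 bits)."""
    return f"{derive_tag(service, salt).hex()[:length]}@{domain}"


def word_address(service, n_words=3, salt=SALT, domain=DOMAIN, words=WORDS):
    """Pronounceable variant: map leading hash bytes onto the word list, still deterministic."""
    tag = derive_tag(service, salt)
    chosen = [words[b % len(words)] for b in tag[:n_words]]
    return "-".join(chosen) + "@" + domain


def classify_recipient(rcpt, expected_service, salt=SALT, domain=DOMAIN):
    """Inbound check for a catch-all: which address did the sender actually use?"""
    local, _, dom = rcpt.rpartition("@")
    if dom != domain:
        return "not-ours"
    if rcpt == hex_address(expected_service, salt=salt, domain=domain):
        return "matches-service"          # sent to the address this service was given
    if re.fullmatch(r"[0-9a-f]{8}", local):
        return "unknown-tag"              # hashed form, but issued to some other service
    return "guessable-local-part"         # e.g. paypal@domain: flag as likely phishing
```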

I've been doing this for a few years and I think I've had a single organization use the email in a way I was surprised about (used car dealer gave it to Sirius radio and they spammed me). I get far more spam directly from orgs, which is annoying but expected, and they usually honor unsubscribes, so I've never blocked one of my addresses. At the end of the day I don't think it's been worth the effort, and I'm considering switching to a single public email address that I just expect to receive spam.

This is all making me wonder if email should have been more like some modern messaging systems with friend requests that aren't transferable from one person to another (i.e. a friend can't tell someone else your handle and let someone else message you) rather than the phone system of "if you know the number you can call".