Many hackers will remove addresses that are obviously unique, including tags, to keep silent which database has been hacked, but it seems inconsistent.
I have checked and known my address was in a hack and it isn't there, while other times it is there. I also wonder if they start filtering out by domain, as they see a domain across multiple databases with unique addresses in each database exactly one time.
Yes, without exception. I want to know who is leaking/selling my address, and usually stop doing business with those who do. It also makes filtering really easy. People sometimes have strange reactions when I verbally give them an email address with their company name in it, especially when I'm a new customer.
All you need is a domain and an email provider that allows catch-all addresses, both of which are easy and cheap.
I always see people claiming they use this strategy, but I never ever ever see people blaming services saying "this and this company sold my data to spammers". Where are the name-and-shame people? Have you ever caught anybody doing anything?
It's hard to distinguish between leaking and selling, but I think leaking is much more common. Dropbox famously leaked a lot of emails in ~2012, including mine - I was never a paying customer and that put me off becoming one or using them (to this day most spam sent to my domain is to that Dropbox address). Two local PC parts companies leaked or sold my email. I confronted one about it and they claimed they hadn't had a data breach, so either they sold it, or they were too incompetent to know they'd been hacked, or they lied - I suspect incompetence but whatever happened they lost my business. A couple more incidents long ago too.
Real estate agents can be pretty aggressive with emailing, but IME respect unsubscribes and don't seem to share/leak emails. I kind of wish I'd used an address per agent instead of per company to see what was happening better.
Non-company uses can also reveal issues. I had an address scraped from a flatmate finding site, and one apparently lifted from a relative's contact list somehow (I only have one I use for family, so that was a concern, but spam to it petered out quickly).
Yes, I was one time suddenly getting wine ads on an E-Mail for a service I signed up. I contacted the service (rather unfriendly) and they apologized and the unwanted E-Mails stopped.
It's a separate address that can have its own mailbox if need be, but unless you want to keep meticulous records on the go, and refer to them constantly, some sort of pattern is required.
Yeah we run this on our own Proton Mail whitelabel, and for a few customers who have us manage it, mostly for the filtering aspect, and the occasional customer who has the wrong/mis-spelled address in their system and won't change it.
Same here, only issue I’ve ever had was when my email address had the name of the company in it in the format of spamlklcompanyname@domain.com
CS people are sometimes confused by that and I’ve been accused of attempting to hack them by a small shop online because of my email.
Major SMTP provider refused my email address as login because of this. Luckily my moaning eventually made its way to one of their developers who fixed it.
You can't sign up for a Samsung account with the name Samsung anywhere in your e-mail address. Aliexpress another offender. There my email is just spam@domain.
2. Buy a /24 ipv4 block with good reputation (maybe like $10k)
3. Get a rack in a nearby datacenter, rack up a BGP-capable router and your servers for redundancy to run email. Takes about $30k initial setup costs if you buy all new, and about $5k initial setup costs if you cut corners and buy used. It'll be $2k/mo after that, so less than the cost of 1 $100 avocado toast per day, quite affordable.
4. Set up your mailserver of choice, such as dovecot + postfix. Enable either a catch-all address, or use recipient_delimiters. The former means "anything@domain.com" works, and the latter means "user-anything@domain.com" works (assuming your recipient_delimiters are '-'). I recommend using a real catchall.
5. Set up your spam setup, this is the hardest part. I have no guidance here.
6. Point your DNS over, set up SPF and DKIM records, test, and off you go! This should all take about 1 to 3 days if you know what you're doing.
7. Find out that some email will go to spam anyway because you're not using one of the big 4 email providers, but it can't be helped, and anyway no one uses email anymore.
And after that, for less than $30k/year, you have email with catchall or subaddressing support. Nice and easy.
Then, after you do this, you can simply give internet archive the email address "internet-archive@mydomain.com", or generate a random string. If you forget the email you used, you can search your email history for the first email they sent you, and check the To field.
This is hacker news, we're all either founders who have 2 billion dollars in (illiquid) stock options, or FAANG employees making 600k/year, what else are we going to do if we want email?
Sure, you could pay fastmail $40/year for this, but that's not really the hacker news spirit, and no one on this site knows how to count as low as $40.
The real justifications you can give yourself:
Shared VPS hosting pretty much all bans email, AWS, DO, etc all have ToS that say "no email" as anti-spam measures.
Shared IP space will go straight to spam due to people having spammed on it in the past. Buy a /24 to ensure you don't go straight to spam.
Rackspace ensures you actually own your email, at least moreso than with other shared hosting, and owning your email is important.
For the “least painful” self-hosted email setup, you can’t be hosting on an IP in a subnet that’s ever sent spam, if you want to avoid being blackholed occasionally. This means you can’t have an IP allocated to you by a hosting provider, or a residential ISP, or a “business” ISP, or any cloud provider. That leaves very few options.
Note that I am speaking from personal experience here. I have been self-hosting email for over a decade, from the same IP, with (roughly) the same DNS records. Occasionally, for no reason, I will end up on the global spam list for Gmail, Outlook, or iCloud - never more than one at the same time, and never with a discernible reason. The best I can figure is that the IP is allocated to me by a hosting provider that occasionally sends out spam from its subnet (aka any hosting provider that doesn’t block smtp). I have also tried self-hosting a different mail server from a variety of residential IPs in different cities and countries, and ran into the same problem.
Some providers allow you to use Alias emails (I think google redirects mail to ia+mymail@gmail.com to mymail@gmail.com), and if you use your own domain, you can just use a catchall redirect and enter a random address (ia@mydomain.com which goes to catchall@mydomain.com).
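The attribution step this thread relies on (one address per service, then checking which address a message arrived at) can be scripted. This is an added example, not code from any commenter; the domain `mydomain.example`, the base mailbox `user` and the `ISSUED` record of which service was given which tag are assumptions, and the messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "mydomain.example"      # assumed catch-all domain
MAILBOX = "user"                    # assumed base mailbox for subaddressing
DELIMITERS = "+-"                   # user+tag@ and user-tag@ styles
# Constructed record of which service was given which tag.
ISSUED = {"shop": {"shop.example"}, "ia": {"archive.example"}}

def tag_of(address):
    """Return the per-service tag in a recipient address, or None."""
    local, _, domain = address.lower().rpartition("@")
    if domain != MY_DOMAIN or local == MAILBOX:
        return None
    for delim in DELIMITERS:
        prefix = MAILBOX + delim
        if local.startswith(prefix):
            return local[len(prefix):] or None
    return local                    # catch-all: the whole local part is the tag

def from_expected_sender(sender_domain, tag):
    """True if the sender domain (or a parent of it) was issued this tag."""
    allowed = ISSUED.get(tag, set())
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)

def find_leaks(raw_messages):
    """Map each tag to the sender domains that were never given that address."""
    leaks = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        # From is unauthenticated, so a match is only a hint; a mismatch is the signal.
        sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
        for _, rcpt in getaddresses(headers):
            tag = tag_of(rcpt)
            if tag and not from_expected_sender(sender, tag):
                leaks.setdefault(tag, set()).add(sender)
    return leaks

SAMPLES = [  # constructed messages
    "From: news@shop.example\nTo: shop@mydomain.example\nSubject: order\n\nhi",
    "From: promo@pills.example\nTo: shop@mydomain.example\nSubject: deal\n\nhi",
    "From: a@mail.archive.example\nTo: user+ia@mydomain.example\nSubject: x\n\nhi",
    "From: win@lotto.example\nTo: User <user-ia@mydomain.example>\nSubject: y\n\nhi",
]

if __name__ == "__main__":
    for tag, senders in sorted(find_leaks(SAMPLES).items()):
        print(f"{tag}: unexpected senders {sorted(senders)}")
```

A flagged tag only shows that the address left the service it was issued to; it does not distinguish a breach from a sale or a scraped contact list.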
1/ Buy a domain of your choice
2/ Register an account on Migadu.com and pay them $20/year
3/ Configure your domain nameserver with the settings provided by Migadu
4/ Done.
Voluntary sharing, since afaik they don't pay the criminals to get the data. Either the criminals share it directly (fat chance, usually), or someone else bought it and shared it either publicly, privately with HIBP, or privately with someone who then reported it to HIBP
How this specific instance unfolded, time will have to tell. The leak may have occurred in 2020 for all we know at this point
There is a strange dynamic between the threat actors who conduct these breaches and researchers.
When not used for extortion and for "status" in the hacking community, they share them with researchers (commonly HIBP) to warn people about a site's security and so that site is forced to fix things.