[petcat]

> Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address.

I think a lot of services will "de-alias" the email addresses from these tricks to prevent alts, account spam, and to still target the "real" account holder email. So the old tricks like "<name>+<website>@<host.com>" is not considered a unique email from "<name>@<host.com>". Unless your site-specific emails are completely new inbox aliases, then I don't think this is as effective as people think it is anymore.

[overlordalex]

The way that this is done these days (and likely what the author did/does) is that you use a custom domain to receive mail; you provide an email like service@custom.com, and that way when service@ starts receiving spam you know exactly where it comes from

[ValentineC]

^ I've been doing this with catchalls since before Google Apps for Domain was even a thing.

Sometimes customer support staff bring up "oh, do you work at <company> too"? I just tell them that I created an email address just for their company, in case they spam me.

[tamimio]

> up "oh, do you work at <company> too"?

Oh boy, I had many of these conversations and especially non technical people never grasp the concept, I had some cases where they demanded to change it and use a “real email like gmail!!”, one time I bought shoes and the store guy asked me the email to signup for whatever, so I read the shoe’s name and added the custom domain, gave me the the look as if I am bullshitting him. Another at a government connected agency and she thought “I work there because I have the agency email” despite it is the alias not the domain.

But similar to OP, few times I found the service is leaking my email, or they got compromised who knew.

[anonymousiam]

I've got a few dozen domains, and primarily use two of them for business interactions. One is a catchall, while the other requires me to create explicit email addresses (or aliases).

Aside from issues such as the business entity (sometimes silently) prohibiting their name in my email address, I have sometimes encountered cases where part of the email validation process checks to see if the email server is a catchall, and rejects the email address if it is. It takes a little extra effort on my part to make a new alias, but sometimes it's required.

Lots of organizations (such as PoS system providers) will associate an email I provided with credit card number, and when I use the card at a completely different place, they'll automatically populate my email with the (totally unrelated) one that they have. Same goes for telephone numbers.

I've had many incidents similar to the author. More often than not, it's a rouge employee or a compromised computer, but sometimes it is as nefarious as the author's story.

[fmajid]

Wildcard email addresses will subject you to a torrent of spam when spammers try dictionary attacks against your domain. It's better to explicitly create aliases, I built a web UI for Postfix to do this for myself and family (https://GitHub.com/fazalmajid/postmapweb)

[aendruk]

> checks to see if the email server is a catchall

How is this possible? Do they test sending to a few random addresses?

[fmajid]

I am more specific: if I start receiving pornographic spam like I did to the address I gave Dell, I will know they have been hacked.

I will also not hold my breath waiting for the legally required breach notification they are supposed to send.

[aaomidi]

Take it a step further and do uuid@

[fragmede]

yes, but service is too guessable, so append a randomly generated nonce as well, eg service_rjfh34@example.com. It doesn't need to be cryptographically random, just non trivially guessable to prove the service is leaking email addresses.

[QuantumNomad_]

iCloud has a great feature that allows you to generate unique aliases on the fly quickly and easily. For example when signing up for new services via the web browser on iOS, you can generate a new address with the click of a button.

Many years ago, before I started using iCloud Mail, I was running my own email server and had it set up to forward everything sent to any address on my domain to my inbox. The advantage was that I could invent random aliases any time I wanted and didn’t even need to do anything on the server for those emails to get delivered to my main inbox. The very big drawback as I soon experienced was that spammers would email a lot of different email addresses on my domain that never existed but because I was going catch-all, would also get delivered to my main inbox. They’d be all kinds of email addresses like joe@ or sales@ or what have you. So apparently they were guessing common addresses and because I was accepting everything I’d also get tons of spam.

[sdevonoes]

The downside of such iCloud aliases is that you cannot send emails from there (you can only reply to emails, and ofc receive emails)

[QuantumNomad_]

True, and there has been a time or two where that has been inconvenient for me as well.

Initial account creation confirmation email, and maybe even some newsletters, were sent from noreply@ some domain. Responding to such an email address directly will likely either bounce or be silently dropped on their side, as indicated by them using noreply as the sender address.

The website might say to email support@ their domain. But because like you point out iCloud alias addresses cannot be used as sender when composing a new message, and I don’t have any past received emails from that address, I can’t email them using the same alias email address that I used to create an account.

And of course if the account belongs to jumping.carrot-1j@icloud.com and I instead send an email to them from a different sender address, then they will be sceptical about whether it really is the account owner trying to get in touch or some impostor. Assuming they don’t completely ignore the email on that grounds, you might eventually get support if you are able to either answer questions from them about past invoice amounts and dates or similar, or if they are willing to email the original account owner address from their support address. But it’s extra hassle, if they even bother to respond at all.

Fortunately most websites have a contact form or similar to get in touch with their support, but there are a few sites that have an email address as the only way to contact their support.

[mjlee]

I use Fastmail with my own domain and 1Password. Together they give me a “masked email” button for forms that generates a random enough email address (two common words and four digits) and records the domain it was for. You can also create them ad-hoc from Fastmail’s interface.

As well as simply attributing leaks, it’s most valuable as a phishing filter. Why would my bank ever email an address I only used to trial dog food delivery?

[garciansmith]

Yeah, Fastmail's aliases are great. I used to do things described by some other commenters, like myemail+nameofservice@ and whatnot, but this way the email is automatically generated and you don't have to put any thought into it.

[Jaxan]

I just do <website>@<myhost.tld>. It is sometimes confusing by when interacting with customer support ;-)

[OptionOfT]

Yes ma'am, my email address really is bofa.com@<optionoft's-lastname>.com

No I'm not trying to hack you.

Which in hindsight is also what a hacker would say. I can't win...

[zephen]

Where, of course, 'bofa' is merely short for 'bofetada.'

[jnettome]

On top of it my email address is .me so is very common to when I finish spelling my e-mail, people waiting for .com

[noAnswer]

There are some big brain companies who will block you if their name appears in the email address. Like Discord. You can create an account, with discrod@example.com. But a seconde later you will get an email that your account got band.

They know their way around IT security! /s

[anonymousiam]

What you say is often true, but in the case of Discord, at least in my case, you are wrong. My Discord email address is discord@xxx.com, and I am still receiving emails from them.

[noAnswer]

It happend to me when i created my account in 2025. Within seconds of verifying the address I got a email that my account was band for TOS violation. I than created a seconds account (within minutes from the same IP) only writing "dc" instead of "discord" and that worked. ¯\_(ツ)_/¯

[anonymousiam]

Apparently they (unlike other entities I've dealt with) did not go back and review all of the existing, valid email addresses in their user database.

It's always an unpleasant surprise when some company terminates a years-old, active and valid account because of a stupid policy change on their part.

[Semaphor]

I had one website forward my mail to their legal department who asked me why I’m impersonating them :D Only required a short explanation though.

[Kab1r]

I've had this a couple times too

[phyzome]

I often get asked whether I'm a fellow employee.

[theandrewbailey]

I have an account just like that at Best Buy with my domain. The teenage cashier I gave it to thought it was cool.

[fg137]

Of course. I use Firefox Relay to generate a unique email address for every site where I have to use an email. That method hasn't failed me so far.

[tvbusy]

I use DuckDuckGo Email and it generates unique addresses that I can both receive emails (obviously) and reply to from that email. There's also an option to shutdown that address and never receive spam again.

[gruez]

> So unless your site-specific emails are completely new inbox aliases, then I don't think this is as effective as people think it is anymore.

Even if it's a "new" alias, I often see people[1] using simple schemes to derive the address, eg. facebook@mydomain.example. With cheap LLMs it's not hard to automatically guess what the underlying pattern is.

edit:

[1] ie. in this very thread

[nick-sta]

I personally do x@mydomain.com. It makes it very obvious when you start getting spam (I’m looking at you dji).