
Catching Email Resellers with the + Sign - endyourif
http://www.endyourif.com/catching-email-resellers-with-the-sign/
======
Piskvorrr
Good idea; note however that not every site will let you input a valid e-mail
address when it contains a + sign. (This is always the site's fault, and
should be seen as a small red flag - perhaps they might be trying to evade
this technique?)

------
leephillips
This is one of many good reasons to set up your own mail server. You can
configure a "catchall" email address, then make up username components at
will, no "+" required. I make up a new email address for each organization
that requires one. This not only makes it easy to see who is selling your
address, it makes it simple to refuse mail to compromised addresses at the
early-stage SMTP level, or to trap machines attempting to send to those
addresses in a honeypot.

What has surprised me the most after doing this for many years is how _little_
address selling seems to be going on.

~~~
nexxer
I've been doing this for 7 years with great results and love the zero
configuration needed for registering at any site with a unique email address.

In the past few months, however, I've been getting spam that simply brute-
forces usernames across my entire domain, leading to hundreds and thousands of
spam emails per day. Gmail catches all of it but this makes looking for the
occasional false positive very difficult. I've lost a number of emails that
ended up in my spam folder between pages and pages of real spam.

~~~
leephillips
So you're using Gmail in conjunction with your own domain? I find that the
vast majority of spam comes from dynamic IPs and known spammers. Using the
spamhaus blacklist catches almost all of it.

------
codva
If you enable catch-all addresses on your email account, don't you open
yourself up to dictionary spam attacks on your domain? I've woken up to 20,000
incoming emails targeted at my domain. It's not fun. Granted, this was years
ago, maybe dictionary attacks are no longer in vogue? I just use
mailinator.com anytime I need a one-off email address for a web registration.

~~~
leephillips
Yes, that is a drawback. Running your own mail server means implementing anti-
spam strategies as well. I find that the spamhaus blacklist, which includes
blocking dynamic IPs, eliminates practically all spam.
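
An added example, not code from any commenter in this thread: one way to keep per-organization addresses on your own domain without accepting every guessed local part is to issue addresses that carry a short HMAC tag and check it at RCPT time. The key, domain, `.` separator, tag length and function names are all assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: private key stored on the mail server
DOMAIN = "example.org"             # constructed domain
TAG_LEN = 6                        # hex characters of the HMAC kept in the address
REVOKED = {"shadyshop"}            # organizations whose address leaked or was sold


def _tag(org: str) -> str:
    """Short keyed tag; cannot be computed without SECRET."""
    return hmac.new(SECRET, org.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def address_for(org: str) -> str:
    """Address to hand to one organization at signup."""
    org = org.lower()
    return f"{org}.{_tag(org)}@{DOMAIN}"


def check_rcpt(rcpt: str) -> tuple[bool, str]:
    """Decide at RCPT TO time whether to accept; returns (accept, reason)."""
    local, _, domain = rcpt.lower().rpartition("@")
    if domain != DOMAIN:
        return False, "not our domain"
    org, sep, tag = local.rpartition(".")
    if not sep or not org:
        return False, "no tag (guessed or stripped local part)"
    if not hmac.compare_digest(tag.encode(), _tag(org).encode()):
        return False, "bad tag (guessed local part)"
    if org in REVOKED:
        return False, f"address given to {org} was revoked"
    return True, f"issued to {org}"


if __name__ == "__main__":
    # Constructed recipients: one issued address, one dictionary guess,
    # one with the tag stripped, one revoked after it started getting spam.
    for rcpt in (address_for("acme"), "info@example.org",
                 "acme@example.org", address_for("shadyshop")):
        print(rcpt, check_rcpt(rcpt))
```

The reason string on an accepted message names the organization the address was issued to, so mail arriving from an unrelated sender shows which signup the address came from.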

------
dougb
I'm sure email resellers will start filtering out \+.* from email addresses.

I run my own qmail. I have it configured to ignore everything after '.'. Since
a lot of companies use first.last@company.com I'm pretty sure they can't just
remove \..* from all the email addresses.

------
givan
I make any non-critical signup with mailinator.com; they even have alternate
domain names for signup forms that check for mailinator emails.

I use my real email only on services that I trust that will not spam or sell
it.

