
Ask HN: Do you post your email address publicly? - mavsman
If you do, specifically on a personal website, how do you protect yourself from getting spammed all the time? Do you have another secret email address or special email filters you use?
======
avian
Yes. Years ago I realized that hiding simply doesn't work and now I just
assume that any existing email address is known to the spammers. I also assume
people's address books get scraped by malware, since I've seen email addresses
get spammed that were never published anywhere on the web.

------
patio11
Yes. For years I used a trivial brainpower challenge to prevent automated
scrapers from getting it ("My first name @kalzumeus.com"), but I added the
actual string last year and have no perceptible increase in spam as a result
net of Google Apps filtering.

------
muppetman
Spam filters have rendered the "Don't post your email in public" advice to a
relic from 10 years ago.

~~~
RandomBacon
Except Gmail's spam filters still have false positives and false negatives,
meaning I have to go through the spam folder once a week or less to make sure
I'm not missing anything important. I still need to avoid how much spam I have
to scroll through.

~~~
PappaPatat
False positives? For years I have not checked my gmail spam folders and
whatever I've missed, I did not miss it.

If your email triggers gmail's spam filter, you're doing it wrong. YMMV.

------
bitmedley
Encoding your email address to hexadecimal may prevent some less sophisticated
crawlers from capturing your email address.

mailto: -> &#109;&#097;&#105;&#108;&#116;&#111;:

abc@gmail.com ->
&#097;&#098;&#099;&#064;&#103;&#109;&#097;&#105;&#108;&#046;&#099;&#111;&#109;

Then instead of:

<a href="mailto:abc@gmail.com">abc@gmail.com</a>

Use this:

<a
href="mailto:&#097;&#098;&#099;&#064;&#103;&#109;&#097;&#105;&#108;&#046;&#099;&#111;&#109;">
&#097;&#098;&#099;&#064;&#103;&#109;&#097;&#105;&#108;&#046;&#099;&#111;&#109;</a>

Or this ("mailto:" also encoded):

<a
href="&#109;&#097;&#105;&#108;&#116;&#111;:&#097;&#098;&#099;&#064;&#103;&#109;&#097;&#105;&#108;&#046;&#099;&#111;&#109;">
&#097;&#098;&#099;&#064;&#103;&#109;&#097;&#105;&#108;&#046;&#099;&#111;&#109;</a>

source:
[http://www.wbwip.com/wbw/emailencoder.html](http://www.wbwip.com/wbw/emailencoder.html)

~~~
sebazzz
Wouldn't any decent HTML library, probably already used by the crawler,
convert that back to plain text?

~~~
onion2k
If you're crawling the web _looking for email addresses_ you're probably not
bothering to parse the HTML. You don't need to: you can just grab the email
from the raw response from the web server, along with any new links to follow.
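
A check of the point debated in this sub-thread, as an added example that is not from any commenter: it encodes an address the way the parent comment shows, then reports whether your own address is still visible as raw text, after character-reference decoding, and in an HTML parser's view of the href. The address and sample pages are constructed; the third page assumes the JavaScript concatenation approach described elsewhere in this thread.

```python
import html
from html.parser import HTMLParser


def entity_encode(text):
    """Encode each character as a zero-padded decimal character reference,
    the form shown in the comment above ('a' -> '&#097;')."""
    return "".join(f"&#{ord(ch):03d};" for ch in text)


class HrefCollector(HTMLParser):
    """Collects <a href> values as an HTML-parsing client sees them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # html.parser hands over attribute values with references decoded.
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def audit_exposure(page, address):
    """Report which views of your own page still contain your address."""
    collector = HrefCollector()
    collector.feed(page)
    collector.close()
    return {
        "raw_text": address in page,
        "entity_decoded": address in html.unescape(page),
        "parsed_href": "mailto:" + address in collector.hrefs,
    }


# Constructed sample data: a placeholder address and three ways to publish it.
ADDRESS = "abc@example.com"
ENC = entity_encode(ADDRESS)
SAMPLE_PAGES = {
    "plain": f'<a href="mailto:{ADDRESS}">{ADDRESS}</a>',
    "entities": f'<a href="mailto:{ENC}">{ENC}</a>',
    "js_concat": '<span id="c"></span><script>'
                 'document.getElementById("c").textContent = '
                 '"abc" + "@" + "example" + ".com";</script>',
}

if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        print(name, audit_exposure(page, ADDRESS))
```

Character references only hide the address from a reader of the raw bytes; any client that decodes references or parses the HTML sees it in full.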

------
danShumway
Yes.

My strategy is to have multiple, disassociated email addresses for each
service, not to keep a single address secret. There are a couple of steps to
this.

A) I don't use Gmail. People bring up the + strategy to have multiple emails
through Gmail; I don't think that works. I think most spammers will be smart
enough to remove the plus, and some sites outright ban it from being part of
your address. Treat your Gmail address like you only have one.

B) I do own my own domain(s) and can receive official email there. I use this
when I don't care about making my identity known (ie, on a resume, or a
publicly facing website, but do want to be able to filter email). The _prefix_
(prefix@domain.com) is the part of my address that matters, and I don't use
wildcard prefixes. This means I can generate unique prefixes that I know only
some people have access to, which means more public prefixes can get auto-
sorted to lower-priority folders (or disabled entirely in the case of a
targeted attack) so it's harder for people to spam me.

C) I also make heavy, heavy use of Fastmail's aliases for 3rd-party services.
I don't use my own domain(s) to sign up for 3rd-party services, because my
domain is a unique identifier that ties all of those accounts together.
Fastmail is a shared domain, and lets you generate completely unique
addresses, so I can sign up for a Walmart account and give them something like
`ilovecats@fastmail.com`. There's no way (I know of) for them to tie that back
to another account, so if I start getting spam at that address, I know 100%
for sure where it originated from. Every 3rd-party service gets a completely
unique email address that can't be associated with my other addresses.

The setup is still evolving, I used to just use Gmail, and I'm still migrating
some accounts from Gmail. But I've seen a lot of benefits so far, and I expect
to see more benefits as I flesh everything out more.

At the risk of straying into shill territory, I really like Fastmail, a lot.
For $5 a month I get really good integration with custom domains, all of the
aliases I mentioned above, proper IMAP support, a web interface that is
pleasant to use, and my data isn't being mined for advertisers or AI.

Yes, they have the whole Australia problem, but my threat model for email
doesn't include the Australian government. I use end-to-end encrypted
messaging for that.

~~~
newscracker
On Fastmail, you should be cautious never to let your Fastmail domain
addresses go (deleting them because of spam). Fastmail and a few other email
providers recycle deleted addresses within a few months. If someone else snaps
up your address, they could end up getting emails intended for you. I’ve seen
companies not having a coordinated system for managing such information. So
just changing your address on a company’s website doesn’t necessarily mean
that it’s changed in all their internal systems.

------
LinuxBender
Yes. I have dozens of domains that I use for email. I create throw-away
addresses per-site, per-use-case. If one of them starts getting abused, I
either remove the alias, or set up filters to only allow specific content to
that address. One of them is in my profile here.

As a bonus side effect, I can tell when a business or organization has either
been "pwned" or has otherwise sold my email address to other entities.

Some domains I point to fastmail so that family members have an alternate to
gmail. The remaining just point to my VM that runs postfix and drops all the
email into virtual mailboxes and I read them from the shell. This has worked
great for decades.

------
kbouck
Although not a direct answer to the question, with gmail you can add a unique
identifying suffix/tag after a + in the name part of your email:

eg: first.last+walgreens@gmail.com

And emails to that address still wind up in your inbox.

This can help to identify which source ultimately divulged your email to a
spammer (intentionally or otherwise).

While it would be trivial for spammers to strip this tag off, I've found
numerous instances of spam eventually being sent to the unique email I only
ever used at eg. the sporting goods store.

~~~
0-_-0
You can also add dots into random places, which can't be stripped
automatically. So you can have the email as.dfg.h@gmail.com as your "official"
email, and put random dots when you sign up for something. E.g.
a.sd.fgh@gmail.com. Now you can filter out email sent to a.sd.fgh@gmail.com,
or to any email that's not as.dfg.h@gmail.com. The spammers won't be able to
discover your original address.

~~~
heavenlyblue
They’ll probably just spam the non-dotted address.

~~~
kadoban
That would require a person looking, or specific code written to handle this
case, and knowing where it will and won't break the address.

I can also confirm that even more obvious schemes are not stripped by
spammers, from personal experience.

------
mod50ack
My main personal email (permanent address, essentially), I've got on my
website with a minimal brainpower test (essentially "[myname] @ [this
domain]") --- but I might get rid of that. My email is in its bare form on a
number of READMEs of things that I maintain. I've never had an issue with spam
because of it. I use Google Apps for hosting my domain's email.

------
s9w
I have mine in clear text on HN as well as on my personal site. And honestly I
barely get any spam at all. Maybe once a month or so. I don't know where
people get so much spam from.

~~~
avian
You’re using gmail which does the filtering for you.

~~~
s9w
I check my spam folder regularly. It's almost entirely false positives

~~~
avian
For a while now Google has been rejecting some mail they classify as spam at
SMTP delivery time. You don’t see mail they reject that way in your spam
folder.

~~~
s9w
huh, interesting

------
shivekkhurana
I have a separate public email address that forwards to my main Gmail.

It lets me know that the sender has scraped me from the public directory and I
prioritize those messages accordingly.

------
jvagner
I have a private email for close friends and family (note, I have no FB
account). I had layers of obfuscation on this over the years, which I’ve since
walked away from.

I run a few businesses, and have work email at each. These usually
cycle/evolve periodically over time.

And I have a public Gmail account. Few filters, most everything I sign up for
goes there. Lots of G logins.

I’m not on a lot of chat apps, but I use Slack for a few things. No telegram,
no WhatsApp, nothing else like that.

I was reviewing this recently and I’m pretty happy with it. The funnels for
work/business are effective enough to compartmentalize them. On my iPhone and
iPad I have a subset of some but not all of those email addresses. On my
desktop I use Outlook to consolidate every last email account and Mailplane to
cover my most important and active email accounts.

Truth is, few humans email me. It’s all business accounts, SaaS notifications,
etc.

Email isn’t really a daily high priority for me. And most of the important
emails are expected... the result of a conversation or initiation. When I know
an important email is coming, my attention to email elevates a bit. Otherwise,
email is only a medium priority for me anymore. I clear them weekly, but
probably pay attention to them 3x every two days.

Edit: the big burden of emails is calendar coverage and invites. For that, my
iOS devices are most important. I care more about what lands on my calendar
(Zoom conferences) than most other things (save, contracts I need to sign or
payments I have to take care of). I also tell everyone to call me anytime. I
hate juggling calendar invites for a ten minute phone call. That said, I do
encourage people not to leave voice mail. This is where things get a little
more... intentional/picky.

------
m_b
Using some console tools like echo and sed:
[https://mathilde.website](https://mathilde.website)

------
theobeers
If you use Cloudflare, they’ll obfuscate email addresses for you (i.e., from
scrapers), while maintaining clickability.

[https://support.cloudflare.com/hc/en-us/articles/200170016-W...](https://support.cloudflare.com/hc/en-us/articles/200170016-What-is-Email-Address-Obfuscation-)

------
tambre
I do. I think it's essential if you've a website/blog or occasionally someone
wants to contact you personally regarding one of your comments. I find it
extremely frustrating to read a blog post, notice an error or a technical
configuration issue with their website and then not be able to let the author
know. Please make yourself reachable.

I run my own email server and don't do any spam filtering, so I definitely
receive more spam than others (0–2 per day), but Thunderbird always puts them
into my spam folder.

I hope to eventually add a spam filter in Postfix to deny at the SMTP level.
However, configuring DMARC verification and requiring proper RDNS already cut
the spam to a third.

I also recently switched to the hexadecimal encoding explained by u/bitmedley
on my website. There's been no perceptible change in spam from that.

------
vithalreddy
Yes, I do post my email publicly everywhere. Spam is handled mostly by Google
spam filters and sometimes manually.

~~~
ajeet_dhaliwal
Same, the filters have gotten good.

------
jeroenhd
Right now, I have listed an email on my website above a contact form. To hide
the email from scrapers, I just concat different parts of it in javascript on
page load and insert it into the html.

I didn't expect that to work but a few years in I've barely seen any spam on
the listed email address. All spam I've received on my website has been done
through the contact form so it appears bot farms would rather solve Google captcha
than try to use my email address.

This probably isn't enough for everyone but it might serve as a reminder not
to overthink this. The only downside is that users without javascript can't
get my email address but as I don't expect many people to visit my personal
website that's not an issue to me.

------
zAy0LfpBZLC8mAC
I think the problem is the "your email address" part. No, I don't post "my
email address", but I do post one of my email addresses.

But really, the primary spam problem is not with spammers crawling the web,
the primary spam problem is with companies that think because you bought
something from them you are keen on them getting on your nerves. So, the real
anti-spam measure is giving each and every company their own email address,
and just disabling any addresses that start getting spam, and those also are
exempted from the spam filter, so you don't ever get false positives on those.

------
alfiedotwtf
I use my "normal" email address to post to a very small number of mailing
lists. Even though they're all publicly accessible lists, I get in total about
5 spam emails a day - this is with zero spam filtering (not even SpamAssassin)
on my own Postfix instance.

For the past ~6 years, every time I sign up to a new web service (or even in
person paper signup), I generate a new 64 hex email prefix. This allows me to
know who either a) sold my address or b) got their database hacked. So far,
the only website I know of who either got hacked or sold my address was:

    coinmama.com
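
One way to do the bookkeeping behind the per-service addresses described in this comment and the `+` tags mentioned earlier in the thread, as an added example rather than any commenter's setup. The class name, domains and messages are constructed, and the verdict relies on the unauthenticated From header.

```python
import secrets
from email import message_from_string
from email.utils import getaddresses, parseaddr


class AliasRegistry:
    """Maps each per-service address to the service it was handed to."""

    def __init__(self):
        self._aliases = {}  # address -> (service, expected sender domains)

    def register(self, address, service, sender_domains):
        domains = frozenset(d.lower() for d in sender_domains)
        self._aliases[address.lower()] = (service, domains)
        return address

    def issue(self, domain, service, sender_domains):
        # 32 random bytes -> 64 hex characters, which is also the maximum
        # local-part length RFC 5321 allows.
        local = secrets.token_hex(32)
        return self.register(f"{local}@{domain}", service, sender_domains)

    def attribute(self, raw_message):
        """Return [(service, verdict)] for every registered alias addressed.

        verdict is "expected" when the From domain belongs to the service and
        "leaked" otherwise. From is not authenticated, so treat "expected" as
        a hint and pair it with SPF/DKIM results in real use.
        """
        msg = message_from_string(raw_message)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        sender_domain = sender.rpartition("@")[2]
        headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
        findings, seen = [], set()
        for _name, addr in getaddresses(headers):
            addr = addr.lower()
            if addr in seen or addr not in self._aliases:
                continue
            seen.add(addr)
            service, domains = self._aliases[addr]
            known = any(sender_domain == d or sender_domain.endswith("." + d)
                        for d in domains)
            findings.append((service, "expected" if known else "leaked"))
        return findings


def demo():
    """Constructed messages: one from the service, one from a third party."""
    reg = AliasRegistry()
    shop = reg.issue("mail.example", "shop", ["shop.example"])
    tagged = reg.register("first.last+pharmacy@mail.example",
                          "pharmacy", ["pharmacy.example"])
    ok = f"From: Shop <news@mail.shop.example>\nTo: {shop}\n\nreceipt\n"
    spam = f"From: Deals <promo@bulk.invalid>\nTo: {tagged}\n\nbuy now\n"
    return reg.attribute(ok), reg.attribute(spam)
```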

------
JohnFen
I have numerous email addresses, a couple of which are specifically intended
for use if I have to provide an email address that will be publicly viewable.
I look at the envelopes of the mail arriving at those addresses, and if one
looks not spammy, I'll actually open it. Otherwise, I just let that mail time
out (my mailserver deletes them automatically after 3 days).

I never list email addresses I use for real in a public forum, and almost
never use them when registering on sites, etc.

------
333c
My email address is posted publicly on my website. It isn't an alias or
anything, though my domain uses a wildcard to send every message to every
address to my inbox, so I have infinite aliases available to me should I want
them.

Surprisingly, I don't believe I've received a single spam message that made it
past my spam filter, despite my address being public. However, I think this
can largely be explained by the fact that my site receives basically zero
traffic.

------
aliceryhl
Yep! I have it on my personal site in plain text and I don't seem to be
receiving large amounts of spam. I just looked in my spam folder and the last
five spam mails I got were:

1. 25th oct
2. 22nd oct
3. 21st oct
4. 19th oct
5. 18th oct

so I get less than one per day.

------
alkonaut
I use gmail (too late to change even though I have personal domains). I
register it everywhere and it’s probably searchable in many places. I think
gmail does a good job with spam, I don’t get more than 1 spam in my inbox or
one non-spam mail misidentified as spam in a year. So I’m completely happy and
feel it’s a solved problem. This could change in the future of course, but I
have had zero problems in the past decade.

------
wortelefant
I publish my email and phone number on my website. Spam is filtered and my
phone is in flight mode whenever I'm busy.

It is similar to still keeping a Facebook account, the upside of being found
by the right people is bigger than the privacy risk I perceive. I might regret
this later though, if the future becomes as dystopian as expected by some
people here.

------
chrisseaton
Spam just doesn’t seem to be much of a problem these days. My emails are in
plain text everywhere and I very rarely get any spam.

------
mindcrime
Yep: prhodes@fogbeam.com

I use GMail, and basically just rely on their spam filtering. It's not
perfect, but it's "good enough".

~~~
cryptography
Do you know that SSL certificate for www.fogbeam.com has expired?
[https://crt.sh/?q=www.fogbeam.com](https://crt.sh/?q=www.fogbeam.com)

~~~
mindcrime
Yeah, I forgot to schedule the cron-job to update the Let's Encrypt
certificate. Thanks for the reminder, I'll go run the script right now.

~~~
adonese
If you use certbot, it automatically schedules cronjobs for you

~~~
mindcrime
Huh, interesting. I never knew anything about that. That said, I use certbot,
but not _only_ certbot, as I have a wrapper script which does some other
things as part of the process (converting the certificate to Java Keystore
format, for example) so not sure if that automation would apply.

Anyway, my script is set up now, so hopefully this won't be a problem going
forward.

------
dmd
Yes; I've been using the same address (dmd@3e.org) for 23 years now. I get
~100 spam/day, and GMail manages to catch every single one. I do a 30 second
scan through for false positives once a day - typically there's 1 or 2 a week,
and they're never something actually important.

------
robjan
My personal email address is publicly available. Fastmail filters about 99% of
the spam and the rest is quickly silenced by reporting spam. I receive maybe
one or two spams per week. Sadly there are a few false positives but usually
it's transactional emails that I don't care about.

------
fanf2
I have used my email address dot@dotat.at for open source development and
mailing list and Usenet discussions for 22 years. It helps make me more
memorable.

A few messages each day get through the spam filters, but that’s negligible
compared to the number of mailing list messages I delete unread.

~~~
333c
Wow, I love your email address! "Dot at dot at dot at"

~~~
porbelm
Even more clever than http colon slash slash slash dot dot org

------
anthony_doan
Yes.

You can add filters to gmail.

I add a filter once a month or if the spam is getting out of hand.

It's not that bad. The political emails are the worst though, they spam you
regardless of your unsubscribe option. The second worst for me is
unsolicited job from job agencies.

------
jay_kyburz
Yes. And I even have a catch all for my domain just go to my inbox.
(*@ironhlelmet). It's managed by gmail.

The only spam I get is an occasional email telling me that my page rank could
be improved if I pay some seo spammers.

------
breadandcrumbel
Yes, and when I do it (I put it in a few of my profiles in text) I'm not getting
spam.

I guess you can feel safe to do it, and in the worst case you will get a few emails
you will mark as spam right away.

------
tmilard
Yes I do. On my web site. It is a Gmail address, so there is no spam. As a
small company I chose not to manage a personal Web address. And it works
fine.

------
jasonvorhe
Of course, for about 10 years or so. It's a means of communication. Why
shouldn't I publish it? Spam is being handled by G-Suite/Gmail.

------
omg4
I have this on my websites for years now: name@ __[THIS_Domain.com] __, where
[THIS_Domain.com] is <whatever the domain I'm using it on>.

So far, ZERO spam.

------
darkhorn
If you use only HTTP/2 and only TLS 1.3 then most spam crawlers won't reach
your web site.

------
csixty4
I've had mine public for years. The spam filters at Fastmail are good enough
that it's not an issue.

------
StanislavPetrov
What do you mean by "your email"? Does anyone really have only one email
address? I've cut down to three in the last few years. It amazes me that, in
the age of free addresses, everyone doesn't have at least one, separate
personal email address for friends and family apart from their public and/or
company email.

~~~
zokier
Does anyone use email to communicate with friends and family? To me it is
almost as quaint as sending snail mail.

~~~
mackrevinack
is quaint a bad thing now?

I like the pace of email better compared to instant-messaging where I usually
feel like I have to apologise if I'm replying a few days later.

email is also better for having multiple topics. if you try to ask somebody
about something off topic when using instant-messaging then it can easily get
pushed out of view and forgotten about since it's all just a single thread

I wouldn't attempt write any sort of long form communication using IM and I
wouldn't be cruel enough to make others read something like that

~~~
zokier
> is quaint a bad thing now?

Not at all, indeed I do like email as a communication form. It was merely an
observation that in practice using email for personal communication is
exceedingly rare, at least in my social circles.

> I wouldn't attempt write any sort of long form communication using IM

From what I can tell, people have not migrated their long form communication
to other platforms. Instead people seem to have abandoned long form
altogether, as sad as that might be.

------
dyingkneepad
I post it in a way that's obvious to humans but not to bots. Like:

Email: dyingkneepad # gmail * com

~~~
oliv__
Nice, I'll add the format to my crawler

~~~
muzani
Then he changes it to com # gmail * dyingkneepad

~~~
Moru
And the war is on :-)

------
avb333
I think having a separate email for business is better

------
josteink
I’ve had mine publicly posted for _decades_.

The spam goes in the spam folder. Not sure what the big deal is?

