
Avoiding Spam with Email Aliasing - shawndumas
http://www.macdrifter.com/2013/12/avoiding-spam-with-email-aliasing.html
======
dazzla
For many years I've used my own domain for emails with a wild card forward to
whatever my current email address is. So whenever I'm asked for an email
address I use company@myemaildomain.com. So I don't have to worry about
support for the + and no part of my actual email address is ever revealed. It
also makes it easy for me to switch email providers.

~~~
riobard
I use the same approach. The only unfortunately side effect of doing so is
that I have to deal with spams targeting at randomly generated addresses at my
domain. Luckily Gmail's spam filter finishes most of them after some training.

~~~
agwa
Tip: use a subdomain as your catchall (e.g. company@mail.example.com). I've
been doing this for five years and haven't gotten a single spam to a random
address. While there are various ways to learn about a domain's existence,
subdomains fly under the radar.

~~~
ChuckMcM
That is an awesome tip. I stopped using a catch all when folks were doing
reflected spam (trying to get my mail server to 'bounce' the email back to the
spam target).

~~~
rahimnathwani
I'm curious: did you lose any emails when you turned off catch-all? I would
like to turn off catch-all, but I receive a lot of (mostly automated) email to
various addresses, and I don't want to set up a long list of email aliases.

~~~
ChuckMcM
My catch all dumps the from line and the subject line and date into a log.
I've got a perl script that scans it once a week for anyone in my contacts
list. I did create a set of ecommerce/web site aliases which are all
structured similarly (prefix-vendor@maildaomin.com) which are processed
separately.

------
mike-cardwell
I built a system years ago for automatically expiring email addresses:
[https://grepular.com/Automatically_Expiring_Email_Addresses](https://grepular.com/Automatically_Expiring_Email_Addresses)

You can email any address of the format "YY-MM-DD"@tmp.grepular.com and it
will work, but only if the YY-MM-DD date is in the future. Ie,
2013-12-25@tmp.grepular.com will work from now until Christmas and will bounce
after that date.

It's really useful for signing up to services that I don't intend to use after
that day, or for entering competitions etc. Competition draw is in a month?
I'll pick an email address which expires in about 2 months and enter with that
one.

------
jimueller
Personally, I have used both the Gmail alias and the company@example.com
strategies. I have since given up both as I found it too hard to remember what
address I used where.

The main reason I quit doing this is because Gmail's spam filtering kept spam
out of my inbox and I never cared if one of those aliases were "compromised"
and it wasn't worth the effort. I guess it was a solution to a problem I never
had.

I still use a spam@example.com for those sites that I may need to provide an
email address and I don't want to give them my real address, such as forums
that make you sign in to see an answer.

------
gallerytungsten
If you run your own mail server, this whole process is much easier. Just set
up an alias name specific to whoever you're giving the address to; then
forward it to your real email. If spam starts, you just delete the alias.

~~~
TheCowboy
It's also fun to use aliases specific to which source it is being provided.
You eventually get some surprises about the integrity of some sites when you
start receiving a spam on an alias only used for that site, revealing that
your information was sold or stolen.

~~~
csmuk
This is especially true of recruitment agents who appear, at least in the UK,
to sell your address to anyone.

------
error54
I use the user+company@gmail.com alias when I can but MANY websites don't
support that as a valid email address. Even tech companies that should know
better.

~~~
rahimnathwani
They _do_ know better (i.e. they know you use it for filtering) and that's why
they don't accept it.

I don't like it either, but it's a reasonable choice for them to make.

~~~
chinpokomon
I completely disagree! This is not a reasonable choice. Email forms must
confirm to the RFC standards or else there is no standard. The biggest
offender I've run into is Yahoo. Yahoo's email address filtering won't allow
me to use my email address because they reject my TLD. Even lousier, their
technical support form also rejects my email address, so I can't even send
them email to have them correct the problem.

~~~
rahimnathwani
I presume you mean the SMTP RFC standards. If so, then it would be
unreasonable to respond with 501 (Syntax error in parameters or arguments),
just because they don't like your email address format or TLD.

However, if I'm offering a service and collecting email addresses as part of
that service, my mail form could do additional validation (e.g. I might not
want to collect email addresses from the UK ( _.co.uk) or from_.edu or from
people with 'john' in their email address.

I'm not violating an RFC with my email form, which may provide some benefit
(e.g. stop fake email addresses, reject customers I don't care about) at the
expense of losing/angering some other customers. That's a business question,
not a standards issue.

(BTW - I've never restricted email addresses on a form in this way, but can
empathise with those who do)

------
vsviridov
I use this approach in conjunction with server-side sieve, that sorts messages
into individual folders.

if envelope :detail :matches "to" "*" { set :lower :upperfirst "name" "${1}";
fileinto :create "INBOX.${name}"; stop; }

------
yogin
I have my domains hooked up with google apps (there was a time when it was
free, still is if you got in early), and they allow you to have a catch-all
for email addresses that you can redirect to one of your user accounts. So
each time I need an email for a site, I just put <site_name>@some_domain.com.

This way there's no need for the +alias in the user part, and some site tend
to block this because they know it's used for aliases.

Doing this, I know exactly where this email was used. Been doing this for
years, and works great.

~~~
stormbrew
Have you actually encountered a site blocking + in email addresses? Because
that's just categorically wrong behaviour.

My mail server (running qmail) uses - for this. Have been doing this trick for
at least a decade now with it. I've never had a site complain about it.

------
applecore
What's stopping spammers from ignoring what comes after the plus?

~~~
vsviridov
Too much effort. They mostly go for fire-and-forget strategy. Any additional
processing time means less sent emails = less profit.

~~~
joosters
What? It's minimal effort. 'Found' a gmail address? Drop everything after the
+ sign.

Spammers spend a lot of processing time on their emails (e.g. testing them
against spam filters to tweak them to get through), so this extra step is so
small as to be insignificant.

------
gprasanth
Obligatory link to xkcd: [http://xkcd.com/1279/](http://xkcd.com/1279/)

------
neil_s
I use a free service called Gishpuppy, which operates kind of similarly to the
fastmail aliases, except it just forwards the email to your Gmail, so you
don't have to stop using Gmail. When you get spam, you simply cancel the alias
and it becomes a blackhole instead of forwarding email to your real address.

------
pbreit
With gmail spam filtering and the new tabs I find all this junk a waste of
time. And who wants to use all these different addresses for logging in?

