Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

this isn't a good anti-spam filter though. + addressing (even the fastmail kind) is trivial to parse and I'm 100% sure email harvesters are aware of it.


They can filter out the boxname part of temporal+boxname@mytld.com, but they can't, in general, filter out boxname@temporal.mytld.com - it would break too many things. I guess it's possible to recognize mail for mytld.com is handled by FastMail, but I'm not sure anyone bothers. In my case, almost all spam I get comes to an alias I have in my Facebook profile, and the rest of it to an alias I put on my website - so in both cases, I assume spammers just scrapped the e-mail address.


Fastmail also lets you use aliases to protect your main address. I only give out an alias with an alt domain - something like spam@jm4.eml.cc, linkedin@jm4.eml.cc, etc. No one has my real address. I basically only use it as my username. I give an alias to family. I just delete the alias or filter it to the trash if I have problems with it.

I'd be surprised if many harvesters are going to bother with rules just for Fastmail domains. First of all, they have a bunch of them. Second, the spammers' objective is to get email into your mailbox. They don't care if they use an alias to get there. Bad actors who got your info in a data breach are a different story, but there's probably some safety in numbers. There could potentially be millions of accounts to go after before they start thinking about reversing my Fastmail alias. Besides, if you use one of the generic ones like qq.com or eml.cc - or even better yet, your own domain - they're not likely to notice anyway.


This isn’t to prevent spam, it is to identify the original leak. If the unique email address you gave to company X is used for solicitations by company Y, company X must have given it away.


Then what?


Depending on my mood and whether the company is local, write a complaint to the company that leaked the address or to an appropriate government institution. In my country, a local computer security news site started a tradition of telling the offending companies that they can either apologize and donate some money to a charity (and send back the proof of payment), or you'll bring the issue up with Personal Data Protection Office, which will be more than happy to fine them.


I usually go for <company>@example.com where <company> is the company I’m handing my address to. After a breach I route that address to /dev/null


That's trivially easy to guess -- and game.

You want something that is sufficiently random that it can't be easily guessed or gamed, but can be quickly and easily determined on your side.

Salted cryptographic hashes might be a good place to start.


Most spammers won't go through the of "gaming" it. There's no upside. There are far easier targets to focus on than sending more mail to a single recipient who is more sophisticated.


After a breach of <company>@example.com, forward it to support@<company.com>.


Don’t give me ideas.


If you live in Europe, you might have a case.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: