Hacker News new | past | comments | ask | show | jobs | submit login
The case for unique email addresses (2020) (tychi.me)
58 points by ivanvas on June 20, 2022 | hide | past | favorite | 84 comments



The email address I give out to companies is theircompanyname@myserver.com - this has most of the privacy benefits the author describes. But frankly, I did it just to find out who sells my personal info to spammers. Turns out quite a few do, and whenever I get a spam email, i just look at the to-address and I know who betrayed me.

Edit: multiple typos


I do the same. In addition to the security and privacy benefits, the traceability have been helpful. Years ago my Netflix account was hacked, and they refused to believe it was on their end. They were sure someone had accessed my email. I was not able to convince them that netflix@myserver.com was not a thing you could log into. But having a unique email was one of the clues that led me to be confident that my email had not been hacked, and it must have been something purely on the netflix side.


Playing devil's advocate - it could've been your Netflix password that was compromised, or someone you shared your Netflix password with (if you do it).


I used to keep it that simple but some companies are catching on and blocking the account in the name of "fraud" but really they are just upset. Instead I use a realistic looking canary that maps to their company without their company name being in the email address.


Companies that do not respect RFC email addresses are simply breaking the internet. Email addresses are not unilaterally specified by your marketing department, they are at this point, internet infrastructure.

https://datatracker.ietf.org/doc/html/rfc5322


Agreed but I don't think they care about RFC's. Rather they want to be able to track people and be able to sell or leak, but really sell your email address and email canaries put a stop to that behavior and they don't like it.


I spell their name backwards to thwart this filtering.


Oh, you mean VMWare... one of their CSR's they did that to me.


You can just spell it vwmare.


I too do it, although occasionally an hickup occurs. Last week, I signed up for something, and their system was unable to send an account activation email at theirCompanyName@myDomain.com I spent about 30 minutes with customer service on chat, and they were like, no, it's impossible to have them@my domain email. If I have, I should send them an email. I did it, sent email, and they were still not believing it.


This is what I do as well, and its real nice to be able to black hole a specific to email address vs trying to unsubscribe from every piece of spam email sent to your one email address.


I'm not sure I've ever found any indication of someone selling my address, but I've discovered multiple services that have been hacked.

One of them, Avvo, has yet to admit it... but it's quite clear.


Tesla did it to me, because I have had the same approach as grandparent forever (well, for 30 or so years, anyway).

Recently I had a text message to my phone number asking me if I wanted life insurance, and whether I preferred to be contacted at ‘tesla@<myserver.net>‘ or continue our conversation via text. I have plenty of life-insurance through my company…

Funnily enough, Elon didn’t reply to my tweet asking him if this was standard Tesla policy… Never did like that rat-bastard.


We should do something with phone numbers too.


It's not much better than "Your.Full.Name+company@example.com" in practice tho.


I'd say its one level beyond. Since "+" is so widely used, as talked about in the article, its trivial to remove. However with a non-standard domain and inconsistent username its not as easy to remove. These are some of the formats I use, they all offer exactly what I need (uniqueness, hard to programmatically attach to another, and culpability):

lyft@account.example.com

liftcarshare@example.com

email@lyft.com.example.com

example.com@com.lyft.example.com


I would personally go one level further.

Generate random email addresses so you can't easily guess what others I might have given out. Then keep track of the mapping.

A service like simplelogin.io makes this easy.


FastMail does something like this. Their Masked Emails are two random words plus a four digit number.


Been using this feature since they introduced it and can say that I'm very pleased with it so far in combination with it's 1password integration.

When creating an account somewhere, fastmail automatically generates a new email for the site via an API in one click.

Highly recommend.


What I usually do is servicename + 6 to 10 random numbers. This way I can see the intended recipient whilst avoiding people being able to check where I've signed up.


Why not use the numbers to encode the creation date?


You certainly could, though I don't particularly care about the creation date - additionally, this is something that I can do easily by hand.

E: Ah, I didn't see the schema one of the parent commenters suggested - your question makes a lot more sense now. I still don't really care about the creation date, though, but I do care about the email having a random component, since if someone were to figure out my naming schema, they could check whether I've signed up for any given service.


What about base58 encoding their company name.


Caesar cypher.


icloud and also fastmail do this for you


Great idea with the subdomain! May I ask how you do it? Also, one idea for you: how about using created20220621@company.example.com?


Fastmail allows for wildcat (J)IMAP addresses. It a *.example.com MAIL record in dns with a supported (J)IMAP server.


Removing the +company is not cool. When I give you myname+yourcompany@mydomain.something, I'm authorizing you to mail to that address, not myname@mydomain.something. If you don't respect the recipient, you'll be rewarded with unsubscribes, at best, and spam reports at worst.


But we're talking about the same companies who will sell your data for a fraction of a cent. I don't think they care about being "not cool"


IME some may accept the plus address at sign up then break it at sign in or substitute for another character. A major US insurance company did this, which could have allowed hijacking if one had registered the address with the plus replaced with their substitute character.


Lots of company don't allow you to enter the + symbol in their signup field.


I do this too, and lots of companies also don't allow you to use THEIR company name in the email address that you give them.

Sometimes their front-end is not aware of this restriction and will let you register, but then you'll have unresolvable issues. I've spent some time on tech support phone calls with companies that have this issue.

Occasionally a company will implement blocking their own name in a user-provided email after the user is already registered. I've had this happen a few times too. Suddenly the account will disappear without explanation.


A spammer can just filter the +company bit out.


Yes, but the fraction of users using the +company part would be similar to the fraction of linux desktop users on the internet.

The way we don't see most software companies supporting linux desktop users simply because it is not profitable, we can hypothesize that the spammers won't spend time-energy-money on getting the +company filtered out.


This is common enough that many sign-up forms reject the +. Spammers can definitely do that much.


Same here. It's fun getting doctors offices coming back and asking me "Do we have your email right?"


What tools do you use to create so many email addresses/aliases on the fly, and to keep a check on them?


Here's my strategy with fastmail. I think it's the best:

1. I allow wildcards only on a subdomain. The friendly alias on the top level domain is only for real human beings I want to talk to, not robots or marketers. I don't allow cold messages to the subdomain into my inbox because of issues I've had with spammers in the past.

2. I use a random username as the address and store it in bitwarden. It isn't named after the company but I can match it there if I ever need to. Recently BW added a generator for this, but I was already doing it manually by freehanding on the keyboard.

3. Seive rules. I put newsletters in a reading list folder, receipts in a receipt folder, etc. Everything else sent to that subdomain gets sent to a purgatory folder that deletes anything older than 90 days, so I don't accumulate a bunch of garbage. If I am signing up for a newsletter that I don't care about enough to tune the rule, then I probably wasn't going to read it anyways.

As a result I have not had a low value message reach a high value folder in probably 5 years. Skimming the folder I can see that Illinois politicians are still trading my address around even though I moved out of the state 4 years ago.


Account creation doesn't happen on the fly, does it?


I do the same but I have never ever caught anybody selling my email to spam companies.


Same. Did this for years and never found anything. Ended up going back to a single email address.


I did similar things for many years, but at the end of the day I found that I was just adding friction for myself and not getting any real benefit. Yeah, I can see who has sold (or inadvertently leaked) my information, but then what? Don't do business with them again? Fine, but it's too late. And so many companies have problems like this that if you refuse to do business with any of them, you're going to find yourself very limited.

In a broader sense, as I learned to grow out of my 1990s-era rage about spam, I've found that my online life has gotten a lot less stressful. No, I still do not like commercial email in my inbox. But constantly being angry about it and trying to fight it did not result in me getting any less of it. All it did was made me a bitter person. Something something accept the things I cannot change...


> Don't do business with them again? Fine, but it's too late.

Well no, not if you have assigned them a unique address. That is the whole point of the exercise, no? Stop doing business with them _and_ block their unique address.


"Stop doing business with them" is not always a feasible option, or the cost is very high (more than many are willing to pay); that's the problem.


If you are committed to using the leaker, change your email for them from company@myserver.com to company2@myserver.com and block company@myserver.com. It gets the benefit of spam blocking and leaker traceability in one easy step.


Honestly, I can't help but be suspicious about postings like this because they are way too common. They introduce no real new information and only serve to offer, "it's too much work, so just accept it".

It's completely disingenuous to say that you can't do anything with the information gained from learning who is selling, sharing or otherwise allowing email address lists to be compromised. It's almost maliciously disingenuous.

You can do infinitely more with this information than you can about any other kind of spam:

1) you can demand to know how and why your address was shared with third parties

2) you can insist on disclosure, particularly if you live in a state or country that mandates it, for any breach they may blame it on

3) if they ignore you, you can publicly shame them on social media and inform others

4) most importantly, you can STOP accepting email at that unique address, and stop any future spam.

I really wonder these naysayers want. They clearly want the rest of us to not expend the tiniest bit of energy to maintain any agency in the control of our own email, but why? I really wish I knew. They're not helping people by telling them to save - what? - minutes of time per month? I'm so curious.


> They clearly want the rest of us to not expend the tiniest bit of energy to maintain any agency in the control of our own email, but why?

No one is telling you what to do, they're just saying that they didn't find it valuable for them personally. My experiences are similar.

You can do whatever you want with your email (...except send me spam...)


So on the US side of things (EU is better):

You're going to need a hell of a lot of freetime to do all that.

I think it's a fucking travesty how quickly society rolled over on privacy and tracking because a bunch of short sighted people think its ok for companies to buy and sell your data, but it's such a common practice, and it's not like ANY of the above things are going to change shit.

To be blunt:

1) This going to be AFTER a daisy chain of emails/calls/both to get to ANYONE who feels like giving you an answer, and it's basically going to boil down to "oh its part of the TOS. Sue us or fuck off". The TOS is likely bullshit, but I hope you've got millions to prove it.

2) Again, even getting to this point takes a dizzying amount of time, and for what? To know they're greedy fucks selling your data to the highest bidder? You knew that the moment you got spam.

3) Uh huh. The kind of people who care already know. My experience with informing others about this has mostly been "so what". I spent waaay to long convincing people who HATE the current administration (from literally either side) that maybe it's not so great that amazon/facebook/etc knows damn near every single thing about them if they're one government request away from having it the hands of the people they despise. It's preaching to the choir at best.

4) Or you can just give out a junk account to start with and let them send as much spam as they want. If you really want to actually hurt them you should probably write a small script to hit a vpn, then open the email, then delete it (as clickthrough metrics are what they're looking at).

As for what "naysayers" want, well i can only speak for myself, and it's "real legal options". I think a lot of this is "security theater" with the amount of fingerprinting and other nonsense going on. You can spend all day trying to be the invisible man on the net and still have MORE than enough known about you because a friend or family member can't be bothered to care.


"hell of a lot of freetime"

Absolutely wrong.

Go ahead and keep arguing for giving up. Good for you. And go ahead and bring up all sorts of incorrect or completely irrelevant stuff. Good for you.

The point is that I don't understand apologists like you who want everyone to just give up. Are you a paid shill?


This is the worst written article I've seen in a while. It gets very lost in the weeds, struggles to make any points, just sort of wanders about.

There's no actual discussion of what a unique email should be. Or how that could possibly work and be practical given that any payment related site will also need your real name and address.


I disagree. This article is about the authors thoughts and experiences related to privacy and working in the information sector. It's not primarily about email. Criticizing the title is fair I think.


It's more than just the title. It feels extremely unfocused because the author doesn't connect the different parts very well. The author starts with a very small focus (email addresses) and then goes on tangents while randomly interrupting with headings like "I swear this is still about email". It doesn't flow.

Which is unfortunately because the topics are very relevant to the modern discussion about privacy, and I think there are ideas in there that are worth telling, but in this form it's just hard to follow


Previously:

Oct 2020, 19 comments https://news.ycombinator.com/item?id=24814029

Related recent quasi-dupeversation:

Using a catch-all domain is a mistake, 18 days ago, 296 comments https://news.ycombinator.com/item?id=31585463


My problem with this is that it conflicts with identity ownership. If I give every company someunqiueaddress@someservice.com, I no longer have the ability to switch email providers, especially if I only decide to switch after losing my someservice.com account. If I give every company someuniqueaddress@mydomain.org, then I’m still ID’d by mydomain.org. Maybe in a way that automatic linkers miss, for now, but maybe not: how hard is it, really, to automatically determine with decent confidence that mydomain.org is a personal domain, and strip the entire username and subdomain part in the existing normalization step?

It can be some secret mydomain.org, but that still links all my profiles together.

I could buy a different domain for every company, but that’s cost prohibitive, and also piercing WHOIS privacy is just another data sharing agreement away.

Posting this because I’m hoping somebody has a better answer.


For icloud hide my email they just forward on to another domain. You don’t need to use icloud for your email.

https://support.apple.com/guide/icloud/create-and-edit-addre...

> Change the forwarding address Every unique, random address you create with Hide My Email is forwarded to the same email address. You can change the forwarding address at any time. On iCloud.com, go to Account Settings, then click Manage in the Hide My Email section. Scroll to the “Forward to” section, then choose a different address. The “Forward to” section is below your list of active addresses and above your inactive addresses.

what many sites don’t let you change is the address associated with your account, but that’s not the fault of the email provider.


I've been doing this for 20 years now, and Apple or DuckDuckGo have made it accessible to normal people. The day I started receiving pornographic spam addressed to dell@majid.fm (no longer the domain I use, BTW), I knew Dell's security was worthless and they had been breached.

BTW I build a simple spreadsheet-like GUI for Postfix to manage the list, as it's grown quite large:

https://github.com/fazalmajid/postmapweb


I don't really think that getting an email at dell@domain.com means that a provider's security has been compromised. Not only do you need to use unique email addresses but they should be uncommon. Otherwise it doesn't really do a lot to address the issue. Might I also suggest using subdomains as well.


I disagree. I've been doing this for decades and occasionally I'll get spam/porn to one of the unique addresses I've created. In the past, I would notify the entity of their breach, but they almost never take me seriously so now I just delete their email address.


I've engaged with the breached companies a few times, and when they responded, it turned out in both cases it was actually an email service provider they entrusted with their mailing list that was breached. Companies don't realize how outsourcing can jeopardize their own reputation.


Yes. It's usually an inside job. Some under-paid third-world contractor employee will typically grab the email database and sell it for a few dollars.


Yeah, they don't take you seriously if you wonder why you might be getting spam at obvious@domain.com


Surprised not to see Apple's Hide My Email mentioned. I was moving towards using my_email+short_company_name@my_domain when it was released.

I found problems with the + syntax occasionally, where I could sign up with that address but wasn't able to log in because their code stripped the + or the + and anything after that.

Now I do 3 levels:

1) use Hide My Email with most companies

2) use me@my_domain with people I want to talk to

3) use my gmail address with Advanced Protection for really important things.

I was going to use my_domain for really important things but it has 2 attack surfaces (registrar and Apple (I use their MX service)) whereas Gmail only has one. And there was an old (2014) article [0] here posted recently about how someone lost their Instagram handle because somebody social engineered GoDaddy into giving the attacker control of the person's domain.

[0] https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...


Back in the time when email was important, I considered doing something similar. Now, I just use one personal mail address that I share only with real-world friends, and one other for all my online accounts.

At this point, I don't even bother whether I receive spam on that email or not, since it's just something I'm probably not going to read. I mean, who cares about LinkedIn notification or Amazon receipts, if I need them, I know where to find them. The default spam filter of my mail provider and a few custom filters based on from domain names are enough to keep my inbox manageable.

And even private mail is not that important anymore, given that most of the communication with real people is now done through various messengers.


Except typically when you do receive an email, it's a more important message and is more likely to contain important attachments or other information you need to retain vs messages via social media/ online messaging services, even if it's from friends/family. Worse, not scanning your junk email regularly can lead to missing key information that you've been sent. The current situation in general with how messaging is done online seems far from ideal, but it's hard to see too many good ways forward. Logically though if there were a reliable way to track who you've given out your details too, it should be possible to simply block messages that aren't from such sources.


Important email just doesn’t come suddenly anymore. Nowadays people will just message me to check my email address before sending an important email, although it didn’t change for years. And then, they’ll message me to ask if I actually received an email. So no important private mail gets lost ;)

Or I just receive booking confirmation minutes after booking. Even if I don’t read it or save immediately, it’s still there in inbox ready to be searched for and found if needed.

The only exception is business mail, but there I usually communicate only with people from my company or my address book, so there’s no spam problem there.


I can easily give 5-10 examples of personal emails I received recently which had critical info I had to act on, and/or documents I need to retain for future reference, none of which were anticipated. One was an airline canceling a flight!


I have been doing this for ~ 10 years or more. It is trivial to do if you own your own email domain, and only slightly more difficult with GMail.

There are other benefits that the article author does not cover, that become clear when you think about how threat actors analyze breach data.


My email provider limits the amount of aliases I can register with them but they let me have a catchall and Sieve filters. So I wrote a script that generates "normal-looking" email aliases, then builds a Sieve filter out of that. Everything that goes to an existing alias reaches my inbox, everything else goes straight to the Junk folder.

I've uploaded it to my GitHub: https://github.com/t0astbread/sievegen

Of course that's not a perfect approach in terms of privacy but for most purposes, it strikes the right balance between privacy and "hard to accidentally lose control of" for me.


I've done this for some time. <companyname>@<mydomain>.com makes it easy to see who sold my address, easy to make a filter for that inbound address if needed.

Maybe there are security benefits? If every site has both a unique email and PW I figure automated attacks are a bit less likely. Could someone figure my clever email scheme out? Easily.

My thinking is it's like being chased by a bear when out hiking with friends. You don't have to outrun the bear, just one of your friends. I'm probably not willing to achieve perfect security, but if I can be slightly more difficult to figure out than <next person on the list> maybe that helps?


I do something similar with my passwords, where I include the name of the website in there in some manner. Definitely not very secure, but probably better than simply using the same password everywhere.


I remember something tangentially similar from a long time ago. I used to use a bookmarklet that would act as a kind of password manager, by generating a unique password for each service based on the domain name and some user input as a seed. So you just have to remember a single “password” that gets added to the seed, and which never actually leaves your computer.

Edit: nothing to do with spam or even emails really, but here it is: http://www.angel.net/~nic/passwd.sha1.html


There are a couple of websites that let you do this without running your own email server.

https://33mail.com is one, for instance (disclaimer: happy customer here.)


Hmm, just try to send an email to their support email. and found this:

>>SMTP Error (450): Failed to add recipient "support@33mail.com" (4.1.8 <xxx@xxx.com>: Sender address rejected: Domain not found).

Hmmm don't even know how to contact them.


The best approach is to buy a domain name and set up your mail host with a catchall address. For example, I use Fastmail for mail hosting, and they support this at a reasonable priced tier -- but I can switch to another mail host if I want, and keep all my addresses. With 33mail it sounds like you'd be locked in.


This is why Apple's Hide My Email feature is incredible.

If you don't know, it generates a random email that forwards to your real iCloud account. You have full control on both deactivating the email (pausing it) or deleting it (permanent).

Apple will automatically suggest one of these emails when filling in an email form element which makes it even easier.

Incredibly helpful when signing up for new accounts or any other purpose.


I've been doing this since 2013 and the only spam I ever get is from the one email I put on my websites.

Spam filters are so good that the spam never sees my inbox (I use RunBox.com email because of their extreme privacy).

The only downside: I have to keep this domain FOREVER. If I sell it, and someone else connects it to a mail service, they will have access to all of my email addresses.


What happens when you die?


Good question. I'm actually working on a project to address that. Stay tuned.


Could you share practical tips on how to implement this with reasonable effort? Email providers that let you create aliases on-the-fly? Tools and workflows for automatically creating them on your own domain? For different OS (Windows, Linux, MacOS) and hosting providers?


The article talks a lot about imagining how Facebook can track you with your email. You don’t have to imagine, just go to “Off Facebook activity” in the settings. You will see a list of companies that have uploaded your email address to Facebook so that they can target ads at you.


I'll toss in a mention of yggdrasil [0], which would put every computer on the network at a unique address.

[0] https://yggdrasil-network.github.io/


I always use unique email as well. Just recently I started getting spam at newrelic@domain.com. It was easy to see where spam came from and add New Relic to the list of companies I’d not do business with.


or install https://wildduck.email or mail in the box type of server, just host it yourself. Wildduck web interface allows you to make unlimited alias already.


I wrote about these concepts, and have lived with my system since 2004:

https://www.vsta.org/spam/Traveler.html

(Ancient formatting, use reader mode if you're in Firefox.)

tl;dr Mail is broken because there's no authorization. Make your address act as an authorization token which is (1) transitive, and (2) revocable.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: