The email address I give out to companies is theircompanyname@myserver.com - this has most of the privacy benefits the author describes. But frankly, I did it just to find out who sells my personal info to spammers. Turns out quite a few do, and whenever I get a spam email, I just look at the to-address and I know who betrayed me.
I do the same. In addition to the security and privacy benefits, the traceability has been helpful.
Years ago my Netflix account was hacked, and they refused to believe it was on their end. They were sure someone had accessed my email. I was not able to convince them that netflix@myserver.com was not a thing you could log into. But having a unique email was one of the clues that led me to be confident that my email had not been hacked, and it must have been something purely on the netflix side.
Playing devil's advocate - it could've been your Netflix password that was compromised, or someone you shared your Netflix password with (if you do it).
I used to keep it that simple but some companies are catching on and blocking the account in the name of "fraud" but really they are just upset. Instead I use a realistic looking canary that maps to their company without their company name being in the email address.
Companies that do not respect RFC email addresses are simply breaking the internet. Email addresses are not unilaterally specified by your marketing department, they are at this point, internet infrastructure.
Agreed, but I don't think they care about RFCs. Rather, they want to be able to track people and be able to sell or leak (but really sell) your email address, and email canaries put a stop to that behavior, and they don't like it.
I too do it, although occasionally a hiccup occurs. Last week, I signed up for something, and their system was unable to send an account activation email to theirCompanyName@myDomain.com. I spent about 30 minutes with customer service on chat, and they were like, no, it's impossible to have a them@mydomain email. If I have one, I should send them an email. I did it, sent the email, and they were still not believing it.
This is what I do as well, and it's really nice to be able to black-hole a specific to-address vs. trying to unsubscribe from every piece of spam email sent to your one email address.
Tesla did it to me, because I have had the same approach as grandparent forever (well, for 30 or so years, anyway).
Recently I had a text message to my phone number asking me if I wanted life insurance, and whether I preferred to be contacted at ‘tesla@<myserver.net>‘ or continue our conversation via text. I have plenty of life-insurance through my company…
Funnily enough, Elon didn’t reply to my tweet asking him if this was standard Tesla policy… Never did like that rat-bastard.
I'd say it's one level beyond. Since "+" is so widely used, as talked about in the article, it's trivial to remove. However, with a non-standard domain and inconsistent username it's not as easy to remove. These are some of the formats I use; they all offer exactly what I need (uniqueness, hard to programmatically attach to another, and culpability):
What I usually do is servicename + 6 to 10 random numbers. This way I can see the intended recipient whilst avoiding people being able to check where I've signed up.
You certainly could, though I don't particularly care about the creation date - additionally, this is something that I can do easily by hand.
E: Ah, I didn't see the schema one of the parent commenters suggested - your question makes a lot more sense now. I still don't really care about the creation date, though, but I do care about the email having a random component, since if someone were to figure out my naming schema, they could check whether I've signed up for any given service.
Removing the +company is not cool. When I give you myname+yourcompany@mydomain.something, I'm authorizing you to mail to that address, not myname@mydomain.something. If you don't respect the recipient, you'll be rewarded with unsubscribes, at best, and spam reports at worst.
IME some may accept the plus address at sign up then break it at sign in or substitute for another character. A major US insurance company did this, which could have allowed hijacking if one had registered the address with the plus replaced with their substitute character.
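The two failure modes in this sub-thread (a tracker stripping `+company` to re-link you, and a site that keeps `+` at sign-up but rewrites it at sign-in) come down to one question: does every code path canonicalize the address the same way? The following is an added illustration written for this thread, not code posted by any commenter. The account store, the service name `acme`, the addresses and the `+` to `_` substitution are all constructed (the insurer comment does not say which character was substituted).

```python
"""Plus-addressing: what trackers strip, and why sign-up and sign-in
must canonicalize an email address the same way.

Added illustration for this thread, not code from any commenter.
The account store, the 'acme' service and every address below are
constructed; '+' -> '_' stands in for the unnamed substitute character.
"""


def tracker_normalize(addr: str) -> str:
    """What a data broker does to link records: lowercase, drop any
    '+tag' from the local part, and for Gmail ignore dots. This is why
    myname+acme@example.com still links back to myname@example.com."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def rfc_key(addr: str) -> str:
    """Canonical key a service should use: case-fold the domain only and
    leave the local part alone (RFC 5321 makes the local part the
    receiving server's business). '+' is an ordinary character here."""
    local, _, domain = addr.strip().rpartition("@")
    return f"{local}@{domain.lower()}"


def substituting_key(addr: str) -> str:
    """The broken sign-in path from the insurer anecdote: '+' is
    replaced with another character (assumed '_') before the lookup."""
    return rfc_key(addr).replace("+", "_")


class AccountStore:
    """Minimal account table keyed by a canonicalized address, with
    separately configurable sign-up and sign-in canonicalizers so the
    mismatch can be reproduced."""

    def __init__(self, signup_key, login_key):
        self.signup_key = signup_key
        self.login_key = login_key
        self.accounts = {}

    def register(self, email: str, owner: str) -> str:
        key = self.signup_key(email)
        if key in self.accounts:
            raise ValueError(f"{email} already registered under {key}")
        self.accounts[key] = {"email": email, "owner": owner}
        return key

    def whose_account(self, email: str):
        """Owner of the account a sign-in with this address lands in,
        or None if the lookup misses."""
        acct = self.accounts.get(self.login_key(email))
        return acct["owner"] if acct else None


def mismatch_demo():
    """Sign-up keeps '+', sign-in substitutes it. Alice registers
    alice+acme@example.com; Mallory registers alice_acme@example.com.
    Alice's own sign-in now resolves to Mallory's record."""
    store = AccountStore(signup_key=rfc_key, login_key=substituting_key)
    store.register("alice+acme@example.com", "alice")
    store.register("alice_acme@example.com", "mallory")
    return store.whose_account("alice+acme@example.com")


def consistent_demo():
    """Same canonicalization on both paths: the two addresses stay two
    accounts and Alice lands in her own."""
    store = AccountStore(signup_key=rfc_key, login_key=rfc_key)
    store.register("alice+acme@example.com", "alice")
    store.register("alice_acme@example.com", "mallory")
    return store.whose_account("alice+acme@example.com")


def stripping_demo():
    """Sign-up accepts the '+' address verbatim, sign-in strips the tag
    the way a tracker would: the login simply cannot find the account."""
    store = AccountStore(signup_key=rfc_key, login_key=tracker_normalize)
    store.register("alice+acme@example.com", "alice")
    return store.whose_account("alice+acme@example.com")


if __name__ == "__main__":
    print("mismatched keys land Alice in:", mismatch_demo())
    print("consistent keys land Alice in:", consistent_demo())
    print("stripping at login finds:", stripping_demo())
```

The fix is not to reject `+` but to pick one canonicalization (here `rfc_key`) and apply it at registration, login, password reset and every other lookup; the moment two paths disagree, two different mailboxes can map onto one account key.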
I do this too, and lots of companies also don't allow you to use THEIR company name in the email address that you give them.
Sometimes their front-end is not aware of this restriction and will let you register, but then you'll have unresolvable issues. I've spent some time on tech support phone calls with companies that have this issue.
Occasionally a company will implement blocking their own name in a user-provided email after the user is already registered. I've had this happen a few times too. Suddenly the account will disappear without explanation.
Yes, but the fraction of users using the +company part would be similar to the fraction of linux desktop users on the internet.
The way we don't see most software companies supporting linux desktop users simply because it is not profitable, we can hypothesize that the spammers won't spend time-energy-money on getting the +company filtered out.
Here's my strategy with fastmail. I think it's the best:
1. I allow wildcards only on a subdomain. The friendly alias on the top level domain is only for real human beings I want to talk to, not robots or marketers. I don't allow cold messages to the subdomain into my inbox because of issues I've had with spammers in the past.
2. I use a random username as the address and store it in bitwarden. It isn't named after the company but I can match it there if I ever need to. Recently BW added a generator for this, but I was already doing it manually by freehanding on the keyboard.
3. Sieve rules. I put newsletters in a reading list folder, receipts in a receipt folder, etc. Everything else sent to that subdomain gets sent to a purgatory folder that deletes anything older than 90 days, so I don't accumulate a bunch of garbage. If I am signing up for a newsletter that I don't care about enough to tune the rule, then I probably wasn't going to read it anyways.
As a result I have not had a low value message reach a high value folder in probably 5 years. Skimming the folder I can see that Illinois politicians are still trading my address around even though I moved out of the state 4 years ago.
I did similar things for many years, but at the end of the day I found that I was just adding friction for myself and not getting any real benefit. Yeah, I can see who has sold (or inadvertently leaked) my information, but then what? Don't do business with them again? Fine, but it's too late. And so many companies have problems like this that if you refuse to do business with any of them, you're going to find yourself very limited.
In a broader sense, as I learned to grow out of my 1990s-era rage about spam, I've found that my online life has gotten a lot less stressful. No, I still do not like commercial email in my inbox. But constantly being angry about it and trying to fight it did not result in me getting any less of it. All it did was made me a bitter person. Something something accept the things I cannot change...
> Don't do business with them again? Fine, but it's too late.
Well no, not if you have assigned them a unique address. That is the whole point of the exercise, no? Stop doing business with them _and_ block their unique address.
If you are committed to using the leaker, change your email for them from company@myserver.com to company2@myserver.com and block company@myserver.com. It gets the benefit of spam blocking and leaker traceability in one easy step.
Honestly, I can't help but be suspicious about postings like this because they are way too common. They introduce no real new information and only serve to offer, "it's too much work, so just accept it".
It's completely disingenuous to say that you can't do anything with the information gained from learning who is selling, sharing or otherwise allowing email address lists to be compromised. It's almost maliciously disingenuous.
You can do infinitely more with this information than you can about any other kind of spam:
1) you can demand to know how and why your address was shared with third parties
2) you can insist on disclosure, particularly if you live in a state or country that mandates it, for any breach they may blame it on
3) if they ignore you, you can publicly shame them on social media and inform others
4) most importantly, you can STOP accepting email at that unique address, and stop any future spam.
I really wonder what these naysayers want. They clearly want the rest of us to not expend the tiniest bit of energy to maintain any agency in the control of our own email, but why? I really wish I knew. They're not helping people by telling them to save - what? - minutes of time per month? I'm so curious.
You're going to need a hell of a lot of freetime to do all that.
I think it's a fucking travesty how quickly society rolled over on privacy and tracking because a bunch of short sighted people think its ok for companies to buy and sell your data, but it's such a common practice, and it's not like ANY of the above things are going to change shit.
To be blunt:
1) This is going to be AFTER a daisy chain of emails/calls/both to get to ANYONE who feels like giving you an answer, and it's basically going to boil down to "oh it's part of the TOS. Sue us or fuck off". The TOS is likely bullshit, but I hope you've got millions to prove it.
2) Again, even getting to this point takes a dizzying amount of time, and for what? To know they're greedy fucks selling your data to the highest bidder? You knew that the moment you got spam.
3) Uh huh. The kind of people who care already know. My experience with informing others about this has mostly been "so what". I spent waaay too long convincing people who HATE the current administration (from literally either side) that maybe it's not so great that amazon/facebook/etc knows damn near every single thing about them if they're one government request away from having it in the hands of the people they despise. It's preaching to the choir at best.
4) Or you can just give out a junk account to start with and let them send as much spam as they want. If you really want to actually hurt them you should probably write a small script to hit a VPN, then open the email, then delete it (as clickthrough metrics are what they're looking at).
As for what "naysayers" want, well i can only speak for myself, and it's "real legal options". I think a lot of this is "security theater" with the amount of fingerprinting and other nonsense going on. You can spend all day trying to be the invisible man on the net and still have MORE than enough known about you because a friend or family member can't be bothered to care.
This is the worst written article I've seen in a while. It gets very lost in the weeds, struggles to make any points, just sort of wanders about.
There's no actual discussion of what a unique email should be. Or how that could possibly work and be practical given that any payment related site will also need your real name and address.
I disagree. This article is about the author's thoughts and experiences related to privacy and working in the information sector. It's not primarily about email. Criticizing the title is fair I think.
It's more than just the title. It feels extremely unfocused because the author doesn't connect the different parts very well. The author starts with a very small focus (email addresses) and then goes on tangents while randomly interrupting with headings like "I swear this is still about email". It doesn't flow.
Which is unfortunate because the topics are very relevant to the modern discussion about privacy, and I think there are ideas in there that are worth telling, but in this form it's just hard to follow.
My problem with this is that it conflicts with identity ownership. If I give every company someuniqueaddress@someservice.com, I no longer have the ability to switch email providers, especially if I only decide to switch after losing my someservice.com account. If I give every company someuniqueaddress@mydomain.org, then I’m still ID’d by mydomain.org. Maybe in a way that automatic linkers miss, for now, but maybe not: how hard is it, really, to automatically determine with decent confidence that mydomain.org is a personal domain, and strip the entire username and subdomain part in the existing normalization step?
It can be some secret mydomain.org, but that still links all my profiles together.
I could buy a different domain for every company, but that’s cost prohibitive, and also piercing WHOIS privacy is just another data sharing agreement away.
Posting this because I’m hoping somebody has a better answer.
> Change the forwarding address
Every unique, random address you create with Hide My Email is forwarded to the same email address. You can change the forwarding address at any time.
On iCloud.com, go to Account Settings, then click Manage in the Hide My Email section.
Scroll to the “Forward to” section, then choose a different address.
The “Forward to” section is below your list of active addresses and above your inactive addresses.
What many sites don’t let you change is the address associated with your account, but that’s not the fault of the email provider.
I've been doing this for 20 years now, and Apple or DuckDuckGo have made it accessible to normal people. The day I started receiving pornographic spam addressed to dell@majid.fm (no longer the domain I use, BTW), I knew Dell's security was worthless and they had been breached.
BTW I built a simple spreadsheet-like GUI for Postfix to manage the list, as it's grown quite large:
I don't really think that getting an email at dell@domain.com means that a provider's security has been compromised. Not only do you need to use unique email addresses but they should be uncommon. Otherwise it doesn't really do a lot to address the issue. Might I also suggest using subdomains as well.
I disagree. I've been doing this for decades and occasionally I'll get spam/porn to one of the unique addresses I've created. In the past, I would notify the entity of their breach, but they almost never take me seriously so now I just delete their email address.
I've engaged with the breached companies a few times, and when they responded, it turned out in both cases it was actually an email service provider they entrusted with their mailing list that was breached. Companies don't realize how outsourcing can jeopardize their own reputation.
Surprised not to see Apple's Hide My Email mentioned. I was moving towards using my_email+short_company_name@my_domain when it was released.
I found problems with the + syntax occasionally, where I could sign up with that address but wasn't able to log in because their code stripped the + or the + and anything after that.
Now I do 3 levels:
1) use Hide My Email with most companies
2) use me@my_domain with people I want to talk to
3) use my gmail address with Advanced Protection for really important things.
I was going to use my_domain for really important things but it has 2 attack surfaces (registrar and Apple (I use their MX service)) whereas Gmail only has one. And there was an old (2014) article [0] here posted recently about how someone lost their Instagram handle because somebody social engineered GoDaddy into giving the attacker control of the person's domain.
Back in the time when email was important, I considered doing something similar. Now, I just use one personal mail address that I share only with real-world friends, and one other for all my online accounts.
At this point, I don't even bother whether I receive spam on that email or not, since it's just something I'm probably not going to read. I mean, who cares about LinkedIn notification or Amazon receipts, if I need them, I know where to find them. The default spam filter of my mail provider and a few custom filters based on from domain names are enough to keep my inbox manageable.
And even private mail is not that important anymore, given that most of the communication with real people is now done through various messengers.
Except typically when you do receive an email, it's a more important message and is more likely to contain important attachments or other information you need to retain vs messages via social media/ online messaging services, even if it's from friends/family.
Worse, not scanning your junk email regularly can lead to missing key information that you've been sent.
The current situation in general with how messaging is done online seems far from ideal, but it's hard to see too many good ways forward. Logically though, if there were a reliable way to track who you've given out your details to, it should be possible to simply block messages that aren't from such sources.
Important email just doesn’t come suddenly anymore. Nowadays people will just message me to check my email address before sending an important email, although it didn’t change for years. And then, they’ll message me to ask if I actually received an email. So no important private mail gets lost ;)
Or I just receive booking confirmation minutes after booking. Even if I don’t read it or save immediately, it’s still there in inbox ready to be searched for and found if needed.
The only exception is business mail, but there I usually communicate only with people from my company or my address book, so there’s no spam problem there.
I can easily give 5-10 examples of personal emails I received recently which had critical info I had to act on, and/or documents I need to retain for future reference, none of which were anticipated. One was an airline canceling a flight!
My email provider limits the amount of aliases I can register with them but they let me have a catchall and Sieve filters. So I wrote a script that generates "normal-looking" email aliases, then builds a Sieve filter out of that. Everything that goes to an existing alias reaches my inbox, everything else goes straight to the Junk folder.
Of course that's not a perfect approach in terms of privacy but for most purposes, it strikes the right balance between privacy and "hard to accidentally lose control of" for me.
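The workflow in the comment above (generate aliases that look like ordinary mailboxes, then emit a Sieve script that admits only those and junks everything else on the catch-all domain) is concrete enough to show in code. The following is an added example for this thread and is not the commenter's actual script. The domain `mail.example.org`, the name pools, the folder names and the two-digit suffix are assumptions; the generated Sieve uses only the `fileinto` and `envelope` extensions, so it assumes a provider whose Sieve implementation supports `envelope` (Fastmail's does, and most do).

```python
"""Normal-looking aliases for a catch-all domain, plus the Sieve
allowlist that lets only those aliases reach a real folder.

Added example for this thread; not the commenter's script. The
domain, the name pools, the folder names and the numeric suffix are
assumptions. Generated Sieve needs the 'fileinto' and 'envelope'
extensions.
"""
import random
import secrets

DOMAIN = "mail.example.org"  # assumed catch-all domain

# Constructed name pools: aliases look like ordinary mailboxes rather
# than 'acme@' or 'me+acme@', so the company name is never in the address.
FIRST = ["anna", "ben", "carla", "dev", "elin", "farid", "greta", "hugo"]
LAST = ["meyer", "okafor", "silva", "tanaka", "novak", "reyes", "lund"]


def new_alias(service: str, folder: str, rng, domain: str = DOMAIN) -> dict:
    """One ledger entry: the alias, which service received it, and the
    folder its mail belongs in. rng needs choice() and randrange()."""
    local = f"{rng.choice(FIRST)}.{rng.choice(LAST)}{rng.randrange(10, 100)}"
    return {"alias": f"{local}@{domain}", "service": service, "folder": folder}


def make_ledger(assignments, seed=None, domain: str = DOMAIN) -> list:
    """Build a ledger from (service, folder) pairs. Unseeded, the OS
    CSPRNG is used; a seed gives reproducible output for tests.
    Collisions are retried so every alias is unique."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    ledger, seen = [], set()
    for service, folder in assignments:
        entry = new_alias(service, folder, rng, domain)
        while entry["alias"] in seen:
            entry = new_alias(service, folder, rng, domain)
        seen.add(entry["alias"])
        ledger.append(entry)
    return ledger


def service_for(ledger, rcpt: str):
    """Who was given this address? The 'who leaked it' lookup used on
    the To-address of an unexpected message."""
    for entry in ledger:
        if entry["alias"] == rcpt.lower():
            return entry["service"]
    return None


def sieve_str(s: str) -> str:
    """Quote a Sieve string literal (RFC 5228 quoted-string)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_sieve(ledger, domain: str = DOMAIN) -> str:
    """Emit a Sieve script: one fileinto block per folder listing its
    aliases, then a catch-all rule junking every other address on the
    domain. Mail for other domains falls through to later rules."""
    by_folder = {}
    for entry in ledger:
        by_folder.setdefault(entry["folder"], []).append(entry["alias"])
    out = ['require ["fileinto", "envelope"];', ""]
    for folder in sorted(by_folder):
        addrs = ", ".join(sieve_str(a) for a in sorted(by_folder[folder]))
        out += [
            f"# known aliases filed into {folder}",
            f'if envelope :is "to" [{addrs}] {{',
            f"    fileinto {sieve_str(folder)};",
            "    stop;",
            "}",
        ]
    out += [
        "# anything else sent to the catch-all domain never reaches the inbox",
        f'if envelope :domain :is "to" {sieve_str(domain)} {{',
        '    fileinto "Junk";',
        "    stop;",
        "}",
        "",
    ]
    return "\n".join(out)


def classify(ledger, rcpt: str, domain: str = DOMAIN):
    """Offline mirror of the script's decision for one envelope
    recipient: its folder, 'Junk' for an unknown alias on the domain,
    None when the rules do not apply at all."""
    rcpt = rcpt.lower()
    for entry in ledger:
        if entry["alias"] == rcpt:
            return entry["folder"]
    return "Junk" if rcpt.endswith("@" + domain) else None


if __name__ == "__main__":
    demo = make_ledger([("acme", "INBOX"), ("weekly-digest", "Newsletters")])
    print(build_sieve(demo))
```

The script matches on the SMTP envelope recipient rather than the `To:` header because spam to a leaked alias often carries a different or empty `To:`; the offline `classify` mirror is only there so the routing can be checked before the script is uploaded to the provider.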
I've done this for some time. <companyname>@<mydomain>.com makes it easy to see who sold my address, easy to make a filter for that inbound address if needed.
Maybe there are security benefits? If every site has both a unique email and PW I figure automated attacks are a bit less likely. Could someone figure my clever email scheme out? Easily.
My thinking is it's like being chased by a bear when out hiking with friends. You don't have to outrun the bear, just one of your friends. I'm probably not willing to achieve perfect security, but if I can be slightly more difficult to figure out than <next person on the list> maybe that helps?
I do something similar with my passwords, where I include the name of the website in there in some manner. Definitely not very secure, but probably better than simply using the same password everywhere.
I remember something tangentially similar from a long time ago.
I used to use a bookmarklet that would act as a kind of password manager, by generating a unique password for each service based on the domain name and some user input as a seed.
So you just have to remember a single “password” that gets added to the seed, and which never actually leaves your computer.
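The bookmarklet idea above (one remembered master secret, a per-site password derived from it and the domain, nothing sent anywhere) is easy to get subtly wrong: the site label has to be stable across `www.` and non-`www.` URLs, the derivation has to be slow and keyed so one leaked site password reveals nothing about the master, and there has to be a way to rotate a single site's password. The following is an added example, not the commenter's bookmarklet, whose scheme is not described. PBKDF2-HMAC-SHA256 with 600,000 iterations, the host with a leading `www.` removed as the site label, a numeric rotation counter and the 20-character output alphabet are all assumptions.

```python
"""Derive a per-site password from one master secret and the site's
host, so only the master is remembered and it never leaves the machine.

Added example for this thread; not the commenter's bookmarklet. The
KDF, iteration count, site-label rule, rotation counter and output
alphabet are assumptions.
"""
import hashlib
from urllib.parse import urlsplit

ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
# Ambiguous glyphs (0/O, 1/l/I) left out so the result can be typed by hand.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@"


def site_label(url: str) -> str:
    """Stable label for a site: lowercase host with a leading 'www.'
    removed. https://www.example.com/login and example.com give one
    label; accounts.example.com gives a different one, which is the
    usual pitfall of host-keyed schemes and is deliberate here."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def derive_password(master: str, url: str, counter: int = 1, length: int = 20) -> str:
    """Slow, keyed derivation: the site label and the rotation counter
    go into the salt, the master secret is the PBKDF2 password. The
    256-bit output is re-encoded into ALPHABET by repeated divmod, which
    avoids the modulo bias of taking each byte mod len(ALPHABET)."""
    site = site_label(url)
    salt = f"site-password-v1|{site}|{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS)
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def uses_alphabet(password: str) -> bool:
    """True when every character of the password is in ALPHABET."""
    return all(c in ALPHABET for c in password)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed master secret
    for url in ("https://www.example.com/login", "example.com", "accounts.example.com"):
        print(f"{url:32} -> {derive_password(master, url)}")
    print("rotated:", derive_password(master, "example.com", counter=2))
```

Two practical caveats the paragraph does not mention: the master secret can never be changed without re-deriving and resetting every site password (the `counter` only rotates one site), and a site that silently restricts length or character classes will need its own override, which is exactly the state a real password manager keeps for you.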
The best approach is to buy a domain name and set up your mail host with a catchall address. For example, I use Fastmail for mail hosting, and they support this at a reasonably priced tier -- but I can switch to another mail host if I want, and keep all my addresses. With 33mail it sounds like you'd be locked in.
This is why Apple's Hide My Email feature is incredible.
If you don't know, it generates a random email that forwards to your real iCloud account. You have full control over both deactivating the email (pausing it) or deleting it (permanent).
Apple will automatically suggest one of these emails when filling in an email form element which makes it even easier.
Incredibly helpful when signing up for new accounts or any other purpose.
I've been doing this since 2013 and the only spam I ever get is from the one email I put on my websites.
Spam filters are so good that the spam never sees my inbox (I use RunBox.com email because of their extreme privacy).
The only downside: I have to keep this domain FOREVER. If I sell it, and someone else connects it to a mail service, they will have access to all of my email addresses.
Could you share practical tips on how to implement this with reasonable effort? Email providers that let you create aliases on-the-fly? Tools and workflows for automatically creating them on your own domain? For different OS (Windows, Linux, MacOS) and hosting providers?
The article talks a lot about imagining how Facebook can track you with your email. You don’t have to imagine, just go to “Off Facebook activity” in the settings. You will see a list of companies that have uploaded your email address to Facebook so that they can target ads at you.
I always use unique email as well. Just recently I started getting spam at newrelic@domain.com. It was easy to see where spam came from and add New Relic to the list of companies I’d not do business with.
Or install https://wildduck.email or a Mail-in-a-Box type of server; just host it yourself. The WildDuck web interface already allows you to make unlimited aliases.
Edit: multiple typos