Hacker News new | past | comments | ask | show | jobs | submit login
Tell HN: After 10 years of experiments, custom username emails receive no spam
377 points by sbf501 on Aug 15, 2022 | hide | past | favorite | 351 comments
For 10 years I've been using a custom email for every retailer I shop at that asks for an email address, always in the form of "company@mydomain.com". I did not keep track of how many custom emails I used (hundreds, easily), but I have received spam from exactly zero of these accounts.

The only account that I received is one I used on my public website as a "mailto:" link. 100% of my spam comes from this address. I host on runbox.com.

Is the fear of "people selling your email to spammers" a modern myth, or are spam filters that good?

I would argue the former since I still get 30 spam emails a day from my website email address, and zero from companies that ask for them.




Is the fear of "people selling your email to spammers" a modern myth, or are spam filters that good?

Email databases for sale are not always for spam or malware. They are often used for tracking and cross marketing calculations. Placing a companies name in the address will signal a canary and they may likely filter your contact out of their database or at least flag it and treat it differently.

I've been using email canaries for decades but recently had to adjust my canaries to be less obvious. A few vendors got upset that I had their name in the address and one even accused me of fraud and canceled my $500 gift card. That was the Tractor Supply Company.

Either way I will continue using canaries and multiple domains as it is a good way to be filtered out of some cross marketing databases and to avoid some behavioral tracking and some machine learning. It is also useful to find companies that get upset. This is an indicator to me they lack integrity and should be avoided. Canaries are also a good indicator to detect if a company has been compromised.


> A few vendors got upset that I had their name in the address

A few years ago I created an account with a freemium publisher with the email address their.domain@my.domain and as soon as I logged into my account I had full unlimited access to all content.

I suspect their system had a routine that detected staff accounts based on a string search for their domain.


I've seen this bug in prod while consulting. Bad regex.


Just adding an @ to the string match would make it a bit more robust. (Would still be vulnerable to jim@their.domain.my.domain, so add a $ on the end if it’s a regexp.)

But even with the most rudimentary web-dev languages you can replace the inner string match with a lowercase transform, split on @ and perform an exact string compare. Insanely simple stuff. Probably still a one-liner in any sane/productive framework.


Frameworks usually have some sort of email parser. Email parsing is non trivial. But I agree matching .*?@domain.com$ would probably work fine.


Definitely use a real email address parser if it’s available, easy and/or you’re dealing with unknown email addresses. But absent any strange circumstances there’s also nothing wrong with basic string manipulation if it’s done properly (e.g. split on @ and test for an exact string match, case insensitive). As personal preference, I’d choose that over regexp.


Hackers deliberately create strange circumstances, it's the primary way to find exploits. Any code that relies on a lack of strange circumstances is a time-bomb.


There aren't too many strange circumstances for a properly written split/test routine. Described more precisely:—

  1. Split on @
  2. Get last string from array
  3. Convert to lowercase
  4. Perform exact string compare against target domain
It's possible that there's some window for obscure unicode hijinks, but I'd posit that a regexp parser or a "proper" email parsing library is just as at-risk. Possibly more so as those would be significantly more complicated and involve significantly more code.


What is the purpose of the ? here?


It makes the preceding * less "greedy". I don't think it has any effect on the set of strings matched by this regexp, though, which is a simple string suffix check.


I agree, but the dot should be escaped because it matches any character, so "@domain\.com$" should just works for.


Or use [.] so it's super clear on the a-human-is-reading-it parse.


I don't think that's clearer because for [.] I need to remember that . does not need to be escaped in character classes whereas \. is quite clearly an escaped literal character without any advanced regexp knowledge.


I dunno, but I've seen a bug like this in prod while consulting.


Non-greedy match (match what's necessary nothing more.)

The default is greedy... match match match nom nom nom!


> A few vendors got upset that I had their name in the address

I have had this happen a few times.

> Canaries are also a good indicator to detect if a company has been compromised.

Yep, this is a fantastic use case.


This is exactly my use-case and experience after many years of custom catch-all'ing.

I've noticed a couple breaches, and also a few unexpected transfers of my email address between semi-related parties.

Just once it appeared an address was sold via a marketing list, after filling out a lead-form for a free online conference hosted by multiple companies that you've seen on HN.

Surprisingly, unsubscribing tends to stop emails from everyone.


Slightly easier* than running a domain, i've had luck with myemail+CompanyX@gmail.com when signing up to CompanyX. Gmail handles the '+' transparently (in the same way as it ignores '.') and delivers the email to myemail@gmail.com.

It is fun to receive a survey about "an anonymous company you have used in the past"... sent to myemail+uber@gmail.com.

*yet less reliable, '+' in email addresses isn't always accepted, and when it is sometimes only partly, e.g. signup works but password reset doesn't


Wouldn’t it trivial for them to strip out all values from + to @ prior to selling your address?


Yes. I've written code that does this for parsing leaked email lists before as part of a normalizing step.


I imagine the challenge is knowing what parsing rules apply to which domains. Gmail supports the + thing, but that's non-standard. Is that something you tried to handle in a general way?


> Gmail supports the + thing, but that's non-standard

Plusaddressing is valid and has been since 1982[1]. It's part of RFC822 and the subsequent RFC2822.

The fact that many websites do not allow + in an email address during validation is a common programming mistake and the sign of an undertrained engineer.

[1] https://people.cs.rutgers.edu/~watrous/plus-signs-in-email-a...


> The fact that many websites do not allow + in an email address during validation is a common programming mistake and the sign of an undertrained engineer.

Or just sanity.

I am totally onboard (https://news.ycombinator.com/item?id=31797121#31822961) with having compliant parsers (or just not using them)

But the RFC from what I can recall is _wild_. I can't find the part so maybe I am mixing something else up, but I believe you can embed comments into an email address.

All I am saying is that the possible scope of valid email addresses is likely so large, trying to write a parser for them is a sign of an underexperienced team rather than not having one at all.


Sorry, I should have been clearer. Gmail will place messages for user@gmail.com and user+foo@gmail.com in the same mailbox. The grandparent comment talks about normalizing the address by removing stuff after the +. This sort of deduplicates the addresses. Other platforms may have distinct mailboxes for user and user+foo, so you can't strip it on those platforms. The mapping of user+foo to user is non-standard.

There won't be a general approach to deduplicating addresses that map to the same mailbox as the mapping rules aren't always public. But for Gmail, the rule is public, so a best effort deduplication could strip the +.


Malicious actors are probably going to implement the Gmail parsing rules before they even look at the standard.


Not sure why this is downvoted. I can imagine non-nefarious reasons to collect these lists.


Why do people downvote stuff that simply triggers them? This is useful info


Because it's cruise control for not needing to justify their point of view whilst still pushing their perspective. Sick, right? Votes and e-peen points have to be the worst aspect of HN and Reddit.


It's spam detection evasion.

Also, depending on the legislative framework, it might be illegal: If I give company my email address with a plus and an identifier in it, I give them permission to contact me under that specific email (with the plus on it). If I as a result receive emails under another address (without the plus on it), this might be a GDPR violation.


The original post never said they were using these lists to send unsolicited emails. It's your assumption they are a spammer; while I said I can imagine non-nefarious reasons to collect these lists.

For example: A lot of pentesting companies offer "darknet research" as part of their engagement; these have a non-nefarious use for these leaks, including private addresses: Given a list of customer's employees it's easy to guess some obvious Gmail/GMX/Yahoo/... addresses and check if they might be affected by any leaks (password reuse is pretty popular, especially with the not so technically minded). Troy Hunt, who runs haveibeenpwned, uses these lists as well; I suppose he normalizes Gmail, too.

Yes, OP could still be an evil /dudett/..., but while "innocent until proven guilty" might not be a HN rule, it's still something I like to assume about random people in the internet.


Hm, just saw: Something ate the "evil dude slash dudette slash ...".


I don't see how it's a GDPR violation, but it does turn any contact into spam - the +less address didn't solicit any contact.

Not that spam laws are enforced or particularly enforceable.


It's a violation because you have to get explicit permission for each and every way of communication. So giving permission to be contacted through a single email address doesn't mean you gave permission for the phone or in this case another email address.


True, though there are marketing comms laws that predate GDPR (at least in the UK) that cover that too - that's what I meant by it being unsolicited spam.

In either case, the existence of the different authorised email address is irrelevant.


it should be trivial, i don't know if many do it - iirc haveibeenpwned.com doesn't


Tbh with GSuite + a 5$ domain I get catch alls for minimal effort.

I used to use + addressing schemes, but abandoned it for the reasons you mentioned (websites breaking horribly).


Exactly. Catch-all setup on Google Workspace/G Suite/too-many-renames is usually obtuse but it’s a one-time tutorial effort.


I wonder if there's a way to script setting it up to be honest, I end up about an hour deep in help docs each time I set up a new domain+email trying to work out how to make a catch all and how to configure the thing so replies come from the right email.


Oh, I’ve never realized replies could be made to come from the right email. I manually add addresses as-needed (once a month or so).

I think there’s an unofficial Terraform provider but I haven’t looked recently.


I can attest to the unstable handling of '+' suffixed emails. UPS allowed me to ship a package as guest with myemail+ups@gmail.com but wouldn't let me create an account with the same email ID. I had no way to track the package pickup onwards.


Can confirm; once signed up as foo+bar@example.com, everything worked (including the confirmation mail)… and then the address was automatically normalized (‽) as foobar@example.com and I could no longer receive any mail (since that's a different account altogether).


There's also the unstable handling of . symbol (dot or dots) in email address before @ symbol. Gmail allows dots in email address before @ and normalizes them, so the same address with or without dots works. This leads to funny behavior such as unlimited account creation with the same email address (yes, + symbol would also work for this but that works almost everywhere and is better known) or my wife thinking she does not have an account while she does, creating a new one instead.


> unlimited account creation

Nice, hadn't thought about :-)


Sometimes it's only partly supported, in the sense that the website will just break if your email has a `+`. I'm pretty sure I encountered that one with both Disney and Royal Caribbean reservation workflows just flat out breaking.


I switched to '-' instead of '+' which was a trivial change in exim.conf and saved my sanity because there was just too many places which either break on '+' or refuse to accept it in the first place.


> I'm pretty sure I encountered that one with both Disney and Royal Caribbean reservation workflows just flat out breaking.

My favourite is services that let you sign up with a + in the address but then break when you try and login or reset your password.


I used to do this, until I had to reply to an automated email for some customer support system. It rejected all my replies because the From: didn't match.


You can send emails with any From: header you wish.


Not from within Gmail's web interface.

I personally use Thunderbird and AWS SES to send mail, but many people who grew up on web interfaces are intimidated by Thunderbird.


> many people who grew up on web interfaces are intimidated by Thunderbird.

That surprises me; it's web interfaces that intimidate me.


Yes, I also prefer Thunderbird. But almost nobody that I've introduced it to was interested in using it.


Yeah you can, you can default it to send from the address the email you're replying to was sent to too.

It's the only thing I missed when I switched to Fastmail. (Which has since added it too, but not before I left in favour of my own SES-based solution.)


I'm certain this didn't exist back when I had this issue.


I'd love to know how. Tips welcome, thank you.


Sorry, it's many years since I've used gmail, don't have an account to check and describe exactly. I suppose I should've said 'you certainly used to be able to', I don't know for sure you still can.. would be dumb to remove that though.

Iirc there was a section of settings called 'sending & receiving', and there was a drop-down to select 'reply from same address' or similar.


That option is only for fixed addresses, not catchall addresses.

I.e. if your main email address is ojford@ojford.com but you're also preconfigured e.g. foobar@ojford.com you could set that option to have Gmail use either ojford@ojford.com or foobar@ojford.com as your return address, depending on the originating email's TO address. However, if you _also_ have a catchall address and somebody sends to newservice@ojford.com, even with the setting set your return address would be ojford@ojford.com.


Hm.. ok, I thought it worked but perhaps not - it has been a long time. I use my own client now, so obviously it behaves exactly as I want :) (which is as you describe).


Does thurnderbird let you change the from on an ad-hoc basis, or do you have to manually add different identities?


Current Thunderbird does enable the From address to be edited in the Compose window, and can fill in that field from the TO address of the message being replied to. Previous Thunderbird versions needed an Addon called Virtual Identities to do this.


How did they expect you to respond to a survey about an anonymous company?


I assume it was a more general survey. Uber might want to know what people are doing for transportation even when it's not Ubering.


I used this to determine that Xfinity was compromise, yet still no acknowledgement despite reporting the issue to them and they went through some spiel about how I received the email by mistake and continue to receive emails by mistake at <randomword>_<randomword>@<customdomain>. The only person I shared that email with was them, and never had the issue with another provider.


If I have to provide an address to get a download link, that address will be either postmaster@aol.com or abuse@domain-of-the-company . EMailing the link to the provided address will probably just make me seek out different software. Make software that users want to sign up to hear more about; don't force them to opt in to marketing just to try something. It's the first impression and sets the tone with your company.


> fantastic use case

How does it work?

If a company to which you have provided an email address, gets compromised, it's likely that you'll start getting automated pishing emails to that address? And that the address ends up in... some "warning" database like Have I Been Pawned, and you'll get notified?

Or something else?

Seems like a good idea :-)


> A few vendors got upset that I had their name in the address

When it happens, I say "this is because your company is so important to me that it has its own mailbox to be prioritized accordingly"

It worked every single time :)


Same, though go with “I use the incoming address name to file things into the right folder, so work things, banking things, shopping, and such, are separated” – I don't butter them up by making them sound important enough that I created a mail inbox just for them.

If they still object then I don't sign up. I've had web form refuse to accept an email address with their company name in, so that sale went elsewhere, and one physical retail store wouldn't let me sign up to their prize draw with such an address, so I didn't. In neither case do I suspect anything of value was lost by myself!


I guess ROT13 could also be a last resort if signing up is important enough.


Slightly mangling the name (e.g. target => trget) is another way.


I had a funny interaction with a financial institution about this at one point. They were having a lot of trouble understanding that company@mydomain.com was the correct email address.

Eventually the conversation went like:

"So you're saying you created a new email address just to use with us?"

"Sure, yeah."

"...That's weird."


The weirdest of these i had were support agents who thought I was a colleague because I usually use <theirdomain>@<mydomain>


I did that for one of my amazon accounts a few years back when i registered at an amazon conference (probably aws reinvent)- i.e. amazon@mydomain.com - and for about 6 months I got onto some internal email list at amazon/aws, definitely not intended for the public, likely because someone queried for all email address that had 'amazon' in the address from this registration list - thought it was pretty funny, but eventually they stopped - someone probably figured out what they did wrong.

Also have one for thifty@mydomain.com (the car rental company) - when they saw my email address at the counter they gave me the employee discount rate - I didn't correct them :)


I got cc'd into internal discussions at the management company for my flat block, about the block.


Fastmail offers a masked email feature for one-time email addresses: https://www.fastmail.help/hc/en-us/articles/4406536368911-Ma...


Yes, and they recently enabled one time emails with your own custom domain, which really helps get around folks trying to identify and prevent this.

This is a killer feature, I love Fastmail.


I wish they'd open this up to use a subdomain, rather than the main domain.


I've seen sites that disallow auto-generated addresses, super lame and makes me not want to use them, not sure how common that is today.


I've seen sites that disallow auto-generated addresses, super lame and makes me not want to use them, not sure how common that is today.

Expect this to change, if Apple's anonymous e-mail forwarding becomes popular.

Just like when IT departments (including the one at my company) insisted that everyone use Blackberries because iPhones weren't suitable for a corporate environment.

Once enough C-levels start using any feature, it spreads like wildfire.


> Expect this to change, if Apple's anonymous e-mail forwarding becomes popular.

They'll continue to block the non-apple ones regardless.


They can't easily filter Apples or Fastmails addresses, since they have @icloud.com / @fastmail.com domains.


How do they disallow it?


I'm not sure if this is the same thing, but I think there are published lists of domains used by e.g. mailinator, so if they see a match they just reject you with a "please use a valid email address" message.


But it makes it very difficult to ever switch to a different provider...


The 1Password integration doesn’t work for me. Not sure why :-(


Works fine for me. Maybe you have some conflicting settings enabled?


I wonder what settings would that be.


> Placing a companies name in the address will signal a canary and they may likely filter

Oh, good point. I guess I may have invalidated all my research! :|


But you’ve stumbled on an even better solution! Now you are spam free + tracking free.


On the other hand, your address is being filtered out, so... win? :D


If you're interested in getting "true" results, perhaps you could do something like this:

name1@website.com

name2@website.com

etc.

In a spreadsheet, you have one column with the number, and another with the company name. You might want to change this up, putting the identifier in different parts of the email address, to avoid similar "canary" signals.

Personally, I use BitWarden to generate usernames for each website, to help keep my fingerprint (somewhat) scrambled. LastPass also has a good username generator. [1] I would just avoid using complete non-sense words, since there might be some amount of human review.

[1] https://www.lastpass.com/features/username-generator


Reading these over the phone to dinosaur financial institutions is pretty unfun though. I was doing something similar with generated usernames, had to call in to reset my password because some places operate like it's still 1983, and the person helping me probably thought I was nuts with my 30+chr random username.


Sounds like you use Bank of America, too!

I had to read my e-mail address to someone there just last week.


I had this experience with a different bank (with an embarrassing email address). I wonder if there's some compliance thing here for banks.


Just writing their name in reverse would probably work, and be less time consuming.


Only if you actually want to receive their spam for research purposes.


> A few vendors got upset that I had their name in the address

rot13 FTW


I’m not sure what encoding this is, but sometimes I do QWERTY shifts.

Google becomes hpphar.

Easy to [en/de]code on the fly by looking at your keyboard.


That's a simple monoalphabetic substitution cypher, as would be any one-to-one fixed mapping.


too much work to remember each time for logins if it's something frequently used. The iCloud way of generating emails is great but only works well on my iDevices. I used to use endjunk.com for everything, and it was the same kind of "anything@you.endjunk.com" setup, but one day they just disappeared with no warning and I lost a few accounts because of that. Learned my lesson and just switched to GMail.


>> too much work to remember

You don't use a password manager?


You probably want to stay upset and explain why they are. I feel working around the issue is counter to the point.


> A few vendors got upset that I had their name in the address

I've had more confused than upset, but Samsung straight-up refuses to accept email addresses with "samsung" in them. I'm not sure what they think they're accomplishing.

I think I get more spam from hacked/leaked email databases than sold ones. Dropbox is the worst (signed up and used it briefly over a decade ago, and now suffer an eternity of spam).


You should've just changed the address to 'spamsung'.


I was offered a few employee discounts by front line associate because of using an email address with a company name. I declined but found it awkward to explain the details.


I also follow this system and have had this. It's disconcerting when companies who manage your PII don't understand the format of an email address.


I added @lists. to the email address and found that it lessened the need to explain.


> A few vendors got upset that I had their name in the address

Kinda annoying of then, maybe I would go for an opaque (or maybe just a simplified) canary. Like the initials or abbreviation


> few vendors got upset that I had their name in the address

No one got upset, but a record label was confused and asked me about it, and another company had their legal department ask me under what license I use their TM ;) In both cases a simple explanation was the end of it.


> another company had their legal department ask me under what license I use their TM

Please name!, or give details of size.

Not for shame — for curiosity!


TÜV Nord [0], 12k employees, 1.37 million € revenue

As I said, one quick explanation of single-use emails cleared everything up.

[0]: https://en.wikipedia.org/wiki/T%C3%9CV_Nord


I have been thinking about using some sort of UUID-generator ([UUID]@mydomain.xz) whenever I sign up for a new site, but I just can not think of a _good_ way to keep track of them.


If only there were some convenient software for keeping track of your unique login names and passwords for each site you use.


If you mean password manager, sure. But I was thinking of e-mails received, how would I know if the emails came from the "right" sites? Would have to open up a text file, or login to my password manager, just to check. I do not think that is a great way to keep track of it.


Seen masked email integration in 1password https://1password.com/fastmail/ Or iCloud https://support.apple.com/en-us/HT210425


Generated algorithmically from their domain.

I believe sqrl uses a system like that.


Database? Text file?


1Password?


I've heard that fraud sentiment several times from friends of mine who do exactly that with the company name in the email address. They've since moved on to a randomly generated string of alphanumeric characters, this is put into a spreadsheet, and they write down when and where they used it.

I'd like to start doing this, but wondering what I would do if I figured out someone had passed the address on or been compromised.


I've had this happen a few times, but I was able to resolve them all except one cadre. Stitch Fix shut down my account abruptly, informing me of "security concerns" and disabled my account without any recourse after I'd spent a bunch of time setting it up. No offering of personal verification mattered. It was disappointing.


Someone should sign up for all the mailing lists with a email address used nowhere else and track the cross-mailings. Maybe a bubble babble hash of the company name as the email prefix, and a big mailer like gmail or protonmail as the server. When the email is leaked and the company does not inform the user, report the company via GDPR.


> Someone should sign up for all the mailing lists with a email address used nowhere else and track the cross-mailings.

I may be misreading your comment, but if not, it sounds like the OP (of this Tell HN) did exactly that.


We used to have one of the top range email marketing software at work. Emails, such as info@, contact@ and some others are automatically excluded and you can't even send any marketing to those.


I'm glad you had a good experience. I had a different one.

I've ran my own domain for longer than you have, and many emails have been compromised.

Some are 100% from companies selling the emails to sister companies.

The majority, though, is from a company itself being compromised by hackers / database access / etc. LinkedIn, Neopets, ProFlowers, TeeSpring, etc. I can go on.


Similar here. I don't recall when I started doing it, but it's been at least 20 years. I get a fair amount of spam from "well, what did you expect?" addresses (social sites, mostly) and some from addresses that are hard to pin down (paypal address might be shared to a seller; amazon address is definitely shared to sellers).

The most surprising one is ongoing spam (and semi-legitimate contacts from recruiters) to an address that I only (intentionally) used at O'reilly. I just checked HIBP and that address was exposed in the July 2018 Apollo exposure.


I'd love a wall of shame that collected all these bad examples.

It would have to somehow be protected against bad actors scrubbing themselves by any other means than no longer being bad actors.


The worst offender for me is an email address I used to get a fishing license from the state fish and wildlife group. As soon as I did that, I started getting advertisements from some outfitter/prepper type places. Not sure if they bought the address or if licensee info is public in my state.


I made the mistake of using my primary address when I decided to get my real estate license years ago.

It’s on another level now.


Probably public. In NJ, you get snail mail solicitations when you register stuff at the DMV.


I have a similar experience. I've been using this system for about 15 years, and have to block one or two address a year due to spam. A couple were due to first party spam that I could not manage to unsubscribe from (Cooks Illustrated, I'm looking at you), and a few scraped from forums (didn't realize the email would be public when signing up). The rest appeared to be due to an account compromise (based on breadth of low quality spam) - oh and less than 1/4 of those sites notified me of a compromise. I don't think I've ever received spam from what appears to be a "legitimate" "business partner" which is what I would expect from emails that were sold.

I also get a handful of spams a month from default addresses (hostmaster, etc), all of which come from Chinese IPs. I don't have any email address posted on my websites to scrape from (mailto: or otherwise), so I don't get any spam from that.

The end result is pretty much no spam. I assumed when I first setup my domain I'd have to configure spam assassin at some point, but that point has never come, thankfully.


Compromises are 99% of those I see (similar setup) - the last 1% is acquired companies that have pivoted/do something else.

It's not quite spam, it's not quite illegitimate, but it's not what I signed up for.


I've seen a shift. Between 2005-2010, I used [company]@[mydomain.com], and I noticed that I would get spam in the form of [gibberish]@[mydomain.com], presumably from spammers who were just targeting email addresses with a catch-call filter. In fact, around that time, my hosting provider, Dreamhost, started restricting email catch-alls to deal with this problem.

But then from around 2010 onward, that type of spam became much less common, and nowadays it's as you say. The vast majority, probably 90%, come from compromised accounts, like linkedin@[mydomain.com]. The rest hit the unique email addresses I have submitted in domain registration forms.

That's even more surprising considering that I've since shifted to using [username]+[company]@[mydomain.com]. Spammers could pretty easily strip off the `+[company]`, but I haven't seen that happen much.


The gibberish name ones may be targeting backscatter. They might have a reply-to with the address they're really targeting.

And that may have dropped off because there was a concerted effort to make it harder to do that around then. In particular, that's kind of what killed qmail as an in-vogue MTA, because it wasn't being updated and you had to use awkward patches to stop backscatter.


We've successfully pushed spam down hard enough that the only people spamming are people who never even see your email address; it's all computerized and they just don't care at all to try to do anything to clean up the lists.


>It's not quite spam, it's not quite illegitimate, but it's not what I signed up for.

If it's not what you signed up for, isn't that pretty much the definition of spam?


You usually sign up for "company updates" or some such nomenclature, but after Bob's Discount Swords pivots to Improved Plowshares™, it's not really relevant anymore.

Then again, I actually fill out that little question after unsubscribing. The above I consider "legit" as long as unsubscribe works.


In my experience, you don't sign up for anything, but are automatically added to mailing lists against your will just for the sin of purchasing something. I never want to get emails from any company just because I purchased 1 item from them. Most people I know tell me they feel the same way, but instead of unsubscribing, they just mark it as spam and eventually it stops showing up in their inbox.

If I want emails from you, I will explicitly ask to be added to your mailing list. Anything else is spam as far as I'm concerned.


> just for the sin of purchasing something

Ah: prior commercial relationship. That's not spam, unless they ignore your unsubscribe request.

I hope you're not notifying the world that your preferred supplier of [X] is a spammer. I like to stay on good terms with my preferred suppliers.


illegal spam ⊆ spam

If I didn’t ask for it, it’s spam, regardless of whatever holes the US has punched in its definition to keep business owners happy.


> If it's not what you signed up for, isn't that pretty much the definition of spam?

Nope. There's not much point in relying on a "definition" of spam that is essentially subjective. "Hey, I signed up for your newsletter, but what you've sent me isn't news to me, or I just don't like it; so it's spam".


No,I don't think so. If you signed up to receive email, then it's going to be hard to show that you received email that's different from what you signed-up for. And if it's not Bulk, then it's simply email - not bulk, and not unsolicited.

That's why it's important that spam continues to be defined as Unsolicited Bulk Email.


>If you signed up to receive email, then it's going to be hard to show that you received email that's different from what you signed-up for.

At least in the EU, if you make a complaint, it falls on the sender to assert the legal basis for sending the email, so it's on them to prove informed consent (if that's the basis they're relying on).

> That's why it's important that spam continues to be defined as Unsolicited Bulk Email.

I'm not sure you've made the case that's important. In the EU, spam has been long defined as unsolicited commercial communications (since the E-privacy Directive in 2002) - no requirement for it to be in bulk.


> In the EU, spam has been long defined as unsolicited commercial communications

True. But spam has existed since long before EU regulators got interested; one type of spam that isn't covered by the EU rules is political spam. At one time I used to get a lot of political spam from US politicians and parties. I've never been a US citizen, and I don't get to vote in US elections - these politicians were spamming mailing lists.

The EU rules specifically exclude spam that isn't trying to sell you something for money. Why? Possibly because the rules are made by politicians, who prefer that their own spam isn't included.


Had the same experience when TD Ameritrade had an employee selling email addresses. My scheme is company+10 random digits, it was clearly not guessed.


I've noticed a lot of "mid size" compromises.

The pizza place down the street uses a third party digital order system, that was compromised. One of the first emails I actually had to blackhole due to the insane volume of spam and attacks that started coming to it.

Also.. my previous landlord. His computer or account got compromised at some point, and that was another email I had to blackhole due to the insane volume of porn spam that started coming to it.


Exactly my experience. The leaked emails are pretty much always related to hacks/leaks of said companies.

I have a couple of addresses that look to have been sold (e.g. addresses used in cheap kickstarter campaigns), but that is more rare.


Seconding this.

And to compound this after doing a half ass job of what OP has done, I recently moved my custom google apps free domain to have a second reception domain i use JUST for this with a `.email` TLD (side note: the amount of tools that don't see modern TLD's as valid is enraging)>

I made the (maybe poor) choice of donating to political campaigns before the last US election using these emails

- `Biden-campaign@` - `democrats@` - `<specific local race@`

All of those I've had to unsubscribe from about 2-3 dozen total OTHER email lists as those emails are literally sold/given out to other campaigns. the biden one being the worst.

Also if you have your own business you'll start getting solicitations, LOTS of solicitations. And god forbid your email is on an old resume, or somewhere else.

Now, is any of this "technically" spam? Maybe but not really. Do I consider it worthless? yes.

But to site your last specific one. I did a search for an address I know was on a compromised product. Specifically a game Heroes of Newerth. They were hacked in I believe 2015 and the list was sold. My email was my old method `name+hon@email.domain`. I get like 20~ emails to that a year and all of them go to spam or are flagged as spam automatically.


Yeah, HoN was the first of my catch-alls to receive spam. Idiots didn't even acknowledge that they have been compromised and insisted that obviously I did use hon@mail.mydomain.tld somewhere else. These days I'd use the opportunity to check how well GDPR works in practice.


Yes, I have been doing exactly the same for at least 15 years now and have had a wide variety of throwaway/registration emails compromised.


Same. I get spam/phishing at a number of the custom email addresses I've used. Including adobe@, elance@, etc.


Let's consider a few things:

1) Just because it hasn't happened to you, that doesn't mean it doesn't happen. I have quite a few examples of companies selling or otherwise sharing, whether intentionally or through compromise, my email addresses.

2) If someone (some company) is going to sell email addresses, it's not unreasonable to imagine that they'd want to remove any addresses that would directly link those addresses to their source, so a quick search to remove any address with the word "adobe" in it when selling Adobe mailing lists would not be unexpected in the least.

Years ago I set out to learn more about the "missing sock" problem (https://en.wikipedia.org/wiki/Missing_sock). I bought a dozen pair of brand new socks and I ironed on labels identifying each and every sock. Guess what? The labeled socks never went missing. The act of labeling the socks dramatically affected the experiment.

Perhaps using companies' names in our email addresses is affecting our results.


> remove any address with the word "adobe" in it when selling Adobe mailing lists

That's a good explanation.


I wonder if OP's custom domain is making it "not valuable" for sale. Consider a buyer only interested in collecting Gmail addresses.


For point 2, at least it's a form of personal protection? Sufficient a reason for me to use it if I'd be excluded from leaks.


This is not my experience, I too have been doing this for 10 years.

In my experience, I got tons of spam, especially after a leak.

By far, the _most_ spam I get to is get to government agencies and medical facilities. I started getting male enhancement messages to my parknyc (NYC parking meters) address in under a week after registering.

Since my addresses are never used for more than one service, I can be reasonable sure they had a leak of some sort, but it is also not suffice evidence to actually report it.


I've had CCs stolen because DMV + FasTrak required CC info and can't use PayPal. PayPal / Shop are great because they don't share your actual CC info with the merchant, only a one-time token for that specific transaction. All credit cards should work this way, where you'd log into your bank or 2FA with your bank (or Visa / MasterCard) and they'd provide the merchant with an auth code or something just for that transaction for that invoice to that merchant, instead of giving them the keys to the actual card.

They even do have something called "Visa Secure" and "Mastercard Identity Check" ( see https://stripe.com/guides/3d-secure-2 ) but I've never seen this come up in practice. I guess it's easier for them to just let merchants assume the fraud risk. We need some laws that put the burden on the card issuers to get them to actually care about CC fraud, but obviously the ones benefiting from the current system are very well-funded and have lots of sway with lawmakers.


All European credit and debit cards have a 2FA enabled. You cannot pay online without authorization from (bank) app.


My Capital One card has virtual card numbers you can generate and you can kill them whenever you need to (or have them only work once). I use them any time I'm buying something outside the major markets like Amazon.


Maybe not 3rd party spam, but definitely first party spam.

I gave a custom username email to a in-person store (big chain) with a rewards program because they were offering a huge discount if you did. Since then they've sent at least 1 email a day, with an average of about two (I've redirected all their emails to a folder I never look at). Which is a particularly remarkably obnoxious rate of sending emails...

I've also split my email addresses in to a public one (displayed in my profile here, on github, on a website, etc) and a private one. The public one gets a spam email or two a week.

Incidentally, I was surprised to discover that pinterest forbids you from having the word pinterest in your email (or did when I signed up).


So just unsubscribe from the mailing list then?

Why are you setting up these custom filters instead of just clicking the link and opting out?


> So just unsubscribe from the mailing list then?

I've encountered many companies that let you unsubscribe, then add you to a 'new' mailing list a few months later. You can usually identify these companies because when you click to unsubscribe they take you to a page with a dozen or more 'newsletters' that you have to uncheck to remove yourself from if you can't find the 'all' link.


Unsubscribe also frequently doesn't carry over when a company is sold to another, who then harvests every email ever mentioned anywhere to send new spam to.


Because it's faster to set up a custom filter than search in the email for a link... I couldn't even tell you if there is an unsubscribe link (I mean I suppose I could go look, but I definitely never did).

Also after getting home and already having multiple marketing emails I was sort of curious about just how many they were going to send, which is why it's in its own folder.


I had custom filters for a while but I stopped using them, it became unmaintainable and caused some false positives.

I then resorted to unsubscribing, but in my experience that doesn't always seem to work. I could be wrong here as I haven't kept track of who I unsubscribe from and if I would still get newsletters after the fact. But I've experienced receiving newsletters from some company I could've sworn I just unsubscribed from a few times.

However it wouldn't be surprising if some website's unsubscribe feature was buggy. I can also imagine it's not being reported. Or if it was it, and you could figure out where to report to, the report would get lost on its way customer support to the people responsible.


I wasn't counting 1st party spam as spam because in many cases I like the information I get (usually sales on things I buy). I should have pointed that out in my post. Thanks for making the distinction.


I work as an administrator to an email marketing server. I'd like to think I can speak on some authority on this subject.

> Is the fear of "people selling your email to spammers" a modern myth

100% absolutely. Your email address itself is not valuable or interesting in any way.

I can't imagine there being an internet black market for random email addresses, but if I had to guess what they would be worth, it would be fractions of a fraction of a cent per email. Meanwhile, Mailchimp charges ~$0.02 per month for every email contact you hold onto. It makes absolutely no financial sense for your average retailer or newsletter to be selling your email addresses.

However, your contact information might get sold if it is attached to high value sales activities. Like if you signed up for a quote on a $50k HVAC system or indicate you are a big donor to certain political causes. Your email address/phone number are valuable in that they are now attached to some pretty valuable purchasing intent. This is where less than scrupulous sites will live to harvest your data.

This is still a bit of an outlier activity. If I sell expensive HVAC systems, the only people interested in this data would be direct competitors. If the information is actually valuable, it will be less likely to be widely disseminated.


> Is the fear of "people selling your email to spammers" a modern myth, or are spam filters that good?

A decade ago I worked for a service that let you send bulk emails.

Any time we thought a customer was using a purchased email list, we came down on them hard or booted them off the platform. Same for other forms of spamming, not including an unsubscribe link, etc.

This wasn't necessarily altruistic: if their emails were marked as spam it would poison the reputation of our sending IPs and threaten the business.

It's clearly imperfect, but the industry's incentives seem to help.


Are people really inconvenienced by email spam anymore? My email is posted publicly all over the internet, it's been used to make hundreds of accounts for various other companies, it's been in innumerable data breaches, and I haven't changed addresses since GMail launched in 2004. In a bad week I might get two spam messages in my inbox. Each one is dealt with in probably around three seconds. On average I get less, probably around one per month.

I really enjoy that the spam filter catches borderline messages like promotional newsletters from companies I do business with that I didn't intend to sign up for. And I can count on one hand the number of times since 2004 that an email that actually mattered was sent to my spam folder by mistake.

Every form of communication I use has spam and most are much worse than email. I get SMS spam, phone call spam, snail mail spam, WhatsApp spam, phone notification spam. In most cases the spam is harder to deal with and a larger percentage of the total. Phone call spam and snail mail spam in particular are way above 50% for me. Even after doing all the marketing opt-outs I can find.


> And I can count on one hand the number of times since 2004 that an email that actually mattered was sent to my spam folder by mistake.

How often do you check? I see a few false positives a week.


Not often, but when I do check I don't find any so I don't see a need to check more often. And I don't later discover that I missed anything either.


> Are people really inconvenienced by email spam anymore?

Now we get inconvenienced by spam in the form of overactive spam filters that take critically important messages from people we've been communicating with for years and files them as spam.


I've been doing this for about two decades, and I've had to block a fair few addresses for spam over that time.

In almost all cases with companies of any significant size/reputation it was entities that either publicly admitted or were publicly called out as having been hacked – so incompetence or the bad luck rather than deliberately selling my details on.

In a few of cases (a couple of hosting providers, a physical-store electronics retailer) it has been a business that had failed before the spam started, so presumably their contacts were sold as an asset as part of the winding down.

I give different addresses to any online forum too — they have seen a much higher rate of addresses needing to be dropped due to spam.

If you use a catch-all address rather than setting up each alias individually then you may get “dictionary” attacks at some point. Early on when I used <varies-by-company-or-other>@domain.tld I saw that a few times, with someone sending to alan@, alana@, alvin@, … Since moving over to <varies-by-company-or-other>@sub.domain.tld (where “sub” is a static sub domain operating as catch-all, with only a whitelist of addresses on the main domain now accepted) I've not seen this again. I don't know if that is because name dictionary attacks like that are simply rare, are not attempted on more complex addresses, or never really worked so spammers don't use the technique at all any more.

Where an address ends in a number, I've seen guesses that increment that number – so as well as getting junk to somecompany2@sub.domain.tld I get junk to somecompany3@sub.domain.tld and so on. I assume this is an address farmer bulking out their database.

One place where passing on of your email address seems rife is kickstarter and indigogo projects. I'm on several mailing lists I've never subscribed to on those addresses, and another appears every couple of months — I don't know if it is the projects themselves or the survey management third parties that are to blame, I suppose I could test that by cycling the address but I'm not been bothered enough to make that effort. I have messages from those lists auto-filed into a folder, and if I'm tempted to support a project I search that folder first – if they have been carried by one of the spammy mailing lists I won't be giving them any of my money. I've saved money on three projects thus far with this. A petty victory perhaps, but I like my petty little victories!


There’s a single reason that I gave up on this method: having to send outbound mail to these companies.

You sign up for a health plan using healthplan@example.com. Great, until you need to send them a document. You send it from myrealaddress@example.com, and they write back and say hey, that’s not the account on file, etc.

So now you have to set up healthplan@example.com, configure it in your mail client, etc. And now you have this long list of special addresses to remember to have to send from, depending on the situation.

Email is already something I loathe. Why would I make it harder on myself?


Fastmail allows sending from any address, the client supports it easily. There is also a few self-hostable mail clients that allow it.

Historically I used a more convoluted method. When I used to use migadu (dont use them) I had a little script that would check the first line of any email I sent myself for a target email and resend it from the receive address. It was janky but worked.


> (dont use them)

Are you able to share what made you stop using them? I've been contemplating trying them out :-)


Here is a fullish comment thread involving me and a migadu employee on the matter. Note he still claims some kind of email was sent at the end (it wasn't). https://news.ycombinator.com/item?id=24974369

There are a few other threads on HN about them as well.

Essentially they are a bargain basement supplier and expect them to treat you as accordingly. If you're happy with that then its fine!


FWIW I use Migadu and think they're great.

But I have few needs. I set mailboxes up, I IMAP to them, that works. They're great value. Job done.


I had some issues with my iCloud "Hide my email" once too when trying to contact support. Either they weren't getting my emails or they were purposefully ignoring my refund requests until I contacted my card company. It is an extra step to worry about, but if your setup is good enough (e.g. use iCloud and use Mail.app), then it's probably going to be easier.


Email alias services can make this process a little easier, though certainly not painless, by letting you create reverse sending email addresses [1].

1: https://simplelogin.io/docs/getting-started/reverse-alias/


Depends on your setup I suppose. I use FastMail for this purpose and it both automatically sets the `From` based on the `To` of the email I'm responding to and allows me to click in to the `From` email and type in whatever I want for the local part before sending.


Ah that’s cool. I don’t think it did that when I used them, and I use Mail.app anyway.


I've been doing this for over 10 years, but I do get spam on some of them.

It comes in two forms.

One is that companies subscribe to the marketing emails without asking. When this happens, they tend to re-offend on unsubscription, so they had to be blocked by blacklisting.

The second form is that they do in fact share my email address with others. Not two months ago booked a hotel in Europe and got a spam from some other company before I got a booking confirmation. So this happens.

That all said, the point of using per-company emails is less about spam and more about denying them an option of collating my online activity. The fact that you don't get spam doesn't mean your email address (+ relevant personal details) aren't getting resold, shared and otherwise vacuumed by the data collectors. That's them I more worried about than an occasional spam.


I too have done this for almost years and it's magical. So easy to see who has been compromised. Also a great protection against phishing because "You need to update your Capital One password" that isn't addressed to "capitalone@mydomain.com" is an instant red flag.


I've been doing it for 20 years. Yes, or conversely, seeing "You need to update your Capital One password" being sent to my custom addresses for AAA, Telecom, Linkedin, etc.


As an additional datapoint, my main email address is publicly available (I obfuscate it when typing out of anti-spam research force-of-habit but it's all over the Internet, public records, people's inboxes, company customer lists, etc etc), in continuous use for 15+ years, and I receive less than a handful of spam per week, almost all of the "Hello owner of $DOMAIN would you like you buy our SEO/etc services" genre rather than garden-variety spam.

Possible confounding factor: I try to keep my personal and professional lives ~separate and so the retailers/etc most likely to be compromised get a personal email address (whose inbox is virtually unusable due to amount of commercial email it receives, though relatively little of that is spam per se).


The vast majority of my spam comes from the bad old days of desktop pc viruses and people using outlook express (say 15+ years ago).

Back then, my college required us to forward our university email to a personal account. That's fine as our personal addresses were hidden and not public.

What was not fine was one day the IT department changed everyone's public email address to their private address. They also changed mailing lists from BCC to CC so that you got to see everyone's email who received the email.

A few hours later after these changes, the spam started rolling in. At first it was a moderate amount of spam, a few messages a day, but it quickly increased. At one point it was up to 200-300 spam messages a day and stayed that way for several years. In any given month my gmail spam count sat between 3,000 to 6,000.

Over the past 10 years, as botnets have been taken down, those numbers have come down an order of magnitude. I still get between 20 - 30 spam messages a day on that account.


I use [company]@[mydomain] when signing up for things. So far the only offender is a porn site I paid for for a while. I was getting weird scam emails sent to that address daily, with text like "Hi [name of site], How are things? Is this your new email?". Surprisingly, when I cancelled my subscription, the scam emails stopped.


Well, after doing this for 30+ years, but not actually trying to run any experiments, I have found the opposite. Of the 1670 email aliases that I've created, I've received spam at about 5% of them. Sometimes it happens years after any interaction, possibly from a sale of assets after a shutdown. Sometimes it happens immediately (within a day or two of being created). Sometimes it's from a breach that the other party may not be aware of (yet). Sometimes it's from a dictionary email attack. Just last week I was spammed from South America to an email address I only ever provided to my local police station.

I have no idea what "hot" email addresses sell for on the dark nets, but it's probably something greater than $0, which means the outsourced third-world CRM workers will scrape and sell them whenever possible.


I'm legitmately baffled by this but thats because its not an actual experiment. You've limited your sample collection to retailers you in particular shop at. They could genuinely be good companies that aren't uncrupulous with your email. Meanwhile, I have no public website and no mailto: links for robots to crawl, yet I get plenty of spam I have no reason to ever receive. For example just looking at my gmail junk mail now I have a message from "ADT security" but coming from this email address which is obviously not their domain: adt45444@vne6bziks1jt25.w1123-4293.norelaut.us


Donate to a political candidate or large non-profit. Those are where I see the most sharing of addresses. I have been doing the same sort of custom emails.


Yup, one donation and I get a never ending stream of different political campaigns messaging me. Unsubscribe from one and a different one emails me the next day.

Marking them all as spam seems to be helping more than unsubscribing.


Seriously. Donate to planned parenthood once and you basically ensure that the company spends more over the next 10 years bothering you than your donation was worth.

And I like PP but goddamn, emails coming from a swath of domains, a neverending stream of physical mail.

I won't donate to them again because the amount of contact they try to have with me is absurd.


Huh, I donated about a year back and, while I think I did get some messages, I unsubscribed and haven't seen any since. How long ago was your donation?


Donate to a political candidate or large non-profit

Can confirm.

Joined an art museum in a major city.

Within a month, the unique e-mail address was getting spam from the aquarium, the science museum, the local PBS television station, and some museums I never even knew existed.


I should have specified that it was only retail, not social media or politics.


Very few legitimate companies will sell lists of raw email addresses, to anyone. There's very little money in it (email lists are cheap) and the potential upside of keeping the email addresses is way bigger, particularly when your email address is married up with behavioral data like what you bought, what pages you visited, what bank you use, etc.

Retailers make money from your email address by trying to use it to get you to spend more money with them. That can be as simple as sending you marketing emails--which many people consider spam! So when you hear people complain about "spam" from retailers, it's often this: real marketing emails that they are mad about getting.

Companies can also use customer email addresses as tokens for targeting in ad networks. In doing so, they may upload your email address to the ad platform. In that case they are sharing it with another company, but it won't result in spam. It will result in greater correlation between the otherwise separate tracking of your behavior across companies. In this case, using company-specific email addresses may actually be an advantage in terms of foiling such correlation.


> Retailers make money from your email address by trying to use it to get you to spend more money with them. That can be as simple as sending you marketing emails--which many people consider spam! So when you hear people complain about "spam" from retailers, it's often this: real marketing emails that they are mad about getting.

This is written like it's "not spam", but I'd consider that unsolicited marketing emails because I bought something once to be clearly spam - the only way these emails would not be spam to me would be if there was some sort of affirmative, opt in that was clear about what you're opting in for.


One big exception to this is political campaigns and non profits who will sell all the info they possible can on you for 2 cents to as many people as they can.


FWIW, I've been running a similar experiment (granted, for only 2 years) only instead of specifying the company name I'm using a random term (e.g. purplerabbit@domain.com) and found similar results. No 3rd party spam thus far (though I found a few companies that continue to send marketing materials, etc. even after using all available unsubscribe options).


I have been doing the same thing, for about the same amount of time.

The only "actual" spam I ever get are for email addresses where the marketplace has shared my email address with the seller. Ebay, especially. I have to rotate my ebay email address periodically and block the old one in order to keep the spam down to a reasonable level.

However, I still use custom email addresses when signing up with various companies/services because the trend over the last five years has been for every company (large and small) to automatically subscribe you to their asinine daily newsletters and other marketing crap even when you specifically opted-out on signup. Yes, the emails themselves _usually_ have unsubscribe links, but those only have a 50% success rate in my experience. And this is from otherwise reputable companies. Easiest to just block the whole email address and move on with my day.


Buying a house. Lender immediately sold my email and phone number and I’ve been getting about a dozen aggressive sales messages a day. But hey, maybe it’s just a few bad apples.


Phone, physical mail, e-mail too. Buying a house probably netted me more spam than anything I've ever signed up for online.


They call this “Life event marketing” - one of the companies posting physical mail to me declared the name of the company that they got my details from so I could then contact them and ask them to take me off the list.


I’ve been doing this for over 20 years, and have the same results. The only spam I get is to a few addresses where there was a data breach (LinkedIn). I have another account where I don’t do this, and it gets around a dozen messages per day from the completely illegal spammers (no opt-out, etc).

However, it’s entirely possible I’m not seeing many messages that are getting blocked by spam controls (gmail), so I hesitate to draw any sweeping conclusions about it.

I’m also very cautious about what I sign up for. I can say that from what I’ve seen with others, the amount of spam and phishing is very dependent on what you do. For example marketing people need to go widely distribute their addresses as part of their job, and I definitely see them receiving far more spam/phishing than others.


After doing the same since 2003, out of ~200 email addresses used 18 are listed on HIBP, ~15 receive dozens of spam emails a day (or rather: would receive if I hadn't completely blocked them) and ~10 see almost non-stop login attempts from all around the world via IMAP and SMTP.

Address linked with "mailto:" on a contact page had to be blocked after a few years. Same with WHOIS addresses (published before there were sane privacy rules for those). Address with "@" and "." replaced with "at" and "dot" receive no spam at all.

Summed up, there are a few hundred inbound messages a day. Spamassassin and some basic postfix rules filters almost all of them. One or two a month get through.


This is a very bad idea which I have also done and am currently in the long process of undoing. I have >800 email addresses on my own domain. What happens if I do not renew the domain name - either by accidentally missing the renewal date or in the extreme example, if I die? At that point anyone can register the domain and can receive (and send) email for all my accounts, very likely leading to the accounts being compromised. Even if I'm dead I still don't want my mortgage or bank accounts being hacked, I want them in the hands of my heirs. So yeah... very bad idea or at the very least, not worth the minor reduction in spam for the risk.


I think spam to email addresses found in data breaches is more likely.

An address I used only for Comcast Xfinity gets a surprisingly large amount of spam. (I'm no longer a customer and have disabled the address.) I'm not the only one to suspect they've had a data breach:

https://news.ycombinator.com/item?id=30062511

https://news.ycombinator.com/item?id=30980625

https://news.ycombinator.com/item?id=31118355


Having your email in a mailto: link is no longer the spam vector that it used to be. I’ve had my writing email posted as such on my website for over a decade and it gets no more than one spam per week and those are all caught by the gmail filter.


Krebs recently had an article on email aliases[1], and one thing I found interesting is the report that spam list managers actively remove obvious aliases completely because those addresses are low quality (they want to sell their lists, so they promote that their lists are higher quality) plus the aliases can result in being the first tip that a database has been leaked.

I've had obvious aliases at a number of compromised databases and so far none of those generate any spam. In fact, recently I received an email from some white hat that my address was part of a site that has been hacked twice and the site-owners have not reported it, so the white hat was sending out email blasts to tell people. I've never been spammed to that address.

Where I've seen one alias spread when it somehow ended up on some political list. A non-political blogger's newsletter address has spread from here to kingdom come and I suspect that the blogger had someone else managing the sending of that newsletter who decided to borrow the list, and the people he gave it to decided to do some more sharing.

[1] https://krebsonsecurity.com/2022/08/the-security-pros-and-co...


It's not just spam, but it being passed around between businesses without your consent (or maybe if you read some massive terms with a lawyer hat on you did).

E.g. I bought insurance after looking at a comparison site, used different email addresses for each, and then found out the comparison site must've passed on 'my email address' to the insurance company when I got a later email, that turned out to be from a third company contracted to do part of their business; to whom they'd given the wrong email from my file, the one I didn't know they had.

It's not a huge problem, but it makes you aware of these things.


I do this and I definitely get spam to addresses associated with e-mails leaked or sold in bulk to the highest bidder. I rarely _see_ it as most of the time "unsubscribe" link works (for sold e-mail lists, as the buyers usually try to maintain some sort of decency) and for those where it is useless (shameless "enlargement" type emails, usually from stolen email databases) it is usually classified correctly as spam by an e-mail provider or e-mail client.

So, I never had to explicitly filter e-mails out by "To:" field, but using this system still gives me some sense of control.


I wrote a blog post[1] about my experiences with custom usernames and how I regret it. It was previously covered on HN here[2].

I came to the same conclusion as you, but additionally decided it has been a major waste of time and I'm slowly trying to undo it

[1] https://www.notcheckmark.com/2022/06/catch-all-domain/ [2] https://news.ycombinator.com/item?id=31585463


This is exactly my experience. Had I seen your HN post I wouldn't have bothered, because you've summed it up nicely. Especially the looks of disbelief I get when I say my email is their company name. Did it at a pet store recently and the cashier said to me: "You don't have to give me a fake email, just say you don't want to give me your email."

There's no real need to undo it now, however. It is more of after thought.

(I also didn't realize that I now must own this domain FOREVER because if I sell it, the next owner will have all of my email addresses for password resets.)


Since 2005 I have been using unique randomly generated email addresses for every retailer, rebate, forum, SaaS, etc. Out of these ~550 unguessable addresses I have deactivated ~15 due to security incidents on the other end. Notables from this short list:

- digikey.com (Feb. 2021)

- gamasutra.com (Jun. 2017)

- buydig.com

- kickstarter.com (May 2017)

- seagate.com (2016)

Of course this doesn't include the addresses I have had to disable because companies either started sending me "legitimate" promotional emails I did not request or they did not respect my unsubscribe requests (I believe this is what we used to call "ham").


I've been doing the same for so long I can't even remember when I started. Yes, I do get spam to some of those emails, and yes, it is nice to block them. That said, the thing that's kept me doing this so long is this: on two occasions, an address given to a financial institution started getting spam - clearly they were hacked or had an internal user selling emails (I remember when that was worth good money - I doubt it is anymore).

It was an early warning for me to change my password at that bank (this was pre-2fa), so the practice has kinda stuck with me.


Where I'm getting (or rather was getting) spam, apart from my main address:

- My Kickstarter address (well-known leak).

- My Paypal address (probably leaked through a web shop).

Both email addresses have been blocked since then. I also got a spam mail through one address I used for a forum, though the forum owner denied that they were ever hacked, and it stayed at that one single mail, so... not sure what happened there. So yeah, it does happen, and when it happens it's nice being able to just block that address completely within seconds and use a new one.


I had a Yahoo account created in year 2002, the time when most of the sites including Yahoo Mail (I suppose) did not support HTTPS. Not sure if that was the reason but with every email exchanged, I found the number of spam messages kept increasing. Later in around 2015, I started using Yahoo's 'Disposable Email Addresses' features but the spam load on my original email address was too high that I had to create a new user account in a year or two later.

I still use Yahoo Mail primarily because of its 'Disposable Email Addresses' super-feature. For my new Yahoo account, I have maintained the habit of creating new disposable email addresses for every site I need to register with. The disposable addresses always contain the name of site/organization I am registering with. I have also kept a few pre-created email addresses at my disposal :) in case I need to provide one on a retail store.

In last five years, there hasn't been a single spam message on any of these disposable addresses. I always had the option to delete these addresses as soon as I start receiving spams on them but until date, I never needed to exercise them. The messages that are moved to Spam folder are always false positives, so in a way, I don't lose sight of any message just because the mailing service decided to mark it as spam.


I have a similarish story - I went to New York once (I didn’t book it). I connected to the hotel WiFi and any other free WiFi in the area. I wasn’t using TLS. I received a lot of New York related spam for a while.. it dropped off after a while - I guess these lists have a shelf-life.


I use an alternate spam filter process. I use a "+" sign in my gmail address. So I would subscribe to a promotion/giveaway with username+company@gmail.com. This is a great way to catch which promotion/company sells your email address to unwanted companies.

Caveat, sometimes an unsubscribe website can't handle the "+" symbol in an email and you'll continue to get spam. So, just add a filter for that "TO" email to forward to the spam/trash folder.


What's stopping websites from just removing '+company' from 'username+company@gmail.com' and emailing you at 'username@gmail.com'?

Even if the website you provide it to doesn't do that. Anyone who buys it can.

I'm guessing the answer is, "Most companies are too lazy", but that seems like a weak behavior to depend on.


My guess is that they're too dumb to send marketing emails to people who are obviously taking trouble to NOT receicve marketing emails.

Sending emails to everyone on the planet is one thing; but taking pains to send emails to people who are clearly trying to dodge them seems terminally stupid, and I'd fire anyone who was trying to spend my money on an effort like that.


From having experience in email marketing, I highly doubt companies are editing email addresses before send. But you are right though, I have had signups that denied the "+" via JS.


Most recently Chatbooks sold my email to some T-shirt companies. Or maybe they were pwnd. Either way, I wouldn’t call this a “modern myth.” You’re fortunate to be so spam-free.


I've done the same for about 20 years, usually using <company>@<mydomain> or <theirdomain>@<mydomain>

When I start receiving spam at one of these aliases, I'll update my email address with the relevant site(s), then after a cooldown period to ensure no more legitimate mail arrives at the original alias, I'll use the original alias as a spam trap - any mail sent to it is learned as spam, then accepted and discarded by my MTA.


Maybe its the spammers' filters that explain this? company@mydomain.com might be stripped from their mailing list because lots of folks do this. Me for instance.


I've done the same for decades, and I definitely receive spam from some of them.

The most spammy of them has been equifax, but that one was so publicly hacked that I didn't need spam to know about it. Confirmation has its value I guess. It'd be nice to know if equifax sold the information and got hacked, that's entirely ambiguous and now equifax has plausible deniability thanks to the hack. Le sigh.


Given your results it certainly seems so. However, I know of quite a few companies who required people to sign up with their email addresses to play their free games and then sold their addresses to marketers. Perhaps you wouldn't count that as spam since the emails sent had some substance? Or perhaps you only reveal your email to trustworthy sites and not to free gaming sites and such?


I've done this as well for over two decades, but with no spam filter besides mailavenger/greylisting for a time.

I've gotten spam to places that have had their databases leaked and widely reported. Off the top of my head, Zynga and Consumerist.

I've also gotten spam from individual eBay vendors (etc), to my ebay@ and paypal@ address. But there's no way to particularly stop that, beyond knowing that ebay and paypal leak my email address.

I get a lot of spam to an admin@ address on a domain I bought that was evidently in use previously.

I also get spam from companies I used quite a while ago, and were either acquired and renamed, or are still in business. I haven't purchased or even signed into the website of "PCB Fab Express" in over 15 years, but they still see fit to email me.

In general I don't find it that much of a hassle to hit 'd' on spam, hence not particularly caring about a spam filter, or not setting up a procmail recipe that bounces the spammy businesses.

FWIW I actually don't get much spam any more to the first category of email leaks. I'm sure it goes in waves with whatever lists are in vogue.

I still do find the custom email addresses nice for creating a small impediment to cross-referencing surveillance data, and don't see any reason to stop them. If the saying "YourCompany@" to a Your Company rep was really that awkward, I'd switch to opaque shorter handles, but it hasn't been a problem. Sometimes I'll just own it and say I do this so I know when companies sell my email address to spammers.

Also, I read my email with mutt in a terminal, possibly passing it through lynx when I need to. If my client loaded image bugs or other html nonsense, my experience might be much different.


I do the same and it's true that those receive little spam. Not zero however; I just received minutes ago spam that was sent to britishairways@<mycompany> for example.

The bigest spam magnet is the email address one leaves with a registrar; that is horrible.

Then come contact@, webmaster@, and other generic accounts that spammers can guess for each domain.


I have a feeling LinkedIn is the new spam abuser. I have no direct proof (it could be me signing up to a shady conference / email list) but the moment I got a new company email address and a co-founder title, the floodgates got opened, I get 4-5 "handcrafted" (automated to look like ones) emails plus the "following up to make sure you got my email" or "bringing it up your mailbox", most have no unsubscribe links and have a "let us know if you don't want to hear from us again". From legal services, graphic design, off shore hiring / staff augmentation, financial services.

I get it that people need to sell to stay in business, so does my company, but it's starting to be a nuisance, especially since it many times passes the spam filters, and each email gets 2-3 "just following up" emails.


Hi there,

On August 8th, 2022, DigitalOcean discovered that our Mailchimp account had been compromised as part of a wider Mailchimp Security Incident. As a result, a number of DigitalOcean customer email addresses may have been viewed by an unauthorized individual.

Impact to you No customer information other than email address was impacted


It happens sometimes. Most recently, an email address I supplied for a dog-dna testing service I used almost 10 years ago (https://www.wisdompanel.com/) received spam about some unrelated service called "okta"


I've been doing the same for 20+ years (started in 2001, at the time hosting my own sendmail), so I have used custom email aliases in thousands of sites, from retailers, banks, government websites, and everything else you can possibly imagine. My recent experience has been similar to yours, but it is a more recent development.

In the beginning I used to receive a lot of spam -- sometimes dozens per day. I'd frequently get blasted with dozens of the same spam, to every possible alias they had access to. Sometimes they would use randomized From: addresses or other small customizations to trick spam filters, but frequently not even that.

Also I remember receiving spam on addresses used for companies which had never publicly disclosed they'd been hacked (looking at you, NYC MTA [1]). A few times I tried reaching out to the company to alert them, but it was always met with skepticism, plain denial, or outright passive-aggressiveness (e.g., "_How do you know?_", potentially implying I was involved). Fool's errand.

At some point I moved to Gmail when they started offering Google Apps for Business with custom domains. At the beginning their spam filter was very weak, but it got progressively better.

Over the last 5-6 years, the volume decreased dramatically. At most I get a couple of dozen emails per week (almost all flagged as Spam). I'd imagine the combination of IP filtering, email authentication (DMARC, SPF, DKIM), and ML-based spam filtering got so good that spam isn't profitable for anymore.

I also monitor my domains with Have I Been Pwned [2]. As of today, I have 59 of my aliases in leaked databases -- which is a small fraction of the leaks I've experienced firsthand over the years.

[1] https://twitter.com/GuiAmbros/status/1555358970516328449

[2] https://haveibeenpwned


I only have 2 addresses that receive spam:

1- An address I used for buying an RPi from a french retailer (kubii.fr) which seems to have had a data breach

2- An address I used at Decathlon when I signed up for 4x payment plan. They seem to share the address you use with Sofinco which keeps spamming me even after unsubscribing.


It's not just companies selling your email address to third parties, it's also companies that keep your email on file and then get compromised.

Most of the spam/phishing I get is from companies that stored my personal details and then got hacked.

I would say it's likely you just got lucky.


I've been doing this for about 5 years. So far none of my company specific email addresses have been leaked, but it has let me black hole some emails (eg Intel) because their unsubscribe systems are broken.

I wish I'd been more aggressive at switching to it as the one account I got the most spam from was Kickstarter when they got compromised. I'd say 70% of all my spam came from that one breach. That unfortunately was an email address I can't burn.

I use SimpleLogin.io now after hand rolling a solution for a few years after I saw it linked from a HN post. The caveat is that my family members that hang off one of my domains struggle to understand it, despite them only seeing the personal Gmail account I created to receive their email to.


I also do this and my emails appeared on DB breaches so I got spam there.


I had to abandon an email address for similar reasons. I added a mailto link on my website and within weeks started to notice some spam. I then removed the mailto link and replaced in the format of, "me [at] domain [dot] com" but it didn't help much.

Eventually I created a new email address and just used that all high priority stuff that I needed to read. All was good for a while but then a couple of companies that have my email address got hacked and I guess my info must have been sold because since then I've started receiving spam emails again. It's manageable at the moment, but I wonder if there will again come a time that I have to start over with a new email address.


Side note: if you’re an engineer that implements your sign up to force email from a “real domain”, screw you. I’ve run into multiple sites that force you to have a Gmail, Yahoo, or whatever else account and it’s obnoxious. It does nothing. Stop.


This happens time and time again, enumeration, outright breaches etc - I've used aliases for as long as I can remember (2 decades maybe) and it's always the people you least expect - probably the most annoying one is where an azure specific alias was somehow enumerated and gets nonsense daily, mailgun also had an unacknowledged problem where you could enumerate domains during verification.

These days I'm moving to a completely randomized not human memorable model, because often the obvious aliases are also tried.

Incidentally I don't think I've ever had aliases shared they're typically just harvested as part of breaches or incompetence.


I use the same strategy. Same as you, the only email address I get spammed on is `contact@domain.com` because I link to it directly in my personal site. I would prefer to use randomly generated UUIDs instead, but keeping track of which service is what would be a huge headache.

That being said, this alone seems to work great! I've always been curious about how many tracking companies have sophisticated-enough logic that they can tell two email addresses from the same domain belong to the same person. Probably not many, since it's such a niche solution.

Now I need to get better at using random names instead of my own, when possible.


> Is the fear of "people selling your email to spammers" a modern myth, or are spam filters that good?

My experience with generated one-per-contact addresses is similar. I think pretty much 100% spam came from the ones I use for Usenet.

In my case, mail destined for these addresses bypasses all anti-spam checks, so I know it's not the spam filters: there are none.

(Filtering mail destined for generated addresses is counterproductive; you often need them in situations where maximum deliverly reliability is paramount. Plus, such a system is a complete anti-spam scheme; it doesn't need to be combined with any other.


The problem is not bad intentions or selling your information.

The problem is that they copy it into a DB and it is a globally unique identifier. Once this happens you have lost control. You can never ungive that GUID. Your only recourse becomes spam filtering or migrating to another email GUID and waiting until the new one gets leaked all over the intarwebs and then doing it again. Phone numbers are even worse.

The solution is fairly simple, as discovered by the OP. Don't give out the same GUIDs when you sign up for an online "relationship".

It is a shame this pattern exists, people should stop designing accounts like this.


This has been exactly my experience. I have use custom email addresses online for at least 13 year and I have (almost) never gotten spam to these addresses. I have no spam filter on my account, so if I received spam email I would know.

There have been a few random incidents. I did get one spam message to my kickstarter email address, presumably because some project I funded did not protect my address. I also once got spam from a reservation I made for brunch at a local jazz club.


My biggest spam vector is an email address that is old enough that I used it on usenet back in the day. Pretty much any email that was used on email ended up in every spam mailing list.


Just don’t ever donate to a non-profit or political campaign. There is no unsubscribing, ever. I mean, they have unsubscribe links, but those don’t actually do anything AFAICT.

You also can’t stop them from sending you postal mail.

Fortunately non-profits and politicians are lazy and they all use just a few emailers which you can identify via the headers, so a couple Fastmail rules catch most of it. NGP VAN is the worst offender on the Democratic side, and can be identified by “Return-Path:” contains “bounce.myngp.com”.


I've been doing this for a few years (first manually, now via FastMail's MaskedEmail feature) with good success. The only issues I've had are when one service gives the address allocated to them to another, related service. An example of this that recently occurred was when a service I wanted to use only offered GitHub SSO. That service was then handed my GitHub-only email address. I've had the same thing happen at Kickstarter. Overall a win, but still annoying.


I do the same but regularly get spam. I just got a spam email today for automobile insurance and the source was an automotive buying company I used about a month ago. The businesses don't appear to be related in any way.

The strangest one ever was an email address given to a boutique spa hotel in Oregon showing up on spam announcing a new production from a local California community musical theatre. I must have given the hotel my zipcode as well so the email was sold based upon my location.


I have 31 addresses (of hundreds-thousands) over a similar 10 year period 2012-2022. My guess is that most of these are things where there's been a database leak (often these appear in the hibp database).

> Is the fear of "people selling your email to spammers" a modern myth, or are spam filters that good?

If your spam filter is catching something, then you're receiving spam, it's just not being delivered.

For the most part, I get more ham (false positives) than negatives (actual spam).


You got lucky. Somehow you managed to avoid any one of those retailers being hacked and ending up in an email dump. Somehow you also avoided any website that does marketing or promotional emails (idk how?) Many companies put it in their ToS that they will send promotional emails by using their service. I'd wager next to no one wants a marketing email but businesses still delude themselves into thinking their customers won't hate them for it.


You know what received spam till I blocked it? ledgerwallet@domain.tld

I don’t think any half-way decent sites are selling your mails to spammer, but hacks and breaches happen, as they did to ledger [0].

Besides that, there’s a chinese store and a vaping store that both have no easy unsubscribe, so those addresses are also blocked.

[0]: https://haveibeenpwned.com/PwnedWebsites#Ledger


I've been doing this for 2-3 years. Probably also in the hundreds of emails given. I have had one such email used for spam.

Edit to add: I have no spam filters on those accounts.


Depends if they get breached haveibeenpwned.com style. I definitely and clearly get spam from several breaches. Some is generic (it’s on some big spam list) and some of it is targeted - like crowd funding campaigns spamming the hacked list of kickstarter accounts - which I am surprised how much of I get given how community driven such things often but I guess are not always.

Some of these addresses were the unique style you mentioned.

So I guess you’re just lucky.


I have similar experiences in general, however I've been unlucky enough to be a victim of a couple of leaks like Adobe, Invision and Gfycat. Some marketplace retailers also leaked my email and couple of smaller stores too. Totally worth to know this. That said - my general info@ email that's semi publicly (simple js obfuscation) available on the website is orders of magnitude more spammed than those leaked ones.


So has anyone discovered a simple way to track all your canary emails in a tool like haveIbeenPwned ? That's been the only reason I don't 100% of the time generate an email per site.

I've also found burnermail to be a super useful tool, they have a chrome extension which lets you generate a site/day specific alias and have it forward to your inbox, you can block them in their site too.


If you own your own domain, haveibeenpwned can show all compromised addresses for the entire domain. I don't know if it supports wildcard/pattern emails for things like gmail's plus addressing feature.


I’ve noticed the same, I wonder if they filter out emails that contain the company name when selling lists?

I do often get asked if I work for said company when giving it in person or over the phone, and I just say it’s so I know if it gets sold or leaked I know where it came from.

I seem to remember a few years ago I couldn’t sign up to a service with the company name in the email, but that’s the only time I came across that.


Email is a lot less valuable these days, exactly because of how good the spam/categorization filters have become – huge kudos to gmail for this.

Phone number on the other hand – it is a nightmare – how every service (office front desk, apartment front desk, car wash, restaurant, barbershop etc) takes your phone number and uploads it to some spam database and then you get so many spam sms and calls.


I’ve done the same, and there have been a dozen or so online shops, usually smaller-sized ones, for whose associated custom addresses I’m receiving spam. I don’t think they are selling their data, rather, they are getting hacked by third parties.

There’s also cases like Dropbox who had a data breach a few years back, and for whose associated addresses I’m receiving some spam since.


I do the same thing with my email and have actually gotten a few spam mails as a result. I have of course contact said companies and told them about it. None of them seems to be blatant selling of data, though.

However, I am receiving a _bunch_ of spam email to "first.lastname@mydomain.xz". I do have one default inbox everything goes into, if it does not match a filter.


Meanwhile I do basically the same thing (different provider)

I could (and should) shame at least a dozen decently well-known organizations, just ridiculously low on my list to go digging again.

Surely partly due to filters, but also our activities/circles - and the control over their data. A lot of compromises lead to leaked lists of addresses to both spam and target for gaining access


I did that for years, and probably need to do some digging into the "catchall" mailbox they all dump into. I've had a few start receiving spam, which is how I knew when those companies had had some sort of data breach (looking at you, United Airlines, happened at least twice!) even if it was only via a third party marketing firm or the like.


I've been doing a similar thing and I do occasionally see things. I've recently been getting spam from my Mackie email, for instance—They were either compromised or sold off their email list.

More often I've had to directly block companies whose unsubscribe links just wouldn't work. I have a very low tolerance for that—If I unsubscribe I mean it.


I use fastmail and I have created many aliases. Some in order to avoid spam, others to help organize my inbox.

One of my aliases was clearly compromised and it is now sent a lot of spam.

Do I simply delete the alias and retire it and update my email with whatever services I care to hear from?

As an aside, I have found the spam filter on Fastmail to be pretty bad. Anyone else have this experience?


> others to help organize my inbox

This is a big one for me. Some companies will send me mails from a bunch of different email addresses, sometimes with different domains. So much easier to have one rule for one of my email addresses than a bunch of rules for a bunch of theirs that I don't even know of yet.


Right, exactly. Aliases are unlimited so I err on the side of creating too many rather than having too few.


As an aside, I have found the spam filter on Fastmail to be pretty bad. Anyone else have this experience?

Same. I love Fastmail, but even after almost a decade of training, spam filtering is quite bad compared to eg. Google Mail.


I have Fastmail fetch email from my Gmail inbox. Spam that clears Gmail's filter and lands in my inbox, that Fastmail then retreives, ends up in my Fastmail spam folder.

Fastmail catches what Gmail does not in my case. Though the reverse has not been tested.


Totally, I think I forgot how big of a deal Gmail's spam filtering was especially when it first came on the scene. I remember now :)


Similar experience here, although I have only been doing it for about a year or two.

I have received exactly one spam email where I could identify who sold the db (or maybe it was leaked and they haven't owned up yet).

Most of the spam I receive is to an address I used before that leaked in some hack a while ago, so that one is truly for sale everywhere at this point.


I actually also do this and get into funny episodes because people think I work for the company when giving out the email address in physical stores.

One time I actually got my phone fixed faster because the receptionist thought I was Samsung worker (samsung@m.....pt) and their store were Samsung partners.

Anyway, I also do not receive any spam on the custom ones.


Do any password managers support you having your own email domain and automatically creating an email address when you create a new account (ideally not just using the company’s name but something random perhaps to not give this away)? Like in a sign up form it could generate “helloworld99@domain.com” as well as a password.


Afaik 1password together with Fastmail, see https://1password.com/fastmail/ or https://www.fastmail.com/1password/, respectively.


This is a good idea and something I've been looking into, it should be easy enough to do but I'm not sure you can hook things like auto fill in browsers and I'd imagine it could be easily abused (that is, trigger on another extensions auto fill)

I actually have a service in the works that has a simple API to create aliases etc, with hosted imap though not forwarding because forwarding is stupid. The main issue though is by itself it's not useful, it needs browser integration etc


> Is the fear of "people selling your email to spammers" a modern myth, or are spam filters that good?

I've been using custom email for a couple of decades. Definitely get spam on a bunch of them, including recently.

The worst though is the email I registered with the county clerk for voting. That one gets a ton of spam.


Ironically, my "spam-magnet" email doesn't get spam, but my "official" email gets tons of spam. It started out with people that bought my email address specifically to spam a different person with my name. Now I also get generic spam, probably as a result of scraping it from my pdf resume.


checks spam folder

godaddy@kraln.com allwinner10@kraln.com couponmom@kraln.com ppcgeeks@kraln.com

Each one either directly or indirectly related to a known breach (i.e. haveibeenpwned). It's not just selling your email that could happen, but also careless IT security resulting in your email getting in the hands of spammers.


That's absolutely not my experience. I still receive spam sent to adobe@<my custom domain>, following their data breach in 2013.

It's not exactly Adobe selling my email to a spammer, but a data breach, and then marketers decided that would be a good target to blast their marketing emails.


Fastmail user here. I can testify to this strategy. I consistently keep my inbox zero and almost zero spam. Either way, the Fastmail spam filter is excellent. This is from a non-technical user who doesn't use sieve rules (which are even better and more granular)!


I've also used company@mydomain type emails for about 6 years and my experience is different. I've had to close down several addresses due to spam. The worst offenders have been PartyPoker and Skrill, which appear to frequently sell my email address to unrelated gambling spammers.


I do the same, and so far I've had two leak through:

1. keen.io when they sold to a PE firm 2. 1password - we're not sure why this one happened, 1password's security team worked with me to dig into it and it's likely that the name I used was just too generic and landed on a keyword list.


I have. Signed up at MyFitnessPal with a unique handcrafted address (alias), ended up getting spam a few months later (and still do, several years later).

Confronted them about it and got accused of being sloppy and hacked... I am certainly not the smartest person alive, but I'm not a complete clown.


I have the same setup since forever but I do occasionally find one of the custom emails being used as SPAM (when this happens, I either delete it or replace with a new one). So it's very clear to me that those companies in specific either sold or had it's data stolen somehow.


You should try signing up for a few chinese pcb manifacturers, your email will end up all over the place.


I do the same thing for the last several years and the only email that was spammed is the mailbox used for Digital Ocean. Seems like they had some leak (or may be sold that data, not sure), but I received spam emails with some sketchy links only on that email.


It seems it can happen in Australia. Only a sample size of 1, but I took a trip to Melbourne earlier in the year. Prior to that, I hadn't received any Melbourne-centric spam. At some point during the trip, I started receiving spam from various Melbourne businesses.


Another anecdote, but after visiting https://apiworld.co/ conference I receive a couple spam software sales emails a day. I unsubscribed to all of them for awhile but still get them years later.


Been using Hide My Email from Apple’s iCloud and I’ve been really loving it!

Semi permanent fake addresses ending in @icloud.com that forward to my gmail address. Apple is also one of the few companies I’d probably trust to the task.

Wish it was a standalone app rather than buried in the settings menu.


> Wish it was a standalone app rather than buried in the settings menu.

I could say the same about Passwords. I'm happy that they * finally * got passwords out of that relic called Keychain Access and into the System Preferences, but they could do even more.

I hope to see an actual "online security" center on iOS and macOS within 2 years, with passwords, temporary emails, even learning material.


I also wish they had a standalone app to help manage the addresses. Like so many of their good features, eg password management, it can be a bit too hidden for those up us who want some control!


I signed up for a magazine subscription, and was added to a ton of spam email offers. So maybe not retailers but there are plenty of businesses that will sell your email. Charities are another good example, they make a lot of their money selling their donor lists.


I’ve been doing the same for thirty years. I do get spam to these addresses.

The most frequent recipients are the ones I rotate annually for LinkedIn. Mostly UCE rather than scams. Anecdotally it looks like 2019-2020 was a lousy period for their information security.


People that have sold my account immediately:

- my last lettings agency. Lettings agencies are scum.

People that have been compromised:

- an aws account (!) - local city council

I use a <service>.<date>.<nonce>@<domain> setup, the nonce has only protected from various colleagues being major PITAs.


One sure way to start getting spam with ANY email, is to publish an application on Google Play Store. You'll start getting emails not only from advertising offers, shady SDKs, or Android development, but event for unrelated products from China.


Usually event organizers keep selling your e-mail address after you gave it to them. Some events are explicit about it, others not really. It's not like they really ask you, it's more or less a condition to join the event in most cases.


A simpler way to do this is to append the company name to whatever gmail you're using e.g. if my email is bob@gmail.com you could use bob+amazon@gmail.com. No matter what you put after the '+' it'll still get sent to you


The problem is that plenty of poorly-coded signup forms reject the plus character as invalid within an email address.


It's also easy to strip with a regex


What email service are you using?


After Robinhood's data breach, I get tons of cryptocurrency-related phishing emails sent to "robinhood@mydomain.com". I've had a few other vendors sell / lose my email, such as an escape room in another city.


I do the same thing. A few of them (Adobe, linkedin) have gotten hacked and spammed to the gills (so I black hole them) them but it’s often rare and I’m realizing it’s not worth the effort to micromanage email aliases in this way.


Isn't using company@mydomain.com a clear indicator that there is a catch all adress on @mydomain.com? Which makes it even harder to avoid spam once it is obvious that you can send to whichever email you want on that domain?


Disabling “Load Remote Content” setting in email clients seems to reduce spam too.


Email spam is the bottom of the barrel compared to tracking people on Facebook.


I have regularly used two gmail accounts for 13+ years. One of them receives tons of spam every day and has two dozen haveibeenpwned entries. The other one receives little spam and has no haveibeenpwned entries.


This is bad timing since this has dropped off the first page of HN but just today I got a scam email to my home loan address cenlar@whatever. So the fools either sold my address or were hacked.


I think it might be related to the loading of remote image / tracking pixel, but since I started using mutt, my spam has been reduced by about 30%. I don't think I have changed anything else.


I have gotten random spam email to one so far from https://parkmobile.io/ and it came from them getting breached.


I too do this, yet I occasionally receive evidence that my address was sold or stolen. I've confronted one company about the problem, and they outright denied that they had any part in it.


I've been doing the same (also for about 10 years). A quick scan of my spam folder from the last few days shows drizly@, eventbrite@, homechef@, and sunany@ were all leaked at some point.


I don't care if someone sells my data, I care if some company gets compromised and doesn't tell me. And it makes it harder for bots to crack the same account at multiple places.


I get spam on three emails: public one listed on a website (obfuscated by JS), one that got accidentally published on a WHOIS record, and the one I use for recruiters & career websites.


I did the same thing. I noticed that every now and then some dodgy site would sell on the email and I would get spam from those for a year or so. Then they would stop emailing those emails.


I have no spam on my gmail account. All I do is every time some new spam shows up I immediately unsubscribe. I might get new spam maybe once a month but that’s easy to unsubscribe from.


I've been doing the same thing and also have gotten no spam to the non-main address. That said, I don't get much spam at all. I recently decided to stop the practice.


Is this not what “+” addresses are for?

Many email providers automatically create a folder with the “plus” name.

For example: youremail+company@yourdomain.com

Creates a folder named “company” and puts those received emails into it.


If they do sell the emails it'd be a simple job to clean them first (i.e remove any that explicitly mention their company name) Spammers are a pain in the ass, but not stupid.


Spam is just any unwanted email, and I'm sure you're receiving plenty of those. I assume what you haven't received are phishing emails with malicious links?


Do you have an automation system to create the aliases that you can use ad-hoc without being in front of a terminal? Or do you just use + in the email address?


If you rely on a web-based generator, be sure to find an in-browser implementation. If I had one on the server-side, I wonder what passively collected secrets would float by.


If you can program rules into your email server, you can easily just ignore anything to company@mydomain.com that does not originate from something@company.com


I am doing the same exact thing with my domain and getting spam to accounts such as ParkNYC (NYC parking payment app) and other companies that should be safe.


I also use email aliases to identify companies who sell my data. A few did it, and keep doing it, despite my many complaints. Definitely will continue doing so.


Try having common firstname.lastname@gmail.com and using that address for a decade+, the spam is a constant deluge that very often gets by the spam filters.


I've done this since 1998 and generally agree with you, although I've had a handful that get spammed. Maybe I sign up to more dubious sites.


Another data point - I do the same thing. Out of the 100's I've done it for, about maybe 3 seem to have been compromised.


I've received spam to seven different addresses, all of which followed breaches which were previously or later publicized.

Just adding a sample.


I get physical mail spam to unique names in billing addresses I have used for retailers.

It's definitely a problem for postal mail addresses.


> or are spam filters that good?

Do know if you are getting _any_ spam or just that all of your spam is marked as such not reaching your inbox?


I definitely get spam at special addresses. Minted (data breach) is one, and another company sold my info for similar interests.


What does your email setup look like stack wise btw? Always curious to hear from people who are hosting their own email server.


You can program your email server to simply drop anything to company@myDomain.com that does not originate from company.com


i think the last time this discussion came up on HN, the conclusion was similar: https://news.ycombinator.com/item?id=30491518

they're not really spam sources but the other criticisms of email tracking/cross marketing apply.


I’ve been doing the same thing for 5 years and the only problem I’ve had is people scraping my email from LinkedIn.


I've definitely had spam to some of mine -- Especially t-mobile after they had a compromize some years back.


Same here. What's funny is that T-Mobile announced that they were going to use a McAfee anti-phishing solution to compensate for the breach. So the thieves who got a hold of the customer data have been using that to target customers with their real names through email, giving them fake invoices for "McAfee services" and links to where they can make payments


Not a myth. 20 years on, still receiving spam to an email address I used to order a male enhancement product.


still receiving spam to an email address I used to order a male enhancement product

Encyclopedia Britannica?


Those were sold in physical form, no email required)


There is another folder for those custom emails: Promotions. Gmail does a pretty good job of categorization.


I use a catchall as well and can confirm your experience. No spam from one-off addresses given to companies.


I never had any spam come to my =@domain email address, despite being scrapeable on the web. ;)


I'd be willing to bet you've not given your email to any political candidate or campaign.


One counter example is MyFitnessPal.

I am doing the same thing as you do, and I am getting spammed on this address.


Catch-alls are fun. Sometimes when I delete and purge an account somewhere (digitalocean for example, the checkbox is literally called 'purge'), all they do is change the user part of the email address:

me@example.org -> _me@example.org. "Yup now the account is deleted, we hope to see you again soon!"

It's too bad the GDPR authority in the Netherlands is much too swamped to care about a literal purge option doing literally nothing. In both instances, I was still able to login to the account with the original password (clearly not information necessary for tax record reasons, or whatever excuse they might come up with). I don't always check the developer console for the API response that might hint at this, and don't delete accounts that often to begin with, so it wouldn't even surprise me if a majority of services turned out to do something similar under the hood.

Screenshot: https://snipboard.io/Y2MpbU.jpg (DigitalOcean's account deletion page, this is the option I checked but was still able to log in. The other offender, I don't want to even give the benefit of free negative publicity.)

---

Catch-alls are fun. Sometimes when I email a company, like Contoso@mydomain.example.org, I will subsequently receive business email from their vendor (helpdesk or IT or whatever service they provide that made my email end up in the autocomplete) that was intended for their contact person at Contoso. I've always let them know but it feels rather awkward and they never reply to me :)


I did the same. The one I used for my Adobe Creative Cloud subscription was drowning in spam.


Another thing guaranteed to attract spam is a public contact email on a domain name.


I get spam to a certain company email. I can only assume it was due to a breach.


my email address is very guessable. I've been using iCloud's anonymous email feature since it rolled out a couple versions of MacOS ago, and my spam has decreased dramatically.


can I ask how you did the custom emails, did you use a password manager to keep track? I have been doing this recently (in the last year) and I'm very happy to see a post about this!


oh, but have you tried applying for a job with custom emails? pretty sure recuriters (inhouse and external) dgaf and will readily sell it


I do the same and on some I get spam


I do the same thing. I've received span on a a few.

Interestingly Gary Johnson (the Libertarian candidate for president) sold my email to Scott Walker (the right-wing Wisconsin governor). That shows you something. Also my United Airlines email got out there in the spam world. I think there were a few others. I finally stopped doing it out of laziness.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: