This is exactly my use-case and experience after many years of custom catch-all'ing.
I've noticed a couple breaches, and also a few unexpected transfers of my email address between semi-related parties.
Just once it appeared an address was sold via a marketing list, after filling out a lead-form for a free online conference hosted by multiple companies that you've seen on HN.
Surprisingly, unsubscribing tends to stop emails from everyone.
Slightly easier* than running a domain, i've had luck with myemail+CompanyX@gmail.com when signing up to CompanyX. Gmail handles the '+' transparently (in the same way as it ignores '.') and delivers the email to myemail@gmail.com.
It is fun to receive a survey about "an anonymous company you have used in the past"... sent to myemail+uber@gmail.com.
*yet less reliable, '+' in email addresses isn't always accepted, and when it is sometimes only partly, e.g. signup works but password reset doesn't
I imagine the challenge is knowing what parsing rules apply to which domains. Gmail supports the + thing, but that's non-standard. Is that something you tried to handle in a general way?
> Gmail supports the + thing, but that's non-standard
Plusaddressing is valid and has been since 1982[1]. It's part of RFC822 and the subsequent RFC2822.
The fact that many websites do not allow + in an email address during validation is a common programming mistake and the sign of an undertrained engineer.
> The fact that many websites do not allow + in an email address during validation is a common programming mistake and the sign of an undertrained engineer.
But the RFC from what I can recall is _wild_. I can't find the part so maybe I am mixing something else up, but I believe you can embed comments into an email address.
All I am saying is that the possible scope of valid email addresses is likely so large, trying to write a parser for them is a sign of an underexperienced team rather than not having one at all.
Sorry, I should have been clearer. Gmail will place messages for user@gmail.com and user+foo@gmail.com in the same mailbox. The grandparent comment talks about normalizing the address by removing stuff after the +. This sort of deduplicates the addresses. Other platforms may have distinct mailboxes for user and user+foo, so you can't strip it on those platforms. The mapping of user+foo to user is non-standard.
There won't be a general approach to deduplicating addresses that map to the same mailbox as the mapping rules aren't always public. But for Gmail, the rule is public, so a best effort deduplication could strip the +.
Because it's cruise control for not needing to justify their point of view whilst still pushing their perspective. Sick, right? Votes and e-peen points have to be the worst aspect of HN and Reddit.
Also, depending on the legislative framework, it might be illegal: If I give company my email address with a plus and an identifier in it, I give them permission to contact me under that specific email (with the plus on it). If I as a result receive emails under another address (without the plus on it), this might be a GDPR violation.
The original post never said they were using these lists to send unsolicited emails. It's your assumption they are a spammer; while I said I can imagine non-nefarious reasons to collect these lists.
For example: A lot of pentesting companies offer "darknet research" as part of their engagement; these have a non-nefarious use for these leaks, including private addresses: Given a list of customer's employees it's easy to guess some obvious Gmail/GMX/Yahoo/... addresses and check if they might be affected by any leaks (password reuse is pretty popular, especially with the not so technically minded).
Troy Hunt, who runs haveibeenpwned, uses these lists as well; I suppose he normalizes Gmail, too.
Yes, OP could still be an evil /dudett/..., but while "innocent until proven guilty" might not be a HN rule, it's still something I like to assume about random people in the internet.
It's a violation because you have to get explicit permission for each and every way of communication. So giving permission to be contacted through a single email address doesn't mean you gave permission for the phone or in this case another email address.
True, though there are marketing comms laws that predate GDPR (at least in the UK) that cover that too - that's what I meant by it being unsolicited spam.
In either case, the existence of the different authorised email address is irrelevant.
I wonder if there's a way to script setting it up to be honest, I end up about an hour deep in help docs each time I set up a new domain+email trying to work out how to make a catch all and how to configure the thing so replies come from the right email.
I can attest to the unstable handling of '+' suffixed emails. UPS allowed me to ship a package as guest with myemail+ups@gmail.com but wouldn't let me create an account with the same email ID.
I had no way to track the package pickup onwards.
Can confirm; once signed up as foo+bar@example.com, everything worked (including the confirmation mail)… and then the address was automatically normalized (‽) as foobar@example.com and I could no longer receive any mail (since that's a different account altogether).
There's also the unstable handling of . symbol (dot or dots) in email address before @ symbol. Gmail allows dots in email address before @ and normalizes them, so the same address with or without dots works. This leads to funny behavior such as unlimited account creation with the same email address (yes, + symbol would also work for this but that works almost everywhere and is better known) or my wife thinking she does not have an account while she does, creating a new one instead.
Sometimes it's only partly supported, in the sense that the website will just break if your email has a `+`. I'm pretty sure I encountered that one with both Disney and Royal Caribbean reservation workflows just flat out breaking.
I switched to '-' instead of '+' which was a trivial change in exim.conf and saved my sanity because there was just too many places which either break on '+' or refuse to accept it in the first place.
I used to do this, until I had to reply to an automated email for some customer support system. It rejected all my replies because the From: didn't match.
Yeah you can, you can default it to send from the address the email you're replying to was sent to too.
It's the only thing I missed when I switched to Fastmail. (Which has since added it too, but not before I left in favour of my own SES-based solution.)
Sorry, it's many years since I've used gmail, don't have an account to check and describe exactly. I suppose I should've said 'you certainly used to be able to', I don't know for sure you still can.. would be dumb to remove that though.
Iirc there was a section of settings called 'sending & receiving', and there was a drop-down to select 'reply from same address' or similar.
That option is only for fixed addresses, not catchall addresses.
I.e. if your main email address is ojford@ojford.com but you're also preconfigured e.g. foobar@ojford.com you could set that option to have Gmail use either ojford@ojford.com or foobar@ojford.com as your return address, depending on the originating email's TO address. However, if you _also_ have a catchall address and somebody sends to newservice@ojford.com, even with the setting set your return address would be ojford@ojford.com.
Hm.. ok, I thought it worked but perhaps not - it has been a long time. I use my own client now, so obviously it behaves exactly as I want :) (which is as you describe).
Current Thunderbird does enable the From address to be edited in the Compose window, and can fill in that field from the TO address of the message being replied to. Previous Thunderbird versions needed an Addon called Virtual Identities to do this.
I used this to determine that Xfinity was compromise, yet still no acknowledgement despite reporting the issue to them and they went through some spiel about how I received the email by mistake and continue to receive emails by mistake at <randomword>_<randomword>@<customdomain>. The only person I shared that email with was them, and never had the issue with another provider.
If I have to provide an address to get a download link, that address will be either postmaster@aol.com or abuse@domain-of-the-company . EMailing the link to the provided address will probably just make me seek out different software. Make software that users want to sign up to hear more about; don't force them to opt in to marketing just to try something. It's the first impression and sets the tone with your company.
If a company to which you have provided an email address, gets compromised, it's likely that you'll start getting automated pishing emails to that address? And that the address ends up in... some "warning" database like Have I Been Pawned, and you'll get notified?
I have had this happen a few times.
> Canaries are also a good indicator to detect if a company has been compromised.
Yep, this is a fantastic use case.