> the Have I Been Pwned data breach notification service created by Troy Hunt, with whom threat actors commonly share stolen data to be added to the service
This. Typically HIBP attribution includes the email of the "submitter". Various data aggregators will contact them and buy the stolen data. Everybody wins*.
Doesn't the value drop dramatically if it has already been shared with Troy and the HIBP database? Or is there a time frame where it has been authenticated by Troy but not yet added to the database?
Many hackers will remove addresses that are obviously unique, including tags, to keep silent which database has been hacked, but it seems inconsistent.
I have checked and known my address was in a hack and it isn't there, while other times it is there. I also wonder if they start filtering out by domain, as they see a domain across multiple databases with unique addresses in each database exactly one time.
Yes, without exception. I want to know who is leaking/selling my address, and usually stop doing business with those who do. It also makes filtering really easy. People sometimes have strange reactions when I verbally give them an email address with their company name in it, especially when I'm a new customer.
All you need is a domain and an email provider that allows catch-all addresses, both of which are easy and cheap.
I always see people claiming they use this strategy, but I never ever ever see people blaming services saying "this and this company sold my data to spammers". Where are the name-and-shame people? Have you ever caught anybody doing anything?
It's hard to distinguish between leaking and selling, but I think leaking is much more common. Dropbox famously leaked a lot of emails in ~2012, including mine - I was never a paying customer and that put me off becoming one or using them (to this day most spam sent to my domain is to that Dropbox address). Two local PC parts companies leaked or sold my email. I confronted one about it and they claimed they hadn't had a data breach, so either they sold it, or they were too incompetent to know they'd been hacked, or they lied - I suspect incompetence but whatever happened they lost my business. A couple more incidents long ago too.
Real estate agents can be pretty aggressive with emailing, but IME respect unsubscribes and don't seem to share/leak emails. I kind of wish I'd used an address per agent instead of per company to see what was happening better.
Non-company uses can also reveal issues. I had an address scraped from a flatmate finding site, and one apparently lifted from a relative's contact list somehow (I only have one I use for family, so that was a concern, but spam to it petered out quickly).
Yes, I was one time suddenly getting wine ads on an E-Mail for a service I signed up for. I contacted the service (rather unfriendly) and they apologized and the unwanted E-Mails stopped.
It's a separate address that can have its own mailbox if need be, but unless you want to keep meticulous records on the go, and refer to them constantly, some sort of pattern is required.
Yeah we run this on our own Proton Mail whitelabel, and for a few customers who have us manage it, mostly for the filtering aspect, and the occasional customer who has the wrong/mis-spelled address in their system and won't change it.
Same here, only issue I’ve ever had was when my email address had the name of the company in it in the format of spamlklcompanyname@domain.com
CS people are sometimes confused by that and I’ve been accused of attempting to hack them by a small shop online because of my email.
Major SMTP provider refused my email address as login because of this. Luckily my moaning eventually made its way to one of their developers who fixed it.
You can't sign up for a Samsung account with the name Samsung anywhere in your e-mail address. Aliexpress another offender. There my email is just spam@domain.
2. Buy a /24 ipv4 block with good reputation (maybe like $10k)
3. Get a rack in a nearby datacenter, rack up a BGP-capable router and your servers for redundancy to run email. Takes about $30k initial setup costs if you buy all new, and about $5k initial setup costs if you cut corners and buy used. It'll be $2k/mo after that, so less than the cost of 1 $100 avocado toast per day, quite affordable.
4. Set up your mailserver of choice, such as dovecot + postfix. Enable either a catch-all address, or use recipient_delimiters. The former means "anything@domain.com" works, and the latter means "user-anything@domain.com" works (assuming your recipient_delimiters are '-'). I recommend using a real catchall.
5. Set up your spam setup, this is the hardest part. I have no guidance here.
6. Point your DNS over, set up SPF and DKIM records, test, and off you go! This should all take about 1 to 3 days if you know what you're doing.
7. Find out that some email will go to spam anyway because you're not using one of the big 4 email providers, but it can't be helped, and anyway no one uses email anymore.
And after that, for less than $30k/year, you have email with catchall or subaddressing support. Nice and easy.
Then, after you do this, you can simply give internet archive the email address "internet-archive@mydomain.com", or generate a random string. If you forget the email you used, you can search your email history for the first email they sent you, and check the To field.
This is hacker news, we're all either founders who have 2 billion dollars in (illiquid) stock options, or FAANG employees making 600k/year, what else are we going to do if we want email?
Sure, you could pay fastmail $40/year for this, but that's not really the hacker news spirit, and no one on this site knows how to count as low as $40.
The real justifications you can give yourself:
Shared VPS hosting pretty much all bans email, AWS, DO, etc all have ToS that say "no email" as anti-spam measures.
Shared IP space will go straight to spam due to people having spammed on it in the past. Buy a /24 to ensure you don't go straight to spam.
Rackspace ensures you actually own your email, at least moreso than with other shared hosting, and owning your email is important.
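The thread describes two ways of handing out a distinct address per service (a true catch-all, or Postfix-style recipient delimiters) and using the tag to spot which service leaked or sold the address. The following is an added example, not code from any commenter: it extracts the tag from a received `To` address in either mode and flags tags that receive mail from sender domains other than the one the address was given to. The domain `example.org`, the message headers and the expected-sender table are all constructed for illustration.

```python
from collections import defaultdict
from email.utils import parseaddr

MY_DOMAIN = "example.org"  # assumption: the domain whose mail we receive


def tag_of(address, delimiter=None):
    """Return the service tag encoded in one of our addresses, or None if not ours.

    delimiter=None  -> catch-all mode: the whole local part is the tag
                       ("internet-archive@example.org" -> "internet-archive")
    delimiter="-"   -> Postfix recipient_delimiter mode: "user-tag@domain" -> "tag"
    """
    local, _, domain = parseaddr(address)[1].rpartition("@")
    if domain.lower() != MY_DOMAIN:
        return None
    if delimiter is None:
        return local.lower()
    _, sep, tag = local.partition(delimiter)
    return tag.lower() if sep else None


def sender_domain(address):
    """Domain part of a From header, lower-cased ("Shop <a@b.example>" -> "b.example")."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def find_leaked_tags(messages, expected, delimiter=None):
    """messages: iterable of (From, To) header values.
    expected: tag -> set of sender domains that were given that address.
    Returns tag -> set of unexpected sender domains, i.e. evidence that the
    tagged address has been shared, sold or leaked."""
    unexpected = defaultdict(set)
    for frm, to in messages:
        tag = tag_of(to, delimiter)
        if tag is None or tag not in expected:
            continue  # not one of the addresses we are tracking
        dom = sender_domain(frm)
        if dom not in expected[tag]:
            unexpected[tag].add(dom)
    return dict(unexpected)


# Constructed sample headers; none of these are real messages or senders.
SAMPLE_MESSAGES = [
    ("Internet Archive <noreply@archive.org>", "internet-archive@example.org"),
    ("Deals <promo@bulk-offers.example>", "internet-archive@example.org"),
    ("Shop <orders@shop.example>", "shop@example.org"),
]
EXPECTED = {"internet-archive": {"archive.org"}, "shop": {"shop.example"}}

if __name__ == "__main__":
    # Catch-all mode: the archive address is also being mailed by a bulk sender.
    print(find_leaked_tags(SAMPLE_MESSAGES, EXPECTED))
```

In catch-all mode every local part is accepted, so the tag is the whole local part; in delimiter mode only the part after the first delimiter is the tag, which matches how Postfix strips the extension when it delivers to the base mailbox. Running the sample reports `bulk-offers.example` against the `internet-archive` tag and nothing against `shop`.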
> Shared IP space will go straight to spam due to people having spammed on it in the past. Buy a /24 to ensure you don't go straight to spam.
I have had no problems with deliverability to Google from an IP on a shared block. I don't send marketing mails or any other kind of spam though. Microsoft blocks my IP but they are too small (outside businesses) for me to care to give them special snowflake treatment.
Deliverability of your own mails is also irrelevant for the original discussion about using unique email addresses for signing up to services - you don't need to be able to send at all for that.
For the “least painful” self-hosted email setup, you can’t be hosting on an IP in a subnet that’s ever sent spam, if you want to avoid being blackholed occasionally. This means you can’t have an IP allocated to you by a hosting provider, or a residential ISP, or a “business” ISP, or any cloud provider. That leaves very few options.
Note that I am speaking from personal experience here. I have been self-hosting email for over a decade, from the same IP, with (roughly) the same DNS records. Occasionally, for no reason, I will end up on the global spam list for Gmail, Outlook, or iCloud - never more than one at the same time, and never with a discernible reason. The best I can figure is that the IP is allocated to me by a hosting provider that occasionally sends out spam from its subnet (aka any hosting provider that doesn’t block smtp). I have also tried self-hosting a different mail server from a variety of residential IPs in different cities and countries, and ran into the same problem.
Not sure if mobile carriers would allow the required ports to be routed, and the connection is usually behind CGNAT, so you can't accept connections from the outside to receive emails. Many home ISPs however can give you a (mostly) unfiltered public IP that once paired with a dynamic DNS service can be reached from the outside. Once the network part is solved, a small cheap box (*Pi like board, mini PC, etc) can be set up to act as mail server, with firewall rules on the router that don't expose anything else to the outside.
I meant just in terms of compute power. Like my isp gives me a static IP with forward and reverse dns, and the box lets me put the phone WiFi ip address in the DMZ so all traffic is handled by the phone. Then the termux app lets me run sshd and other stuff.
And actually I think this is a kind of setup people could get into: an Android dist that focuses on self hosting off an older device.
Some providers allow you to use Alias emails (I think google redirects mail to ia+mymail@gmail.com to mymail@gmail.com), and if you use your own domain, you can just use a catchall redirect and enter a random address (ia@mydomain.com which goes to catchall@mydomain.com).
1/ Buy a domain of your choice
2/ Register an account on Migadu.com and pay them $20/year
3/ Configure your domain nameserver with the settings provided by Migadu
4/ Done.
Voluntary sharing, since afaik they don't pay the criminals to get the data. Either the criminals share it directly (fat chance, usually), or someone else bought it and shared it either publicly, privately with HIBP, or privately with someone who then reported it to HIBP
How this specific instance unfolded, time will have to tell. The leak may have occurred in 2020 for all we know at this point
There is a strange dynamic between the threat actors who conduct these breaches and researchers.
When not used for extortion and for "status" in the hacking community, they share them with researchers (commonly HIBP) to warn people about a site's security and so that site is forced to fix things.
2a = bcrypt, 10 = 2^10 rounds, Bho2e2ptPnFRJyJKIn5Bie is the 22 character salt, hIDiEwhjfMZFVRM9fRCarKXkemA3Pxu is the 31 character hash value, and then there's ScottHelme. Best guess is that the archive.org folks just appended the user name to the stored hash. Maybe once upon a time they didn't have a username column in their table and this was a creative way of adding it.
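As an added example (not code from the thread), a small Python parser for the modular-crypt bcrypt string described above: `$2a$10$` followed by a 22-character salt and a 31-character hash, both in bcrypt's own base64 alphabet. It uses the salt and hash fragments quoted in the comment, returns the cost as 2^cost rounds, and reports anything after the 60-character hash as a trailer that is not part of bcrypt output, which is how the appended username shows up. The field names and the `well_formed` flag are this example's own.

```python
import re

# Modular Crypt Format for bcrypt: $<ident>$<cost>$<22-char salt><31-char hash>
# Salt and hash use bcrypt's base64 alphabet: ./A-Za-z0-9
BCRYPT_RE = re.compile(
    r"^\$(?P<ident>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})"
    r"(?P<trailer>.*)$"
)


def parse_bcrypt(value):
    """Split a bcrypt string into its parts, or return None if it does not start
    with a bcrypt header. 'trailer' holds any bytes past the 60-char hash."""
    m = BCRYPT_RE.match(value)
    if not m:
        return None
    cost = int(m.group("cost"))
    trailer = m.group("trailer")
    return {
        "ident": m.group("ident"),   # "2a", "2b", ... the bcrypt variant
        "cost": cost,                # log2 of the work factor
        "rounds": 2 ** cost,         # 10 -> 1024 iterations
        "salt": m.group("salt"),
        "hash": m.group("hash"),
        "trailer": trailer,          # e.g. a username glued onto the stored value
        "well_formed": trailer == "",
    }


def count_trailers(rows):
    """Given dumped password-column values, return (bcrypt_rows, rows_with_trailer)."""
    parsed = [parse_bcrypt(r) for r in rows]
    bcrypt_rows = [p for p in parsed if p is not None]
    return len(bcrypt_rows), sum(1 for p in bcrypt_rows if not p["well_formed"])


# The salt/hash fragments quoted in the comment above, with the username appended
# exactly as the commenter describes; the second row is a constructed clean value.
LEAKED_ROW = "$2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3PxuScottHelme"
CLEAN_ROW = "$2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3Pxu"

if __name__ == "__main__":
    print(parse_bcrypt(LEAKED_ROW))
    print(count_trailers([LEAKED_ROW, CLEAN_ROW, "not-a-hash"]))
```

Because the salt and hash widths are fixed, the parser does not need to know where the username starts: whatever remains after 60 characters is the trailer. A verifier that compared a candidate password against the whole stored column would fail on such rows, which is consistent with the guess that the suffix was added outside the normal bcrypt code path.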
Friendly reminder to generate a unique password for every account you create so database leaks like this one don't bother you (besides on the site they're used).
I think pretty much the same argument for old-world POTS. While nothing was encrypted, nothing was recorded and someone had to physically access the local copper, which in reality provided more privacy than the future (today) where everything is recorded forever and you can bribe, extort, hack, blackmail, or just for fun leak everything recorded.
Having unique passwords isn’t something you should rely on either. Good MFA practices limit the impact of breaches like this. It isn't an either/or thing, do both.
https://www.bleepingcomputer.com/news/security/internet-arch...