dzek69

I'm using catch all since forever. I regret nothing.

Two stories:

I don't use mails like facebook@domain uber@domain - that's too obvious. And knowing that may often disclose that I actually have an account registered on a given page. I don't want that, so I go full random, using a few words I have in mind, the current few words from the song I'm listening to, etc. So password manager helps me with e-mails too.

But sometimes when a website annoys me (stupid rules for passwords, crippled UX for forms, because re-writing a select component in javascript is such a brilliant idea, etc) I tend to insult the company I'm registering with using my e-mail or password, I mean mail: this.freaking.store.is.dumb@domain.com and pass: goDieInPain1312323$$$$. Once I registered an account for a supermarket loyalty card with some very little insult towards the supermarket. Later I got some huge amount of the points collected and their system crashed and I had to contact the support (the bonus was too high for me to give up on that). First via e-mail then via phone, when they were confirming my address. They helped me and said nothing about the name I was using.

Another story:

When I started with catch-all I was actually using mails like companyname@mydomain, and when I once contacted them via phone the person talking with me was not very into tech I think and was accusing me of... I don't really know exactly, but she told me something about me using their stuff without their acceptance, when I tried to explain that's my own domain she told me I cannot use their name, because that's a copyright infringement. Weird.

mixologic

I have been using a catchall domain since 2004 and it has been a lifesaver.

The sad part is when your email leaks from big companies, you definitely know. I started getting viagra spam delivered to equifax@mydomain.com back in 2007, long before their "big data breach", so it was only a matter of time before that company's pattern of poor security caught up with them.

Email should have always been a bidirectional address, representing the relationship between the sender and receiver, and not a wide open receiver for anybody who happens to have your address.

schoen

> Email should have always been a bidirectional address, representing the relationship between the sender and receiver, and not a wide open receiver for anybody who happens to have your address.

That does seem beneficial for the most part, but do you have ideas about how to handle the use cases like establishing new relationships (what, if anything, do you put on business cards?) or allowing the general public or a broad audience to contact you (what, if anything, do you put in advertisements, on your web site, on slides of a conference presentation, in an e-mail signature on mailing lists?).

test6554

Phone numbers too. Can you imagine if you could give out a different phone number to each company and you could put a call limit, allowed call times, as well as a date expiration on the phone number you gave out. It could all be linked to specific companies, where if you got a spam call, you could report it and the company you entrusted it with would get a fine, or possibly the call would simply not go through.

al_borland

The email service Hey (from the makers of Basecamp) has a feature where the first time someone emails you it goes into a screening bucket. You can then approve those senders who are allowed to email you. If you don't approve, you don't see the emails anymore.

I initially signed up for the trial when the service launched. The first or second time I went to check the site/app it wasn't working. I was pretty much done with it at that point. I probably should have given it more of a chance and maybe they worked that out, but at $99/year for email my tolerance for issues is pretty low. They did (I suppose still do) have a lot of neat ideas around email though.

hunter2_

I think it's simply a hybrid approach: you'd handle those unknown contacts with many:1 addresses (since there's no real alternative, as you imply), and you'd handle most known contacts with 1:1 addresses.

A benefit is that you might let messages to some or all of those 1:1 addresses be sorted one way (e.g., they ping you) while messages to some or all of the many:1 addresses are sorted another way (e.g., you only check for them with a much longer interval). But then again, a diligently-maintained contact list can be leveraged to achieve same...

ben0x539

To take the tracking logic further, I think you'd do `businesscard-<date for that particular print run>@example.com`, `<name of conference>-<year>@example.com`, `<name of mailing list>@example.com` etc. Maybe come up with something snazzy yet still unique-ish for the presentation slides.

In practice, I suspect the intention is mostly to use catch-all addresses for situations where the email address is a key in a database and like a login and stuff and not an entry in an individual's contacts list.

EGreg

Actually, centralized databases like DNS are a symptom of a larger problem: society is so used to the idea that you can centralize power, votes, money etc. in one place. It is why we have celebrities and state governments, and privately owned social networks. It is also why smart contracts are still based around blockchains and they allow weird things like flash loans, because only one transaction can run at a time for the whole world.

So the problem is that bill.gates@gmail.com or bill@microsoft.com is accessible to anyone who can use the SMTP protocol. And a phone number is accessible to anyone who texts it. That’s crazy.

Instead, we shouldn’t have DNS or centralized domains at all. DNS is just a glorified search engine that only really helps you find the root resource at a site, the /index.html thing. The vast majority of URLs on the Web aren’t going to be verbally shared anyway so you may as well store them as non-human-readable strings and let people save some local or hosted index. The titles and other metadata can be taken just like google does.

In this case, sending an email would require the recipient to have given out a capability that was received by you. And if some capability was compromised, they’d just deactivate it. It’s like this dude’s email aliases, but far better.

vorpalhex

hello@mycatchall.com

Or if for a specific forum - hello_slashdot@mycatchall.com

MiddleEndian

> Email should have always been a bidirectional address, representing the relationship between the sender and receiver, and not a wide open receiver for anybody who happens to have your address.

Ideally, this would also be the case for physical mail. Multiple revokable tokens, not publicly tied to your physical address.

al_borland

Not having your mailing address tied to your physical address would also have major benefits when people move. Simply update your address with the post office and you're done.

The whole idea of revokable tokens would pose an issue for any company that sends bills, as I assume revoking address tokens would be common with them. I'm sure there are many situations like this.

test6554

Dang, you could trade stocks with information like that.

OJFord

I have a couple too:

Panicked phone call from a jeweller who wanted to know how and why '[their] domain was in my email address'; think he sort of understood once I explained, but still said something like 'can't be too careful in this business' - well sure ok but what am I going to do with.. oh nevermind!

Password lockout/reset over the phone, reading my 100ch 'memorable phrase' as generated by pass... Gave the guy a good chuckle, and no he was not willing to concede by the umpteenth 'upper case A' or 'backward slash' that I obviously 'knew' the phrase and could surely be relieved from reciting the entire thing... I use shorter ones now.

cortesoft

That is a major downside with putting gibberish in for answers to security questions… lets hackers socially engineer support into letting you get access by saying something like, “oh man, I just mashed on my keyboard for that I don’t remember!”

You would hope it wouldn’t work, but it probably will.

jedberg

That's why I always put legit but wrong answers in. Can't really guess because they're all different and made up, but also can't say, "Oh I just mashed the keyboard".

brewmarche

That’s a good point. It’s better to use wrong but plausible answers or random sentences (some password managers can generate phrases from a word list)

silverhydradev

I do the same thing, but for exactly the reasons you described, this type of passphrase can be vulnerable to social engineering.

nicoburns

Bitwarden can generate xkcd style English-word pass phrases that can be useful for this kind of scenario.

yellow_postit

Same with 1Password. Has been a life saver with a family account.

inetknght

> I don't really know exactly, but she told me something about me using their stuff without their acceptance, when I tried to explain that's my own domain she told me I cannot use their name, because that's a copyright infringement. Weird.

I can't tell you how many non-techy people think I'm part of their company because I have yourcompany@mydomain. Sigh. Big companies have ruined the internet by having everyone have @gmail or @hotmail or something.

trelane

The "best" is when you can't even sign up without having an account at a Large Company e.g. gmail or outlook. I'm not sure what that's supposed to prevent issues with.

Sure, you can add "+thing" after the username portion, but those that know this bog standard trick can still automatically derive your email address and get around your filters. At least with a dedicated username portion a human has to think for a second.

ben0x539

> those that know this bog standard trick can still automatically derive your email address and get around your filters

Not if you default the other way around and autodelete all mail that doesn't have a "+thing". :V

justin_oaks

If you use Gmail then you have a couple of ways besides using the + to make a variation of your email address that will still come to your inbox:

1) Use dots (period or full stop) between letters in the username part of your email address. For example, if your email is abcdefg@gmail.com then a.bcdefg@gmail.com and a.b.c.d.e.f.g@gmail.com also get routed to you.

2) Use @googlemail.com instead of @gmail.com in your email address.

I have a Gmail address and I use these other variations whenever a company rejects email addresses with + in them.

Semaphor

Which companies are those? Is there a list somewhere? The only time I ever encountered this was with AliExpress.

Semaphor

Another no regrets catch-all user. Looking into my rules, I have 4 "to" addresses that get sent to spam.

Two stories as well:

a) After contacting a company, I got a mail from their legal department asking me to explain why I’m using their trademarked name in my email

b) Using an online-shop that requires emailing the owner for your order (so he can send you a PayPal invoice and then snail-mail you the music CDs you ordered…) I got a personal message attached of him asking why his label’s name is in my email address.

In both cases, a short explanation was sufficient, though.

bambax

I too have been using a catchall email address since some time in the last century, and it's been cool, although the post is right when they say

> The truth is no one really sells your email

The reason I started doing this was to monitor if someone would transfer my address, and it's never happened. You also get more spam because every firstname@yourdomain works.

But the weird interactions are good! Last year I wanted to get my kid in a somewhat selective middle school (in France) and the fact that the email I was registered with was name_of_school@mydomain helped, because the principal was convinced I was and always had been a huge fan of the school, to have my email named after them...

People simply don't understand you can have more than one email address -- let alone a million. That's kind of fun.

e40

I actually got a call from a company I bought something from, direct from their website. I had bought it using the email $company@$mydomain. Got a call (in the days before most of my calls were not spam and I answered the phone!) from a marketing person and the guy tried to bully me into ... not sure what. I couldn't even tell, like you, what he was accusing me of... I'll say, it felt really good to school him about the internet and how it worked.

mulmen

> When I started with catch-all I was actually using mails like companyname@mydomain […]

I missed out on a dentist appointment because of this. They thought I was a robot. I blame gmail.

cube00

I've missed out on appointments too, the business owner later told me after I finally reached them on a social platform "that address looked weird so I just deleted it"

Regardless, I still regret nothing, seeing my spam free "catch all" mailbox compared to my spam infested decade old web mail is all I need to know it was the right choice.

aendruk

My ham radio certification was issued to a nonsensical address because the exam coordinator crammed @gmail.com onto the end without me knowing.

m3047

The phone thing has veered into outright fraud. Twitter just paid a $150,000,000 fine to the (US) FTC for letting advertisers match on telephone numbers provided for 2FA.

I am really tired of people selling my burner phone to the credit people; and no, I don't own that phone number. Prove I do.

Take my local credit union. Please. Jackasses let someone have access to my checking account. I don't bank online with them either, or I didn't, but last summer was trying to talk to them about a refi and I had to register online and they wanted a phone for 2FA. So of course instead of calling the land line, which is clearly and incontrovertibly mine, they called the burner. Several times.

Eventually I answered it with "fuck you you frauds" and they were "oooh sir, call me back on my direct line" so I tried... from my land line in the same area code, you get the idea... and their system won't route the call to their fraud department. So I ignored them for a couple of weeks.

Seriously they were so incompetent that when the actual fraudsters were probing, the first transaction was a /deposit/. When they were finally trying to clean their mess up, they /credited/ me the same amount. I'm the one who figured it out and told them well you gave me 2x their original deposit, when you really should have debited the amount in the first place.

People like that are not going to safeguard your information.

Ob relevance: I have my own reasons for not wildcarding domains and use this instead: https://github.com/m3047/trualias

C4K3

I've been doing this for close to a decade and sometimes salespeople and customer service people will ask to confirm, but that takes 5 seconds and isn't awkward (in my opinion.)

It has more benefits than knowing who leaked your email, it lets you easily filter your incoming email by who you gave the email to, and when your email is leaked it lets you shut off that email address. Of course you can also filter your email by the sender's domain, but that isn't as consistent, and doesn't help at all when your email address has been leaked.

It's true that you do have to set it up so that you can send email from the addresses to avoid not being able to reply by email, and you will want a password-manager or something to remember exactly what email you used, for convenience.

Personally I'm glad I've done this, it's made it much easier to organize my emails.

gowld

Moreso, it's good to teach people that valid email addresses are in fact valid.

This part:

> Especially since all these companies ask for and verify your cell phone number

is true, though.

and

> The one outlier is political campaigns: they'll share your email till the end of time.

Because politicians exempted themselves from anti-spam laws, as they do with most laws.

lazyjeff

> Because politicians exempted themselves from anti-spam laws, as they do with most laws.

This was the most puzzling thing to me. The politicians that I saw on TV as adamantly pro-privacy, anti-tracking, who made a lot of sense in everything they were saying -- you contribute a single dollar (because they want to show grassroots support for their pro-individuals campaign) and they IMMEDIATELY give your email and survey responses to everyone in their party, including to state-level campaigns in places across the country.

There was no indication on the donation form that any of my personal details would be used for anything except to show that they had a lot of grassroots supporters.

Not only that, but their emails are so clickbait-ey like "lazyjeff, you are the reason that [hated politician] is destroying democracy."

autoexec

> Because politicians exempted themselves from anti-spam laws, as they do with most laws.

Tons of companies will share/sell/buy your email address. Politicians just stand out because they're shameless about spamming, but email addresses aren't always used for spamming. They can also be used to tie logins to names and accounts across services. They can be harvested for various information they contain. Even folks with just one email address often give away their name, the year they were born, their hobbies, etc. Using an email address like uber@notcheckmark.com and Hilton@notcheckmark.com also tells a story about you and what services you use. Every scrap of data that can be collected helps build a profile of your life and email addresses are a part of that, even when they aren't used to clog your inbox with garbage.

I'd recommend using less obvious names, but I still don't see a problem with creating unique addresses for various services that demand an email account. If nothing else it's a great way to compartmentalize the crap they'll send you (spam or not). If someone questions why you have COMPANYNAME@example.com that should really just be a 2 second conversation.

willk

I couldn't agree more. I've been using a catch-all for probably 12 years now. Sure, sometimes you get a second look when you give an email that has the business's name in it, but who cares?

I get the benefit of blocking mail coming to me forever, doing fast sorts and searches, never have to worry if the company doesn't like a + in my email address.

scoot

I use 33mail.com (33m.co) for this which gives you a personal subdomain for free, or a private domain on the paid plan. I'm on the (super cheap) paid plan due to mail volume, but haven't found the need for using a personal domain.

I find it zero effort having a unique email address per site, and when combined with unique (algorithmic) password gives effectively a unique identity per site (cookie sharing aside, but there are solutions for that.)

As a result, I have been able to call out a couple of sites for data breaches, and continue to see npm spam in particular. Worst offender so far is Pipedream, an absolute embarrassment for their CEO who appears to have initiated the data scrape. I won't be surprised to see them sued out of existence, which is a shame, as I like the service in general.

couchand

> you do have to set it up so that you can send email from the addresses

Fastmail's webmail allows you to specify the sending email address for a catch-all mailbox in the message composition page, so there is no additional setup there.

hamburglar

Edit: oh god, leaving this in place for posterity but I am completely misrepresenting fastmail here. It is protonmail that I recently tried and had these limitations. Apologies! How embarrassing. Also, I have no idea why the child comment correcting me would be so downvoted. It’s apparently correct.

Yes, but fastmail has a couple dealbreaker limitations when doing this: First, you can’t originate mail from that address; you can only respond. This makes it unusable for a lot of mailing list control messages and other systems where you are required to make inquiries from a registered email address. Second, you must explicitly set up each of the unique recipient addresses, which is a huge burden when you want to be able to generate them on the fly when signing up for web accounts (and when you already have hundreds in use because you’ve spent decades giving every company a unique address).

If they addressed these and I could have an unlimited number of suffixes directed to a single fastmail address, I’d sign up for a paid account in a heartbeat. Looks like a great service but those are fatal flaws IMO.

duffmancd

This doesn't match with my experience. I have a single catchall *@my-domain.com address that will receive anything sent to the domain (without setting up separate accounts ahead of time).

You can also send from any address, but I agree that the UI is a bit hidden. You first choose from the from-address dropdown "*@my-domain.com", and then a new textbox appears where you can type what address to send from. As another commenter pointed out, if you are replying to an email it will automatically fill in the custom from-address, but you can overrule it.

cstrat

You can originate emails from anything - it just requires that you set it up as an alias (and you can set custom signature etc...)

You don't need to explicitly setup recipient addresses! I can have as many xxx@myname.mydomain.com addresses, where xxx is anything at all. myname@mydomain.com is my main email address.

rootusrootus

And it conveniently pre-fills the from address with the correct one if you reply to an email which came to an alias.

brewdad

I have a single address, donotspamme@mydomain.com that I use as a throwaway and then route it to a folder to review about once a week. It draws a chuckle from salespeople when they ask for it or see it pop up in their system.

NonNefarious

Eh, I did it for a while and while I think the OP overstated the "awkwardness," I didn't find that the effort was worthwhile. I only caught one entity selling or otherwise divulging my address: the Atlanta Journal-Constitution newspaper, oddly enough.

Oh, and someone did hack some FAA database and mine it for addresses.

But that's all I netted in several years. Beyond my main address at my own domain, I keep a Gmail address for mailing lists and other low-grade traffic.

Brian_K_White

So basically, yes it's a bit of extra work, but simply worth it.

Life without it is worse than life with it.

kornhole

Agree. This also creates additional challenges for data brokers when trying to tie together datasets about you.

simmons

I've been doing this for over 20 years, and it hasn't really been a problem. During the occasional real-life interaction that requires someone to confirm my address and they express surprise, I just tell them that it's correct and I have advanced email needs. It never takes more than a few seconds -- nobody has ever said "please tell me all about your advanced email needs!" :)

> I use a password manager for passwords but I also need to use it to remember the associated emails.

I do this, too. It never occurred to me that you might not populate the email/username field -- it's kind of the password manager's job to keep track of that. :)

> The truth is no one really sells your email – at least no legitimate companies.

I think that on the whole, this is true. However, I have had a number of these addresses start receiving spam over the years. I think this is due to the companies' databases being compromised due to poor security. At the end of the day, the cause of the leak isn't greatly important, and I'm glad I can simply turn off those particular addresses.

SargeDebian

I’ve been offered the employee discount multiple times when providing storename@firstlast.tld. I declined as I’m not going to risk fighting some fraud charge over €20.

I’ve never had difficult or negative interactions either. “I bought @firstlast.tld and now I can do whatever I want” settles it.

I also have @lastna.me. My grandma has her own and mostly her bridge club mates are puzzled about how her email address just looks like her name. The whole setup is worth a few bucks, I guess.

pengaru

Yeah I don't understand what the kerfuffle is. Sometimes they express disbelief or surprise, but it's never been a problem beyond telling them "I control the whole domain, you get a special address so I know if your database gets hacked and/or my information sold via this channel" and that almost always results in the employee being interested in getting the same thing for themselves.

aaaaaaaaata

Do you live in a region where the majority of people are adept with a computer?

pengaru

Mix of CA and IL, but CA is like half rural desert and half SF bay.

I don't think it requires much computer literacy to understand what an email address is, how annoying SPAM is, and the problems of identity/credit theft.

Sure, these are first-world problems, but so is having to furnish an email address at all.

kalleboo

> During the occasional real-life interaction that requires someone to confirm my address and they express surprise, I just tell them that it's correct and I have advanced email needs

When someone has asked I say I have it set to whitelist them so it doesn't get accidentally filed as spam, they really like that answer =]

fnordpiglet

The USPS is one of the worst offenders for selling email addresses.

stickfigure

For weeks our Shopify app was getting rejected because "you cannot use the Shopify name or trademark in your app". It wasn't... repeated requests for clarification just got back the same form response.

After several frustrating back-and-forths, finally someone at Shopify said "check your email address".

The developer contact email address we had submitted, which was only used for shopify<->us communication and no customer would ever see, was shopify@ourdomain.com.

<facepalm>

prawn

You'd think anyone competent in tech would instantly recognise that for what it was. Using an email like that for a specific purpose shouldn't be that uncommon. And they should recognise that it was an internal address. Crazy.

cdubzzz

I assume Shopify’s position there is that the email address provided with the app is probably visible to end users somewhere and could cause confusion. The policy itself seems reasonable enough just shitty enforcement.

stickfigure

Based on their difficulty articulating the actual issue, I'm pretty confident that this wasn't intentional. Probably someone in a body shop following a checklist.

The specific box is labeled:

    2. App submission contact email
    
    This is the email we will use to communicate
    with you during the app submission review process.

There are separate boxes for support email, review notification email, etc. So I think the reviewer was simply confused.

prawn

Not sure in this case and it's definitely possible, but usually you have an email used for the account and interacting with Shopify, and then a public facing one used for customer support.

mro_name

I wonder what they'd have said about tobias.luetke@ourdomain.com

prawn

"Actually, my name is Sam Hopify..."

Infernal

Yassir Shopif

kazinator

Title says that using a catch all domain (whatever that is) is a mistake, but the bulk of the article is about it being a mistake to use the other party's company name as the local part of a throwaway e-mail address which you use for communicating with that party. There is nothing about the catch all aspect being a mistake. You don't have to give a Hilton hotel an address like hilton@example.com; it could be bob-2022-05@example.com, right?

I use a throwaway e-mail system whose generated addresses look like this: 539-343-1293@example.com. The dashes can be replaced by underscores or periods: all are recognized, but not mixtures of them: basically three versions of every alias are installed. (Why? I ran into a situation where I had to enter my e-mail address into a point-of-sale system that didn't accept dashes.)

There is no "catch all" mechanism at play. Each address is explicitly created, using a web-UI application that I wrote. The moment you create it, it goes live, as a local alias recognized by the mail server.

Each such address is associated with its creation date, and a memo field. If the memo field contains URL's, they get rendered into navigable form. They are editable. The memo field is what tells me who/what the address is associated with. I have a regex search box to filter the entries (quite a lot have accumulated).

The UI is like Web 1.5: you can checkbox these items and do bulk operations on them, like bulk delete, move to top, move to bottom and such.

When I delete an address, it immediately stops working. THAT is why "catch all" would be a bad idea; if you have a rule which routes any nonexistent local part to your inbox then you don't have any easy way to turn off an address which is being abused, other than going into the mail server rules and writing a rule to reject that address. That's not a fun UX, compared to a nice throwaway address management dashboard.

This system is called TAMARIND: Throw Away Mail Alias Randomization Is Not Defeatable. :) :)
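
An added sketch of the scheme described in the comment above: explicitly created aliases, three separator spellings per alias, and deletion as revocation, contrasted with a catch-all rule. It is not Tamarind's code and not from the commenter; `AliasRegistry`, its methods and the in-memory table are hypothetical, and `example.com` is a placeholder.

```python
import re
import secrets
from dataclasses import dataclass, field
from datetime import date

DOMAIN = "example.com"   # placeholder domain (assumption)
SEPARATORS = "-_."       # dash, underscore, period


def rand_digits(n):
    """n random decimal digits from the OS CSPRNG, so aliases are not guessable."""
    return "".join(secrets.choice("0123456789") for _ in range(n))


@dataclass
class Alias:
    groups: tuple                      # e.g. ("539", "343", "1293")
    memo: str                          # who the address was given to
    created: date = field(default_factory=date.today)

    def variants(self):
        """One spelling per separator; mixed separators are never installed."""
        return [sep.join(self.groups) for sep in SEPARATORS]


class AliasRegistry:
    """Hypothetical in-memory stand-in for a mail server's alias table."""

    def __init__(self):
        self.table = {}                # installed local part -> Alias

    def create(self, memo):
        while True:                    # retry on the unlikely collision
            alias = Alias((rand_digits(3), rand_digits(3), rand_digits(4)), memo)
            if not any(v in self.table for v in alias.variants()):
                break
        for v in alias.variants():
            self.table[v] = alias
        return alias

    def accepts(self, address):
        """Deliver only to explicitly installed local parts."""
        local, _, domain = address.rpartition("@")
        return domain.lower() == DOMAIN and local in self.table

    def revoke(self, alias):
        """Deleting an alias removes all three spellings at once."""
        for v in alias.variants():
            self.table.pop(v, None)

    def search(self, pattern):
        """Regex filter over memo fields, one result per alias."""
        rx = re.compile(pattern)
        hits = []
        for alias in self.table.values():
            if rx.search(alias.memo) and not any(alias is h for h in hits):
                hits.append(alias)
        return hits


def catch_all_accepts(address):
    """Contrast: a catch-all rule accepts any local part at the domain."""
    return address.rpartition("@")[2].lower() == DOMAIN


if __name__ == "__main__":
    reg = AliasRegistry()
    hotel = reg.create("hotel booking, https://hotel.example/account")  # constructed memo
    for v in hotel.variants():
        print(v + "@" + DOMAIN, reg.accepts(v + "@" + DOMAIN))
    reg.revoke(hotel)
    print("after revoke:", reg.accepts(hotel.variants()[0] + "@" + DOMAIN))
```

With a catch-all, the revoked spelling would still be delivered until a reject rule is written for it; here removal from the table is the rejection.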

kazinator

Tamarind is found here: https://www.kylheku.com/cgit/tamarind/tree

It's a CGI application used with Apache.

That code you see there does everything, using the raw HTTPS stream and environment variables from the server. There are no libraries, no web framework, nothing.

- cookie handling / session persistence

- generating HTML responding to requests

- reading/writing e-mail aliases file

- authenticating via IMAP or SASL

bitexploder

Fastmail also has features similar to this. Aliases and randomized masked email. The web ui helps you send email from the masked email as well.

bambax

> You don't have to give a Hilton hotel an address like hilton@example.com; it could be bob-2022-05@example.com, right?

Sure, but then it's impossible to remember, or use for classification of incoming mail. Password managers can help with the first problem but not the second one.

undefinedzero

You can search by email in most password managers.

bambax

Yes but I'm talking about incoming email classification.

al_borland

iCloud+ has something like this as well. So far I've only used it with Sign In with Apple, or whatever it's called. Your comment led me to go check out the iOS Settings and it looks like one-off random email aliases can be made in there.

Of course at this point my email is so many places it almost seems like a lost cause. What I wouldn't give to have a reset button for the entire internet. I would be much more careful with my address than I was 20 years ago.

Animats

I used to have one of my domains configured to accept all mail, after spam filtering. The result was amusing. I had the domain in .com, and a school in the UK had the same domain name in .co.uk. So I'd get some misaddressed mail, usually at the beginning of the school term. Not that much.

One day I got a message "I am going to kill you tonight". It was from someone at the school, intended for someone else at the school. I wasn't sure what to do, especially since it was the middle of the night in the UK. Call the cops in the UK? Finally I found an emergency number on the school's web site, and ended up reaching the headmistress. She was at first annoyed at being awakened. Then she was fully awake and annoyed. Once she heard the name of the sender, she said "He's only 12". Some kid was in for a major chewing out, but the situation did not require police.

If that had happened in the US, there would be a SWAT team callout.

superkuh

I strongly disagree. I've also been using a catch-all domain for more than a decade and giving each sign-up its own name@mydomain.com. I can remember one small issue. Otherwise it's never been a problem. The problem has been getting marked as spam for running my own mailserver. But it's all worth it in the end.

__david__

I agree with you. So many companies end up with absolutely terrible unsubscribe code that just flat out doesn't work[1]. With my own server I can just burn a particular email with one line in a file, or I can block their whole domain. I end up having to do this fairly regularly.

I can also choose the message to send in the smtp 5xx error line and so I like to call them names. I know a person never sees it but it makes me feel good knowing my server is cursing out the spammers' servers.

[1] I would venture that roughly 30% to 40% of email unsubscribe links aren't url encoded so that the `+` in the email goes in naked to the url, resulting in the server decoding it into a ` `. Sigh.
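The unsubscribe-link failure described in the footnote above, reproduced as an added example that is not part of the thread. The address, the `news.example.com` URL and the function names are constructed for illustration; the server side is assumed to use standard form-style query decoding.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

ADDRESS = "me+shop@example.com"  # constructed plus-tagged subscriber address
BASE = "https://news.example.com/unsubscribe"  # constructed endpoint


def broken_link(addr):
    # The address is pasted into the query string without percent-encoding,
    # so the '+' travels "naked" in the URL.
    return BASE + "?email=" + addr


def correct_link(addr):
    # urlencode percent-encodes '+' as %2B (and '@' as %40).
    return BASE + "?" + urlencode({"email": addr})


def address_seen_by_server(link):
    # Form-style query decoding treats a literal '+' as an encoded space.
    return parse_qs(urlsplit(link).query)["email"][0]


def unsubscribe(link, subscribers):
    """Remove the decoded address from the set; return True if it was there."""
    addr = address_seen_by_server(link)
    if addr in subscribers:
        subscribers.discard(addr)
        return True
    return False


if __name__ == "__main__":
    subs = {ADDRESS}
    print(repr(address_seen_by_server(broken_link(ADDRESS))))
    print("broken link unsubscribed:", unsubscribe(broken_link(ADDRESS), subs))
    print("correct link unsubscribed:", unsubscribe(correct_link(ADDRESS), subs))
```

With the broken link the lookup key contains a space, so the subscriber is never found and the mail keeps coming.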

leephillips

Yes, I also have insults in my client_checks file. I enjoy running my own mail server.

neogodless

I've had some of the same experiences as the author. "Do you work for..." or "You must be a big fan..." And plenty of "How do you... "

A few sites actually check for and prevent you from putting their domain name in as email (probably something about having employees sign up... ?) so that's a bit annoying.

I think it's worth it. Among other things, if any one alias becomes tainted enough, I'll throw it on a burner account so those emails go into a black hole, instead of my spam folder. And I'm always using a password manager on a computer, rather than trying to remember email when I visit a retailer. (Often, these days, if I'm in person, I just make up some kind of abbreviation - instead of "Ollies@", "olbgo@" because I don't care too much and even if I forget where it came from, it's not a big deal.)

And there's a slight security benefit if one email + password leaks, though these days every password is unique too (was not always the case... ah the naivety of my internet youth.) I don't think email addresses get sold "a lot" but they sure do get breached a lot and end up in the hands of spammers. Cadillac@ actually got sold or breached quite quickly after I signed up for a free car brochure, about a decade ago.

With my current host (NameCheap) and Thunderbird, it's very easy to change my from address - it just works without any hassle.

ShakataGaNai

Been using a catch all email domain since 2005. I've not had any major issues with it.

The entire "calling up and having to explain the username" thing is few and far between. Had that conversation in person and over the phone dozens of times, at most I get a little ask to verify I spoke correctly. Customer support doesn't care. They have people calling them up with an email address of "420hotcock69 at something dot tld". The entire "your company name at silly domain dot tld" generally doesn't faze them.

Misspelled accounts? Rarely happens. Copy and paste the domain. Use a password manager. The only time I have trouble logging in is when I can't remember if I used social auth or created an account.

As for getting email accounts purged? Don't bother. Stop using it for whatever legit reason. Then set a filter to mark all email to that user@ to be sent to spam/deleted. Problem solved.

The ONLY time I've had issues was a few random systems that had funky rules for verifying fake email addresses. Oddly they sometimes look for their own domain name in the email address. So I can't use the exact domain name at those.

efreak

Samsung does this, and it annoys me every so often. I'm using sammysung@ because they won't let me use samsung@. There's a couple others like this as well.

justsomehnguy

> Then set a filter to mark all email to that user@ to be sent to spam/deleted. Problem solved.

Just forward it back to sales@solarwinds.com. Or just to sales@solarwinds.com

BatteryMountain

Just never ever use social auths, ever. Can get royally screwed if the account gets locked down/deleted.

codingminds

For such systems I just spell the domain backwards, which sometimes creates interesting things. Until now there was no system that detected this. E.g. gnusmas@domain.tld instead of samsung@domain.tld

selfhoster11

What you're referring to as Gnusmas, is in fact properly called GNU/Christmas (the Christmas celebrational event kernel with the GNU userland, err, I mean decorations and way of celebration).

thebean11

I try to disguise it a little to avoid the awkwardness, and also put the recipient into the subdomain instead of sender name. For example for grubhub I'd do:

me@grb.mydomain.com

No need to remember anything because it's all in a password manager. I've found this worthwhile, already blocked a couple spammers.

You could also go with something fully random, you still get the same benefit. It's easy to look in your email history and see what you originally used the email address for. Password manager obviously required though.

schroeding

Nice! I tried this a few years ago, and while this worked nicely for inbound email, deliverability outbound was really bad, even with DKIM etc. set. Normal mails from <my domain> were fine.

I guess "amazon.<my domain>" got quite the phishing score at the time, so good call using grb instead of grub. :D

thebean11

Yeah deliverability is a good point. I'm usually only using this trick for services where I wouldn't be sending outbound email luckily. Normal emails come from mydomain.com.

curiousfab

Using custom subdomains for each account is a great idea. Once you start getting spam on this subdomain, you just need to remove the DNS entry and the spammer's attempts to deliver spam will be unsuccessful (versus if you use different local part names, you have to filter / reject the mails explicitly).

Hackbraten

That’s exactly how I’ve been doing it for more than a decade. (Without the subdomain part but with the disguising.) I feel it’s been worth it so far.

encryptluks2

Note some services won't even recognize a subdomain email address as valid.

kennywinker

Really? Wouldn't that catch people with `.co.uk` or similar localized domains?

zarzavat

They use a regex such as /[a-z]+(\.[a-z]{2,3}){1,2}/

There’s a lot of bad email validation regexes floating around on the internet. If it’s an older service it may have been written before gTLDs.
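What the regex quoted above does to the address styles discussed in this thread, as an added example that is not part of the comment. It assumes the pattern is applied, anchored, to the domain part of the address; the label-based check beside it follows hostname label syntax and is a hypothetical replacement, and all sample addresses are constructed.

```python
import re

# Pattern quoted in the comment, matched against the whole domain (assumption).
LEGACY = re.compile(r"[a-z]+(\.[a-z]{2,3}){1,2}")

# Hostname label: 1-63 letters, digits or hyphens, no hyphen at either end.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed sample addresses.
SAMPLES = [
    "user@mydomain.com",      # plain second-level domain
    "user@school.co.uk",      # two short suffix labels
    "me@grb.mydomain.com",    # per-service subdomain, as in the thread
    "user@example.info",      # TLD longer than three letters
    "user@my-domain.com",     # hyphen inside a label
    "user@-bad-.com",         # invalid: label starts and ends with a hyphen
]


def legacy_accepts(address):
    domain = address.rpartition("@")[2].lower()
    return LEGACY.fullmatch(domain) is not None


def label_based_accepts(address):
    local, at, domain = address.rpartition("@")
    labels = domain.lower().split(".")
    return bool(
        local and at
        and len(domain) <= 253
        and len(labels) >= 2
        and all(LABEL.fullmatch(label) for label in labels)
    )


def compare():
    # Maps each sample to (legacy verdict, label-based verdict).
    return {a: (legacy_accepts(a), label_based_accepts(a)) for a in SAMPLES}


if __name__ == "__main__":
    for addr, (old, new) in compare().items():
        print(f"{addr:24} legacy={old!s:5} label-based={new}")
```

The legacy pattern passes `.co.uk` only because both labels happen to be two letters long; it rejects the subdomain address because `mydomain` is longer than three letters in a position the pattern expects a short suffix.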

selcuka

Technically .co.uk is a TLD [1], not a subdomain.

[1] https://wiki.mozilla.org/Public_Suffix_List

thebean11

Yup, I've been rejected from a couple things, but it works for the vast majority

thebestmoshe

What do you use to manage all the subdomains?

eastdakota

Before Cloudflare, I built a company around this called Unspam. It wasn’t commercially very successful, but it allowed you a ton of power around routing/filtering emails on a per-email basis (e.g., require senders to certain emails to pass a Turing test, add a header to others, turn up or down spam filtering by the address). I haven’t had the problem the author references, but mostly because I preface conversations with: “This is going to sound weird, but my email is…”

There’s a security benefit in making your email not-the-same across services. Yes, perhaps many of mine are guessable if you know the pattern I use. But it defeats non-targeted scanning. People target me (I was just sanctioned by Russia along with Mark Zuckerberg and Marc Benioff! Woot!!) yet exactly zero people have targeted me this way.

I’m still one of the few remaining Unspam users. Works great to this day. (Impressive given I wrote the PERL that powers it.) Actually think someone could spend a week with Cloudflare + Workers + Email Routing + Area1 and replicate the functionality+++. I’d gladly pay $5/mo for that. Wouldn’t be a big business. But an example of a bootstrappable lifestyle business that could easily cash flow enough to healthily sustain a couple developers.

Let me know if you build it:

crazyhnidea@matthew.unspam.com

Nadya

I'm going to mirror most of the other commenters in saying - I've been doing this for nearly a decade and have basically never had an issue with it and have absolutely prevented some spam because of it. The "social awkwardness" problem of using "Company@example.com" can be solved by using "PineappleBanana@example.com" instead or random characters or my personal favorite throwaway "[Company]SentMeSpam@example.com". Yea, you might have to use a password manager to know which random string of nouns is tied to what account - but no more "social awkwardness" of using the company name in your email (can't say I've ever had that experience either...)

In fact the only issues I've ever had with a "non-standard" email address (aka: not @gmail, @yahoo, @hotmail, etc.) is that one of my domains is a .ru address and even before the modern-day issues surrounding Russia .ru addresses get blocked in many places. My fallback email is an email hosted by https://cock.li which being chan-adjacent also gets blocked so occasionally I simply have to accept that I am not wanted as a user because my email isn't good enough.

psifertex

No need to use a password manager. Simply search email history for the very first usage of the email...

selcuka

That only works if they have ever sent you an email.
