Hacker News
Tell HN: GitHub now blocks aliased email addresses
49 points by coldblues on Jan 27, 2023 | 44 comments
"Our spam detecting systems flagged your account because of the email address you used to register the account. Temporary/aliased email addresses are not permitted for use on GitHub accounts."

"Before we can remove the flag we need you to add a personal, non-disposable email address and then verify that address. You also need to remove the temporary/aliased email from the account."

Bad news for SimpleLogin and AnonAddy users.




I use an email catch all for everything.

github@lastname.com, reddit@lastname.com, randomstore@lastname.com all direct to firstname@lastname.com.

I rarely get spam these days, but when I do, I simply block the address and move on.


It's interesting to see who sold your email address by looking at the left side of the address. The most annoying one for me is that the email address I created for registering my transit pass was somehow passed along to a state political party, at which point it ended up on lots of political fundraising lists. Doubt the transit agency sold it to the political party, it was probably someone who worked for them who thought it would be good leads for their particular preferred party. At the other end of the spectrum was the place I used to get my hair cut selling (or losing through poor security) their email addresses to low quality spammer selling "Male performance enhancement" pills.

Most of the time, the email addresses only end up coming from the company they were given to, but a few hacks like LinkedIn continue to produce scams and spam emails.


yeah, I started using Fastmail's masked email to create emails for services that route to my inbox. Initially I did it with my email domain then figured because my email domain has my name in it that it seemed semi-pointless so I switched to just using Fastmail's domain.


I think there's a subtle extra step there. Create a new domain that just exists to handle masked emails and only masked emails. (I'm in the process of doing this).


How do you prevent someone from spamming you with random usernames? For example:

random1@lastname.com

random2@lastname.com

random3@lastname.com

Do you have a whitelist as well?


> How do you prevent someone from spamming you with random usernames? For example:

You don't, but spammers don't care that much to do what you describe.

Think like a spammer. Why would a spammer motivated by profit to do that on a small personal domain? It makes sense on large service (e.g. gmail, yahoo, comcast), because they might increase their audience, but on a personal domain they're just going to swamp someone's inbox in a way that makes it even less likely they'd bite.


My understanding of how email works is: for each email sent, there's a sending and receiving server that exchange a message between users on each.

* If a server tries to send an email to a user that doesn't exist on another server, the email will "bounce", and the receiver will automatically respond with an error (we've all seen this).

* If a server slowly spams another server with emails to invalid users (say once an hour) they'll just get bounced back each time. No harm done.

* If a server spams another server with an onslaught of emails, even if they are to a valid user, at some point it becomes a DOS attack and the IP of that server will be blacklisted.

So the case you're probably concerned about is the second one where they could essentially brute force a username slowly enough that they don't trigger any red flags. But the time investment, compute power, and bandwidth necessary to do that is not worth how easy it would be to mitigate that. "Great you figured out my email address. Blocked."

If they're going to spend time shooting into the dark like that they might as well be guessing random passwords to public facing ssh servers (which bots are doing all the time).


in my experience that sort of "send some spam to addresses we have no reason to believe exist" behavior takes the form of sending stuff to $commonfirstname@domain not $service@domain

nobody is sending email to alsdkjfadf@domain


> nobody is sending email to alsdkjfadf@domain

That’s actually the kind of spam I used to receive on a very short domain with a catch-all.

I guess they loop through short domain names and then try to brute-force the local part.


Interestingly, I have <3letters>.one but I think because it's an uncommon TLD and a seemingly random 3 letters, I haven't had that issue.


You are right. But I think using a catch all with a separate username for each service/business is becoming an increasingly common practice so I would imagine it’s only a matter of time before spammers catch on and begin exploiting this.


I use service name + 4 random alphanumeric characters. Seems to strike a reasonable balance between just using the service name vs. completely random characters.


Then we adapt.


Simply doesn't happen. Spammers seem to rely on "real" email addresses which they get from leaks and such.


Using random emails like that is a super easy way of getting caught up in a spam trap, which would get you blocked easily.

One of our users used a throwaway a@apple.com, which earned us a complaint inside of an hour, just by sending a welcome/confirm message.


That's not really an issue for end users getting emails at <somerandomthing>@<theirowndomainname>, which is what the thread is about.


But it is for spammers. Which is why it doesn't make sense for spammers to do that.


In practice this isn't very common. In most cases if you block the email that they got a hold of they will just give up rather than trying random addresses.

However it does happen a little. Because it sounded like fun I actually added a signature to my addresses. So it looks like github.com-abcdef@example. Then the spam filter will check the signature and if it is invalid it will give it a high spam weight. (Other than a few widely-published addresses that are accepted at neutral weight)
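The signed-alias scheme described in the comment above, worked through as an added example (this is not the commenter's code). It assumes a catch-all domain `example.com`, a constructed secret key, and a constructed set of "widely published" addresses; the tag is a truncated HMAC-SHA256 of the service name, so a local part that was guessed or mutated fails verification and gets a high spam weight:

```python
import hashlib
import hmac

# Constructed values for the example; a real deployment keeps the key outside the code.
SECRET_KEY = b"example-only-secret-key"
DOMAIN = "example.com"
TAG_LEN = 6  # hex characters kept from the HMAC, as in "github.com-abcdef"

# Addresses that were published widely and are accepted at neutral weight (assumption).
PUBLISHED_ADDRESSES = {"contact@example.com", "postmaster@example.com"}


def _tag(service: str, key: bytes = SECRET_KEY) -> str:
    """Truncated HMAC of the service name; only the key holder can produce it."""
    digest = hmac.new(key, service.lower().encode(), hashlib.sha256).hexdigest()
    return digest[:TAG_LEN]


def make_alias(service: str, key: bytes = SECRET_KEY) -> str:
    """Build service-tag@domain for a service you are about to register with."""
    return f"{service.lower()}-{_tag(service, key)}@{DOMAIN}"


def verify_alias(address: str, key: bytes = SECRET_KEY) -> bool:
    """True only if the address carries a valid tag for its service part."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain != DOMAIN:
        return False
    # The service name itself may contain '-', so split on the last one.
    service, sep, tag = local.rpartition("-")
    if not sep or not service or len(tag) != TAG_LEN:
        return False
    return hmac.compare_digest(_tag(service, key), tag)


def spam_weight(recipient: str) -> float:
    """Weight added to a message based only on which catch-all address it hit.

    0.0 = neutral (published address or valid signed alias),
    5.0 = unknown or forged local part (typical of brute-forced local parts).
    """
    addr = recipient.strip().lower()
    if addr in PUBLISHED_ADDRESSES or verify_alias(addr):
        return 0.0
    return 5.0


def triage(recipients: list[str]) -> dict[str, float]:
    """Score a batch of inbound recipient addresses."""
    return {r: spam_weight(r) for r in recipients}


if __name__ == "__main__":
    good = make_alias("github.com")
    # Constructed inbound sample: one real alias, one with a tampered tag,
    # one random local part, one published address.
    sample = [good, good.replace("-", "-x", 1), "alsdkjfadf@example.com",
              "contact@example.com"]
    for addr, weight in triage(sample).items():
        print(f"{weight:>4}  {addr}")
```

Because the tag is bound to the service name, an address harvested from one service cannot be rewritten into a valid alias for another without the key, and the filter never needs a per-address blocklist for addresses it has never issued.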


I do similar and never see that occur.

What I do get are a lot of misdirected messages for people at a school district(one letter, that sounds the same, off from mine) and a defunct tech school in India.

The amount of personal information that companies will send to an unverified email address is terrifying. Devs, please make sure you send a confirmation email before believing an address is good. If I was malicious I could really mess with a lot of travel plans for people, among many other things.


I've seen this. Comes in waves - maybe 100s of emails over a few days. Then years of nothing. They get caught by spam filters pretty easily. I do whitelist a few email addresses, filter others into folders. And every once in a while, I have to empty out my spam folder. Not a big deal to me, and still think it's worth using catch-all email and unique email addresses all over the internet.


I do the same as KMnO4 and I think I have never received an email to a random address that I haven't shared before. Currently the biggest volume of spam is coming to adobe@ and github@ (along with some dating sites).

Actually, I did receive one, from my friend who typed the entire message in the name before the @ and left the body and subject empty :D


> Actually, I did receive one, from my friend who typed the entire message in the name before the @ and left the body and subject empty :D

So something like this?

    From: bobby@tables.com
    To: myplanejustlandedcanyoucomepickmeup.thx@lastname.com
    Subject: <blank>
    Body: <blank>


Reminds me of the classic bob wehadababyitsaboy https://youtube.com/watch?v=9JxhTnWrKYs


Exactly! The message was like 3x longer, I wonder what is the limit?


Little Bobby Tables ;-)

You've made my evening!


I do the same and I did receive a few, to some addresses that looked like UUIDs. It was just a handful of addresses, so they were easy enough to block.


Whitelist.


I do this too, but with the domain name instead (eg github.com@lastna.me). That way anything that doesn’t pass the simple glob (.) gets filtered off to the admin account for later checking-over.


Do you have to set up a new email address for each website you sign up for or do you have software that automatically handles it?

Sounds tedious if it’s the former


I use a catch all alias that maps all local parts to one account (unless a specific account or alias already exists)

Requires zero user action to make up an address


>Sounds tedious if it’s the former

Thankfully it isn't.

To set a catchall with sendmail, add a line to /etc/mail/virtusertable like so:

    @domain.tld <emailaddress>

And if I decide to block a particular address, which I've only had to do with addresses set up for specific sites (which I've then decided sends me too many emails -- I've yet to receive spam that's not from the site in question), add a line to /etc/mail/access like so:

    To:<specificsite>@domain.tld error:5.1.1:"550 User unknown"

And that can be temporarily (or permanently) reversed by commenting it out. I imagine it's something similar for postfix, qmail, exim, etc.

Edit: I'd add that I make extensive use of folders/filters to handle email as well, so unless I don't want to use a site/service any more, I'll usually create a filter unless I don't want any more contact with a specific entity -- then it's "user unknown" for that email address.


1password started doing this with fastmail, ux is not great as it's not easy to create one manually in 1p but only when you're autocompleting your email on a site, but I guess it will improve over time. https://1password.com/fastmail/


Just a curl command with mailcow-dockerized


I do this but it requires 0 setup, it's a feature in Fastmail.


A catch-all that forwards to one account works very well.


I did this and heartily endorsed it up until the day I got 1.4 million spams in under 24 hours.


If you run your own mail server, any symbol can be used as an identifier.

Gmail has "+", but I've used '.' for a very long time.

example.hn@mypersonalsite.com

For most sites, things like this are enough to fool. Alternatively I use a base64 encoded version of the sitename.

so: example.aG4g@mypersonalsite.com


LOL!

I redefined the '-'/'+' localpart separator of the username/localpart of my fully-qualified email address to be something else (it's a letter).

so, my own mail alias works just fine ... in commercial Git repos and many websites.

Google's GMail lets you use multiple periods as you see fit but that is easily stripped out (to get your username).

Just another cat-n-mouse in computer security.

Might make more sense for GitHub to enforce whitelisting.

more on this local-part separator: https://egbert.net/blog/articles/comparison-of-local-part-in...

(again, my hardened website cannot be viewed on only Chrome clients as these clients remain broken for intentionally ignoring my server-mandated HTTPv1.3/ChaCha-only).
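The "easily stripped out" point from the comment above, shown from the other side of the cat-and-mouse as an added example (not the commenter's code): a service that wants to detect many sign-ups behind one mailbox canonicalizes addresses before comparing them. The example assumes Gmail's documented behaviour (dots in the local part ignored, `+tag` ignored, `googlemail.com` equivalent to `gmail.com`) and, as a labelled assumption, treats `+` as a subaddress separator on a small constructed set of other providers; a private separator such as the letter the commenter describes survives canonicalization untouched, which is exactly why it works:

```python
from collections import defaultdict

# Providers that ignore dots and '+tag' in the local part (Gmail's documented behaviour).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
# Providers assumed here to honour '+tag' subaddressing (constructed list for the example).
PLUS_SUBADDRESS = {"gmail.com", "googlemail.com", "outlook.com", "fastmail.com"}


def canonicalize(address: str) -> str:
    """Return the mailbox an address actually delivers to, as far as public rules allow."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain == "googlemail.com":
        domain = "gmail.com"
    if domain in PLUS_SUBADDRESS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    # A private separator (e.g. a letter chosen by the domain owner) is indistinguishable
    # from an ordinary local part, so nothing more can be stripped here.
    return f"{local}@{domain}"


def group_by_mailbox(addresses: list[str]) -> dict[str, list[str]]:
    """Cluster registration addresses that collapse to the same canonical mailbox."""
    groups: dict[str, list[str]] = defaultdict(list)
    for addr in addresses:
        groups[canonicalize(addr)].append(addr)
    return dict(groups)


def suspicious_mailboxes(addresses: list[str], threshold: int = 3) -> list[str]:
    """Canonical mailboxes behind at least `threshold` distinct registrations."""
    return sorted(
        mailbox for mailbox, members in group_by_mailbox(addresses).items()
        if len(set(members)) >= threshold
    )


if __name__ == "__main__":
    # Constructed sign-up list: four Gmail variants of one mailbox, and two
    # own-domain addresses that use '.' as a private separator.
    signups = [
        "j.o.h.n@gmail.com", "john+hn@gmail.com", "jo.hn+github@googlemail.com",
        "JOHN@gmail.com", "example.hn@mypersonalsite.com",
        "example.aG4g@mypersonalsite.com",
    ]
    for mailbox, members in group_by_mailbox(signups).items():
        print(f"{mailbox}: {members}")
    print("flagged:", suspicious_mailboxes(signups))
```

The own-domain addresses end up in two separate groups because the provider has no rule telling it that `.hn` and `.aG4g` are tags rather than distinct users; the Gmail variants collapse to one, which is the behaviour the comment warns about.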


Fuck M$ and the abomination they're making of github...


They have been doing this for some time.

I got banned, cause I created a couple of separate accounts with temporary email addresses and aliases on my gmail account.


Is this to deter people from using GitHub Actions runners for bad things?


Possibly, but it might be more than that. I have to imagine that GitHub has to fight all sorts of spam. Issues (and comments on issues) in a popular repository can be SPAM. When Hacktoberfest offered a free t-shirt for making a pull request to any repo (regardless of the quality of the PR), maintainers were basically inundated with SPAM. Imagine someone spinning up lots of GitHub accounts to create issues and PRs which are basically just SPAM messages about some crypto scam - PRs proposing changing the readme to their message, issues talking about how they could fund themselves with that crypto, etc. Even if they're deleted by 99% of people, they've served their purpose. Someone thinks they should do what the message says and money is made.


This also prevents legitimate bug reports that are being submitted by people (such as myself) who have no interest in using GitHub to begin with, and even less interest in giving GitHub any kind of personal information.

There have been numerous times now where I'd like to quickly provide details about a problem affecting some GitHub-hosted open source project I'm using, sometimes along with a fix. But since I can't easily create a throwaway GitHub account, I'll just end up keeping the information and fix to myself. I wish that wasn't the case.


sad; one step closer to only allowing google/yahoo/bing/apple domain emails



