I came up with a simple way to eliminate spam in my email, without any third party filtering.
I have my own domain name for email. My email box accepts anything that goes to the domain. I.e. a catchall email account.
However, I give a different email address to every site and service. I.e. sitea@mydomain.com, site2@mydomain.com
This lets my email reliably get auto sorted by who it's from.
But I also use a consistent form to the names I hand out, so that random email that comes to my domain gets deleted instantly and I never see it.
I almost never get spam. But sometimes some service leaks my email somehow and I start getting some. So I change my email with that service (or cancel it) and add that email to a manual list of incoming addresses to block.
It's so dead simple, I feel like all email programs should have the option of working with a whole domain this way.
And even if you do have your own domain (I do), for one-offs these services are still useful, since they're not relatable to you, and motivated spammers can't just guess new addresses for you. For example, y'all can send me an email at 0yiulnql3@mozmail.com, but if I get lots of spam there, I'll disable it and you'll never know what other Firefox Relay masks I have.
That, and the UI for disabling masks is much easier than having to create a new filter.
Similar setup for me: separate addresses for external parties, which BTW, helps phishing recognition too, because e.g. a "note from my bank" to an address I did set up for some shop cannot be real. And those abused addresses can be deleted from /etc/aliases to render them void.
Besides that my postfix server is configured to reject connections, where the sending site does not have a reverse DNS mapping. Worked twenty years ago, is still useful today when I check my logs.
I have a similar system. My domain is catch-all, but I give everyone a unique email address with a bit at the end of the alias to indicate what my email rules should do.
For example, if I get an email at anything_s@mydomain.com, that will go directly to spam. I use this for everything from Google to every small website I sign up on. They usually only spam anyways. And I check my spam every now and then for if there's anything important - there has never been.
I consider whatever most normal businesses send me spam as well, as I don't care for most of it. Uber Eats, for example, sends a number of emails per each order. That is just spam in my eyes. If I'll use a service I care about, I'll give it an email with a different alias suffix that will never go to spam. But I almost never do.
This has kept out the phishing spam when websites leak my email address just as well as the regular "important information about a minor interaction you did with us" spam that comes from most websites.
I have a similar system. But I "register" the addresses in a .txt file first. (sitename-random-number@mydomain) A catchall will flag every mail sent to you as successfully delivered on the spammer site. So the spammer will send again and again, wasting your resources.
I've been doing the same for some years now, except auto deleting anything.
What I noticed is that the only spam I get goes to my mail address that's published on my blog and my GitHub address. So it seems that nobody sold my address to spammers, they only scraped publicly available addresses.
> So it seems that nobody sold my address to spammers, they only scraped publicly available addresses.
I've been doing it for many years and have already gone through quite a few leaked addresses (at least a dozen or two, out of many hundreds). Even a small hotel, not part of any hotel chain, in Portugal in the middle of nowhere has leaked my address.
That said, I believe almost all of those leaks were due to websites or databases having been hacked, not due to them actually selling my email addresses.
When they sell my data (which has also happened before) I tend to get spam from actual businesses, often related ones. When the email gets leaked, I tend to get huge amounts of generic spam/scams (e.g. "your device was hacked!!"). You also tend to find the latter addresses on haveibeenpwned.com.
I did this but nerd-sniped myself. I hand out addresses like {name}-{hmac}@me.example. These addresses then bypass the spam filter and if they start spamming me I block them.
The problem is that I still need a general address for my website, resume, HN profile, Git author info... So I still accept mail to a handful of publicly available addresses. However it does let me play with the spam rules a bit more. Signed: auto-accept, known address: moderate spam filter, unknown address: heavy spam filter.
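The signed-address scheme from the comment above, as an added example that is not part of the original thread and not the commenter's code: addresses are minted as {name}-{hmac}@me.example and each incoming recipient is mapped to one of the three tiers the comment lists. The key, the HMAC-SHA256 choice, the 10-hex-character tag, the public address list, the tier labels and treating a blocked address as "reject" are all assumptions.

```python
import hashlib
import hmac

# Assumptions, not from the thread: key, tag length, hash, public list.
SECRET_KEY = b"constructed-demo-key"  # constructed; keep the real one private
TAG_HEX_LEN = 10                      # 40 bits of HMAC-SHA256, hex-encoded
DOMAIN = "me.example"
KNOWN_PUBLIC = {"blog", "resume", "git"}  # constructed unsigned local parts
BLOCKED = set()                       # signed local parts revoked after abuse


def _tag(name):
    mac = hmac.new(SECRET_KEY, name.encode(), hashlib.sha256)
    return mac.hexdigest()[:TAG_HEX_LEN]


def make_address(name):
    """Address to hand to one site: {name}-{hmac}@DOMAIN."""
    name = name.lower()
    return f"{name}-{_tag(name)}@{DOMAIN}"


def revoke(address):
    """Block one handed-out address once it starts receiving spam."""
    BLOCKED.add(address.lower().rpartition("@")[0])


def classify(recipient):
    """Map an envelope recipient to one of the filtering tiers."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain != DOMAIN or local in BLOCKED:
        return "reject"
    if local in KNOWN_PUBLIC:
        return "moderate-filter"
    # Split on the last hyphen so site names may contain hyphens themselves.
    name, sep, tag = local.rpartition("-")
    # Constant-time comparison; bytes so odd input cannot raise TypeError.
    if sep and name and hmac.compare_digest(tag.encode(), _tag(name).encode()):
        return "auto-accept"
    return "heavy-filter"
```

Because the tag depends on a secret key, a sender who knows one valid address cannot derive a valid address for another name, and revoking one address leaves the rest untouched.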
You can do something similar with Gmail - if your email is matt@gmail.com you can receive to Matt+1@gmail.com, matt+2 etc.
Although some websites reject this format.
I've been "fighting" many websites in the last 20+ years, which use(d) JavaScript libraries which accept "only a-z, 0-9 and _" as valid characters in a local part. Some even changed their code after I complained and pointed them to the relevant parts of RFC822 (and all successors)
IMNSHO: sysadmins who do not know that the local part of an email address is not of their concern (as long as it complies to RFC 822++), are not worth their money. And web designers? Don't get me started on that topic ;-0
Edit: ok, they even allow "." and "-" in local parts.
Or worse, they'll accept it, but then some backend system trips over it, and now the product you ordered never ships to you, but customer service doesn't know how to refund it either.
Gmail does not see "." as contributing to uniqueness of the addressee name. So for instance a missing "." expected in "matt.smith@" is a reliable flag for rejection.