
> they are very hard to identify as being spam

For every account I create on the internet I create a new mail inbox; this way I can just compare the email title with the inbox it was sent to. So, when I receive a notice from my bank on my github email I know what happened. This genuinely saved me a few times already.



Same, but I use a catch-all, not separate inboxes.

I've caught a couple of hacked or sold email lists, but nothing that drastic yet.

One organization posted the email address I gave them on a public contact list webpage, so I get spam/phishing at that one.

Using a catch-all is the easiest way to do this, and I highly recommend it for other people.


May I ask what E-mail provider you use? Or do you run your own mail server?


(not GP)

Most providers let you run a catch-all address on your own domain. You usually set it up with just a check-box "catch-all" and where to send all mail, or you write the username as "*" in an alias.


Not GP either, but this. To name a specific provider, I use improvmx.com. They have a generous free tier, I eventually switched to some low paid tier. Not affiliated, happy user.


Fastmail


This feature is available for no extra cost from panix.com with the "+" (dcoder+anytext@panix.com) technique, and I can use filters on the address.

Since many sites can't believe that an email address can have a "+", I can also use "anytext@dcoder.users.panix.com" at most sites instead of dcoder@panix.com. ("anytext" typically, for me, being the name of the company or organization that I'm dealing with. Also, my Panix account is not really "dcoder".)


Spammers know of the "+" trick, which was popularized by GMail. If they have any level of sophistication at all, they'll /+.*@/@/


Plus-tag stripping sounds like a no-brainer for spammers to do, but I've never come across this behavior yet.

I always give out myname+tag@... to places that ask for email, and have an incoming message rule that puts bare myname@ straight into spam folder.

So far, the only messages to bare address were service updates from my email provider itself.
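The two rules described above (a bank notice arriving at the github address means a leak; anything to the bare address goes to spam), as an added example that is not code from any commenter. The domain, user name, tag table and sample headers are all constructed for illustration.

```python
"""Flag mail whose recipient tag does not match its sender, covering the
three address forms the thread discusses: me+tag@domain, tag@domain
(catch-all) and tag@me.domain (subdomain catch-all)."""
from email.utils import parseaddr

MY_USER = "me"                       # constructed
MY_DOMAIN = "mydomain.example"       # constructed
# Constructed table: tag handed out at signup -> sender domains allowed to use it.
EXPECTED_SENDERS = {"github": {"github.com"}, "bank": {"examplebank.example"}}

def recipient_tag(addr):
    """Return the tag from a To: address, or None for the bare address
    or an address that is not ours at all."""
    local, _, domain = parseaddr(addr)[1].lower().rpartition("@")
    if domain == MY_DOMAIN:
        if local == MY_USER:
            return None                          # bare address
        if local.startswith(MY_USER + "+"):
            return local[len(MY_USER) + 1:]      # plus-tag form
        return local                             # catch-all form
    if domain == f"{MY_USER}.{MY_DOMAIN}":
        return local                             # subdomain catch-all form
    return None

def classify(headers):
    """'bare' -> spam folder; 'mismatch' -> tag leaked or phishing;
    'unknown-tag' -> tag never handed out; 'ok' -> expected sender."""
    tag = recipient_tag(headers.get("To", ""))
    if tag is None:
        return "bare"
    sender_domain = parseaddr(headers.get("From", ""))[1].lower().rpartition("@")[2]
    expected = EXPECTED_SENDERS.get(tag)
    if expected is None:
        return "unknown-tag"
    return "ok" if sender_domain in expected else "mismatch"

# Constructed sample headers: a real GitHub notice, a "bank" notice sent to
# the github address, one to the bare address, one to a tag nobody was given.
SAMPLES = [
    {"From": "GitHub <noreply@github.com>", "To": "me+github@mydomain.example"},
    {"From": "Alerts <alerts@examplebank.example>", "To": "github@me.mydomain.example"},
    {"From": "News <news@example.net>", "To": "me@mydomain.example"},
    {"From": "Promo <deals@example.org>", "To": "qwerty@mydomain.example"},
]

def scan(messages=SAMPLES):
    """Verdict per message, in input order."""
    return [classify(m) for m in messages]

if __name__ == "__main__":
    for m, verdict in zip(SAMPLES, scan()):
        print(f"{verdict:12} {m['To']:30} <- {m['From']}")
```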


I have received phishing attempts for cryptoscams that still had my tagged address and identified the source of the leak that way... but I'm sure there are more cautious scammers and spammers who remove it. Still, it can be the poor man's version of a catch-all address, I guess.


Sounds like it's time for someone to set up an email service that offers the same functionality without the +. There would be some headaches and it would limit the degrees of freedom users have with base email addresses, but I'd use it!


Fastmail already provides this feature if you have a custom domain.

If you have 'domain.com' you can receive emails either on 'foo@domain.com' or 'bar@foo.domain.com' without problems.


Apple and Proton Mail both let you do this without the plus sign. You just have to generate the alias through their password apps.


Fastmail lets you make as many redirects as you want, no + in them.

You can even get an api key for it and plug that into bitwarden, so that when you sign up for whatever, you click bitwarden, generate password, generate email, sign in and it's all set. So smooth. (I sound like an ad, but internet pinky promise no affiliation)


https://relay.firefox.com/ may be a tool for that. I never used it, as I use a catch-all, but may use it in the future.


It sounds like panix already did.


I'm curious - is there a benefit to doing so versus using Apple's Hide My Email (or a similar service) or appending +service to a gmail email address? Completely ignorant on the topic so apologies if this is a silly question.


I'm not really sure how Apple's Hide My Email works, but my impression is they work by creating a proxy email for you. If that is the case, it should be a good solution for protecting your privacy. The problem is you become hostage to Apple, because now if you lose access to your Apple account you also lose access to ALL your accounts (potentially). It's probably on the same level as using a password manager like BitWarden.

I've just explained the problem with the gmail tagging in another comment.


Tried signing up with Samsung using username+samsung@gmail.com and was told my email contained illegal word.

I don't know what they are thinking. Isn't it a real family name in Korea?


As far as I know Samsung isn't a Korean family name, it's just a brand.

That said, are you sure it wasn't the + that caused the problem? I've run into that a few times, presumably when someone tried to roll their own email validation.


It's probably a specific policy of Samsung which doesn't allow the word samsung in recipient addresses. I had the same issue, but with samsung@private-domain.tld

gnusmas@private-domain.tld worked just fine.


Sometimes you can sign up with the + but when you try to log in either on the homepage or an app, the login is invalid because of that + sign. Different validations. Stopped using that way after getting locked out of accounts 6 months later...


My usual "smasung" typo worked fine when I registered with them. I use a service for disposable addresses redirected to my main mailbox for potentially spammy registrations which I don't really care about, instead of just creating new accounts which is way too inconvenient to manage.

I'll make these intentional letter swaps every time just to avoid regexes and automatic filters.


You spelled smasnug wrong :)


Yup. Got my own domain(s) and use a different address for all my services (like with Gmail where you could append +service to your email, but with a completely distinct email per service like paypal@mydomain.com). Helped me several times to identify spam & phishing without even having to check the E-Mail itself.


My guess is that you probably know what I'm going to write, but a lot of people don't realize this 'Gmail trick' doesn't really work.

The problem is that foo+bar@gmail.com and foo@gmail.com are delivered to the same inbox, so if you are trying to scam someone it is safe to remove anything after the + in a gmail address.

And having a custom domain on gmail doesn't improve your situation, because with just a simple 'dig mx' you can know if the domain is hosted on gmail and apply the same regex to remove all labels.

So, to be less inflammatory: the feature works as expected. But it only protects you if the bad actor is really dumb/lazy or if he is honest.


I do the same as the person you're responding to. There is no '+' in my email, I just create random strings @mydomain. It's impossible for a scammer to know they all go to one inbox.


The other thing Gmail does is ignore `.` in the local part. So, one other trick would be to use particular dot patterns for specific accounts.


I have seen spam messages using random distribution of '.' in mails for years to my gmail.


If everything goes to a + address, then any email sent to your base address is invalid and can be trashed.


Some people really love putting dumb validation rules for emails in forms... You would be surprised to know how many systems in the real world will just refuse anything that is not a letter or a number in your email.

And the 'fuck them, I won't do business with them' attitude doesn't really work if the system that won't accept your email is the local gas company.

And there is another problem: some systems will just remove any label without informing you. I've had this problem logging in to some random websites. My account was created with foo+bar@gmail.com but to log in I had to use foo@gmail.com.


Not surprised at all, I've been using the Internet and writing software for a couple decades now. Heck, I might've written one of the validators you're complaining about. But they are typically written to avoid +, for the exact reasons you described.

For those sites, you can add a dot in your username. Then you can ignore any emails sent to an address without the presence of a dot or a plus.

I'm sure there are sites that don't accept dots either, but I've never run into one. So you have to make an exception? Oh well.

I agree that it's easiest to do with service@domain.tld, like the grandparent suggested.


IIRC dot is one of the characters that can't be discarded when checking the local addr part (RFC 5322). So fubar@domain.tld and fu.bar@domain.tld are different addresses really. As far as I understand, it's the Gmail team's decision to configure local addr interpretation and allow `helloworld@gmail.com` and `hello.world@gmail.com` to be treated as the same address. I'd expect that the dot trick rarely works anywhere outside of the gmail world.

The + sign is part of the standard (`atext` token, RFC 5322), so sites which disallow it in an address are doing it wrong. The fact that the industry adopted a practice of using everything after the + sign as a "tag" is not captured anywhere, so this creates even more mess in an already messy space (e.g. MS followed GSuite in this too and added subaddressing - https://learn.microsoft.com/en-us/exchange/recipients-in-exc...)
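A local-part check that follows the RFC 5322 dot-atom grammar the comment above cites, so `+` and `.` are accepted where home-grown validators reject them. This is an added example, not code from the thread; the 64/253 octet limits come from RFC 5321, and the `+` split is the conventional sub-addressing the comment notes is not standardized.

```python
import re

# RFC 5322 atext: ALPHA / DIGIT / these specials ('+' and '-' among them).
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
# dot-atom-text = 1*atext *("." 1*atext): no leading, trailing or doubled dots.
DOT_ATOM = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*$")
# Domain labels: letters, digits, inner hyphens (RFC 1035 style).
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def valid_local_part(local):
    """True for a syntactically valid unquoted local part (<= 64 octets)."""
    return 0 < len(local.encode()) <= 64 and DOT_ATOM.match(local) is not None

def valid_domain(domain):
    """True if every label is well formed and the total length fits RFC 5321."""
    labels = domain.split(".")
    return (0 < len(domain) <= 253
            and all(len(l) <= 63 and LABEL.match(l) for l in labels))

def valid_address(addr):
    """Split on the last '@' (the local part may itself contain '@' only when
    quoted, which this checker does not support) and validate both halves."""
    local, at, domain = addr.rpartition("@")
    return bool(at) and valid_local_part(local) and valid_domain(domain)

def subaddress(local, sep="+"):
    """Split the conventional tag off: 'foo+bar' -> ('foo', 'bar'),
    'foo' -> ('foo', None). Not an RFC rule, just the common practice."""
    base, _, tag = local.partition(sep)
    return base, (tag or None)
```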


I have a feeling spammers don't "dig" anything before removing labels, if they remove them at all.


I use a similar approach due to me having the luxury of an owned domain.

The problem, however, is that most companies still rely on crappy Enterprise services like Microsoft Office. For most people managing identities like this is impossible to do - due to either lack of user-friendly options or due to too high thresholds of necessary IT knowledge.

I mean, we are speaking about having to configure Dovecot and Postfix and similar tools, and I fuck that up regularly. And we are also assuming that they have to be unguessable (you have github@? maybe I should target linkedin@, too, then!) which implies that they have to be random-looking which means they will likely be blocked by registration filters.

Newer projects like Maddy [1] kind of go towards that direction, but are still targeted at developers or sysadmins.

[1] https://github.com/foxcpp/maddy


> configure Dovecot and Postfix

'Creating a new inbox' was an exaggeration on my part. What I have is a catchall on my fastmail account. But when I talk about creating inboxes it seems to make it easier for normal people to understand what I'm doing and the benefits it brings.

> we are also assuming that they have to be unguessable

That would be nice, but I don't have a nice way of doing it. I've tried to use something like rot13 to make it less obvious, but it is a pain to manage it. It would be nice if there existed a cipher that was pretty easy to do in my head, but I never found anything like this.

> you have github@? maybe I should target linkedin@, too, then!

Yes, this is a problem. For a targeted attack this may become a weak point in my defense. But this is a calculated risk I'm willing to accept for now.


Microsoft used to let you get 500 free emails under any domain you added, for years. I miss those years. Had the nice benefit of putting you into Microsoft's ecosystem. I was able to make emails for different sites too.



