If you want to know when your email is sold or shared, there are several strategies to know who the culprit is. Plus addressing/subaddressing is the practice I hear about the most often, and how I keep track of email use.
Do you care about tracking your email? And do you use plus addressing or do something else?
I self-host my own email server (against The Greater Internet's better judgement, it feels) and one of the neat things I can do with Postfix is set any arbitrary character as a username/junk separator.<p>Gmail has supported this for a long time with the '+' character, but this has some major problems. Many things that accept email addresses don't recognize '+' as a valid email username character and won't let you submit the form. I hypothesize that some of this is poor awareness of what constitutes a valid email address, and some of it is intentional to force users to input their "real" email address. I have also run across a few systems that stripped off the '+' suffix off my gmail address.<p>My solution is to use the '.' as the separator because 'firstname.lastname' is a VERY common email username and I'm happy to not allow it in a "real" username on my tiny mail host.<p>So every new site or company I interact with gets user.acme@example.com instead of my "real" email address. I can filter incoming emails based on the To header. And I even have a list of companies (a couple well-known) that have leaked or sold my email address to spammers. Some day I'll write a blog post about that.
I use canaries. I point a dozen domains to fastmail and another dozen to my self hosted email servers. Each have aliases that are mapped to vendors but do not have the vendor name as some vendors are getting upset at this practice and calling it <i>fraud</i>. If I start getting garbage on that alias, I notify the vendor. In most cases they will give me a boiler plate response and then I delete the alias. If they are snarky I create a reject rule with my own snark that also explains the emails for that vendor have been either sold or compromised. This is to let people buying email addresses know they bought a dirty list as some of the modern bots have some telemetry.
I care. I use a generated email address at my domain for every account/service/website.
I store the account info in keepass, they all have generated passwords too.
I can see when email comes in who abused the email, was compromised, or sold it.
If an email starts getting spam, i block receiving to that address. if desired, I update the account to have another generated email, but usually if I'm getting spam to that email I don't want to do business with them again.
I run my own IT. I host my own email, authoritative DNS, web, etc. I use wireguard for a lot of stuff. I put stuff behind cloudflare. I'm sneaky when I need to be, but mostly I'm just a control freak. I also know way more than the average person about email and email authentication. Or lack thereof.<p>Every entity gets it's own email address. As others have pointed out, it lets me track who ends up with it. Sometimes I find it surprising, mostly I don't. Sometimes, though, people are up to some shit.<p>edit to say that those actually creating mailboxes for everything should just use aliases that funnel to a single mailbox. So much easier to maintain than having to have a huge keepass db.<p>edit 2 employ dmarc if you want to see who is trying really game
I do not. I have three mail boxes, for trashy, job-y and personal things. And a couple of technical (apple id, etc).<p>Gmail is really good at filtering spam, so I probably looked into it and found a letter that I waited for only one time in last few years. My inboxes are either empty or may get first non-spam marketing emails that I unsubscribe from immediately. Unread count zero.<p>Idk why people fortify their email that much and investigate who does what. Have no issues nor hesitation with leaving my work email at any local org.
The important detail is to add random nonce/salt to the generated email, like _jri68, so that it's not guessable, so it's provable that the database was compromised. Guessing bestbuy@example.com is believable, but guessing bestbuy_jri68@example.com, is not.
Yes.<p>I use a catch-all. I can accept (whatever)@mydomain.tld<p>Anytime a new company wants my email address, I just randomly give them one.<p>So far I only get spam to the email addresses other people posted on a website as contacts for organizations I volunteer with.<p>(I get spam from web scraping, not from company hacks/sharing etc.)
I've seen quite a few people here reccomending the use of . and + from gmail, but I don't think its a good idea at all.<p>Most people who work in the 'email marketing' space know about this feature. So it's common to see people recommending clients to 'clear' their email list before sending unsolicited emails. And some services even offer this as a feature in the platform.<p>And that also goes for custom domains hosted on gmail. You only need a MX query to learn who is responsible for mail handling in a specific domain.
Lightly and calmly, meaning I have many aliases on my addresses on personal domains and I try to always give unique aliases (keeping some spare on purpose), but not always-always because I'm not enough disciplined and the track is very informal, when (very rarely) I see spam I know it's time to rotate the alias. That's is.<p>Of course if unknown@spammer.net write to my amazon-cx1@mypersonaldomain.tld I could try to locate who have sold/leaked my address but it's still vague, since Amazon, eBay, PayPal, have a gazillion of third party. If it's to JoeIKnowNothingAboutIT@maypersonaldomain.tld it's likely he was cracked and so on.
I used to use a catch-all with a custom e-mail for every website I used. I had amazon@mydomain, newegg@mydomain, etc.<p>I found that despite what people think, your e-mail address isn't being sold. At least, not by any vendors with a remotely decent reputation. I never got spam to any of those e-mail addresses.
I do, I use Fastmail and create aliases for every service. It's interesting to see how fast companies will "lose" or sell your email address.<p>I've seen it as fast as 24 hours my unique email address is being used by others even though their privacy policy says that they will never share your info.
Fastmail offers per-service generated addresses. I think it's kind of fascinating to watch my email address that went solely to my local credit union start sending me spam somewhat related to my employer.
Occasional use of plus addressing but I find a lot of signup forms now actively block this. Also have a secondary crappy gmail address that I use for low value stuff that is sus. (That’s full of spam and has multiple hits on have I been pwned)<p>Beyond that I don’t worry about this too much.<p>As a side note - amazed that iPhone autocorrect corrected my “owned” to pwned in above
Yes, I’ve done this for years. And to be honest, I don’t think I’ve ever “caught” a business sharing a service when they shouldn’t have.
Makes me question why continue to do it.
I care but don't have time or the resources. What I have made a habit of tho is registering to any new website or service using example any.name@gmail.com → register using a.nyname@gmail.com. I then take note of which variant / which service.<p>I have no idea if this works the way I expect it logically <i>could or should</i>, but if it does I guess I have some data to go thru.
I've used spamgourmet.com for many years (Literally decades, my first entry was 2003-08-07) to create disposable email address. You just make up the address "tempsite.4.username@spamgourmet.com" to create an email address for tempsite that expires after 4 uses. You can always remove this limit later.<p>My message stats: You have 245 spamgourmet address(es). 827 emails forwarded, 28,605 eaten.<p>The #1 worst offender for selling my address was Yahoo, followed by the German magazine Der Spiegel, then Groupon. But my stats go back 20 years, so this may not represent current sharing activity. I also have many many examples of registering at all kinds of sketchy websites that have never used that temp address beyond the initial registration confirmation..<p>Sorting by created date, in the most recent 5 years, my temp addresses seem to be getting shared and re-used considerably less frequently, which probably correlates to the overall death of email, which is for old people, so I am told.
I also have an @ alias on my domains, and give unique addreses to companies/services which identifies them. I'm only had a couple accusations of "fraud", but they were easily dispelled by asking them to explain what "fraud" I was committing (they couldn't) and explaining why I do this.<p>Addresses which have been lost/stolen and start receiving spam become spam traps, and I change the email address with the company/service to a new alias so their legitimate mail is delivered normally.<p>In some of the few cases where the loss/theft was identified, it didn't happen at company/service directly, but with one of their suppliers, for example, a breach at the marketing email provider they used.
My friend Ward was doing sub-addressing back in the 1970s, with made up apartment/box numbers, and eventually the xmodem.com domain. He learned quite a few things about it.<p>For instance, if you look at the article he wrote about CBBS[1], you'll see he's listed at apartment #3D.<p>I never took up the practice, though I suppose I could having the warot.com domain to play with, and a single family residence to make up PO boxes, apartments, etc.<p>[1] <a href="https://vintagecomputer.net/cisc367/byte%20nov%201978%20computerized%20BBS%20-%20ward%20christensen.pdf" rel="nofollow">https://vintagecomputer.net/cisc367/byte%20nov%201978%20comp...</a>
I do not regularly track, but I do reflexively create throwaway emails at a domain I bought for that purpose, so that I can /dev/null them if/when someone sells that email address to a list.
Not any more. Dark web rollups include just about everything you could ever want to know about anyone. Using a unique address per service just makes it easier to identify which services you use.
When I learned about public git commits "leaking" my email address it was already too late. Now I'll probably use that email for this particular task. And another sad thing, is that many spammers are picking up "support" email address from Google Play Store.
Still waiting for a email service which would charge each spammer several dollars for "successful delivery", or plain "waste of time".
I self-host so that I can set the addresses to whatever I want it to be. I use the ISP's server for sending and my own server for receiving (this can be configured with Exim).<p>Then, if I receive some spam messages, I can delete an alias that I don't want, in order to avoid receiving any messages.<p>(When someone sends to an invalid alias, the SMTP server gives them a 550 error.)<p>(I use Heirloom-mailx for reading, managing, and sending email messages.)
My strategy is to use a few alias for sources with spam risk like forum, sign up on “free” offers etc., some for newsletters. When I’m suspicious but not sure, I quickly add the +. Only for very few official transactions, I would use my real addresses.
In general, Gmail deals very well with spammers. For the rest, when an alias is spoiled, I simply discard it and create a new one.
been running my own email for 25 years or so. been using "plus" addressing (actually hyphen) for approximately as much. got only few cases when email got sold/shared. biggest issue was linkedin email address leak a bunch of years ago, so i got a lot of spam to -linkedin@ alias . changed email on linkedin to something different, and old emails go to spam
Fastmail let's you set a wildcard when you bring your own domain. Same outcome as other's mention - usernamespotify@domain.com is my spotify email address. I make it up during login creation and it just works. I've used this technique for every login but not once has it resulted in traceable spam. Logins are all tracked in keepass.
I have addresses like somename-ex-someservice@mydomain.com directed to my email, which I use to register myself in "someservice". This is how I know where email was leaked and needs to be disabled. I use Protonmail basic subscription to attach my domain. Before that I was using rewriting rules in Postfix.
I use Proton's email aliases for throwaway accounts, and I have a catch-all on my own domain and use custom email addresses (think apple.com-randomstring@example.com) for accounts that I intend to keep until I die.
I use iCloud’s Hide my Email feature. So I have dozen email addresses and I receive email in the same inbox. I don’t care how my email addresses are used. The moment I see too much spam, I remove the email address.
I have a public address and a private address. Gmail does well enough with spam filtering. I check it monthly and find some false positives. Nothing important though.<p>I can’t imagine spending more time on this, though.
I used to, but it basically showed that no one ever gave away my email address to spammers, or at least if they did, the spam filter caught it. It's not worth it.
Catchall for 25 years :) (on domainfactory - df.eu) each company/service gets their own email prefix, so I can determine spam and also filter unsolicited emails.
Yes every service gets a custom address.<p>It's also interesting that some services don't allow COMPANYNAME@mydomain.com for registration. (Can't remember which)
I have a catch-all domain but I don’t bother to setup unique emails for each service. It’s too much of a headache and you have to ask yourself:<p>If I find out someone sold/shared/leaked my email what am I going to do?<p>Here the possible responses as I see it:<p>* Stop doing business with them - This is way easier said than done<p>* Be mad - ok, great, now what?<p>* Send a strongly worded email - again, so what?<p>* Sue them? - Good luck<p>Selling or sharing my email address is a shitty thing to do, but my recourse is extremely limited and really ends up with me just being angry with nothing to do about it. Given that I’ve decided just to not care.<p>There are many things in life that I once cared about or once got worked up about that I don’t anymore because I’ve realized that it’s just not worth it. I’ve tried to identify more and more the things that get me mad, but don’t affect any change and then purge those things from my life. Life is too short to spend your time worrying about things like who sells your email.
for general purpose website signup not directly linked to my identity, I use Simplelogin. For real life personal stuff I just have a gmail. There is another dedicated email for open source work, plus a few historical email addresses which aren't actively used but still occasionally receives stuff.
I use Hey.com's "catch all" inbox for this but it's a bit janky. If you set up a "custom domain" Hey account, you can actually email `[anything]@yourdomain.com` and it'll arrive in the catch all inbox. (Not unique to hey obviously) It has the benefit that it's impossible to block, but Hey obviously doesn't really want me doing that since they charge per-email-address.