
Comment by jowea

1 year ago

I navel-gaze that if we redesigned communications from the ground up we could handle this better. When you greet someone physically you can add each other as known trusted contacts immediately. And when you sign up to some service online and have to put in your contact info, that likewise prompts you to add them as a contact. And you can't share along a contact you know to someone else without that contact ID uniquely identifying you.

That way, everyone who should contact you can do so, and if someone else gets their hands on your contact info you can figure out who leaked it.

I do this with my email. I have a bunch of different emails under my own domain, and I use info+uniqueidentifier@domain.org for registrations which do not warrant their own actual email handle.

This way, I can easily filter incoming email, and I can see where an email came from if any party sells my data.

This also works with GMail by the way, you can use youraccount+anyrandomstring@gmail.com and emails will still be delivered to you.

I use a separate email handle that I only hand out to actual human beings, never to companies and never use for account registrations.

This has worked really well for the past 15 years or so.
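The filtering described above, as an added example that is not code from the poster: a small Python router that splits a subaddress of the form info+uniqueidentifier@domain.org into its parts, looks the tag up in a constructed registry of tags handed out at sign-up, and quarantines both unknown tags and mail sent to the bare address (which was never handed out, so a stripped tag is itself a signal). The domain, the tag registry and the sample message are assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed registry: tag handed out at sign-up -> who received it (example data).
KNOWN_TAGS = {
    "acme-store": "ACME online store",
    "newsletter42": "Weekly newsletter",
}

# local part, optional +tag, domain; all compared in lowercase.
PLUS_RE = re.compile(r"^(?P<local>[^+@]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")


def split_plus_address(addr):
    """Split 'Name <info+tag@domain.org>' into (local, tag, domain); tag is None if absent."""
    _, bare = parseaddr(addr)
    m = PLUS_RE.match(bare.strip().lower())
    if not m:
        return None
    return m.group("local"), m.group("tag"), m.group("domain")


def classify_recipient(addr, known_tags=KNOWN_TAGS, base_local="info", domain="domain.org"):
    """Return (action, reason) for the recipient address of an incoming message."""
    parts = split_plus_address(addr)
    if parts is None:
        return ("reject", "unparseable address")
    local, tag, dom = parts
    if dom != domain or local != base_local:
        return ("ignore", "not the tagged mailbox")
    if tag is None:
        # The bare address was never given out: tag stripped by a sender or guessed.
        return ("quarantine", "bare address; tag stripped or address guessed")
    if tag in known_tags:
        # Known tag: the reason string names the party the tag was handed to,
        # which is what identifies the source if the address later leaks.
        return ("deliver", known_tags[tag])
    return ("quarantine", f"unknown tag {tag!r}: possibly forged")


# Constructed sample message (not a real capture).
SAMPLE_MSG = """Delivered-To: info+acme-store@domain.org
From: promo@example.net
To: info+acme-store@domain.org
Subject: Big sale

body
"""


def route_message(raw, **kw):
    """Classify a raw RFC 5322 message by its Delivered-To (or To) header."""
    msg = message_from_string(raw)
    return classify_recipient(msg.get("Delivered-To") or msg.get("To") or "", **kw)
```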

  • iCloud’s Hide My Email is perfect for this. No “+” convention, it just generates a random @icloud.com email address specifically for whatever website/app you’re signing up for, and forwards it to your real email. The random addresses are indistinguishable from real iCloud.com email addresses, there’s no naming convention a website can reject.

    I never worry about sites that require signups any more, I just autogenerate an email for them and use a fake name. I couldn’t give a shit less if they get hacked or leak data, because the email and password are randomly generated. If they turn out to spam me I just disable that email address and never hear from them again.

    The only people who have my “real” email addresses are people I know personally.

    • > The random addresses are indistinguishable from real iCloud.com email addresses, there’s no naming convention a website can reject.

      That's not remotely true.

      The very very very vast majority of actual iCloud email addresses are going to have "dictionary" names. It's quite trivial to detect a randomized address (and at that point, you probably don't even care about a couple of false positives).

      Multiple instances of letter-number-letter-number ("b2y4r")? Coupled with letter combinations that don't exist in most languages ("ytbn")? And no dictionary words ("john", "smith", "booklover")? Random address.

      Now, whether you care to do business with someone who detects this is a different question altogether.

      But they are absolutely distinguishable.


    • Have you ever had to reply 'from' a random iCloud email? Is it possible?

      I faced that with Costco support. My method is a custom email on a personal domain name. Had to set up an email alias in Gmail to do so. Was a pain.

  • I heard about the +, but don't some sites reject it? Or can't bad actors just strip it? You'd need your own domain with a large amount of unique identifiers for it to work if it became popular.

    • I find it quite rare for systems to reject the + these days. One notable exception is my credit union, whose Web 1.0 system turned it into a space. The most annoying thing about this practice is if you're telling it to a human, they are very confused about your email address having their company's name in it. I occasionally get "do you work here or something?" Every once in a while I'm talking to someone (example: elementary school secretary) who gives me a vibe that they're going to be really thrown off by this and I just make up a three letter unique code for a suffix since I can still search for whoever sent me that first to see what the suffix means.

      On the stripping of the + and suffix, yeah, bad actors who recognize your scheme can do that, but spamming is about quantity, not quality, so they just aren't going to put in the effort.


    • I still miss qmail's convention, which used a - instead. That worked flawlessly everywhere, circa early 2000s.

      (I still have some email handling rules for my domain that understand the - aliases I created.)

      I think that both conventions are flawed, as adversaries that know the convention can just remove the distinguishing part. If someone signs up with the email address real+spam@example.com, then they're just going to spam real@example.com. Apple's thing where it creates a987dfc429be@icloud.com is much better. Maybe that's the username I selected. Maybe it's an anti-spam forwarding address. There is no way of knowing. (Actually, I think it does something like relay.icloud.com? So yeah, they know it's not your real address. Apple just says "if you reject this, you can't have an iPhone app", which is what makes it work.)


  • Apple has this as a service now. It's more automatic than the GMail process and works well.

    A weakness with the GMail process is that spammers are able to remove the + part (even if most don't), and your credentials or identity can be aligned across leaked credential databases by removing the + part.

    • They can, but in my case that still doesn't get them in my inbox since those messages go elsewhere.

  • It seems like this approach is really popular. Have no spammers/data brokers caught on and started stripping the +identifier?

    • If they were really smart, they'd parse and use that info to their advantage. Have info+autozone@domain.com? Send company-specific phishing emails to +apple, +wellsfargo, +$POPULAR_COMPANY every other week