
Comment by sspiff

1 year ago

I do this with my email. I have a bunch of different emails under my own domain, and I use info+uniqueidentifier@domain.org for registrations which do not warrant their own actual email handle.

This way, I can easily filter incoming email, and I can see where an email came from if any party sells my data.

This also works with GMail by the way, you can use youraccount+anyrandomstring@gmail.com and emails will still be delivered to you.

I use a separate email handle that I only hand out to actual human beings, never to companies and never use for account registrations.

This has worked really well for the past 15 years or so.
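The filtering and "who leaked my address" step that sspiff describes, as an added Python example (not the commenter's own code). It assumes a mailbox info@domain.org, a hypothetical ISSUED_TAGS registry recording which party each tag was handed to, and four constructed sample messages; nothing here is real mail.

```python
import email
from email.utils import getaddresses

# Assumed mailbox and a hypothetical registry of the tags handed out at
# registration time: tag -> domain of the party that was given it.
MY_USER, MY_DOMAIN = "info", "domain.org"
ISSUED_TAGS = {
    "shop2021": "example-shop.test",
    "news": "example-news.test",
}

def split_plus_address(addr):
    """user+tag@domain -> (user, tag, domain); tag is '' when there is none."""
    local, _, domain = addr.rpartition("@")
    user, _, tag = local.partition("+")
    return user.lower(), tag.lower(), domain.lower()

def my_tags(msg):
    """Tags on every recipient header that names this mailbox."""
    tags = []
    for header in ("To", "Cc", "Delivered-To"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            user, tag, domain = split_plus_address(addr)
            if user == MY_USER and domain == MY_DOMAIN:
                tags.append(tag)
    return tags

def route(raw):
    """Folder for a raw RFC 5322 message: one folder per issued tag, the
    inbox for the bare address, and a holding folder for tags never issued."""
    msg = email.message_from_bytes(raw)
    tags = [t for t in my_tags(msg) if t]
    if not tags:
        return "inbox"
    if tags[0] in ISSUED_TAGS:
        return f"tagged/{tags[0]}"
    return "suspicious"   # a tag I never handed out: guessed or mangled

def leaked_by(raw):
    """Name the party whose tag is being used by a sender from another domain
    (that party, or a breach of it, is the likely source), else None."""
    msg = email.message_from_bytes(raw)
    senders = getaddresses([msg.get("From", "")])
    sender_domain = split_plus_address(senders[0][1])[2] if senders else ""
    for tag in my_tags(msg):
        expected = ISSUED_TAGS.get(tag)
        if expected and sender_domain != expected:
            return expected
    return None

# Constructed sample messages (not real mail).
ORDER = b"""From: Example Shop <orders@example-shop.test>
To: info+shop2021@domain.org
Subject: Your order has shipped

Thanks for your purchase.
"""
LEAK = b"""From: Great Deals <deals@unrelated.test>
To: info+shop2021@domain.org
Subject: Cheap watches

Buy now.
"""
HUMAN = b"""From: A Friend <friend@example.com>
To: info@domain.org
Subject: Lunch?

Friday?
"""
GUESS = b"""From: Someone <someone@example.net>
To: info+abc123@domain.org
Subject: Hello

Hi.
"""

if __name__ == "__main__":
    for name, raw in (("ORDER", ORDER), ("LEAK", LEAK), ("HUMAN", HUMAN), ("GUESS", GUESS)):
        print(name, route(raw), leaked_by(raw))
```

The `leaked_by` check is the part that makes the scheme useful beyond sorting: a message from an unrelated domain arriving at a tag that only one party ever received points straight at that party's address book, whether it was sold or breached.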

iCloud’s Hide My Email is perfect for this. No “+” convention, it just generates a random @icloud.com email address specifically for whatever website/app you’re signing up for, and forwards it to your real email. The random addresses are indistinguishable from real iCloud.com email addresses, there’s no naming convention a website can reject.

I never worry about sites that require signups any more, I just autogenerate an email for them and use a fake name. I couldn’t give a shit less if they get hacked or leak data, because the email and password are randomly generated. If they turn out to spam me I just disable that email address and never hear from them again.

The only people who have my “real” email addresses are people I know personally.

  • > The random addresses are indistinguishable from real iCloud.com email addresses, there’s no naming convention a website can reject.

    That's not remotely true.

    The very very very vast majority of actual iCloud email addresses are going to have "dictionary" names. It's quite trivial to detect a randomized address (and at that point, you probably don't even care about a couple of false positives).

    Multiple instances of letter-number-letter-number ("b2y4r")? Coupled with letter combinations that don't exist in most languages ("ytbn")? And no dictionary words ("john", "smith", "booklover")? Random address.

    Now, whether you care to do business with someone who detects this is a different question altogether.

    But they are absolutely distinguishable.

    • The auto-generated addresses also have dictionary names. They’re explicitly designed to look like addresses that a real person might come up with… typically a dictionary word, followed by some numbers and symbols. Just like other email addresses on popular services where all the good names are taken.


  • Have you ever had to reply 'from' a random iCloud email? Is it possible?

    I faced that with Costco support. My method is custom email on personal domain name. Had to set up an email alias in gmail to do so. Was a pain.

I heard about the +, but don't some sites reject it? Or can't bad actors just strip it? You'd need your own domain with a large amount of unique identifiers for it to work if it became popular.

  • I find it quite rare for systems to reject the + these days. One notable exception is my credit union, whose Web 1.0 system turned it into a space. The most annoying thing about this practice is if you're telling it to a human, they are very confused about your email address having their company's name in it. I occasionally get "do you work here or something?" Every once in a while I'm talking to someone (example: elementary school secretary) who gives me a vibe that they're going to be really thrown off by this and I just make up a three letter unique code for a suffix since I can still search for whoever sent me that first to see what the suffix means.

    On the stripping of the + and suffix, yeah, bad actors who recognize your scheme can do that, but spamming is about quantity, not quality, so they just aren't going to put in the effort.

    • Spamming is about quantity but stripping a "+" is something a one line script can do, which is what will happen if this gets popular. A real solution should be more resilient. Like spam binning anything that does not use the "+"?


    • Unfortunately, I disagree; I stopped using plus-sign addressing because so many sites I wanted to use it on (many of them for important things like medical stuff) wouldn't accept it.

  • I still miss qmail's convention, which used a - instead. That worked flawlessly everywhere, circa early 2000s.

    (I still have some email handling rules for my domain that understand the - aliases I created.)

    I think that both conventions are flawed, as adversaries that know the convention can just remove the distinguishing part. If someone signs up with the email address real+spam@example.com, then they're just going to spam real@example.com. Apple's thing where it creates a987dfc429be@icloud.com is much better. Maybe that's the username I selected. Maybe it's an anti-spam forwarding address. There is no way of knowing. (Actually, I think it does something like relay.icloud.com? So yeah, they know it's not your real address. Apple just says "if you reject this, you can't have an iPhone app", which is what makes it work.)

    • Following my navel-gazing idea, the trick is that mail to real@example.com just gets spam binned automatically. Anyone who has any business emailing you should have a real+randomuniqueid@example.com email address to send to you. It's almost like the randomuniqueid is a password to your inbox.

      Unfortunately, this is only for email; there's no such thing for phones or anything.

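The deny-by-default policy in the reply above (bin the bare address, treat the random id as a password, disable a tag once it misbehaves) as an added Python example; it is not the commenter's code. The `TagInbox` class, the address real@example.com and the party names are assumptions made for the example, and `strip_tag` models the one-line normalisation that the thread worries spammers will apply.

```python
import secrets

class TagInbox:
    """Deny-by-default mailbox: only mail addressed to a tag that was issued
    and not since revoked reaches the inbox. Everything else, including the
    bare address that a stripped '+tag' collapses to, goes to the spam bin."""

    def __init__(self, user, domain):
        self.user = user.lower()
        self.domain = domain.lower()
        self.issued = {}       # tag -> party it was handed to
        self.revoked = set()

    def issue(self, party):
        """Mint an unguessable tag for one party and return the full address.
        16 hex chars (64 bits) so the tag cannot be enumerated by guessing."""
        tag = secrets.token_hex(8)
        self.issued[tag] = party
        return f"{self.user}+{tag}@{self.domain}"

    def revoke(self, tag):
        """Disable a tag after it starts attracting unwanted mail."""
        self.revoked.add(tag.lower())

    def classify(self, recipient):
        """'inbox', 'spam' or 'not-mine' for one recipient address.
        Local parts are case-folded, as most mail servers do on delivery."""
        local, _, domain = recipient.rpartition("@")
        user, _, tag = local.partition("+")
        user, tag, domain = user.lower(), tag.lower(), domain.lower()
        if user != self.user or domain != self.domain:
            return "not-mine"
        if not tag:
            return "spam"            # bare address: nobody legitimate has it
        if tag in self.revoked or tag not in self.issued:
            return "spam"            # disabled, guessed or mangled tag
        return "inbox"

    def party_for(self, recipient):
        """Who was given the tag on this address (None if unknown)."""
        local = recipient.rpartition("@")[0]
        tag = local.partition("+")[2].lower()
        return self.issued.get(tag)

def strip_tag(address):
    """The 'normalise away the +tag' step a spammer might apply; with the
    policy above the result lands in the bin instead of the inbox."""
    local, _, domain = address.rpartition("@")
    return f"{local.partition('+')[0]}@{domain}"

if __name__ == "__main__":
    box = TagInbox("real", "example.com")
    shop = box.issue("example-shop")
    print(shop, box.classify(shop), box.party_for(shop))
    print(strip_tag(shop), box.classify(strip_tag(shop)))
```

The policy only holds if the receiving server actually delivers user+tag@domain to user's mailbox; on Postfix, for instance, that is governed by the `recipient_delimiter` setting, and with it unset the tagged address is simply an unknown recipient. With a catch-all domain, as another reply suggests, the same class works with the random tag as the whole local part and the stripping step has nothing to strip.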

    • A certain tongue-in-cheek email provider [0] uses . (a dot) for this purpose, i.e. username.anything@domain.tld. Spammers could remove the distinguishing part here too, but they can't be bothered to keep a list of all the conventions used by different providers, so I think it should work pretty well.

      (Personally I use a dedicated catch-all domain now, and the username is the distinguishing part – try to remove that!)

      [0]: https://cock.li/, they do have SFW domains though

    • Not all mail servers treat a+b@a.com and a@a.com as the same email.

      By equal token, you can't be sure that the email address doesn't actually just contain a plus sign.

      I was disappointed to find out at work recently that the plus convention was not configured. It made testing account signups more difficult. This is when I dug in a bit and found out that it depends on the mail server whether those are unique addresses or not.

    • > Apple's thing where it creates a987dfc429be@icloud.com

      Still trivial to detect. Random letter/number combinations, letter combinations that don't exist in the dictionary, no dictionary word? Pretty detectable.


Apple has this as a service now. It's more automatic than the GMail process and works well.

A weakness with the GMail process is that spammers are able to remove the + part (even if most don't), and your credentials or identity can be aligned across leaked credential databases by removing the + part.

  • They can, but in my case that still doesn't get them in my inbox since those messages go elsewhere.

It seems like this approach is really popular. Have no spammers/data brokers caught on and started stripping the +identifier?

  • If they were really smart, they'd parse and use that info to their advantage. Have info+autozone@domain.com? Send company-specific phishing emails to +apple, +wellsfargo, +$POPULAR_COMPANY every other week