Comment by jrockway
1 year ago
I still miss qmail's convention, which used a - instead. That worked flawlessly everywhere, circa early 2000s.
(I still have some email handling rules for my domain that understand the - aliases I created.)
I think that both conventions are flawed, as adversaries that know the convention can just remove the distinguishing part. If someone signs up with the email address real+spam@example.com, then they're just going to spam real@example.com. Apple's thing where it creates a987dfc429be@icloud.com is much better. Maybe that's the username I selected. Maybe it's an anti-spam forwarding address. There is no way of knowing. (Actually, I think it does something like relay.icloud.com? So yeah, they know it's not your real address. Apple just says "if you reject this, you can't have an iPhone app", which is what makes it work.)
Following my navel-gazing idea, the trick is that mail to real@example.com just gets spam binned automatically. Anyone who has any business emailing you should have a real+randomuniqueid@example.com email address to send to you. It's almost like the randomuniqueid is a password to your inbox.
Unfortunately, this is only for email; no such thing for phones or anything.
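A small filter implementing the scheme sketched above (bare address binned, mail to an issued tag delivered, the tag doubling as a record of who was given it), added here as an illustration and not code from the comment or any mail server; the in-memory tag store, the sample tags and the choice of separator are assumptions.

```python
import secrets

# Tags handed out to correspondents, keyed by tag. Constructed sample data;
# a real deployment would keep this in the alias table of the mail server.
ISSUED_TAGS = {
    "k3j9x2qp": "bank",
    "m7v1c0ra": "newsletter",
}

# Separator conventions mentioned in the thread: '+' (Postfix/Gmail style),
# '-' (qmail), '.' (cock.li). Assumed: the filter knows which one its server uses.
SEPARATOR = "+"


def issue_tag(correspondent, issued=ISSUED_TAGS):
    """Mint a fresh random tag for one correspondent and remember who got it."""
    tag = secrets.token_hex(4)  # 8 hex chars, unguessable in practice
    issued[tag] = correspondent
    return tag


def split_address(address, sep=SEPARATOR):
    """Return (user, tag, domain); tag is None when no separator is present."""
    local, _, domain = address.rpartition("@")
    user, _, tag = local.partition(sep)
    return user, (tag or None), domain


def classify(recipient, real_user="real", real_domain="example.com",
             issued=ISSUED_TAGS):
    """Decide where mail to one of our addresses goes.

    Only an issued tag reaches the inbox. The bare address and any tag we
    never handed out (a guess, or a stripped/altered tag) are spam-binned,
    which is what the comment proposes.
    """
    user, tag, domain = split_address(recipient)
    if domain.lower() != real_domain or user.lower() != real_user:
        return "reject"  # not one of our addresses at all
    if tag is None:
        return "spam"    # bare real@example.com
    return "inbox" if tag in issued else "spam"


def leaked_by(recipient, issued=ISSUED_TAGS):
    """If unwanted mail arrives on an issued tag, name the correspondent who had it."""
    _, tag, _ = split_address(recipient)
    return issued.get(tag)
```

The caveat from elsewhere in the thread still applies: this only works when the mail server actually routes `real+anything@` to the same mailbox, and a local part that legitimately contains the separator will be split too.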
I like that!
A certain tongue-in-cheek email provider [0] uses . (a dot) for this purpose, i.e. username.anything@domain.tld. Spammers could remove the distinguishing part here too, but they can't be bothered to keep a list of all the conventions used by different providers, so I think it should work pretty well.
(Personally I use a dedicated catch-all domain now, and the username is the distinguishing part – try to remove that!)
[0]: https://cock.li/, they do have SFW domains though
Not all mail servers treat a+b@a.com and a@a.com as the same email.
By equal token, you can't be sure that the email address doesn't actually just contain a plus sign.
I was disappointed to find out at work recently that the plus convention was not configured. It made testing account signups more difficult. This is when I dug in a bit and found out that it depends on the mail server whether those are unique addresses or not.
> Apple's thing where it creates a987dfc429be@icloud.com
Still trivial to detect. Random letter/number combinations, letter combinations that don't exist in the dictionary, no dictionary word? Pretty detectable.
Meh, some actual customer probably uses that as their email address. xXxreaperMainxXx69@gmail.com is probably a real address.