Comment by overlordalex
8 hours ago
The way that this is done these days (and likely what the author did/does) is that you use a custom domain to receive mail; you provide an email like service@custom.com, and that way when service@ starts receiving spam you know exactly where it comes from
^ I've been doing this with catchalls since before Google Apps for Domain was even a thing.
Sometimes customer support staff bring up "oh, do you work at <company> too?" I just tell them that I created an email address just for their company, in case they spam me.
I've got a few dozen domains, and primarily use two of them for business interactions. One is a catchall, while the other requires me to create explicit email addresses (or aliases).
Aside from issues such as the business entity (sometimes silently) prohibiting their name in my email address, I have sometimes encountered cases where part of the email validation process checks to see if the email server is a catchall, and rejects the email address if it is. It takes a little extra effort on my part to make a new alias, but sometimes it's required.
Lots of organizations (such as PoS system providers) will associate an email I provided with credit card number, and when I use the card at a completely different place, they'll automatically populate my email with the (totally unrelated) one that they have. Same goes for telephone numbers.
I've had many incidents similar to the author's. More often than not, it's a rogue employee or a compromised computer, but sometimes it is as nefarious as the author's story.
> checks to see if the email server is a catchall
How is this possible? Do they test sending to a few random addresses?
Wildcard email addresses will subject you to a torrent of spam when spammers try dictionary attacks against your domain. It's better to explicitly create aliases; I built a web UI for Postfix to do this for myself and family (https://GitHub.com/fazalmajid/postmapweb).
I am more specific: if I start receiving pornographic spam like I did at the address I gave Dell, I will know they have been hacked.
I will also not hold my breath waiting for the legally required breach notification they are supposed to send.
> up "oh, do you work at <company> too"?
Oh boy, I have had many of these conversations, and non-technical people especially never grasp the concept. I had some cases where they demanded I change it and use a "real email like gmail!!" One time I bought shoes and the store guy asked for my email to sign up for whatever, so I read out the shoe's name and added the custom domain; he gave me the look as if I were bullshitting him. Another time, at a government-connected agency, she thought "I work there because I have the agency email", even though it is the alias, not the domain.
But similar to OP, a few times I found the service was leaking my email, or they got compromised, who knows.
Take it a step further and do uuid@
Yes, but service@ is too guessable, so append a randomly generated nonce as well, e.g. service_rjfh34@example.com. It doesn't need to be cryptographically random, just non-trivially guessable, to prove the service is leaking email addresses.
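The tagged-alias scheme the last two comments describe, written out as an added example (not code from any commenter or from the postmapweb project). It assumes a placeholder domain example.com, a hypothetical secret KEY, and a hypothetical mailbox me@example.com. Instead of storing a table of random nonces, the tag is a short keyed hash of the service name, so an inbound recipient can be checked statelessly: a correct tag means the address really was handed to that service, a wrong tag means someone guessed the service name (dictionary attack, not a leak), and anything else is catchall noise. The last function renders Postfix virtual-alias lines so only the tagged aliases are accepted, which also means the domain no longer looks like a catchall to the validation checks mentioned above.

```python
"""Per-service e-mail aliases with a keyed, non-guessable tag.

Constructed example for this thread, not any commenter's code.
Assumptions: domain example.com, secret KEY below, mailbox me@example.com.
"""
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

DOMAIN = "example.com"
# Hypothetical secret: in practice generate it with secrets.token_bytes(32)
# and keep it out of the alias map that gets deployed to the mail server.
KEY = b"replace-me-with-a-random-32-byte-secret"
TAG_LEN = 6  # hex chars = 24 bits; plenty to defeat name-guessing, still typeable

_SERVICE_RE = re.compile(r"[a-z0-9-]+")
_ADDR_RE = re.compile(
    r"^([a-z0-9-]+)_([0-9a-f]{%d})@%s$" % (TAG_LEN, re.escape(DOMAIN))
)


def _tag(service: str) -> str:
    """Short keyed tag for a service name (HMAC-SHA256, truncated)."""
    digest = hmac.new(KEY, service.lower().encode(), hashlib.sha256).hexdigest()
    return digest[:TAG_LEN]


def alias_for(service: str) -> str:
    """Address to hand to `service`, e.g. dell_3f9a1c@example.com.

    The service label is lower-cased and restricted to [a-z0-9-] so the
    single '_' before the tag stays unambiguous when parsing inbound mail.
    """
    label = service.strip().lower()
    if not _SERVICE_RE.fullmatch(label):
        raise ValueError("service label must match [a-z0-9-]+")
    return f"{label}_{_tag(label)}@{DOMAIN}"


def classify(recipient: str) -> Tuple[str, Optional[str]]:
    """Classify an inbound RCPT TO address.

    ('valid', service)  - tag checks out: whoever sent this got the address
                          from `service` (or from a leak/breach of it).
    ('forged', service) - right shape, wrong tag: the service name was
                          guessed; treat as a dictionary attack, not a leak.
    ('unknown', None)   - not one of our aliases at all.
    """
    m = _ADDR_RE.match(recipient.strip().lower())
    if not m:
        return ("unknown", None)
    service, tag = m.group(1), m.group(2)
    # compare_digest avoids leaking the tag via timing if this ever sits
    # behind an SMTP policy daemon.
    if hmac.compare_digest(tag, _tag(service)):
        return ("valid", service)
    return ("forged", service)


def postfix_virtual_lines(services: List[str], mailbox: str = "me@example.com") -> List[str]:
    """Render /etc/postfix/virtual entries, one explicit alias per service.

    Listing aliases explicitly (rather than a @example.com catchall) is what
    keeps dictionary-attack spam and catchall probes out.
    """
    return [f"{alias_for(s)} {mailbox}" for s in services]


if __name__ == "__main__":
    for svc in ["dell", "shoe-shop"]:
        print(alias_for(svc))
    for line in postfix_virtual_lines(["dell", "shoe-shop"]):
        print(line)
    print(classify(alias_for("dell")))          # ('valid', 'dell')
    print(classify("dell_000000@example.com"))  # almost certainly ('forged', 'dell')
    print(classify("postmaster@example.com"))   # ('unknown', None)
```

To use it, run `alias_for("dell")` when signing up, deploy `postfix_virtual_lines(...)` to the virtual map (then `postmap` it), and when spam arrives, feed the recipient to `classify` to see which service it traces back to.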