Hacker Neue

Preferences
8cvor6j844qw_d6 parent
I used per-account email with alias services and password managers.

Also started migrating old accounts in free time.

Now its pretty easy to tell the source of leak by email addresses as well as sources of spam.

---

Per-account alias might sound much, but using sieve filtering [1] is amazing, and you can get a comprehensive filtering solution going with 'envelope to' (the actual address receiving the email) + 'header to' (the recipient address you see, sometimes filtering rules don't filter for BCC or sometimes recipients are alias instead of your actual email) that are more comprehensive than normal filtering rules to sort your emails into folders.

[1]: https://datatracker.ietf.org/doc/html/rfc5228

---

Amusingly, I've managed to recover old accounts from emails that contains my old passwords with demands for crypto payment, it just provided me enough help to recall old variations of my passwords.

jwr
> I used per-account email with alias services and password managers.

For people who want to do this, be sure to get it right. I run a SaaS with a free tier, and I see people register with "fancy+nospam+servicename@gmail.com" addresses. Many of those become undeliverable or are left unread forever because of filtering rules. So when my system sends a warning E-mail that the account will be deleted due to inactivity, it doesn't get read, which leads to suboptimal outcomes for everyone involved.

mapt
It was infuriating to me when normal_email+site_name@gmail.com stopped working for registration on some sites.

Fucked up my Costco registration, a variety of other things.

This sort of quasi-pseudonymity is required for basic security/privacy in 2025; It's the only way to get a handle on who's allowed to send you email, since we've never bothered to fix spoofing or impose a cost on spam. I've been trying to use it since Sneakemail was a free service back in the pre-Gmail days.

thallium205
Many spammers will strip the +xxxx out of the emails anyway to not reveal the source of their data so it doesn't matter too much really.
ekropotin
I just use <myname>+<service>@gmail.com At the end of day day it’s all delivered to myname@gmail.com mailbox, but I can use filters based on part after “+”.
willvarfar
I'd be really surprised if Gmail's + behaviour isn't so well known by spammers that they just strip them off?
neobrain
Conversely, I'd assume this pattern is used rarely enough for spammers to even bother fighting it.
vladvasiliu
But I've seen service providers who insisted on creating some account with a valid email who wouldn't accept a `+` it in their forms...
edoceo
My favorite was that I could sign-up with the + address but couldn't sign-in. And the support desk rejected that + address too.

The phone support person was confused about that symbol too, what an odd email.

kevin_thibedeau
This is one of the reasons I switched to a different provider using a custom domain. I can make new addresses in any format I want. There's zero risk of a spammer stripping them down to a base address for the primary account. They also don't get rejected by broken validators.
sunnybeetroot
What’s your plan for when you no longer own your custom domain (think bus factor)? Someone else register your domain and now has access to all your accounts.
mouse-5346
Everyone has their own risk profiles, mine assumes I retain control over my domains and emails. I prepay for them several months in advance to make sure I don't lose ownership. any service provider worth their salt will have a human factor for customer support who can help you if any such issues show up.
4 More Comments →
prein
yep, i use fastmail with a custom domain. i have a catch all email set up, so i just register any account on sitename.com as "sitename@mydomain" and it all gets sorted into a catch all folder. I can then run rules if i want it to go into a certain category like "bills" or just straight to the garbage.
vthriller
Not sure about normalizing recipients' emails but some are definitely aware of it because I've seen spam that asked to "reply back to defi.n.it.ely.not.shady+email@gmail.com" or something.
sussmannbaka
even better: those will be spam guaranteed and can just be filtered by rule then
pil0u
With Gmail, also note that firstname.lastname@gmail.com is equivalent to firstnamelastname@gmail.com or fi.rs.tn.am.el.as.tn.am.e@gmail.com

As some other comment suggested, these rules are easy to tackle by motivated spammers.

askl
If they were motivated, they wouldn't work as spammers.
esseph
Some spammers make obscene amounts of money. CEO of Fortune 100 money.
chipsrafferty
10% of all of Meta's income is from scammers.
docmars
I see what ya did there, you get an upvote.
mroche
I do this as well, but there are a number of service providers that just do not handle subaddressing at all. Like creating an account will result in never receiving a confirmation or verification code because the system failed to parse the address.

I've started using grouped aliases instead for a bunch of things.

tumetab1
The downside is that https://haveibeenpwned.com/ can only find "exact email" addressed, as in, you must search for myname@gmail.com, myname+service1@gmail.com, etc.
sneak
As someone who deals in breach data this is a simple regex to strip out.
mesrik
>As someone who deals in breach data this is a simple regex to strip out.

Sure it is, but at least you do get later, post leak, a slight chance find out where leak originated.

Data stealers seldom strip out that +extension part before the selling or otherwise dump it somewhere. And while it's passed on, you get to see address as you gave to that party that had leak. Reason seller don't strip of it is perhaps because they sell by number of unique addresses and while +extension usage is quite rare they make more money when they don't strip it off too.

Information where it leaked can be very useful information to pass leaker at least up till point they have announced they know about the compromise happened. I've done that since turn of century too many times I've lost count already and been quite many times the first to get them know that they had a problem there.

And sure I've received thank you emails that I gave them early head-up info about the issue.

sotix
Careful with this method. I was unable to purchase plane tickets from Southwest or even change my email address because they changed their parsing rules on me and silently dropped the plus. I found out most airlines don't have a ticket counter to buy a ticket the old fashioned way! But the premier help can issue tickets. Took me two months to have CS get someone to run a DML to remove my "bad" email address.
mapt
It's probably easier to tell them "I lost access to that email, I need to set up a new account". People do this all the time.

On some level, my employer uses emails as the primary key for customer accounts, the baseline identifier which all information is filed under. It's quite ridiculous.

vladvasiliu
> On some level, my employer uses emails as the primary key for customer accounts, the baseline identifier which all information is filed under. It's quite ridiculous.

I've lost track of the number of places that use the e-mail as an unchangeable identifier. Bonus points for my company liking to change domain names for sport, which just confuses support.

And even big tech companies, who should know better, do this. Like the big blue CDN that's in the middle of half the web's traffic. Who also, for some reason, can't be arsed to send e-mails reliably if you need to change your account.

sotix
I did, but the CS agent kept trying to change the email to a new one when I told them I had lost access, and the validation failed because it wanted to send an email to the old address about the email being updated and couldn't. They didn't have the right tools to fix it.

Had to get an engineer involved.

tapland
Anyone who’s looked at breach data knows to try yourname+service for any service.

This does help in filtering spam though

selcuka
It doesn't have to be literally the service name. Can be any unique alphanumeric suffix you make up randomly. As long as you use a password manager you don't have to remember it.
fragmede
Indeed, it needs to be more than just the company name if you want it to be useful later. If the email address used is company@example.com, any idiot could guess company. But receiving email to company_wkhx46@example.com is clearly gotta be from them, or they got hacked.
gblargg
That's why you have to salt the + portion (look up an old email from the service if you forgot the alias).
logifail
> Anyone who’s looked at breach data knows to try yourname+service for any service

Since we're all using a unique password for every service - <cough> we are doing that, aren't we (!!) - then how does that help?

abustamam
I tried to start doing this. The first site I tried to sign up to said it was an invalid email address.

I would say they could fuck all the way off, but there are legitimate reasons to not let people sign up with an alias (like one person signing up for multiple free trials)

efreak
There's other issues as well: occasionally a service will not allow using their service name in your email address. My usual response to this is to misspell it and use an address cursing them instead. (Since these accounts are usually one-off to register to view something, I really don't care if they delete my account in the future and I don't bother to save the password)
vladvasiliu
Right. Because it's oh so difficult to set up a separate e-mail account with one of the free providers.

I have such a hard time understanding why people think e-mail addresses are some kind of special thing hard to come by.

abustamam
When I'm signing up for one service, I don't want to have to sign up for another service, no matter how easy it is. It's not a question of difficulty, it's a question of convenience.

That's why services like Firefox Relay exists. Just generates a new email address for you whose inbox gets relayed to your regular email, no fuss needed. I don't personally pay for it but I do use the heck out of the free email addresses they provided.

lelandfe
(the keyboard smash username is apropos)

> Per-account alias might sound much

Not only does this not sound too much, this is a feature Apple offers called Hide My Email: https://support.apple.com/en-us/102548

fainpul
And one day you've had it with Apple's latest user-hostile shenanigans and switch to Linux. What now? Do you just keep paying for iCloud+ forever?
steelframe
In my experience the overwhelming majority of services permit me to change my email address.
fainpul
Of course. But I have hundreds of user accounts, as probably many people do. I would not enjoy changing all those email addresses.
marliechiller
wouldnt this be the case for any vendor you choose?
vladvasiliu
Indeed. But some are easier to change than others. I switched my e-mail provider, and it took all of five minutes to launch the copy of my data. Since I kept the same domain, everyone sending me e-mails didn't notice anything.

With Apple's approach, I'd have to go through each account and move it from something@icloud to something@new-domain.

However, for people who don't want to mess around with custom domain names and e-mail providers, apple's approach is very practical. You just need to tell it to "hide your email" when you register somewhere and you're good to go.

sometimes_all
As someone who uses both, I much rather prefer aliases to hide-my-email for the more important stuff. For one, I can choose the email address "username", which I cannot with Apple's solution. Plus, what happens when I move on from Apple to something else?
bn-usd-mistake
But aliases can be easily mapped back to your normal email address, unlike Apple's which are opaque. I, too, am afraid of vendor lock-in though. Sadly, couldn't find a good alternative yet
ziml77
There's no solution to lock-in because there must be some massively shared domain that the email address exists on for the anonymity of the service to properly work. However if you are simply looking for an alternative to Apple, Fastmail offers a masked email service too.
sometimes_all
Not sure where you're coming from - my original email address is not being shown in headers, so those seem fairly opaque. Probably depends on your email provider?
toddmerrill
I do this also. I started doing it with physical mail before email existed to sort out the junk mail, so first and last name always contained a reference to the company you were dealing with. Paul Allen back in the 80s said in a Seattle Times interview that it was how he handled it.
sometimes_all
I also use per-account emails, but not sieve filtering. Catch-all is helpful for throw-aways, aliases for the more important stuff.

It's super-easy to figure out who leaks my emails to whom, so I can easily disable both the leaker and the people who leaked.

Much more user-friendly than Apple's hide-my-email.

6c696e7578
> I used per-account email with alias services and password managers.

20-something-ish years ago I setup qmail in my VPS and a .qmail-default file captures all my me-sitename@vps emails. If they send me junk I echo '#' > .qmail-sitename and that's the end of it.

Other things that get a mixture like someone annoying who harvested my ebay/paypal addresses or something, I'll sift out the good (stuff I need) via maildrop and everything else gets junked.

Honestly one of the best, but annoying, things I've done, well worth the time invested as I have a nice clean mailbox.

tguvot
did exactly same. the only difference is that i use compromised emails to train spam filter
scoot
> I used per-account email [addresses] with alias services

I do too (anything@mysubdomain.example.com), but but online services collude with data brokers to share so much information [0] that I don't doubt that many of these "separate" profiles have been aggregated.

Unfortunately the services that supposedly offer to have your personal data removed from data brokers don't seem to support aliasing, so no straightforward way to either find out or have the data removed.

[0] Just look at the scary list of third-party cookies you can't opt out of on Coursera [1], for example:

Match and combine data from other data sources 419 partners can use this feature Always Active

Identify devices based on information transmitted automatically 546 partners can use this feature Always Active

Link different devices 358 partners can use this feature Always Active

Deliver and present advertising and content 582 partners can use this special purpose Always Active

[1] https://www.coursera.org/about/cookies-manage

IanCal
> [0] Just look at the scary list of third-party cookies you can't opt out of on Coursera [1],

I can opt out of all of them. The only third party cookie I can't is a cloudfront one for crsf.

scoot
They've changed their cookie consent provider (or rolled their own) since my comment. Probably just a happy coincidence, but well done Coursera in any case for fixing a pretty egregious breach of regulations.

The other good news in the meantime is that the EU (who originally mandated cookie consent) has finally woken up to the ridiculousness of leaving it up to the site, and will require browsers to enforce it instead.

This item has no comments currently.

Keyboard Shortcuts

Story Lists

j
Next story
k
Previous story
Shift+j
Last story
Shift+k
First story
o Enter
Go to story URL
c
Go to comments
u
Go to author

Navigation

Shift+t
Go to top stories
Shift+n
Go to new stories
Shift+b
Go to best stories
Shift+a
Go to Ask HN
Shift+s
Go to Show HN

Miscellaneous

?
Show this modal