
I use catchall email addresses. If your service is called foobar.com I will register at your place with foobar.com@mydomain.com

If I ever receive spam addressed to foobar.com@mydomain.com that is unrelated to your service I know you leaked or abused my data. Result: you will get a DSGVO complaint and I filter all emails addressed to this address from my inbox.

The good thing about using a catchall email address is that I don't have to create a mailbox for each service/purpose, I can just make email addresses up as I go. All you need for that is your own domain and a mailserver that supports it.



> If I ever receive spam addressed to foobar.com@mydomain.com that is unrelated to your service I know you leaked or abused my data. Result: you will get a DSGVO complaint and I filter all emails addressed to this address from my inbox.

Has this ever resulted in significant penalties for those companies? I used to do this but I gave up as it never seemed to achieve anything.


While some companies filter against this, most email services support plus addressing to accomplish the same thing. You can register under myemail+foobar.com@gmail.com, for instance, and all emails will still be delivered to myemail@gmail.com

https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-mo...

https://learn.microsoft.com/en-us/exchange/recipients-in-exc...


This is very common, so lots of spammers will just drop the plus-part with a regex. Many sites even prevent signing up with an address containing a plus.

Not trying to tell you to stop though, this is definitely a good idea, when it works.


The downside on that is that your original email address is still in there and good luck blocking mails to that.


I've long wondered if you could put crypto into this, to make it secure from a human attacker who might figure out the scheme. Otherwise it is relatively easy for a spammer to replace foobar.com with google.com and email you again, escaping your filtering and/or making you think google.com has a data leak.

For example, using a HMAC of the domain. So you generate foobar.com-sr32j4@mydomain.com, it's impossible to generate the sr32j4 part without knowing your secret key, and your mail server checks that sr32j4 is correct before accepting the mail.


Interesting idea, I like it. I am not proficient enough with mail servers to know how this could be done, but maybe a python script that just marks offending mails as spam would work as well.
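
The HMAC scheme proposed above, combined with the script-side check the reply suggests, as an added example that is not part of the thread. The key, `MY_DOMAIN`, the 6-character base32 tag and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo values; a real key would be loaded from secret storage.
SECRET_KEY = b"constructed-demo-key"
MY_DOMAIN = "mydomain.com"   # placeholder domain used in the thread
TAG_LEN = 6                  # same length as the thread's "sr32j4"; 30 bits


def _tag(service: str, key: bytes) -> str:
    """Truncated HMAC-SHA256 of the service name, base32 so it is mail-safe."""
    digest = hmac.new(key, service.lower().encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(digest).decode("ascii").lower()[:TAG_LEN]


def make_alias(service: str, key: bytes = SECRET_KEY) -> str:
    """Build '<service>-<tag>@<domain>' to hand to one service at signup."""
    return f"{service.lower()}-{_tag(service, key)}@{MY_DOMAIN}"


def verify_alias(address: str, key: bytes = SECRET_KEY):
    """Return the service name if the tag matches, otherwise None."""
    local, at, domain = address.strip().lower().rpartition("@")
    if not at or domain != MY_DOMAIN:
        return None
    # The tag alphabet has no '-', so the last '-' always separates the tag,
    # even when the service name itself contains hyphens.
    service, dash, tag = local.rpartition("-")
    if not dash or not service or len(tag) != TAG_LEN:
        return None
    # Constant-time comparison avoids leaking how many characters matched.
    if hmac.compare_digest(tag.encode("utf-8"), _tag(service, key).encode("ascii")):
        return service
    return None


def classify(recipient: str, sender_domain: str) -> str:
    """Triage one message from its envelope recipient and sender domain."""
    service = verify_alias(recipient)
    if service is None:
        return "reject"            # alias was never issued: guessed or rewritten
    sender = sender_domain.lower()
    if sender == service or sender.endswith("." + service):
        return "accept"            # the service the alias was issued to
    return "leak-suspected"        # valid alias used by an unrelated sender
```

A 30-bit tag is enough to stop someone rewriting the service name by hand; raise `TAG_LEN` if the mail server does not rate-limit rejected recipients.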


Very cool! Could you go deeper into your setup? Which email client do you use to view/manage the catch all emails? Did you host the email on Google Gsuite or AWS SES or something else?


I do the same as the poster above, fastmail supports it directly and makes it very easy to manage. All you have to do is bring your own domain (they'll even manage your DKIM/SPF records etc as necessary if you want).

Edit: Apparently you can also purchase a domain directly through them if you prefer, although you have to be a paying customer for 7 days first https://www.fastmail.com/how-to/email-for-your-domain/


I use simplelogin with proton for that, they give you a few subdomains to do the same.


I have the same setup via GSuite.


This is what I do as well, but sadly it seems my phone number has been leaked at some point... I'm considering setting up a private VoIP thing so that each company gets a unique phone number. Really nobody can be trusted with my data, it is a statistical inevitability that they get hacked or sell out.


I do this too, barcelonaairportwifi@<domain> is a prime offender and gets a lot of spam. I've also taken to using Fastmail's masked email support along with the 1Password integration for the same.


Does this allow you to also send emails as a particular address? I've not yet managed to set this up properly.


Yes, with Fastmail this is quite easy to set up. It automatically uses the alias when replying to an email that was addressed to one, but you can also manually choose (on input) any alias for an outgoing email.


Even if the mail server you use for inbox does not allow it, you can set up mailgun or a similar service as your smtp server.


Depends on the client, in Thunderbird you can customize the sender address for each mail.



