
> if you run a full domain you can use emails as one-use affairs

or, if you use a service that lets you generate aliases, like gmail's "+", or a service like mailinator.

The problem is that the attack vector of email addresses is that they are sometimes used as a username, and therefore contain more information than what is strictly required (for the purpose of a username). Leaking the "real" email address not only leads to spam, but allows a more dedicated attacker to use that email address as a starting point on a different site, or hack the email address altogether.

And with sites increasingly blocking disposable email addresses like mailinator, or disallowing email aliases, the problem can only get worse.




Having your own domain is cheap. Generating an email that’s a function of the target website is trivial. I’ve done it for 20 years.

I can confirm the source of every email breach that contains one of my addresses.


Yep, I do the same. I typically use <sitename>@sites.<domain>.<whatever> for website logins (stored in my password manager, so I don't need to think about it to login), so that if my password ever leaks, I know where it was leaked from.


Sadly, using elite hacking skills, this is easily circumvented:

    p0wn3r $cat  testerm
    test@gmail.com
    foo+netflix@gmail.com
    foo+ycombinator@gmail.com
    foo+amazon@wizmail.com
    
    p0wn3r $cat  testerm | sed 's/+.*@/@/'
    test@gmail.com
    foo@gmail.com
    foo@gmail.com
    foo@wizmail.com
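An added example (not code from any commenter in the thread) that puts the two approaches side by side: it generates a per-site address on an assumed own domain (`sites.example.net` stands in for the poster's `sites.<domain>`), traces a constructed breach dump back to the site that leaked each address, and applies the same `+`-stripping as the sed one-liner above to show which aliases collapse and which survive:

```python
import re
from typing import Dict, List, Optional

# Assumed own domain, standing in for the poster's sites.<domain>.<whatever>.
ALIAS_DOMAIN = "sites.example.net"
# Same pattern as the thread's sed 's/+.*@/@/': drop everything from '+' to '@'.
PLUS_TAG = re.compile(r"\+.*@")


def site_alias(site: str, domain: str = ALIAS_DOMAIN) -> str:
    """Deterministic per-site address, e.g. 'Netflix' -> netflix@sites.example.net."""
    label = re.sub(r"[^a-z0-9-]+", "-", site.lower()).strip("-")
    if not label:
        raise ValueError("site name produces an empty local part")
    return f"{label}@{domain}"


def strip_plus(address: str) -> str:
    """Collapse a '+tag' alias to its base mailbox; own-domain aliases are unchanged."""
    return PLUS_TAG.sub("@", address, count=1)


def leak_source(address: str, domain: str = ALIAS_DOMAIN) -> Optional[str]:
    """Which site was given this address? None if it is not one of ours."""
    local, _, dom = address.rpartition("@")
    if not local or dom.lower() != domain:
        return None
    return local.lower()


def attribute_breach(dump: List[str], domain: str = ALIAS_DOMAIN) -> Dict[str, List[str]]:
    """Group a breach dump's addresses by the site that leaked them."""
    by_site: Dict[str, List[str]] = {}
    for addr in dump:
        site = leak_source(addr.strip(), domain)
        if site is not None:
            by_site.setdefault(site, []).append(addr.strip())
    return by_site


# Constructed sample dump: two '+' aliases, two own-domain aliases, one stranger.
SAMPLE_DUMP = [
    "foo+netflix@gmail.com",
    "foo+ycombinator@gmail.com",
    "netflix@sites.example.net",
    "amazon@sites.example.net",
    "someone@elsewhere.org",
]

if __name__ == "__main__":
    for addr in SAMPLE_DUMP:
        print(f"{addr:32} stripped -> {strip_plus(addr)}")
    print("breach attributed to:", attribute_breach(SAMPLE_DUMP))
```

The own-domain aliases come through `strip_plus` untouched, so the breach dump still tells you which site leaked each one.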


And so, if you set up your email filters right, you can find out who is doing this sort of "hacking" to get your real email address. What you do afterwards is up to you.


By definition, if someone is offloading your data to a third party and they sanitise the addresses, then you can't tell.


The "+" is not limited to Gmail, it's standard. The problem is many services with fancy mail validation don't accept it.

Does Gmail allow sending from the + addresses? There's quite an issue if somebody contacts you on that address but you reply without the alias.


They do allow it, but it’s a pain to set up for each + address, especially on iOS.


I have not found a way to send email from Gmail, using either the web interface or their SMTP server, from a custom username (left side of the @ symbol). I have a custom domain using Google Apps, but to send mail I use a third-party SMTP server to customize the username portion of the From field.


I've never had an issue using a different email for support, I always mention that I own the domain or email suffix and they can verify that if they want to (though nobody has so far).


I'd forgotten about the gmail trick. You're certainly right about that. Though I will say one thing: I've not been hiding my email this past decade and—as far as I know—it has not bit me.



