Dear services that refuse email addresses that have the name of the service in the address:
-
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
@alexr @paul_ipv6 same for ones that dont allow + in the mailbox part. It's in the RFC, even google/Gmail supports it.
I made myself a small script to base64 encode the site + date (in case it's a site that allows you to order stuff but not register), but its not convenient.
-
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
@alexr Nice to know I am not the only one who does this (for the same reason).
-
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
@alexr we handle this by rot13ing their name and then undoing the transformation on our mailserver's end
-
@alexr @paul_ipv6 same for ones that dont allow + in the mailbox part. It's in the RFC, even google/Gmail supports it.
I made myself a small script to base64 encode the site + date (in case it's a site that allows you to order stuff but not register), but its not convenient.
The best part is when they allow you make an account with the + but then won't let you log in with it, and when you get on the phone to fix it, the CSR* makes an accusation that you're trying to hack their computers.
(*Can't blame the CSRs)
-
The best part is when they allow you make an account with the + but then won't let you log in with it, and when you get on the phone to fix it, the CSR* makes an accusation that you're trying to hack their computers.
(*Can't blame the CSRs)
@IrrationalMethod @alexr @paul_ipv6 oooh, I've hit a few sites like that. Or combined with the recovery process (remove MFA) not working because it treats a + as space (url encoding), but the sign up doesn't.
I've locked myself out of at least 5 sites and support refuse or cannot help.
-
@IrrationalMethod @alexr @paul_ipv6 oooh, I've hit a few sites like that. Or combined with the recovery process (remove MFA) not working because it treats a + as space (url encoding), but the sign up doesn't.
I've locked myself out of at least 5 sites and support refuse or cannot help.
@j_angliss @IrrationalMethod @alexr
i gave up on the + method decades ago due to way too many places breaking it and it hasn't really improved. i still run my own mail server so that i can have a unique email per site that *most* sites will accept.
bad web developers and "security" folks using "best practices" lists that have never been valid make life miserable for all of us.
-
@j_angliss @IrrationalMethod @alexr
i gave up on the + method decades ago due to way too many places breaking it and it hasn't really improved. i still run my own mail server so that i can have a unique email per site that *most* sites will accept.
bad web developers and "security" folks using "best practices" lists that have never been valid make life miserable for all of us.
Yes, I use my own domain(s) with a paid mail provider that offers both wildcard addresses and their own random email address generator, and I can send/receive from either. But moving there was more about not trusting Google than frustrations with the + character.
While I hear it's not that hard, but I'm happy to let someone else deal with the problems.
-
@j_angliss @IrrationalMethod @alexr
i gave up on the + method decades ago due to way too many places breaking it and it hasn't really improved. i still run my own mail server so that i can have a unique email per site that *most* sites will accept.
bad web developers and "security" folks using "best practices" lists that have never been valid make life miserable for all of us.
@paul_ipv6 @IrrationalMethod @alexr yep, that's partly where my script comes from. I can check a box and it'll create an alias record in a sql db that postfix reads. Now I can create "base64_encoded_site+date" as an alias and drop it when I want... but also see when they "leak" my details
-
Yes, I use my own domain(s) with a paid mail provider that offers both wildcard addresses and their own random email address generator, and I can send/receive from either. But moving there was more about not trusting Google than frustrations with the + character.
While I hear it's not that hard, but I'm happy to let someone else deal with the problems.
@IrrationalMethod @j_angliss @alexr
the problem with the + hack is that when it's broken, it's *really* broken. most folks have made support unusable for anything not dead simple, so it tends to make that site unusable. murphy's law says it will be some site i need. financial sites are particularly notorious for stupid and bad decisions on how they deal with account security.
-
Yes, I use my own domain(s) with a paid mail provider that offers both wildcard addresses and their own random email address generator, and I can send/receive from either. But moving there was more about not trusting Google than frustrations with the + character.
While I hear it's not that hard, but I'm happy to let someone else deal with the problems.
I have to say it's been facinating to see the + address I provided to ACE hardware show up in some fraudulent spam lists and then gradually find it being used by "legitimate" mass mailings from a major US political party that I didn't share it with, for somehow connected my identity with it.
-
@IrrationalMethod @j_angliss @alexr
the problem with the + hack is that when it's broken, it's *really* broken. most folks have made support unusable for anything not dead simple, so it tends to make that site unusable. murphy's law says it will be some site i need. financial sites are particularly notorious for stupid and bad decisions on how they deal with account security.
Exactly, always those.
Although my accusations of hacking came from a particularly terrible UHaul rental experience where this wasn't even in the top 10 of my problems.
-
I have to say it's been facinating to see the + address I provided to ACE hardware show up in some fraudulent spam lists and then gradually find it being used by "legitimate" mass mailings from a major US political party that I didn't share it with, for somehow connected my identity with it.
@IrrationalMethod @j_angliss @alexr
i've had probably half a dozen emails show them leaked or compromised. more have shown that someone was bought out and their lists sold.
the most spammed addr i have is one on an IETF RFC, where the emails in the RFC are not hidden at all. i specifically used a unique addr, knowing this. it's been fantastically useful as a canary in the coal mine of who is using really cheap crappy unvalidated lists to spam.
-
@IrrationalMethod @j_angliss @alexr
i've had probably half a dozen emails show them leaked or compromised. more have shown that someone was bought out and their lists sold.
the most spammed addr i have is one on an IETF RFC, where the emails in the RFC are not hidden at all. i specifically used a unique addr, knowing this. it's been fantastically useful as a canary in the coal mine of who is using really cheap crappy unvalidated lists to spam.
@paul_ipv6 @IrrationalMethod @alexr I'm signed up for "have I been pwned" for my domain and its surprising where I see my email addresses (real or generated) appear.
-
@paul_ipv6 @IrrationalMethod @alexr I'm signed up for "have I been pwned" for my domain and its surprising where I see my email addresses (real or generated) appear.
@j_angliss @paul_ipv6 @alexr I should do that for my domains... I didn't know it was an option.
-
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
@alexr They must be some of the few who haven’t figured out phone numbers are better for tracking and made them mandatory. I really don’t want to give my phone number to a website.
-
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
Fun fact!
The crappy filter doesn't recognize when you spell the name backwards.
(Mind you, it's equally hilarious to me how few sites accept "+" in the local part of an email address. I've had some of those addresses for years, I use "+" to determine which do NOT go into the spam folder.)
-
@j_angliss @paul_ipv6 @alexr I should do that for my domains... I didn't know it was an option.
@IrrationalMethod @paul_ipv6 @alexr definitely. You have to validate each time a report comes in but it's a click. Worth it just to see.
-
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
@alexr I use name+service@Mydomain.com
Some services do not support +word in an email address! It's in the spec!!
-
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
@alexr I bet in a lot of cases you could just munge the address a bit while keeping it recognizable for your tracking. Like if you're registering for "Service", create "s3rvice@mydomain.com" or "fartservice@mydomain.com"
-
@alexr we handle this by rot13ing their name and then undoing the transformation on our mailserver's end
