Dear services that refuse email addresses that have the name of the service in the address:
-
@IrrationalMethod @j_angliss @alexr
the problem with the + hack is that when it's broken, it's *really* broken. most folks have made support unusable for anything not dead simple, so it tends to make that site unusable. murphy's law says it will be some site i need. financial sites are particularly notorious for stupid and bad decisions on how they deal with account security.
Exactly, always those.
Although my accusations of hacking came from a particularly terrible UHaul rental experience where this wasn't even in the top 10 of my problems.
-
I have to say it's been facinating to see the + address I provided to ACE hardware show up in some fraudulent spam lists and then gradually find it being used by "legitimate" mass mailings from a major US political party that I didn't share it with, for somehow connected my identity with it.
@IrrationalMethod @j_angliss @alexr
i've had probably half a dozen emails show them leaked or compromised. more have shown that someone was bought out and their lists sold.
the most spammed addr i have is one on an IETF RFC, where the emails in the RFC are not hidden at all. i specifically used a unique addr, knowing this. it's been fantastically useful as a canary in the coal mine of who is using really cheap crappy unvalidated lists to spam.
-
@IrrationalMethod @j_angliss @alexr
i've had probably half a dozen emails show them leaked or compromised. more have shown that someone was bought out and their lists sold.
the most spammed addr i have is one on an IETF RFC, where the emails in the RFC are not hidden at all. i specifically used a unique addr, knowing this. it's been fantastically useful as a canary in the coal mine of who is using really cheap crappy unvalidated lists to spam.
@paul_ipv6 @IrrationalMethod @alexr I'm signed up for "have I been pwned" for my domain and its surprising where I see my email addresses (real or generated) appear.
-
@paul_ipv6 @IrrationalMethod @alexr I'm signed up for "have I been pwned" for my domain and its surprising where I see my email addresses (real or generated) appear.
@j_angliss @paul_ipv6 @alexr I should do that for my domains... I didn't know it was an option.
-
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
@alexr They must be some of the few who haven’t figured out phone numbers are better for tracking and made them mandatory. I really don’t want to give my phone number to a website.
-
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
Fun fact!
The crappy filter doesn't recognize when you spell the name backwards.
(Mind you, it's equally hilarious to me how few sites accept "+" in the local part of an email address. I've had some of those addresses for years, I use "+" to determine which do NOT go into the spam folder.)
-
@j_angliss @paul_ipv6 @alexr I should do that for my domains... I didn't know it was an option.
@IrrationalMethod @paul_ipv6 @alexr definitely. You have to validate each time a report comes in but it's a click. Worth it just to see.
-
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
@alexr I use name+service@Mydomain.com
Some services do not support +word in an email address! It's in the spec!!
-
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
@alexr I bet in a lot of cases you could just munge the address a bit while keeping it recognizable for your tracking. Like if you're registering for "Service", create "s3rvice@mydomain.com" or "fartservice@mydomain.com"
-
@alexr we handle this by rot13ing their name and then undoing the transformation on our mailserver's end
-
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
Agree. Although I use it for to detect data breaches.
I tell the shops its anti spam so we know its from you. Makes em feel special.
The refusal to accept their name in the email probably results more from a over zelous web site designer than anything else.
Reversing their name usually works
$ echo example.com | tac
moc.elpmaxe@..... -
Agree. Although I use it for to detect data breaches.
I tell the shops its anti spam so we know its from you. Makes em feel special.
The refusal to accept their name in the email probably results more from a over zelous web site designer than anything else.
Reversing their name usually works
$ echo example.com | tac
moc.elpmaxe@.....@ken_fallon @alexr I just insert a period (looking at you, ora.cle and ep.ic).
-
@alexr I use name+service@Mydomain.com
Some services do not support +word in an email address! It's in the spec!!
-
@alexr @paul_ipv6 same for ones that dont allow + in the mailbox part. It's in the RFC, even google/Gmail supports it.
I made myself a small script to base64 encode the site + date (in case it's a site that allows you to order stuff but not register), but its not convenient.
@j_angliss @alexr @paul_ipv6 I have a regex alias in my postfix to treat . the same way the + does. Never came across a site which didn't like the dot, although I always use + if possible
-
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
@alexr Some creativity is needed.
Google can become: g.zerozero.le
Git: geyet
Apple: aqqle -
Dear services that refuse email addresses that have the name of the service in the address:
We domain owners do that because we do not trust you not to sell that address to others or otherwise use it inappropriately. Your algorithmic refusal of that address is sketchy af.
@alexr I don’t tend to use the company names anymore after a Schneider comment along the lines of ‘if your email address is my company at your domain, I bet I can guess what your Amazon email is’. I pick a few words that will remind me of the company. For example, for Amazon I might use something like riverinbrazil as the username part. When I read it, it’s obvious to me that this is the email address I gave to Amazon, but if you know that I have an account with Amazon then you’d need a bunch of guesses to find it (and most of the real ones are specific to how my brain works and other people would find it confusing what the connection is). The only ones where I use the company names are accounts I’ve had for well over a decade and there aren’t many of them left.
-
@alexr @paul_ipv6 same for ones that dont allow + in the mailbox part. It's in the RFC, even google/Gmail supports it.
I made myself a small script to base64 encode the site + date (in case it's a site that allows you to order stuff but not register), but its not convenient.
@j_angliss @alexr @paul_ipv6 even exchange/365 supports it.
I have another rule that accepts X as the too lukeXsite, but it’s annoying when + isn’t supported.
-
@jernej__s @shapr @alexr
Consider the + part a form of password. No password, no access. -
S svenja@mstdn.games shared this topic
