Why I have Over One Thousand Personal Email Addresses

Yes, that's right, I have over 1,000 active email addresses. Here's why, how I manage them, and how my system has evolved over the past 17 years.

Why?

In early 2002, my main email address was sold to a spammer. I started to receive thousands of emails pitching all sorts of useless things. At the time, there were many Princes of Nigeria trying to give away their fortune, if only I could provide them my bank account information for the deposit. The obvious junk email was obvious. Realizing that in the near future, my ability to detect valid vs junk wasn't going to get better, I needed a better plan.

How?

Birth of the Allowed List

At the time, I ran my own email server from my home internet connection. I set up a procmail rule to create an "allowed list" of people who could email my personal email address. Everyone else got what looked like a bounced email. Those on the allowed list then received an automated response saying that I had a new personal email address and asking them to update their address books. It hasn't changed since 2002. Friends and family were the only ones allowed to email my new personal email address. What to do about commercial vendors?

Dedicated Commercial Domain

In April of 2002, I bought a dedicated domain name, lewman.example (for example), to be used only for email from commercial vendors. Each address is an alias to one valid login in the domain. Anytime I bought something or had to sign up for an account, the account was tied to the vendor's name @ lewman.example. For instance, when buying CDs from CD Baby, the account was cdbaby.com@lewman.example.

At first I used a wildcard address. Meaning, I accepted anything for the local part (the left of the @ sign). Quickly, spammers started emailing all sorts of made-up local names (like 7rywehfuwr@lewman.example). This became old quick, so I removed the wildcard and went back to named aliases. I used the full domain name of the vendor for a long time. However, this gets unwieldy quickly as companies consolidate, merge, and otherwise rebrand themselves. This worked so long as I could create the alias and was at home to edit my mail server configuration. Companies started asking for email addresses in person for receipts, for memberships, for contact information, etc. I couldn't edit my mail configuration remotely, so I had to figure out another method.

Once again, procmail let me create a recipe to accept an email from my personal address, with a special delineation, which then parsed the email and created the new address. If I was at Radio Shack and really wanted to join their list, I could quickly email a special address (postmaster-create@lewman.xx) and it would create radioshack.com@lewman.example on the fly. I could then give the newly created alias to the person or machine in front of me and be all set. This worked great for the longest time.

Trying 1-to-1 Mappings, ha!

For a very short while I tried to authenticate, or at least validate, that the sending domain is tied to the company. Let's take Radio Shack. The idea was only Radio Shack's valid servers could email my radioshack.com@lewman.example address. The hope is this would stop spam and phishing attacks, such that only Radio Shack was emailing the address they had on file for me. It never worked well.

I naively assumed that Radio Shack would email me from some email server related to radioshack.com. I wrote a procmail/perl script to periodically look up the mail servers (MX records) for radioshack.com and ONLY allow those MX records to email the radioshack.com@lewman.example address. This didn't work at all for the majority of vendors. The majority use some 3rd party mail server providers which never tie back to their corporate website domains. I bounced a lot of email for the months this system ran.

In later years, I had high hopes for SPF or DMARC, but frankly, neither works as advertised. The best I can do is to use SPF/DMARC to influence the determination of junk/phishing mail or not. It turns out, spammers and phishers can set up SPF and DMARC too. Even today, if you enforce only DMARC-validated email, you won't get much email at all.

Evolution in the 2010s

At some point, I had so many email aliases and such, I couldn't remember the aliases anymore. Was it fatbrain.com@? fat-brain.com@? Etc. I needed to rethink the system, and stop running my own mail server. I couldn't keep up with all of the patches, configuration options, RBLs, procmail changes, and perl updates.

The system had evolved into a fairly brittle state, and since I was running Tor Project full time, I had other things consuming my time. I think it was a conversation with Pat at SRI and Paul from NRL that changed my mind; "know your limits" or "what are you an expert in?" were the general themes. I signed up with FastMail and have used them since, plus they have sieve for when I want to really customize things.

I went back to wildcard addresses for lewman.example, but with a twist. New addresses are tied to a vendor, but with a more generic scheme and a date stamp included. I tried hashing the date stamp to make it less obvious, but it's tough to do MD5 in my head on the fly.

(Apple|Google|Samsung|Stripe|Paypal|Amazon) Pay

I really like using the new payment methods of Google Pay, Apple Pay, Paypal, etc. anywhere in the world. It's faster, more convenient, and seems more secure than swiping a physical card (plus you can't do this swiping for online transactions). However, with convenience comes a cost: sharing all the info without customizations.

Let's take Google Pay. I find what I want on some website and add it to the shopping cart. I then check out and choose Google Pay. By default, Google shares my info with the vendor, including my valid Google account email. Ugh. I want to customize the email to match the vendor name plus the date stamp. For such sensitive info, I don't want my actual Google email address leaking out there for any vendor to spam, sell, lose, or otherwise know it exists. Too late, however: the transaction is done and my email address is shared with the world, one vendor at a time. I then have to go back, log in to my vendor account, change the email to the "proper" one, vendor-datestamp@lewman.example, and hope they forget about the old one.

This is true for all of the "Pay" services. At least let me do google-email-vendor@ or something to let me control the phishing/junk email floods.

Benefits?

Why go through all this trouble? It's not that much trouble. The simplest solution: just buy a dedicated domain name, set up a wildcard address (*@example.com), and start using custom local names as you like. Keep your current email for friends and family only.

I've caught breaches for a ton of vendors before the vendor announced the breach. Every time I've contacted support at the vendor, they assume I'm breached or some spammer guessed the email. In a word, no, you've been breached or you sold my info to some spammer. So far I've seen 450 breaches or sales to spammers; sometimes it's tough to tell what happened.

It makes phishing scams really obvious. Apparently, Microsoft Tech Support (microsofttechnicalsupport@mail.ru.invalid) needs me to update my account, radioshack@lewman.example. Nice try.

Or I need to pay 0.4 BTC to some dude who installed spyware on my computer and recorded me visiting a porn site, except you emailed barnesandnobles-2012@lewman.example. Also, seriously, B&N? You had a breach or sold my email.

The best is the UTF-8 spam, pretty sure I never created إبله@lewman.example, ever.
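The checks described above (an issued alias mailed by someone other than its vendor, a local part that was never handed out, and SPF/DMARC used only as a signal) can be automated. The following is an added example, not the author's procmail or sieve setup; the `ISSUED` registry, the `esp.example` third-party mailer, the vendor sender domains and the sample messages are all constructed assumptions.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

ALIAS_DOMAIN = "lewman.example"
# Assumed registry: issued alias -> sender domains seen on that vendor's real
# mail, third-party mailers included. "esp.example" is a made-up mail provider.
ISSUED = {"radioshack": {"radioshack.com", "esp.example"},
          "barnesandnobles-2012": {"barnesandnoble.com"}}

def classify(raw):
    """Return (verdict, alias, sender_domain) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    alias, _, rcpt_domain = parseaddr(msg.get("To", ""))[1].lower().rpartition("@")
    sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if rcpt_domain != ALIAS_DOMAIN:
        return "not-alias-domain", alias, sender
    allowed = ISSUED.get(alias)
    if allowed is None:  # wildcard caught a local part that was never handed out
        return "never-issued", alias, sender
    if not any(sender == d or sender.endswith("." + d) for d in allowed):
        # Known alias, unrelated sender: the address was leaked or sold.
        # A DMARC pass for the sender's own domain does not change that.
        return "alias-leaked", alias, sender
    # From: can be forged, so SPF/DMARC adjusts confidence; it is never the gate.
    auth = msg.get("Authentication-Results", "")
    ok = re.search(r"\bdmarc=pass\b", auth) is not None
    return ("expected" if ok else "expected-unauthenticated"), alias, sender

def leak_report(raw_messages):
    """Map each leaked alias to the set of unrelated domains mailing it."""
    report = defaultdict(set)
    for raw in raw_messages:
        verdict, alias, sender = classify(raw)
        if verdict == "alias-leaked":
            report[alias].add(sender)
    return dict(report)

# Constructed sample messages; only the headers matter here.
SAMPLES = [
    "From: Microsoft Tech Support <microsofttechnicalsupport@mail.ru.invalid>\n"
    "To: radioshack@lewman.example\n"
    "Authentication-Results: mx.lewman.example; spf=pass; dmarc=pass\n\nUpdate now",
    "From: receipts@bounce.esp.example\nTo: radioshack@lewman.example\n"
    "Authentication-Results: mx.lewman.example; dmarc=pass\n\nYour receipt",
    "From: win@lottery.invalid\nTo: 7rywehfuwr@lewman.example\n\nYou won",
    "From: pay@btc.invalid\nTo: barnesandnobles-2012@lewman.example\n\nPay 0.4 BTC",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print(leak_report(SAMPLES))
```

The first sample passes DMARC and is still reported as a leak, because the authenticated domain is not the vendor the alias was issued to.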

Over the years, a number of people and employers at various vendors have asked how I have an email named to their company. I tell them about the simple solution. A few have subsequently emailed me to say thanks for explaining it and they're much happier now with a dedicated domain.

Overall, the system has worked for 17 years. I'm sure it'll continue to work for another 17 without much issue.