One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a “+” character after the username portion of your email address — followed by a notation specific to the site you’re signing up at — lets you create an infinite number of unique email addresses tied to the same account. Aliases can help users detect breaches and fight spam. But not all websites allow aliases, and they can complicate account recovery. Here’s a look at the pros and cons of adopting a unique alias for each website.
What is an email alias? When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that prefaced by a “+” sign just to the left of the “@” sign in your email address. For instance, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to my inbox and create a corresponding folder called “Example,” along with a new filter that sends any email addressed to that alias to the Example folder.
Importantly, you don’t ever use this alias anywhere else. That way, if anyone other than example.com starts sending email to it, it is reasonable to assume that example.com either shared your address with others or that it got hacked and relieved of that information. Indeed, security-minded readers have often alerted KrebsOnSecurity about spam to specific aliases that suggested a breach at some website, and usually they were right, even if the company that got hacked didn’t realize it at the time.
Alex Holden, founder of the Milwaukee-based cybersecurity consultancy Hold Security, said many threat actors will scrub their distribution lists of any aliases because there is a perception that these users are more security- and privacy-focused than normal users, and are thus more likely to report spam to their aliased addresses.
Holden said freshly-hacked databases also are often scrubbed of aliases before being sold in the underground, meaning the hackers will simply remove the aliased portion of the email address.
“I can tell you that certain threat groups have rules on ‘+*@’ email address deletion,” Holden said. “We just got the largest credentials cache ever — 1 billion new credentials to us — and most of that data is altered, with aliases removed. Modifying credential data for some threat groups is normal. They spend time trying to understand the database structure and removing any red flags.”
According to the breach tracking site HaveIBeenPwned.com, only about .03 percent of the breached records in circulation today include an alias.
Email aliases are rare enough that seeing just a few email addresses with the same alias in a breached database can make it trivial to identify which company likely got hacked and leaked said database. That’s because the most common aliases are simply the name of the website where the signup takes place, or some abbreviation or shorthand for it.
Hence, for a given database, if there are more than a handful of email addresses that have the same alias, the chances are good that whatever company or website corresponds to that alias has been hacked.
That might explain the actions of Allekabels, a large Dutch electronics web shop that suffered a data breach in 2021. Allekabels said a former employee had stolen data on 5,000 customers, and that those customers were then informed about the data breach by Allekabels.
But Dutch publication RTL Nieuws said it obtained a copy of the Allekabels user database from a hacker who was selling information on 3.6 million customers at the time, and found that the 5,000 number cited by the retailer corresponded to the number of customers who’d signed up using an alias. In essence, RTL argued, the company had notified only those most likely to notice and complain that their aliased addresses were suddenly receiving spam.
“RTL Nieuws has called more than thirty people from the database to check the leaked data,” the publication explained. “The customers with such a unique email address have all received a message from Allekabels that their data has been leaked – according to Allekabels they all happened to be among the 5000 data that this ex-employee had stolen.”
HaveIBeenPwned’s Hunt arrived at the conclusion that aliases account for about .03 percent of registered email addresses by studying the data leaked in the 2013 breach at Adobe, which affected at least 38 million users. Allekabels’s ratio of aliased users was considerably higher than Adobe’s — .14 percent — but then again European Internet users tend to be more privacy-conscious.
While overall adoption of email aliases is still quite low, that may be changing. Apple customers who use iCloud to sign up for new accounts online automatically are prompted to use Apple’s Hide My Email feature, which creates the account using a unique email address that automatically forwards to a personal inbox.
What are the downsides to using email aliases, apart from the hassle of setting them up? The biggest downer is that many sites won’t let you use a “+” sign in your email address, even though this functionality is clearly spelled out in the email standard.
Also, if you use aliases, it helps to have a reliable mnemonic to remember the alias used for each account (this is a non-issue if you create a new folder or rule for each alias). That’s because knowing the email address for an account is generally a prerequisite for resetting the account’s password, and if you can’t remember the alias you added way back when you signed up, you may have limited options for recovering access to that account if you at some point forget your password.
What about you, Dear Reader? Do you rely on email aliases? If so, have they been useful? Did I neglect to mention any pros or cons? Feel free to sound off in the comments below.
As many IT people, I have my own personal domains, and use catchall and aliases for any signup, since 10+ years.
Now with password managers it’s even easier, and you dont forget the aliases in case you need a pwd reset…
I’ve been using email addresses for about 20 years to try to reduce spam. The trick was having my own domain, and using email hosting that provides enough aliases (as in hundreds). What else that was important was using a good password utility that I could use long unique and complex passwords for every site so that even if that website stored passwords in plain text or weak encryption, it didn’t affect me much. When I get notices from HaveIBeenPwned, I’d simply delete the aliases and recreate the login info for that website.
own domain + default mail box (yours), assuming your own that domain) will do that without any need to create any alias prior to registering
I use them pretty extensively, but there’s a definite downside.
The biggest frustration with using them is the inconsistency of systems that will accept them. Even within one company’s approach to handling email addresses you might be able to create an account with an alias, but not use that same email address in their support system. Then there are the organizations that won’t allow addresses with a “+” at all.
There’s another element to this as well and Google doesn’t really explain the nuance of their email addresses to the users. So if a user signs up with first.last@gmail.com, they think that’s their email address. But really it’s ‘firstlast@gmail.com’ and in fact adding periods between any character in the email address is still the same (e.g. f.irstlast@gmail.com, firstlas.t@gmail.com, f.i.r.s.t.l.a.s.t@gmail, etc). So in addition to being able to alias with the “+” you can also alias with the “.” period. You can also combine the two.
Which means that someone can sign up for services with any alias of your email they wish, and in fact, I’ve experienced just that. So while not necessarily gaining control over your email address it can still cause a measure of havoc.
I wonder if that can be used as an email takeover attack by impersonating another user’s email address.
Alias ended his comment, “while NOT necessarily gaining control over your email address…”
I don’t see any path for an email account takeover.
Now, if some website admin has a weird bug that doesn’t follow standard account reset practices, then maybe someone can get reset links/codes sent to the attackers email.
… but that account takeover attack would still be possible even if the user doesn’t use an alias. Only the attacker would need to use an alias.
There was a way to take over Netflix accounts this way.
I don’t use a + in my alias and I’ve never had an alias rejected. I have over 200 alias, one for each site/service.
That is brilliant. I didn’t even know that was possible.
I’d keep these in my password safe for future reference.
I’m going to try this on my new Proton email address.
I find Apple’s Hide My Email feature extremely useful. Unlike Gmail’s aliasing, the generated addresses can’t be distinguished from normal iCloud email addresses. In addition, Apple provides excellent tools for labeling, notating, and otherwise managing generated addresses.
The primary reason I use these single-purpose addresses is that it makes it easy for me to keep track of who has which address: the answer is (in theory) always a single group, and that group is the label I’ve assigned to that address. If I ever want to change email addresses in the future, I can simply change where all these emails are forwarded to. I can even stop using aliases relatively easily: since only one group has an address, I can change the email they have then delete the old address entirely without fear of missing anything.
Privacy is actually a minor consideration: my actual email addresses are public knowledge, and most of the places that have my email have my name as well. Besides, a malicious emergency data request targeted at Apple (or whoever provides your aliases) could reveal every single one. Aliases are probably an effective counter to most automated forms of attack, but a determined individual could bypass them.
As for cons relative to using your actual email, the only real disadvantage is that the alias provider has control over the address. Like with a mailbox provider, they could abuse this access as they see fit. Unlike with a mailbox provider, you don’t really have the option of self-hosting if you want to preserve pseudonymity: if you’re the only one using an email domain, it’ll be trivial to link every single alias to you. Granted, this doesn’t seem to bother Gmail users much, so maybe that’s not a dealbreaker.
I use aliases, but not with the “+” sign. I have my email setup with catchall and use websitename@mypersonalemaildomainname.tld. This worked surprisingly well to catch a certain political fundraising site sharing my contact info with another group that I did not appreciate getting emails from.
It’s a little awkward when I ask a company to enter their own name in the user portion of my email address, and some even ask if I work for them.
There have been two downsides:
1) replying to an email sent to my custom alias responds with my actual email account unless I take the time to set up a true alias which is a pain and time-consuming.
2) some companies require a response from the exact email address on file and refer to downside #1.
Oops, thought of a third downside.
3) the catchall catches a lot of garbage sent to random email addresses at my domain.
That’s not an email alias. That’s a completely separate email
No. An alias is not a completely separate email (address).
Some thoughts:
For me, two different things in this article/comments.
What Krebs is describing is what I’m used to call “plus addressing”. or “poor man’s aliases”.
For me, an email alias is an uniqe email address you create where email to that address is delivered (redirected?) to an existing main email account/inbox. (Like an “+address”).
But the part before the @ in an alias can be totally different from the main account, unlike an “+” address which contains also the correct real first part of the address. Or can be easily found.
(A “real” alias address can also be delivered to a totally different domain.)
I never give out the address of the “real” address/account. It may be shown in the headers by some providers though…
A real alias is better in view of security.
I create a new alias for every new place I register.
I am still getting spam to the dropbox@mydomain.tld, monster@mydomain.tld when I out of curiosity open up for catchall on those domains.
Both Dropbox and Monster were hacked years ago. And if I remember correctly, I knew of that before dropbox and/or monster finally acknowledged being hacked.
Same goes for reducing spam. Delete/change alias. Spammers can clean out the “”+” part” of an address. But with catchall deactivated and use of real aliases, no problem.
Besides the obligatory postmaster/abuse.But most spammers are wise enough to stay clear of those.
Another benefit that I can think of –> One of my online banking accounts that use email for a login name was getting hammered by a brute force attack, so I changed it to something like bankname_canthackthis123@… Haven’t gotten a single failed login attempt notification since.
bahahaha.. That’s exactly what an alias is.
That’s been my experience as well. The biggest downside is that some websites don’t allow them.
The inconsistency problem is significant too.
Looks like it’s the websites that need to catch up, especially now that Apple is making it easy.
For reset management, and I think most people do the same, it’s pretty simple to just search the email history and/or for to:email+ so you can see all your aliases in use.
So for users, they should use them where they can, but just be aware of the nuances.
I don’t do that coding biz. It is a good idea for someone that needs security or is anal in nature. (Anal as in anal-ysis.) Really, I don’t have the brain power for coding things. I’d screw up and mix things up right away. I’ve been on forums since the 1990’s…the bulletin bad days! Hundreds of them over the years. I get bored and switch my screen names sometimes, but that is about it. I couldn’t imagine all the codes I’d need.
Now, I wish I did make a separate email account for a certain project I am doing. It involves collecting the humongous, almost daily, amounts of email solicitation from a certain political party. I make PDF’s from them and my email address is on them all.
While not that big a deal, I’d prefer the email was not on this project. I’ve heard they have PDF editors so I will have to buy one and remove my email info down the road. A lot of these ideas evolve over time and we don’t realize it until the project is well underway. If I realized this issue, I would have done it 1.5 years ago instead of thinking about it now.
I publish my email address all over the net. If you have looked at my spam email collection at the Internet Archive…that is a big reason why I get loads of spam mail. I don’t mind it, as I have a use for it in the Archive. But if I didn’t archive it, then all the spam would be an irritation. Same as with pop-up ads. I used to get mad as hell with pop-ups. One day I decided to archive the pop-up ads and now I welcome them…well, at least kinda. I mean, I’m already there…so might as well archive them instead of burning up.
nsfw…ish
https://danieldteolijrarchivalcollectioniihome.files.wordpress.com/2021/09/reddit-subreddit-collapze-popup-ads-d.d.teoli-jr.-a.c..jpg?w=1024
I use fastmail to create aliases like amazon@mydomain.xyz to avoid the “+” altogether. Some sites have blacklists for words that can’t be used in an email address for example Pet Smart might prevent you from using the string “petsmart” in an email address. Come up with a standard pattern for these cases, like dropping the vowels (ptsmrt), or just use 1Password to keep track of your unique email aliases.
I’ve made heavy use of aliases for quite a while.
Mine are of the form billyjack+1053xx@example.com where 1053 is the 24 hour time that I created the alias and xx is typically a two letter abbreviation for the site i’m looking at.
In many cases, the alias is for a news site. In those cases, once I give them the alias and create the filter for it, I don’t need to concern myself with it any more. If I do, then I can just look at the past e-mails.
For shopping and other sites I usually just look at old e-mails to get the correct alias for that site.
I use aliases where it makes sense, but not for services that are critical (e.g. Bank, school, IRS, etc). I have an irrational fear that the alias will somehow break and I’d be cut off from that service and have to create a new account. I’m a heavy user of Apple’s iCloud ‘hide my email’ feature, which works beautifully. Their process flow could use a little refinement, especially as it comes to creating new user/passwords for new sites and then saving it to the keychain. Apple’s aliases are also a bit…bizarre in their naming conventions. But overall I’ve been happy with it. Pros/Cons? Pros is that I keep my email hidden from services that might get breached, and it helps cut down on spam. Cons is that I have to manage this crap in the first place.
I have been using Fastmail’s masked email feature to create unique email aliases. It has been working great so far. Fastmail also has a nice interface for managing these emails and figuring out which service belongs to each email (Tip: add the domain to the mask email description field). That is the first place I would go to try and figure out which email I used for a given service.
In addition to fastmail and Apple’s Hide My Email services, there is also 33mail.com, which is a free service unlike the other two that allows for unlimited alias addresses, and may work in situations when the plus sign is filtered out. I have used this for years and it is handy.
When an isp switches from providing mail service to merely reselling it, one may suddenly lose all those services that were signed up with using + adddresses.
I noticed only when I stopped receiving receipts and notifications. There was no notice at all from the isp.
This happened to me when the isp switched to reselling MagicMail without notice. After some run-around, I was told by my isp that MagicMail refuses by policy to permit + addressing regardless of any standard at all. If I recall correctly, MagicMail told my isp that it was obsolete and nonstandard.
Smaller isp’s generally seem to be switching from providing services to reselling services. One must run their own mail server to have any control, or even any choice, at all any more.
While some dont like giving information to extensions, the AnonAddy extension makes quick work of making unique addresses for every site without relying on the ‘+’ convention to be implemented.
Though the addresses are entirely random letter nonsense so don’t recommend using them for logins unless you have a good password manager too.
My website hosting includes email, so I have access to mail rules, etc. and what I started doing years ago is using the domain name of the site on which I’m creating an account as the email address at my domain, and then creating a corresponding forwarding rule on my mail server. So for example if my mail domain were wxyz.com and I wanted to sign up for the Krebs on Security mail list, I would create a forwarder for ‘krebsonsecurity.com@wxyz.com’ which sends mail on to my regular email address. This way if I start getting spam on one of the forwarders, I can create a corresponding rule to deny the mail with ‘Error 550 – No Such User Here,’ delete it altogether, or whatever.
The biggest plus is that I don’t have to put on my thinking cap to remember the email address I used.
There are various alias services out there, no need to completely rely on Google as this post seems to suggest. I’ve never used a + in an alias. My structure is site identifier plus a period plus some random characters to eliminate someone guessing your address @ my custom domain. I have over 200 aliases, one for each login. Have never had a problem managing any of it and no problems with any site rejecting an alias.
The benefit of a custom domain is you can easily repoint all of your aliases to a new domain with not much work. And the benefit of an alias service is you can easily create completely random email addresses but then give them a sensible name so you can find them as needed.
I’ve only had to disable or delete an alias a couple of times so far due to spamming and such. It’s also helpful for those times when a service doesn’t allow you to “delete” your account (is any account ever truly deleted?), because you can either disable or delete the alias and you’ve effectively disconnected yourself from the service. But in these cases if possible obscure all of your account info first, such as a fake name, fake address, etc.
Adding to this, using a nonsensical email address makes a lot of sense. Oftentimes accounts are hacked by people just guessing your email address…johnsmith@emailprovider.com. But it’s much harder to guess diejflisefj@emailprovider.com. Someone once tried to order something from my Amazon account, apparently through customer service, because the account was never accessed. From that point forward all of my emails/aliases have some element of randomness to them and aren’t easily guessed. Just one more step in the security/privacy race.
The easiest, and least objectionable method I’ve found involves the integration of Fastmail with 1Password. Brilliantly creating a unique address (usually formatted as word1.word2####@ fastmail.com) and instantly creating an impenetrable password) these two work very well together.
For years I’ve had many email addies, multiple domains etc. Now they all generate through a single domain, forwarding them easily from Fastmail, to the designated domain and into a single mail folder for segmentation and analysis.
I’m confused, I thought it was up to each email provider to decide if they have aliasing. I know Gmail and hotmail have it, but is this a universal standard?
I use 33mail.com’s service. I pay them an small annual fee and they give me my own subdomain from which to create unique aliases. I can also view and manage all my aliases in their somewhat user friendly web interface.
If your email provider allows aliases without the tagged-in folders, then you can circumvent threat actors attempts to prevent having their work reverse-engineered
I have Proton Unlimited, and that only allows 14 additional aliases
But there’s no reason why I couldn’t just create unique free email accounts, with no limit
All I need now is an email app that can handle monitoring multiple user accounts at the same time
Proton recently bought SimpleLogin.If you have a Visionary, Business and Unlimited account you can link SimpleLogin to your account and create unlimited aliases that forward to your Protonmail account. SimpleLogin Premium is now included in your Unlimited account.
I have used an alias technique similar to what you mentioned for many years.
The biggest benefit is being able to use rules to automatically trash email received for an email address that has been hacked, sold or otherwise provided to a different entity.
My email service allows the use of periods (“.”), dashes (“-“) and/or plus signs (“+”) after the account name (and before the “@”). I’ve never run into a web site that will not accept at least one of them.
I don’t use aliases, but have found that Gmail is so good at identifying true spam and phishing that I rarely get anything in my inbox. When I do I report it and then it almost always goes away. I have had to block maybe a half dozen addresses over the years that somehow evaded Gmail’s filters. Frankly, I’m not sure it is worth bothering with aliases. I’ve used the same Gmail address for 16 years and often go weeks without seeing any emails I don’t expect. I do use several other email addresses for things like newsletters and forums where in my experience you are most likely to be subjected to spam and junk. Then periodically I just change those addresses if they start to attract too much junk.
By using the same email address for everything, you’ve basically tied your entire life together. Makes it easy for Google and everyone else to ad spam you and track you. Aliasing provides some level of obscurity. Not perfect, but at least make them work a little harder for it.
@Zephyr – While I use separate Gmail accounts for more sensitive communications, I echo your experience that the Gmail account I use for everyday purposes rarely has spam coming through — maybe one every couple of weeks.
You miss the granularity benefit of being able to surgically replace an email address and password for a single site when spam shows up.
DuckDuckGo’s new email forwarding sevice allows creation of infinite aliases which is pretty great! This plus a password manager makes it pretty foolproof to create a fresh alias for every online account.
I agree with many of these comments and, being tech savvy, I create my own domains.
One tip I would give is that .xyz domains are really cheap if you just use six or more numbers, for example 285301.xyz. That cost 1.15GBP per year in my territory, so cheap to set up and anonymous.
Abine Blur is another service that creates e-mail aliases that forward (or not) to your actual e-mail account. They call it masked e-mail. It’s free. If you subscribe they also provide masked credit cards, masked phone numbers and other services.
Bitwarden’s password manager now integrates with SimpleLogin, AnonAddy, and Firefox Relay
Going one step further, we advise security conscious customers to use an email alias as their main, public email address.
This is because some email systems (like Zimbra, which, in full disclosure, we resell) can be configured to disallow login attempts that use email aliases. Keeping one’s “real” email address entirely private has the benefit of mitigating distributed brute force login attempts as well — again, if the email system used supports this feature. We documented the technique for configuring Zimbra to do this on our web site: https://www.missioncriticalemail.com/2021/02/08/defend-zimbra-against-distributed-brute-force-login-attacks/
Hope that helps,
Mark
I have been using two forms of aliases for many years: ‘+’ and ‘-‘. The plus ones I can use on the fly while the dash ones mean I need to be on a computer so I can edit the filters on my personal email server. The advantage of using a dash is that I’ve yet to run into a recipient who won’t accept it. The downside of the plus is that recipients seem to have a tendency of accepting the character during signup, only to turn around and replace it with a space when sending a reply. And once it’s in their system, you can’t manage it since your login won’t work. Either accept it everywhere, or deny it everywhere!!
I have roughly 1000 aliases (mostly with dashes) and have had to retire over 80 over the years as they’ve gotten leaked out either through selling lists or due to a breach. When that happens, I just delete the alias and create a new one. So far, only a very few have gotten dinged two or more times.
Is it not better to set up a honeypot email server if you own a domain? Than you can use site1@mydomain.com, site2@mydomain.com, etc. and always know the source of data hacks and never have your email alias (de-)sanitized and (black=)marketed.