One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a “+” character after the username portion of your email address — followed by a notation specific to the site you’re signing up at — lets you create an infinite number of unique email addresses tied to the same account. Aliases can help users detect breaches and fight spam. But not all websites allow aliases, and they can complicate account recovery. Here’s a look at the pros and cons of adopting a unique alias for each website.
What is an email alias? When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that prefaced by a “+” sign just to the left of the “@” sign in your email address. For instance, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to my inbox and create a corresponding folder called “Example,” along with a new filter that sends any email addressed to that alias to the Example folder.
Importantly, you don’t ever use this alias anywhere else. That way, if anyone other than example.com starts sending email to it, it is reasonable to assume that example.com either shared your address with others or that it got hacked and relieved of that information. Indeed, security-minded readers have often alerted KrebsOnSecurity about spam to specific aliases that suggested a breach at some website, and usually they were right, even if the company that got hacked didn’t realize it at the time.
Alex Holden, founder of the Milwaukee-based cybersecurity consultancy Hold Security, said many threat actors will scrub their distribution lists of any aliases because there is a perception that these users are more security- and privacy-focused than normal users, and are thus more likely to report spam to their aliased addresses.
Holden said freshly-hacked databases also are often scrubbed of aliases before being sold in the underground, meaning the hackers will simply remove the aliased portion of the email address.
“I can tell you that certain threat groups have rules on ‘+*@’ email address deletion,” Holden said. “We just got the largest credentials cache ever — 1 billion new credentials to us — and most of that data is altered, with aliases removed. Modifying credential data for some threat groups is normal. They spend time trying to understand the database structure and removing any red flags.”
According to the breach tracking site HaveIBeenPwned.com, only about .03 percent of the breached records in circulation today include an alias.
Email aliases are rare enough that seeing just a few email addresses with the same alias in a breached database can make it trivial to identify which company likely got hacked and leaked said database. That’s because the most common aliases are simply the name of the website where the signup takes place, or some abbreviation or shorthand for it.
Hence, for a given database, if there are more than a handful of email addresses that have the same alias, the chances are good that whatever company or website corresponds to that alias has been hacked.
That might explain the actions of Allekabels, a large Dutch electronics web shop that suffered a data breach in 2021. Allekabels said a former employee had stolen data on 5,000 customers, and that those customers were then informed about the data breach by Allekabels.
But Dutch publication RTL Nieuws said it obtained a copy of the Allekabels user database from a hacker who was selling information on 3.6 million customers at the time, and found that the 5,000 number cited by the retailer corresponded to the number of customers who’d signed up using an alias. In essence, RTL argued, the company had notified only those most likely to notice and complain that their aliased addresses were suddenly receiving spam.
“RTL Nieuws has called more than thirty people from the database to check the leaked data,” the publication explained. “The customers with such a unique email address have all received a message from Allekabels that their data has been leaked – according to Allekabels they all happened to be among the 5000 data that this ex-employee had stolen.”
HaveIBeenPwned’s Hunt arrived at the conclusion that aliases account for about .03 percent of registered email addresses by studying the data leaked in the 2013 breach at Adobe, which affected at least 38 million users. Allekabels’s ratio of aliased users was considerably higher than Adobe’s — .14 percent — but then again European Internet users tend to be more privacy-conscious.
While overall adoption of email aliases is still quite low, that may be changing. Apple customers who use iCloud to sign up for new accounts online automatically are prompted to use Apple’s Hide My Email feature, which creates the account using a unique email address that automatically forwards to a personal inbox.
What are the downsides to using email aliases, apart from the hassle of setting them up? The biggest downer is that many sites won’t let you use a “+” sign in your email address, even though this functionality is clearly spelled out in the email standard.
Also, if you use aliases, it helps to have a reliable mnemonic to remember the alias used for each account (this is a non-issue if you create a new folder or rule for each alias). That’s because knowing the email address for an account is generally a prerequisite for resetting the account’s password, and if you can’t remember the alias you added way back when you signed up, you may have limited options for recovering access to that account if you at some point forget your password.
What about you, Dear Reader? Do you rely on email aliases? If so, have they been useful? Did I neglect to mention any pros or cons? Feel free to sound off in the comments below.
I wonder where we’re heading with all this? SMS instead of Email? Passwordless? SSO everywhere? In the latter case, instead of the Dutch site that has 2M accounts compromised, Google/MS/Apple/Amazon each control access to 2-5 *billion* email addresses that may or may not have associated passwords? Think that future will keep your “inboxes” (or whatever they’ll be called) spam-free? Don’t hold your breath!
The main downside I have seen with aliases is that if you are buying something, customer service might only want to see emails coming from your full registered address and will disregard anything else as potential fraud. If you use common free webmail, you probably don’t have the ability to modify your sending address arbitrarily.
Using an email alias on an account is a little dangerous, because you probably
can’t originate a message from that address, so Support or account-recovery may be hindered.
For example,
suppose your registered email address for eBay is “myname+ebay@gmail.com”.
You may not be able to originate a new email from “myname+ebay@gmail.com”, only
from “myname@gmail.com”. This may get rejected by eBay, for Support or account-recovery purposes, since it doesn’t match
the address on your account.
This won’t be a problem if account-recovery only involves receiving a link in email,
and clicking on the link.
iCloud hide my email doesn’t have this problem as the address maps to a given domain in the system.
Similarly, it’s immune to the +alias stripping Brian mentioned in the article.
Fastmail offers masked email addresses, which are integrated with 1Password. When registering at a site that requires an email address as username 1Password offers a new Fastmail masked email address, and Fastmail also keeps track of which site is associated with each masked address. I use this convenient feature frequently. It is possible to reply from the masked email address, and it does not have a format that would be rejected by sites that do not permit aliases. Fastmail keeps track of how many times each masked address has been used and provides a simple check box to block future emails, if desired.
In 2014, Apple added an iCloud Keychain UI into iOS’ Settings app under Passwords. At that time I used the built in password generator to create random 15-character passwords for my mom, sister and myself. Similarly, I set up 2FA by text where offered.
(Note: similar to Billy Jack, when I created usernames, I used bobYYYYMMDDkc, where the last letters were first letters from domain and domain type (here Krebs….com), in this way I encoded the date I setup the account.)
In 2021, Apple rolled out Hide My E-Mail (HME), it’s also in the settings app but buried under Apple Account at top and iCloud inside there.
In 2017 I implemented the gmail alias approach Brian describes above. I trifurcated it tho, setting up abc.17.biz+123@gmail for general accounts, but replaced the .biz with .fin and.med for the small set of finance and medical related online accounts (I did this as a hedge against a) cranky websites that would ignore the + suffix and b) what I figured would be eventual alias stripping efforts by hackers (guess we reached that point). I also registered the base addresses and the small subset of +alias addresses with HIBP.
As to the +000 suffix I captured the 001, 002, … 00n in a Numbers spreadsheet.
I set up these alias accounts for my mom and sister, probably 150 each (and only for the fin and med accounts for my mom). It was a lot of work, and the number of sites banning the + so numerous, so much work in fact that I never did it for myself; I continued with my 2 email addresses, one for legitimate things and the other for throwaway site accounts or subscriptions.
I can tell you that my mom and sister failed to master the art/science of just looking up of an earth mail address in the Numbers registry. (To some extent they could find the email address in the Keychain but only for sites that accepted e/m addresses as u/n and that was only about half.). If they were asked by a phone agent, they were too flummoxed to find these.
So while security was improved with this approach it was a flop due to time invested setting up an inconsistent system that average users couldn’t seamlessly use. (This was odd because my mom, now 90yo, and mid 50’s sister both were pretty good at copy/paste of authentication from Keychain to sites that (stupidly) blocked Autofill of this info.)
Starting last year, but by bit, I converted my 200 or so online accounts captured in my Keychain to the iCloud HME standard.
Somewhen earlier this year apple improved iCloud Keychain by adding: 1) an authenticator function (it works everywhere that Authy or Google Authenticator is supported), and 2) a notes section at the bottom of every key in the Keychain.
I use the notes section to capture:
– U/n if email is used for login.
– e/m mit username is used for login.
– 12ph,34z,56bd for phone, zip and birthday info (we have a mailbox and POB in two different zip codes and I use a fake birthday for non official accounts)
– QA to capture challenge questions and answers (based on the last word in the offered question and a non sensical answer with a two digit suffix for entropy)
– recovery keys
– one time codes
– etc.
So I piloted on myself:
1) creating a new gmail address to act as the HME inbox for emails being relayed by the iCloud HME system,
2) depreciating my fin and med addresses by converting to unique iCloud e/m addresses, similarly replacing my 2 standard yahoo e/m addresses with HME addresses everywhere else,
3) updating all passwords to the newer 20-character standard, (1,2&3 already last year),
4) setting up authentication (and superseding SMS based 2FA) where possible,
5) capturing the contact info for each site,
6) revising all challenge QA sets,
7) replacing u/n neither e/m for authentication where possible. (4,5,6&7) this year after the enabling features became available from Apple.
So after accomplishing this for myself and living with it a few months, I’ve now done same for mom and sis so we are all on the same standard.
I have observations:
– one must realized that using iCloud HME is a form of lock in to two things: 1) paying a fee of at least 0.99$/mo, for iCloud+, and 2) using the apple ecosystem and the work it would take to change out of it to a different e/m set-up;
– it takes less time to setup than the +alias approach (exclusive of my other enhancements). This proceeds by tapping the HME button atop the iOS keyboard and using the applet to create the new HME address;
– the hide my email registry lacks a search function (I’ve reported this to apple as a bug when you have several hundred e/m’s in the registry you need to be able to search the e/m the domain and the little notes section in each e/m entry);
– the registry also lacks the scrollable alphabet that’s in the contacts and the Keychain (also reported);
– the iCloud addresses often contain underscores and hyphens and I suspect some sites are not capable of sending e/m with these (a couple sites rejected such entries, and the rub here is you get three proposed e/m’s for each new e/m you set up);
– similarly I noticed one site in about 500 that allowed e/m for authentication but truncated around 16-characters and the HME addresses are around 20-characters;
– you can’t send a HME email to several recipients, each address is mapped to a single user;
– similarly I think I will continue to give out my first.last@… e/m to people I know for their convenience as well as any others in a group mailing for groups I belong to;
– a couple sites allowed different e/m’s for, say login and contact, and another for invoices (for kicks I did this over constrained thing, and today I saw it gives trouble as the apple mail client said “this address is deactivated or deleted,” which it wasn’t (so I removed this constraint and set the invoice xem address to be same as login e/m address;
– taking the effort to record the e/m address in the notes section of the Keychain key is worthwhile for users like my mom and sis because the Keychain is searchable and if, say AMEX asks them for their email address it’s easier to find in the Keychain than in the unsearchable unscrollable HME registry;
– similarly for sites that use u/n for login, but require an e/m for password recovery, it’s possible to tap that e/m in the key’s notes section for the necessary copy/paste activity;
– after things are set-up, HME offers a button showing the address for that domain above the keyboard for autofilling the address. Where HME has not been set up, HME offers a basic HME button that opens the setup applet;
– I noticed that sometimes it seems HME doesn’t seem to realize it already has an HME address for a given domain, but when I hit the basic setup button the applet said “this domain has an HME e/m, use it?” Here the mantra is “trust HME.”
As with everything, there’s pros, cons and compromises, but from the experiences related above (beyond the 3 of us discussed above, I set up such set ups for some senior nontechnical friends so their online banking and medical, etc would be safer), I can say if you are committed to staying in the apple ecosystem and willing to pa buck a month (which also gets you iCloud private relay IP Address randomization), this is the way to go.
I hope this is helpful for somebody!
I use aliases heavily. Over time I’ve collected about 200-300 of them; I should go and delete those I no longer use.
I don’t like your example of id+example@domain.com because all the spammers need to do is convert it to id@domain.com and they have your primary address which you should be hiding.
I use E4ward.Com to generate most of my aliases although I am starting to use Fastmail’s Masked Emails too.
20+ years ago I had a big spam problem (>100/day) from using my primary email address in Usenet posts; big mistake. By using aliases I now only get @10 per day and Gmail is very good at detecting those and routing to my spam folder.
I think most people are reluctant to use Aliases because of the learning curve and extra work to set them up. Creating the Alias and the rules and labels/folders to hold them. It quickly becomes 2nd nature though and isn’t the bother it initially appears to be.
Interesting topic and informative comments. Folks with email tech skills have been using home-grown aliasing capabilities for years; fortunately there are now services that bring the benefits of aliases to folks who aren’t quite so savvy. I use a free email forwarding service called ManyMe.com, which avoids a number of the cons pointed out in the article, with added plusses. ManyMe addresses are simple to use (the form is username.label@manyme.com, where the label can be anything I want to give the address visual context), reveal neither my primary address nor my email provider, can be used spontaneously (or as they say “on the fly”) in conversation or on paper, can be forwarded to any email system, are recorded in my dashboard (along with the addresses of all of the senders that have used the address), can be easily disabled using the in-message interface (and even re-enabled if I only want a short-term hiatus from deliveries), and my primary address is protected on replies, too. A big difference from the other services that I looked at is the strong emphasis on security (hosting attachments, blocking active code and risky file types, displaying the sender’s envelope from address, and a bunch of other things), along with granular inbox controls (not just disable). I’ve been very happy with it.
As a long-time USENET and forum participant and general emailer to all sorts of sites, I DO NOT consider this email formatting as an “alias”. Why? Because this + formatting doesn’t always work, hense this article is flawed.
To me, an “alias email” is a completely *different* email account other than your real account.
Okay, so maybe some folks might technically call that a pseudonym account … but of course, each of those words are synonymous !
( Didn’t learn anything new )
No disrespect to the people here running their own mail servers, but the for the great many readers here, let me just state a personal opinion that running your own mail server has to be one of the riskiest things you can do, and it is not for the faint of heart or anyone who really doesn’t know they’re doing.
I highly recommend using the Apple method, but it’s not free as it requires an iCloud subscription. The alternative is to use email protection from DuckDuckGo because these services feature something that alias emails have been missing.
The ability to reply to emails you receive using the same alias!
ManyMe provides a masked reply capability, too.
The best Disposable or non-disposible Email Address Service that i use by far is Blur (which is my address listed below). Highly recommend it to protect and keep your key e-mail addresses secret. I’m currently looking into SimpleLogin since it got added to the Proton group of privacy apps but Blur seems to be more intuitive. Thank you for your information Brian. Been following you for years and you are the best. John
But then you can sell a “my email” hat for $34 like Hillary Clinton does.
I use “BLUR” from ABINE (dot) COM. A free service that generates random masked emails and send the email to the email account you register with them. You can block or cancel the generated email anytime. I’ve been using it for years. They have some pay for services like masking credit cards, so you have a “one off” credit card for online purchases, but I don’t subscribe to that.
I’ve found that some sites are inconsistently coded and will accept an aliased address when signing up for their site – but not when logging back in – or not on their “forgot password” screen. It makes for quite the frustrating experience.
I stopped using Gmail’s +suffix after enough account creation sites ignored the RFC and cited my email was ‘invalid’. Instead I’ve moved to catch-all emails on a custom domain I’ve purchased. E.g. krebsonsec@customdomain.com. Way less of a headache and still affords blocking in the event of it being sold or misused.
I do this too. It’s great because you can turn off the spam filter on that account so you don’t miss notifications you want (it’s all spam in the Bayesian sense) and blacklist individual addresses that get actually spammed out.
The biggest unintended consequence of this strategy is that I’ll be at a hotel and give the email HotelName@biz.whatever.com and the person will ask, oh do you work for Hotel Name. But I use my powers for good and tell them no.
Are catch-all emails still supported anymore? I thought this was no longer a supported configuration (maybe depends on the email system/provider). I loved using a catch-all mailbox; this way you don’t need to mess around with the “+” part and are able to obscure your actual email address. Now I’ve moved to manually creating proxy addresses, which is more of a pain but still works.
A service like Firefox Relay is also worth mentioning. Then you don’t have to share your actual e-mail address.
While they do take some setup, Firefox Relay or DuckDuckGo’s Email Protection do solve a lot of the problems with aliases. The email addresses generated by these services are always valid, because they don’t have a “+” sign in them. You can also turn them off if you ever get spam through one of these addresses, and as “Me” mentioned, your real address can’t be inferred from the “alias” generated by these services.
I have my own domain so I use email aliases by having a sub-domain for each user with wildcard forwarding for those sub-domains’ email (e.g. bill@example.com can receive email at any email that uses “@bill.example.com”
This gets around the filtering aspect, but still has the issue of knowing what email to recover with. This is where a password manager comes in. And of course you need to own a domain and deal with email hosting.
As for orinating emails from these email address, gmail.com supports “send as another email” address as long as you can receive email at the same address. I’ve never tried it with “+” emails.
I like them for 1 way comms, like newsletters, offers, etc. You know, like emailalias+krebsonsecurity@gmail.com 🙂
I highly recommend using the Apple method, but it’s not free as it requires an iCloud subscription. The alternative is to use email protection from DuckDuckGo because these services feature something that alias emails have been missing.
The ability to reply to emails you receive using the same alias!
I have a phony name/email address, period. I use it to sign up for newsletter, etc. like KOS. That way, personal mail, which may require a more timely response, is not mixed in with lower interest/read-when-I-have-the-time material.
I dread whenever I have to talk to people that work at a company that has my aliased email because they always ask me to give them a new email because they think my email on file is wrong because it has their company name on it.
I’m also deathly afraid spammers are going take one of my breached emails and replace the alias portion with random characters every time they send the email to thwart one of the best methods for identifying how my email got breached and blocking them.
I’m a fan of using the “servicename@mydomain.com” format. Obviously this assumes I have wildcard forwarding set up and also has the limitation highlighted above which means that I cannot generate outgoing emails with these aliases. Keeping track of them with a password manager is super easy. It does trip up customer support folks occasionally 🙂
I have been doing something similar, but using the number “4”. Ex john4somegame@yahoo.com
A while ago I started getting spam addressed to a variant of my email – it contained a dot between two characters. While I’m not sure if this was something the spammer did, or if I mistyped my email into a service which subsequently got hacked, it demonstrated that Gmail ignores ‘.’ in the address prior to the ‘@‘.
One might be able to get away with using a series of ‘.’ placements within the email address as aliases – this would be as easily done as aliases, and less likely to be noticed or removed by those who curate email databases for spammers.
I’ve been using the old “+” for longer than I can remember for both the security value as well as the filtering value.
It’s also allows you to spot when a given site has sold your email address to someone else. Eg. receiving an email to joe+evilcorp@example.com from some random EDM vendor that you weren’t expecting gives you recourse to scream bloody murder at Evil Corp (not that it will likely help much but you might feel better that you caught them out).
Another pro is that it allows you to easily have multiple accounts with a single site. Eg, joe+twitter@example.com, joe+twitter2@example.com.
You can effectively create any number of throw away addresses this way as well. Eg, joe+20220811@example.com gets used for some random one off thing today and I really don’t care about it moving forward.
I’ve been doing this since before + addressing. Some mail providers allow for unlimited aliases (e.g.: Rackspace). It’s a little more work than using +, but it’s less likely to be scrubbed.
Originating email as that alias isn’t that hard if you set your from/reply-to, which will work most of the time. Yes, kind of a pain, but the assumption is you wouldn’t need to do it that often.
Rackspace allowed you to set up send-as (Identities) in their webmail, which was really convenient for more commonly used ones. However, much to my dismay, they have sunsetted that feature and its no longer available. Boo on them.
I’ve been using these for years, but I’ve
always heard of them being referred to as
either tags or “plus addressing.” I prefer
tags, personally. I also use procmail to
bounce anything not coming from an address
in a whitelist I keep unless it includes a tag
found in a list of tags I’ve authorized. It’s
actually a little more complicated than that
(for example, email addresses found in either
my contacts list or my sent mail folder will
automatically be whitelisted even if they
aren’t in my whitelist), but you get the idea.
I also have a separate list of authorized tags
that only work if they have the current date
appended in the correct six digit format for
posting in public places, so they won’t work
indefinitely without modification. With this
system, I do no spam filtering, and I get no
spam.
“if you can’t remember the alias you added way back when you signed up, you may have limited options for recovering access to that account if you at some point forget your password.”
Yet another good argument for using a password manager, since you can store the email address used for every site/login.
Two thoughts for feedback on your article Brian:
1) If you use aliases (which I have for years), you can’t search HIBP for + wildcard @ gmail.com (for example). i.e. If you’re looking for breaches you have to enter every variation of your address+alias to get a result. Troy won’t budge on this issue (yet) based on the low volume of aliases present in his Db.
2) If using aliases, add random characters after the “+”, not the site name i.e. +wombank@gmail.com. Use +FT45Dx7@gmail.com in combination with a PASSWORD MANAGER to record the unique address. That way if you’re credentials are compromised, you’re not making it infinitely easier for the threat actor to target the particular domain with your compromised email/password.
I use an alias for almost all of my accounts. Remembering an alias isn’t a problem, as I use a password manager for everything.
Not being able to send an email from that alias is a problem, in theory, but is not something that has caused me any issues thus far.
There was a time in my career when I was very interested in the details and suggestions found here, but I honestly don’t have the time anymore, and worse, the skills to know that I’ve done it correctly.
And for all the scum and villany of the internet and “being” the product (by virtue of free services), I’d happily pay for a product or service that was secure and didn’t monetize me. I’ll have to look into Apple’s solution. For all the things we spend money on, I am a little surprised by anyone who thinks 99 cents a month to Apple is a bridge too far.
I have a number of domains I use for emails – some professional, some for rubbish – and use a different username for each site.
All domains and usernames filter back to the same inbox, so managing all of them isn’t an issue (though I guess having a catch all inbox could open me up to other abuses, but it’s been fine to date).
And every account gets loaded in a password manager so I never forget.
One con with using aliases or plus addresses or and address variation is signing up with monitoring services. HaveIBeenPwned is one example, but not the only. I have signed up my primary address(es) with HaveIBeenPwned so I can receive notification of them being found in data breaches. But, As far as I know, my variations are not being monitored. Certainly my true aliases are not being monitored since there is no way to discern the primary address from the alias.
I also have a family domain. I also generate aliases there. I can also generate subdomains. I have the domain and some subdomains registered with HaveIBeenPwned. That works well for the aliases created in the domain and subdomains, no gaps except for the subdomains I have not registered.
I have been using email since before the Internet. Some of my primary email addresses were registered before anybody needed to concern themselves with spam, data breaches, tracking, other privacy issues. I move on to new primary addresses using forwarding and aliases as I do. I have to use four digits to count the number of accounts I have established on the net. Once you put something on the net, it is there forever, literally. You need to adapt.
(long time reader, first time commenter) I think using a “+” alias to automatically sort email into folders must be a Gmail feature, it’s not a standard feature in any other server software I’ve used.
That being said, I’ve run my own mail servers since the late 90’s and I’ve been using aliases since probably the early 00’s. They are absolutely an amazing idea, because I can selectively block alias senders who won’t stop sending “helpful” notifications. I’m looking at you here, Youtube, Hampton Inn, American Airlines, FACEBOOK and all the rest (you know who you are). I can also permanently unblock addresses I really care about, like e-bills.
I use a separate domain for aliases, configured with a “catch-all” rule to just forward everything to my real address. Then I use aliases like someretailer@otherdomain.com when I register on websites. That’s certainly beyond what Grandma can handle and it costs a little bit every year, but it’s well worth it. It doesn’t even require running your own server — you can register a domain with a catch-all forwarder at Godaddy for about $20/year.
In my experience, the only downside is talking to customer service reps on the phone. They see your email address is the name of their company and it Blows. Their. Mind. I’ve tried explaining it to them before, but it’s always a waste of time. Now I just wait for them to ask “is that really your email?” and I only say “Yes.”
I have a personal domain for email only and have used a form of email aliasing for nearly three decades. Anything without an alias filters to spam or junk or remains in the email client inbox. I can also easily send email from any of those aliases. I’ve encouraged others, especially those running their own businesses, to acquire their own domains so they can enjoy this email flexibility for filtering account communications (and to present a more professional public face than a gmail address affords).