One way to tame your email inbox is to get in the habit of using a unique email alias for each account you sign up for online. Adding a “+” character after the username portion of your email address, followed by a short tag specific to the site you’re signing up at, lets you create a practically unlimited number of distinct addresses that all deliver to the same mailbox. Aliases can help users detect breaches and fight spam. But not all websites accept aliases, and they can complicate account recovery. Here’s a look at the pros and cons of adopting a unique alias for each website.
What is an email alias?
When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and add it, prefaced by a “+” sign, just to the left of the “@” in your email address. (Mail providers call this subaddressing or plus addressing; Gmail, Outlook.com and Fastmail are among the providers that support it.) For instance, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then I go back to my inbox, create a corresponding folder called “Example,” and add a filter that routes any email addressed to that alias into the Example folder.
Importantly, you never use that alias anywhere else. That way, if anyone other than example.com starts sending email to it, it is reasonable to assume that example.com either shared your address with others or got hacked and relieved of it. Indeed, security-minded readers have often alerted KrebsOnSecurity about spam arriving at specific aliases that suggested a breach at some website, and usually they were right, even if the company that got hacked didn’t realize it at the time.
Alex Holden, founder of the Milwaukee-based cybersecurity consultancy Hold Security, said many threat actors will scrub their distribution lists of any aliases because there is a perception that these users are more security- and privacy-focused than normal users, and are thus more likely to report spam to their aliased addresses.
Holden said freshly hacked databases also are often scrubbed of aliases before being sold in the underground, meaning the hackers simply remove the “+tag” portion of each email address and keep the base address.
“I can tell you that certain threat groups have rules on ‘+*@’ email address deletion,” Holden said. “We just got the largest credentials cache ever — 1 billion new credentials to us — and most of that data is altered, with aliases removed. Modifying credential data for some threat groups is normal. They spend time trying to understand the database structure and removing any red flags.”
According to the breach tracking site HaveIBeenPwned.com, only about 0.03 percent of the breached records in circulation today include an alias.
Email aliases are rare enough that seeing just a few addresses with the same alias in a breached database can make it trivial to identify which company likely got hacked and leaked it. That’s because the most common aliases are simply the name of the website where the signup takes place, or some abbreviation or shorthand for it.
Hence, for a given database, if more than a handful of addresses carry the same alias, the chances are good that whatever company or website corresponds to that alias has been hacked.
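The two operations described above, as an added example in Python that is not from the article or from Hold Security: the “scrubbing” pass that strips the “+tag” from every record in a dump, and the inference that a tag recurring across many records points at the site that leaked the list. The dump below is constructed sample data, not real breach data, and the “email:password” line format, the three-occurrence threshold and all function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample of a leaked "email:password" list. Not real data; the
# tags are chosen so that "example" recurs the way a real site name would.
SAMPLE_DUMP = """\
alice+example@gmail.com:hunter2
bob@example.org:letmein
Carol+Example@fastmail.com:correcthorse
dave@hotmail.com:123456
erin+exmpl@gmail.com:qwerty
frank+example@protonmail.com:password1
grace+netflix@gmail.com:dragon
heidi@example.net:abc123
"""

# user+tag@domain. A local part may contain more than one '+', so the tag is
# everything from the first '+' up to the final '@'.
SUBADDRESS_RE = re.compile(r"^([^@+]+)\+([^@]*)@([^@]+)$")


def split_subaddress(addr):
    """Return (user, tag, domain); tag is '' when the address carries no '+tag'."""
    addr = addr.strip().lower()
    m = SUBADDRESS_RE.match(addr)
    if m:
        return m.group(1), m.group(2), m.group(3)
    local, _, domain = addr.rpartition("@")
    return local, "", domain


def strip_subaddress(addr):
    """The base address a scrubbed dump keeps once the tag is deleted."""
    user, _, domain = split_subaddress(addr)
    return f"{user}@{domain}"


def parse_dump(text):
    """Pull the address column out of 'email' or 'email:password' lines."""
    addrs = []
    for line in text.splitlines():
        line = line.strip()
        if line and "@" in line:
            addrs.append(line.split(":", 1)[0])
    return addrs


def scrub_dump(text):
    """Rewrite each line with its '+tag' removed, leaving the password column intact."""
    out = []
    for line in text.splitlines():
        if "@" not in line:
            continue
        email, sep, rest = line.partition(":")
        out.append(strip_subaddress(email) + sep + rest)
    return out


def alias_stats(addresses):
    """Share of aliased records plus a frequency table of the tags seen."""
    tags = Counter()
    for a in addresses:
        _, tag, _ = split_subaddress(a)
        if tag:
            tags[tag] += 1
    aliased = sum(tags.values())
    ratio = aliased / len(addresses) if addresses else 0.0
    return {"total": len(addresses), "aliased": aliased, "ratio": ratio, "tags": tags}


def likely_source(addresses, min_count=3):
    """Tags recurring at least min_count times, most frequent first.

    On a real dump the top entry is the name (or shorthand) of the site that
    most probably leaked the list; a tag seen once is just one user's habit.
    """
    stats = alias_stats(addresses)
    return [(tag, n) for tag, n in stats["tags"].most_common() if n >= min_count]


if __name__ == "__main__":
    addrs = parse_dump(SAMPLE_DUMP)
    print(alias_stats(addrs))          # 5 of 8 records aliased in the sample
    print(likely_source(addrs))        # [('example', 3)]
    print("\n".join(scrub_dump(SAMPLE_DUMP)))
```

The threshold matters: with 0.03 percent of records aliased on average, even three identical tags in a dump of a few thousand rows is far above chance, which is why a single tag counted across the whole file is a stronger signal than any one address.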
That might explain the actions of Allekabels, a large Dutch electronics web shop that suffered a data breach in 2021. Allekabels said a former employee had stolen data on 5,000 customers, and that those customers were then informed about the data breach by Allekabels.
But Dutch publication RTL Nieuws said it obtained a copy of the Allekabels user database from a hacker who was selling information on 3.6 million customers at the time, and found that the 5,000 number cited by the retailer corresponded to the number of customers who’d signed up using an alias. In essence, RTL argued, the company had notified only those most likely to notice and complain that their aliased addresses were suddenly receiving spam.
“RTL Nieuws has called more than thirty people from the database to check the leaked data,” the publication explained. “The customers with such a unique email address have all received a message from Allekabels that their data has been leaked – according to Allekabels they all happened to be among the 5000 data that this ex-employee had stolen.”
HaveIBeenPwned founder Troy Hunt arrived at the 0.03 percent figure by studying the data leaked in the 2013 breach at Adobe, which affected at least 38 million users. Allekabels’s ratio of aliased users (5,000 out of 3.6 million, or about 0.14 percent) was considerably higher than Adobe’s, but then again European Internet users tend to be more privacy-conscious.
While overall adoption of email aliases is still quite low, that may be changing. Apple customers who use iCloud to sign up for new accounts online automatically are prompted to use Apple’s Hide My Email feature, which creates the account using a unique email address that automatically forwards to a personal inbox.
What are the downsides to using email aliases, apart from the hassle of setting them up? The biggest downer is that many sites won’t let you use a “+” sign in your email address, even though “+” is a perfectly legal character in the local part of an address under the email standards (RFC 5322). Usually the culprit is a home-grown address validator that rejects the character, or a form that mangles it: under the URL-encoding rules web forms use, an unescaped “+” decodes to a space, so the address the site stores is not the one you typed. Worse, some sites accept the alias at signup but reject it elsewhere, such as on the login or password-reset page.
Also, if you use aliases, it helps to have a reliable way to recall which alias you used for each account; a folder or filter rule per alias, or the alias stored alongside the password in a password manager, takes care of this. That’s because knowing the email address for an account is generally a prerequisite for resetting its password, and if you can’t remember the alias you added when you signed up, you may have limited options for recovering access to that account should you forget the password. Finally, a plus alias is a tag, not a disguise: anyone who sees krebsonsecurity+example@gmail.com can recover krebsonsecurity@gmail.com by deleting the tag, so aliases help you attribute leaks and sort mail, not hide your address.
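The two bugs that most often break “+” addresses, side by side as an added example in Python (not code from the article or from any site it names): a hand-rolled validator whose character class omits “+”, next to one that accepts the RFC 5322 dot-atom local part, and a client that drops the raw address into a query string without percent-encoding, so the server decodes the “+” as a space under application/x-www-form-urlencoded rules. The atext character set is the one RFC 5322 defines; the regexes, function names and the 254-character limit are this example’s own choices.

```python
import re
from urllib.parse import parse_qs, urlencode

# Bug 1: a typical "looks reasonable" validator. The local-part class has no
# '+', so every plus alias is rejected as invalid.
NAIVE_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Fix: accept the RFC 5322 dot-atom local part. atext is
# ALPHA / DIGIT / "!#$%&'*+/=?^_`{|}~-"; dots may separate atoms but may not
# lead, trail, or repeat. The domain is hostname-style with at least one dot.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
RFC5322_EMAIL_RE = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*@{LABEL}(?:\.{LABEL})+$")


def naive_is_valid(addr: str) -> bool:
    """The broken check: rejects krebsonsecurity+example@gmail.com."""
    return NAIVE_EMAIL_RE.fullmatch(addr) is not None


def is_valid(addr: str) -> bool:
    """Dot-atom local part, dotted hostname, overall length capped (assumed 254)."""
    return len(addr) <= 254 and RFC5322_EMAIL_RE.fullmatch(addr) is not None


# Bug 2: a client that builds the query string by hand. In
# application/x-www-form-urlencoded a literal '+' means space, so the server
# stores "krebsonsecurity example@gmail.com" and mail never arrives.
def build_query_badly(email: str) -> str:
    return "email=" + email


def build_query_properly(email: str) -> str:
    # urlencode percent-encodes '+' as %2B, which decodes back to '+'.
    return urlencode({"email": email})


def server_side_decode(query: str) -> str:
    """What a web framework hands the application after decoding the form body."""
    return parse_qs(query, keep_blank_values=True)["email"][0]


if __name__ == "__main__":
    alias = "krebsonsecurity+example@gmail.com"
    print(naive_is_valid(alias), is_valid(alias))                 # False True
    print(server_side_decode(build_query_badly(alias)))           # '+' became ' '
    print(server_side_decode(build_query_properly(alias)))        # intact
```

When a site accepts an alias at signup but later rejects it at login or in a reset form, it usually means two different code paths use two different validators; testing every form that takes the address, not just registration, is the quickest way to confirm it.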
What about you, Dear Reader? Do you rely on email aliases? If so, have they been useful? Did I neglect to mention any pros or cons? Feel free to sound off in the comments below.
I prefer to use a catch-all with my own domain name on a Google Workspace account. I’ll usually use something like servicename@mydomain.com. A few times I have gotten special treatment and upgrades when using hertz@ or hilton@ because the counter agent thought I was a bigwig with the company. Sometimes when entering a sweepstakes I’ll use currentmonth+year@mydomain.com or 6-digitdate@mydomain.com.
Like you, I create a specific alias for each website on my own domain. But it’s not easier for everybody…
It’s trivial to set up, and ideally you avoid Google’s empire and don’t use Workspace. Get a domain with free WHOIS privacy protection (Namesilo is the cheapest year over year), then get a service like Fastmail (~$40/yr).
Namesilo can configure domain templates when registering a domain for email, so it’s one click without the need to even set up CNAMEs etc. If you’re willing to pay ~$50/yr, your email doesn’t have to be supported by an advertising company.
Fastmail allows you to create unique anti-spam addresses with one of their domains or your own, or you can set up a wildcard rule and supply a site-specific email address for each site/domain. They allow you to set up rules for aliases in a fairly straightforward manner, but the best part is that if you use the same email for your website account and the site has a separate support system like ZenDesk where you use the same email, you can actually reply to the emails that come in without having to create a new send-as identity like you would with Gmail / Google Workspace.
When you have your own domain with a catch-all, I call this a canary email address, because it is much more likely not to be noticed by someone who stole the data. I have been using canary email addresses for 20 years.
After a while you learn not to be too generic in your naming convention, because sometimes spammers just make up addresses to send to your domain and you won’t know for sure whether something was hacked. I now use prefixes so that I can have fewer sorting rules: all financial accounts go into one folder, e-commerce orders into another, etc. There are some other tricks, such as using a Thunderbird plugin to parse the headers and show the original destination address when looking at my spam.
The biggest recipient of email is an old address that I used when I was contributing open source Perl modules to CPAN. That address has to be publicly available and gets spam constantly. However, given the number of spammers that sometimes forget to use BCC and tend to send emails in alphabetical order, I know that there are a bunch of people using the same canary. Knowing this, one could search email lists for this canary, identify some domains using catch-alls, and then search breach lists for those domains to identify the source of the breach. Since these are canaries and not aliases, they are much less likely to be stripped out.
If Mr. Krebs or Mr. Holden want more information, please let me know.
Like you, I’ve used a catch-all on my domain to identify the source of some emails for a long time, and I’ve had some interesting experiences. Before Gmail allowed accessing email over TLS/SSL, I occasionally received unexpected spam at those addresses. (Unexpected, meaning not regular advertising.) Sometimes it was the result of a data leak at the named website, but other times it wasn’t. The spam finally stopped after I switched to the encrypted login, and now I think my email addresses were harvested by intermediary servers reading the plain-text email.
In addition, when a store asks for my email to send a receipt, their first reaction is to ask “Do you work here?”
The primary disadvantage is that it is hard to send an email from the alias when required to reset a password.
As you said, a lot of providers don’t allow “+” addresses; perhaps they’ve got something to hide?
It is worth noting that with some email packages such as qmail, the alias uses a hyphen instead of a plus.
Yes, like broken mail software.
I have a personal domain with a catch all email.
I use this to sign up for accounts and newsletters.
This makes it more difficult to try hacked creds on other sites.
I generally don’t care about ordering in folders.
I have a similar setup using Fastmail’s “Masked Email” feature. I have a domain that gets random aliases generated against it and only use each alias for a single website, instead of just using a catch-all. I do get questions on why my email is, for example, “poop.loop3449@example.com” 😛
As I run some web hosting, including email, myself, I can configure the needed “dump” or site-specific email addresses myself and kill them off if they are subject to spam. But indeed that requires looking after it and may become a hassle. For the time being, and as my used addresses have largely not been subject to abuse, that is OK.
As a general rule I use throwaway email addresses for registrations that I deem one-off.
And from time to time I do inspect my “catch-all” email dump for something suspicious, else “delete all”.
I have used aliases for a few sites, but the fact that it is so easy for automated spammers to remove the alias part cancelled the benefit.
I have also used throwaway accounts for sweepstakes and contests.
Currently, I just use 2 personal accounts: one for e-commerce and applications I will conduct business with, and one for every other subscription.
So far I have twice dropped a previous “important email” when the spam became unmanageable.
It is a pain to overcome the intentional hurdles email providers have put in place to slow the transfer of email accounts and contact lists from one account to another.
I use a password manager and all my emails are registered with haveibeenpwnedDOTcom.
I’m relying on a third-party service for email aliases because of exactly that “+” problem, which actually doesn’t hide your original email address.
I’m using Simplelogin.io (https://simplelogin.io/) and I am very happy, but there also is https://anonaddy.com/, Firefox Relay and as you said Apple Hide My Mail.
The cool thing about Simplelogin is that I can use any address I want in front of my catch-all domain and addresses are just created on the fly. If I’m not happy with a service afterwards / get spam, I simply blacklist said alias and I’m good.
Thumbs up for anonaddy from me, as well.
As a plus, they support registering a public PGP key and they will fully encrypt any email they forward!
I use the free version of Abine’s Blur (abine.com) to define a temporary (no time limit) email address per website. Email to that address is forwarded to my real address with a tag of its origin. If I reply, the reply is sent via the temporary email address. If I tire of such emails, I simply cancel the temporary email address. The free version of Blur also stops some trackers. The paid version can run a masked credit card and phone. They’re good about answering inquiries, even for the free version. No, I don’t work for them.
Having stumbled head-long into non-compliant sites that explicitly rejected +*@ addresses in the late 1990s/early 2000s, I instead adopted a site@mydomain approach to supplying email addresses. It gets past all filters, and provides a much better hammer when beating down website breaches/sharing of addresses. If I get a site@mydomain email from anywhere that isn’t from *site*, I invalidate that address (potentially after changing it at *site*, if it’s someplace I care about continuing the relationship), which deals with the immediate problem. It also has the advantage that phishing emails claiming to come from *site* due to unpaid invoices or whatever to an address that isn’t site@mydomain are clearly not legitimate.
I pretty much *never* use my public-facing email address, if I can help it, since usually if I just dream up a new site@mydomain address, I can get to a system faster to create the address than any POS system can phone home and attempt to email me. Online, it’s a no-brainer to do it before a transaction is completed. In-person, I just bet their retail system is slower than my getting home. (Like here, I just created a new address that I’ll remember)
It’s an ongoing lesson with my spouse, who routinely mentions getting “past due” emails from some services we’re subscribed to, and my pointing out “that’s not the address we used for that service”. This is despite also getting told about services/banks neither of us are members of that *also* get alerts to the same addresses. Six of one, half a dozen of the other…
I have been using “disposable” email address for at least 15 years. I have something like 300 extant right now. I create a new email address for most every web interaction, such as this comment.
I use a service named spamex.com. The cost is $9.95/year for up to 500 email addresses, their UI for managing the email addresses, and the ability to send an attachment of up to 500kb. I use a Google email address to forward all incoming mail to. When I reply, that address gets stripped so it remains hidden. The big weakness with this service for me (besides their archaic UI) is the inability to email multiple people via one email.
I get very little spam. Almost none in fact. Since I am able to ID who got allocated any address, I know when one has gotten hacked, stolen or sold.
Over 15 years, I can say that the grand total of compromised email problems is only about 7, if memory serves. I consider that fairly low. But if all you are using is a single primary email address, then even one compromise is one too many.
Two were stolen and sold. One was apparently sold by the smalltime website operator. And four were sold/traded by the following websites:
– The Territory Ahead (a defunct clothing company)
– The Sierra Club (shared their dB with a local politician)
– The Smithsonian magazine company
– National Geographic magazine.
Don’t ever give these websites a real address as they will sell/trade it to others!
I have a dedicated domain for email, and I no longer use a catch-all wildcard address because all it takes is a spammer trying a dictionary attack against you to be inundated with spam for joe@example.com, john@example.com etc.
I use Postfix and wrote my own web-based tool to manage the list. At the moment I have 1469 aliases in it, including 183 that are now blacklisted for being compromised or for abusing trust and sending unsolicited email.
Like many others here I use a madeupname@mydomain.com whenever I need to sign up for something. I keep a list of these in a text file, along with answers to the security questions, which I also make up. The first big spammer I detected was LinkedIn.
I have used tagged email addresses since I started running my own mail server in the ’90s. It has allowed me to diagnose a data breach at several companies including Ameritrade (pre TD), Adobe and several others.
Most recently, it has given me some data regarding the Burger King blank order spams. The Burger King email came to my McDonald’s tagged email address sent by sendgrid.
If Brian Krebs is looking at this you might use this info to further dig into the story and get around any excuses Burger King might use to cover up what happened.
Brian,
This is another good reason to use a password manager like 1Password to track the email addresses you use on various websites.
– Sofa
A zillion years ago (1990s!) I started a separate email alias for all purchases, something like: bought@mydomain.com
Having a separate email alias for every site seems like WAY too much work. (Let’s concentrate on unique and excellent passwords instead!)
I only use my “real” email with actual people, as opposed to businesses and websites, etc. Well, I do also use it for pseudo personal correspondence like forums and doctor’s offices. Frankly, if someone wants my actual email address, it’s very easy to find.
I’ve had my domain and personal email since 1995… so I do get a lot of spam! Gmail does a GREAT job at zapping it all. Sadly, somehow I get most of my spam at my real address. I think it’s just because I’ve had it for so long.
I’d say, the alias “bought@” address has been great for sorting my email between actual personal correspondence and receipts and the like. But gmail is really the “spam filtering savior”.
If I was starting all over with a new domain in 2022, I might do 3 addresses: one personal, one for shopping, and a third for forums and social media. I might try harder to keep my “personal address” only for personal things and withhold it from social media and doctors and the like.
I wonder why you didn’t mention the much cleaner way to have aliases: have your own domain. If you’re signing up for facebook you can just use “facebook@”, for twitter “twitter@”, etc. The aliases are completely disjoint from your main address, probably ME@, and it is easy to remember and keep per-service aliases unique.
And even if you’re a gmail fan [I won’t go near it for various reasons] this works smoothly: you can just forward the email to your gmail account: set up a simple forward for facebook@ to forward to ME+facebook@gmail and get the same results with more anonymity.
I use anonaddy.com to make anonymous email addresses. All email flies over the net in the open, but once it gets to anonaddy it has the ability to encrypt it for the second leg of the journey to my real email at ProtonMail.com, where it stays encrypted unless I’m reading it.
By the way, when I signed up for my Medicare Supplemental Insurance, I gave the agent an alias address.
That was all well and good until I tried to set up an account on the insurance company’s website. As near as I can figure out, they do not handle e-mail with ‘+’ signs in the address and are apparently unable to do anything about it. They can’t even seem to change my e-mail address.
I have a similar issue with USA Today. I subscribed elderly Mom using a ‘+’ sign to my address. They automatically signed that address up to a daily news summary email. When I’ve tried to manage that subscription on the USA Today website, it won’t allow me to unsubscribe because it won’t accept the ‘+’ sign on that page, although they were happy to accept it on the subscription page! Grrrr.
For those that don’t know it, you can use the Apple Hide My Email system together with your own custom domain. There are some nice features available there. It allows you to transcribe existing addresses into that system, and later create new ones. It also allows it to be set up for an individual or a family of users.
I’ve actually never heard of this way of creating an alias. How is this “+” business any better than using a third party service to create aliases that don’t require special characters? It seems like it’s not.
If you have your own domain, e.g. @example.com, and your account is “main@example.com”, you can build better aliases by setting up a catch-all, such that krebsonsecurity.com-2022@example.com would go to main@example.com and you would know where it was from.
But, the best solution, in my view, is to use a password manager with dual factor whenever possible. You are going to get spam, does it matter that you know how they got it?
I own two domains that I use only for email and only for me and my wife. I create a new forwarding address for almost every website that we visit on a regular basis. The only exception is the email address I use to register product warranties. I have a specific naming standard for the forwarded emails that allows each email to be sent to unique email boxes, and the emails from the boxes are downloaded into Outlook. There, they are sorted and filtered through rules. Additionally, I keep multiple forwarding email addresses available that I consider completely disposable. I use those for special purposes (such as posting this comment), and if I get spam on them, I deactivate them. I’ve been doing the above for about 15 years, and spam, even on the completely disposable addresses, is exceedingly rare. A few weeks ago I got a spam email on my AT&T address that was a scam. It indicated that I had placed an order for something and had a number to call to dispute. At that time, I told my wife that most likely one of the companies that AT&T contracts to sell their service had been breached. Then the scammer tried my naming standard pattern on another company address, again with a number to call to dispute the order. I’m waiting to see what he or she tries next…
I have been using a unique email address for every site for the last 20 years. The main disadvantage is that if spammers get more than one of your email addresses you get multiple copies of their spam. Occasionally, some sites don’t like you using their name in your email address and seem to block choosing that email at registration. Also, if a site, like an e-learning site selling an online course, allows their customers to rebrand the entrance site but payment goes through the main domain, you can end up with a confusing set of email addresses and electronic purchases that you now must access via the correct email address. Having them under one email address would simplify this.
I have found cases where I started to get spam sent to a unique address before a breach was announced so I knew that my email address, and details, had been stolen. I usually change my address at that site and block the old address as soon as I notice. Quite often I just cancel my account at that site.
I also notice sometimes that my email address sometimes was passed on to a different company which then triggered me to investigate. Sometimes it was due to a rebranding, merger or acquisition. Occasionally, it was unexplained. I wonder if that company had acquired a mailing list from somewhere? I was expecting this to be more common but actually it is very rare especially more recently.
Having a catch-all address does also mean that spammers occasionally send stuff to random email addresses at your domain. richard@mydomain.com was pretty popular at one time but I blocked those if I notice that they are cropping up.
Overall it has been an interesting experience, but the benefits are hard to ascertain. I have used a password manager since before they were popular, so I have had a unique email and password for every site for almost 20 years. I guess that has protected me in ways that I will never know.
“The main disadvantages is that if spammers get more than one of your email addresses you get multiple copies of their spam.”
This is not a real disadvantage.
I use them when I can, but I’ve discovered that some providers either explicitly or implicitly don’t allow them. For example, some will say an email address with a “+” is invalid. In other cases (looking at you Duke Energy and Quest) I found that their websites don’t always function properly when you use an email address with a “+” in it.
I used to sign-up with a custom domain `sitename@example.com` but I felt that the domain registrar became a liability (I wouldn’t trust them to keep the domain alive and secure enough forever).
So I went back to +@ and there is only one disadvantage that is really painful: You can sign up with the address successfully in an online store, but you’ll not get transactional mails about your purchases. Apparently because one programmer did the sign-up form (allowing +) and another the email-sending-part (scraping +).
Also fun with hm.com recently where I signed up long ago with +@, suddenly I couldn’t login any more. Their login form rejected +, but the “lost password” function still allowed it. So I could reset my password but still not login. I spent almost an hour discussing this with their support team, who kept sending me helpful “reset your password” links 🙂
Important caveats
I found another explanation of having multiple email accounts. Aliases are only one approach.
https://defensivecomputingchecklist.com/MultipleEmailAddresses.php
I’ve been using Yahoo disposable addresses for years. They consist of a stable word with a variable second word. For example: stable-amazon@yahoo.com, stable-krebs@yahoo.com, stable-att@yahoo.com etc. I also have a simple algorithm for strong, easily remembered passwords.
Too many sites block “+” as invalid character in email addresses, or bugger up the URL encoding of forms, and they get translated to spaces.
It’s also way too easy for people to strip the aliases and just email the plain address. I’ve wondered if there’s a way of crafting mail rules for something like Google Workspace (where you can have multiple username aliases in addition to + suffix) to perhaps use a username with a + alias that rejects emails missing something following +
E.g. aliasmail@example.com == bounce
aliasmail+alias1@example.com == delivered
aliasmail+alias2@example.com == delivered
In general, we should always look for a solution that tries to respect the comfort of the user, in this case the use of email aliases is the most common for most people, so we should look for a different solution, more suitable for the current problems. For example, that the largest email providers have more specific policies regarding the creation of email names and an automation of multiple names for when you register on a site so that you do not have to remember what the name of user you used.
That may be a benefit of using “+*@” over what I do: if hackers see it, they scrub it. I host my own email, but every service I sign up for uses a forwarding address that redirects to my inbox instead. The one benefit my method has is that if I start getting spammed, I can simply delete that forward, and any email sent to it gets bounced back to the spammer; I refuse to use a catch-all address. I accidentally once signed up for something using an old iCloud email address, and every day 100+ spams were coming in, no matter how many rules I set up to block them or send them to trash. Up till that point, I never had the spam problems so many other people seem to have. I deleted it, and have barely had spam since then. I can go back to checking maybe once a week; most of the time there is nothing, rarely more than one or two. It’s now back to the case where I have to force myself to check it every so often.
Like most people, I use a throwaway email for shopping (this is where I get hit with ads and promotions) so that I can simply delete it. In situations where I made a purchase, I move the email to another account so I can pick up the package by showing my phone to the salesperson (saving paper).
I had a person who told me that he was nervous about providing email to businesses because of the spam; I told him to just create a throwaway email, as ISPs give customers the option to create subaccounts for that purpose.