Master of your mailbox: an email alias for every site you leave your address

Do you want more control over which mails end up in your inbox? Then every time you give out your email address at a site, use an alias specific for that url. It helps you to track where (and by whom) mail addresses are being used, and lets you filter or block unnecessary mails. Here’s how:

How to generate a limitless number of email aliases

There are two common ways to do this:

  1. If you have your own domain: use a catchall – this a mailbox that will “catch all” of the email addressed to @yourdomain.com, so any email address at the domain that doesn’t belong to another mailbox will end up in this default mailbox. Create email addresses like some-site-you-are-at.com@yourdomain.com.
  2. Use the “+” trick in Gmail: Gmail.com has the weird feature that youraccount+whatever@gmail.com ends up at youraccount@gmail.com (the plus is really a “+”). Create email addresses like youraccountname+some-site-you-are-at.com@gmail.com.

Greasemonkey userscripts to generate url-specific aliases with one keystroke

  1. Email Address Generator for your domain: inserts an email address like “the-site-you-are-at.com@yourdomain.com” when your press “F9”. You’re prompted for your own domain name the first time you use the script. Install the script.
  2. Email Address Generator for Gmail: inserts an email address like “youraccountname+the-site-you-are-at.com@gmail.com” when your press “F9”. You’re prompted for your Gmail account name (NOT your password ;-) !) the first time you use the script. Install the script.

You need the Firefox and Greasemonkey to install these scripts – check out this introduction on Greasemonkey if you had not heard of this great Firefox extension yet.

So what will it bring you?

Some examples of how this habit has helped me so far:

  1. Filter newsletters, notifications, updates (BACN) into folders or labels (or the trash bin) even if sender and subject change
  2. Find out from which marketing stunt some publisher got your mail address
  3. See which startup had its database end up somewhere it doesn’t belong
  4. Be able to prove that a trainee copied the customer database to start his own web shop (happened to a Belgian non-profit organisation)
  5. Block comment notifications when a blog post you commented at succumbs to comment spam (sometimes blog posts do not offer comment feeds but just email notification – I even go as far as making an email alias per posting then, e.g. by inserting a date: 20071009.somedomain@mydomain.com)
  6. Protect my mailbox: I was once stupid enough to include a contact email address in a php script, that got included in the popular Joomla software at some point in time, and got downloaded to hundreds of (virus-infected) computers… In the end, I had to ask my hosting provider to have the mails for this alias sent to the system trash immediately because I was flooded with virus mails…

Some more tips and caveats

  1. Don’t forget that even if you were BCC-ed in an email, you can find out via which alias it was sent to you by having a look at the email headers.
  2. The “Gmail trick” won’t work everywhere – some sites will refuse an email with “+” sign (or will refuse any Gmail address).
  3. The catchall solution is more powerful than the Gmail trick for yet another reason – you can create an actual account called somedomain.com@yourdomain.com:
    1. It will block these mails even from entering your Catch-all mailbox (make it bounce when the mailbox is full, or have the mails sent to trash… such as in the virus mails example)
    2. And it works also when you’re in BCC (see first remark in this list)
  4. Forget about a catch-all solution when you do not have an adequate spam filter (from SpamHuntress). I forward my Catch-all mail to Gmail, which has great spam filtering. Leave a comment if you have other solutions that work for you.
  5. With email addresses constructed this way, spoofing a sender is dead easy of course. As far as I know, it hasn’t ever happened to me (why would anyone do that?) but if you’re careful as Michael Boyd Clark is, you might use a something-cryptographic-of-the-domainname-you-are-at@yourdomain.com instead of domain-you-are-at@yourdomain.com.
    I don’t use it because you’d need to calculate the generated address every time you want to query for it (with the “from:” operator in Gmail e.g.).   And if you – like Michael does – use a hash (from which you cannot derive the originating domain name) you’d need to do some bookkeeping to make sure who’s address this was. Nevertheless, I might consider to rewrite the script so that it produces secret-hash-of-domainname.domainname@mydomain.com (making it both recognizable and impossible to make up).

Have more tips or ideas? Share them in the comments…

26 Responses to “Master of your mailbox: an email alias for every site you leave your address”

  1. Michael Clark Says:

    Hi, Your idea of adding the original domain to the hashed address is so obvious, thanks for pointing that out. I tweaked my script.

    The bookkeeping isn’t all that much, but you’re right, it is an extra step. And I’ve caught people abusing my email address. It’s too bad that no one cares, the FTC is impotent when it comes to privacy violations.

  2. Robin Wauters Says:

    Here’s a tip: don’t give out your e-mail addresses on websites :)

    I know it’s radical, but it IS a way to remain master of your mailbox

  3. Pascal Says:

    Robin, what did you just do on my site?

  4. Robin Wauters Says:

    Hehe, I didn’t say I was master of my mailbox, I’m just saying that it helps if you’re not as careless as me

  5. links for 2007-10-10 : 7 seconden Says:

    […] Master of your mailbox: an email alias for every site you leave your address Nifty! (tags: email tips) […]

  6. Pascal Van Hecke - Daily Links » 2007 » October » 09 Says:

    […] Master of your mailbox: an email alias for every site you leave your address want more control over which mails end up in your inbox? Every time you give out your email address at a site, use an alias specific for that url. It helps you to track where (and by whom) mail addresses are being used, and lets you filter or block mails. (tags: antispam, catch all, catchall, email, emailmanagement, gmail, greasemonkey, spam, userscript, userscripts) […]

  7. Gudrun Says:

    Been doing that for ages now, and yes, it works. I tend to block every single email address I get spam from (if I handed it out first)… Too bad for the company that I subscribed to in the first place.

    So yes, it’s a fine tip :-)

  8. links for 2007-10-10 « LamaZone Says:

    […] Master of your mailbox: an email alias for every site you leave your address great! thx pascal! (tags: tips email) […]

  9. marnik.org » links for 2007-10-10 Says:

    […] Master of your mailbox: an email alias for every site you leave your address Ik doe dat al lang op mijn domeinnaam, maar dat het bij Gmail kon wist ik niet. Gezien op 7seconden.be (tags: email tips catchall spam mail gmail domain trick) […]

  10. links for 2007-10-12 » The Gryphin Experience Says:

    […] Master of your mailbox: an email alias for every site you leave your address Beide tips kende ik eigenlijk al. Ik vergat ze wel toe te passen. Vooral dan de gmail-tip is wel handig. (tags: email spam tips gmail) […]

  11. Stockel1949 Says:

    Disposable, anonymous and free email address at http://www.yopmail.com

    YopMail is a temporary WebMail service (also called disposable email) allowing to Check anonymously all e-mail addresses like “@yopmail.com”.
    YopMail will help you to keep spam out of your inbox

  12. benjamin deauxver Says:

    I have tried but am unable to deduce information on what alias was used to reach me when someone BCCs me with one of my aliases. I look at the headers from Outlook 2003, and from comcast webmail (they are identical headers) and can never find my own email or alias. It troubles me, and I’ve found nobody else to confirm this behavior. Can you help me out? I could send you an example if it interests you. (a header example) ~Benjamin

  13. Michael Clark Says:

    Benjamin: It depends on how your mail server handles BCC. If it is running Postfix, there should be a header called “X-Original To” that will show what the address was. If you are running Sendmail, it won’t show you the address. Other mail servers may or may not embed the original recipient address.

  14. Pascal Says:

    Hi Benjamin,

    it is possible that your mail provider (Comcast) strips the “for:” header before dropping the mail in your mailbox (I have no clue either why some mail servers do that). Maybe you could do the comparison with another mailbox you have?

  15. benjamin deauxver Says:

    I tried just now sending a mail from my employer’s mailbox to my home mailbox at comcast, than I logged into webmail and checked the header.

    I had used only a BCC address with an alias that redirects to the comcast mailbox via a 3rd party email host that I also have (a different domain name than comcast) and the alias information was plainly visible. Thus it seems to invalidate the theory that comcast is stripping the To: headers. My third party email host is “webmail.us”, I haven’t done the experiment with them yet today….

    Occassionally I get email from spammers that has nothing in the TO: box, and I suspect all the recipients are in the BCC box. But the header yeilds absolutely no information about the alias that was used to reach me.

    Another group mailing list (from my wife’s church) comes to my mailbox every few weeks and the sender told me she uses BCC to send, and the same thing happens. I cannot tell what alias she is using to send them to me.

    I, too, have been using the “invent-an-email-address-on-the-fly” method for a couple of years now, and this worries me that I can receive an email and have no idea what address is the culprit.

  16. Pascal Says:

    OK strange… (I mentioned the “For” header and not the “To” header but I guess you meant the “For” as well…)
    In that case I do not have an explanation either…
    Maybe other people who land here via Google can help you out ?

  17. Pascal Says:

    Ah, found just now Michael’s (moderated) comment… maybe that helps.

  18. benjamin deauxver Says:

    Is the “mail server” you referred to the one used by the person sending mail, or the one used by the person receiving the mail? My Comcast mailbox has presented mails that both have, and don’t have, the information on the BCC receipient (obviously, only my own recipent information shows up!). So has, I beleive, my “webmail.us” mailbox shown both types of info.

    If this is dependent on the sender’s mail server, then that means it is indeed possible for spammers to flood your mailbox with all kinds of crap and that you might have absolutely no idea which of your 100s of email aliases is colleting all the garbage?!? Just speculating, but I continue to be disturbed by this issue. ~Benjamin

  19. Michael Clark Says:

    Hi Benjamin, I’m referring to the email server that receives the email. It is up to that server to deice what to do with a BCCed recipient email address. I have no idea how various web mail providers handle the problem.

    It’s also possible that any intermediate mail server (a mail service like a forwarder) might strip out any headers, although they still have to keep the ultimate recipient in mind since they are forwarding the mail.

    Figuring out who is selling my email address is a huge reason why I run my own mail server. It allows me to ensure that the original address email was sent to will be in the headers.

  20. Tom Jarvis Says:

    Pascal,

    This is exactly how I have been running my mailbox, and it works really well. However recently I have changed from IMAP or POP based email to having a Hosted Exchange solution.

    It seems that the advice above used to be industry standard advice when email was something that could be trusted. However now as most email is unwanted spam, the industry are stopping catch-all addresses, especially on Hosted Exchange services.

    I’m getting to the point where I am having to redesign my mailbox, so that I have an “untrusted” box, and then create aliases for new trusted boxes. So that I can then dump any alias which starts spamming me.

    It’s a bit of a pain though, as the aliases have to be created in advance before the address will work! Especially as I use to just sign up on a site and create a random email address!

    Best Regards

  21. Maxime Says:

    Hi Tom, you hosted exchange provider should provide you with a selection of spamfiltering solutions, please inform!

    Regards!

  22. Michael Melen Says:

    I really enjoyed this post (not that I didn’t enjoy the others as well ;) )- nice work man.

  23. Ben the cs reapz Says:

    Tried it with no success. you might wanna split the code in two, the injector isnt working.

  24. designer Says:

    Thanks for sharing these usefull informations.

  25. Amedee Van Gasse Says:

    The + trick isn’t specific for Gmail, it’s a default feature of Postfix (and other mail daemons too, I guess).
    I have reconfigured my Postfix to use – in stead of +:

    recipient_delimiter = –

    @Benjamin: it is easy to forge email headers. The SMTP protocol has not security whatsoever. A spammer can put anything in the To and From headers. The only thing that matters for a mail server, is the RCPT TO command. That’s not sometjing you always see in your mail headers, most of the times you only see it in the logs of your mail server. Very difficult to debug if you don’t run your own server.
    Just Google for “smtp telnet” for more info.

  26. whmcs themes Says:

    Very classy looking ! Great idea, love it !