On Mon, 2005-01-31 at 10:18 +0000, Mark Rogers wrote:
> companyOrMailingListName@yourdomain.com.
I actually recommended yourusername-companyOrMailingListName@yourdomain. Like Wayne mentioned, spammers often try dictionary attacks against your MTA, and if you accept anything@yourdomain, you can't easily block those. If you use a static prefix, you can filter all the others out at the SMTP conversation stage.
> Has anyone actually found any vaguely reputable website or mailing list that has sold an address on?
Canon UK has sold/leaked my email address, as has cec.co.uk; now it appears to be exclusively used by spammers. Even if Canon did send some legitimate mail, I no longer care if I get it; it's probably only marketing material anyway.
Hint to Canon: if you better protected your customers' privacy, you might improve your customers' willingness to receive your emails.
> The difficulty in using the suggested strategy is that when you return to the site later (eg to buy add-ons for your Canon camera) you have to remember which email address you used when you first visited. I find that near impossible given the number of sites I work with.
I tend to use the domain name, minus .com/.co.uk, that makes things easy to remember. Of course that does mean people can easily guess and forge.
> If the pain has some gain, of course, that would make sense. But does it?
The nice thing is that it provides a really cheap filtering method; email to such address gets discarded at the smtp conversation stage, (postfix smtpd_recipient_restrictions) before incurring the cost of running my spam content filters.
This method also makes it trivial to filter mailing list email into separate folders, rather than scanning for headers, which might change if the provider changes mailing list software. This does mean that if you get spam sent directly to you, and it evades your spam filtering, it may end up in your mailing list folder, even though it wasn't sent to the mailing list. That's happened a couple of times with my alug address.
It also provides some protection against phishing: if I get email from "my bank", and it's not to myusername-mybank@mydomain, I know for sure it's yet another phishing attempt.
Hint to online banks/services: If you allowed your customers to register a pgp key and send/receive signed/encrypted email, they would be less likely to fall victim to fraud.
[It goes without saying, I hope, that anywhere that is publicly archived should be treated with more caution. Mailing lists, news groups, contact addresses on websites (unless spam-blocked in some way), etc.]
Public bug databases for open source projects also appear to be harvested for addresses a lot. So if I contribute to a bug, I might allow those emails through for a while, then go back to discarding them.
I've been using this method for a couple of years now, and it hasn't been too much of a bother. Previously I experimented with time-limited and challenge-response mechanisms (like http://tmda.net/), and found that too much of a pain (it failed the Mum test).
I did once run into a bit of hassle: I sent mail to letterland.com, and before they were prepared to answer the issues I raised, they started getting all defensive about my use of their copyright/trademark in my email address, apparently thinking that I was somehow trying to impersonate them or whatever. So I had to educate them. :)
All in all, I find it a useful tool.
-- Martijn
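As an added example (not code from Martijn's message, nor from Postfix itself), here is the recipient-side policy the thread describes, written as the decision logic of a Postfix SMTPD policy service: a static prefix so that dictionary attacks on anything@yourdomain are rejected during the SMTP conversation, per-tag folder routing instead of header sniffing, tags revoked once an address leaks, tags opened temporarily for something like a public bug tracker, and the "is this really from my bank" check. The user name, domain, tags, sender domains and dates are constructed for illustration; the request/response framing follows Postfix's documented policy protocol (SMTPD_POLICY_README).

```python
"""Recipient-tag filtering as a Postfix SMTPD policy service (added example).

Postfix can hand a restriction to an external policy service with
check_policy_service: it sends "name=value" lines ending in a blank line and
expects "action=..." back, also ending in a blank line (SMTPD_POLICY_README).
The user name, domain, tags, sender domains and dates below are constructed.
"""
import re
from datetime import date

LOCAL_USER = "myusername"               # the static prefix every real address carries
MY_DOMAIN = "mydomain.example"          # assumed domain
ALWAYS_LOCAL = {"postmaster", "abuse"}  # untagged role addresses still accepted
EXAMPLE_DAY = date(2005, 2, 1)          # "today" for the demonstration run

# tag -> folder it is filed into (constructed); None means plain INBOX
ACCEPTED = {"alug": "lists/alug", "mybank": "finance", "letterland": None}
# tags whose address has leaked and is now discarded at RCPT TO time
REVOKED = {"canon", "cec"}
# tags opened for a while (e.g. a bug tracker); accepted up to and including the date
TEMPORARY = {"bugzilla": date(2005, 3, 1)}
# sender domain -> the tag that genuine mail from there must be addressed to
KNOWN_SENDERS = {"mybank.example": "mybank"}

TAGGED_RE = re.compile(r"^(?P<user>[^@\s-]+)-(?P<tag>[^@\s]+)@(?P<domain>[^@\s]+)$")


def split_tagged(recipient):
    """Return (user, tag, domain) for user-tag@domain, or None if untagged."""
    m = TAGGED_RE.match(recipient.strip().lower())
    return m.groups() if m else None


def decide(recipient, today):
    """Verdict for one RCPT TO address: 'DUNNO' (let later restrictions decide)
    or 'REJECT <text>'. This runs before any content filter, so rejected
    dictionary-attack and leaked-address mail is never scanned at all."""
    addr = recipient.strip().lower()
    local, _, domain = addr.rpartition("@")
    if domain != MY_DOMAIN:
        return "DUNNO"                      # not ours; relay control lives elsewhere
    if local in ALWAYS_LOCAL:
        return "DUNNO"
    parts = split_tagged(addr)
    if parts is None or parts[0] != LOCAL_USER:
        return "REJECT No such user here"   # anything@yourdomain is not accepted
    tag = parts[1]
    if tag in REVOKED:
        return "REJECT Address no longer in use"
    if tag in ACCEPTED or (tag in TEMPORARY and today <= TEMPORARY[tag]):
        return "DUNNO"
    return "REJECT No such user here"


def folder_for(recipient):
    """Maildir folder for an accepted address, chosen by tag rather than by
    List-Id headers that change whenever the list software changes."""
    parts = split_tagged(recipient)
    if parts is None or parts[0] != LOCAL_USER:
        return "INBOX"
    return ACCEPTED.get(parts[1]) or "INBOX"


def suspicious_sender(sender, recipient):
    """True when mail claiming to come from a known service is not addressed
    to that service's tag: the usual shape of a phishing attempt."""
    expected = KNOWN_SENDERS.get(sender.strip().lower().rpartition("@")[2])
    if expected is None:
        return False
    parts = split_tagged(recipient)
    return parts is None or parts[1] != expected


def parse_policy_request(text):
    """Parse one policy request: "name=value" lines, a blank line ends it."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def handle_request(text, today=None):
    """Full policy round trip: request text in, 'action=<verdict>' plus blank line out."""
    attrs = parse_policy_request(text)
    verdict = decide(attrs.get("recipient", ""), today or date.today())
    return f"action={verdict}\n\n"


# constructed request, shaped like what Postfix sends at RCPT TO time
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sender=alerts@mybank.example\n"
    "recipient=myusername-mybank@mydomain.example\n"
    "client_address=192.0.2.10\n"
    "\n"
)

if __name__ == "__main__":
    for rcpt in ("myusername-mybank@mydomain.example",
                 "myusername-canon@mydomain.example",
                 "myusername-bugzilla@mydomain.example",
                 "sales@mydomain.example"):
        print(f"{rcpt:45} {decide(rcpt, EXAMPLE_DAY)}  folder={folder_for(rcpt)}")
    print(handle_request(SAMPLE_REQUEST, EXAMPLE_DAY), end="")
```

To plug this in, the decision would be served from a socket loop and listed in main.cf after reject_unauth_destination, e.g. `check_policy_service unix:private/tagpolicy` (the service name is an assumption). Note that suspicious_sender only helps when the phisher spoofs the bank's domain; the stronger signal in practice is the recipient tag itself, which the phisher does not know.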