Aren't catchall aliases self defeating?
 

I received an email this afternoon touting the new Skiff feature allowing catchall aliases if you use your own domain. As I understand it the desire for a catchall is to allow you to create an infinite number of aliases on the fly so you can use a different one whenever needed in order to protect your account from spam and phishing attacks. Makes it easy to block that one alias. But, doesn't the catchall just continue to vacuum up any email sent to that domain? In other words, you can filter out the alias in your own email inbox but it won't really be blocked. This seems to me like a huge waste of time. Why not just limit the aliases in the first place to a few that you actually care about. Sure, you might get some spam to the alias, but you can still block that sender in a lot of email services. I have a nice little block list in Gmail that works perfectly. Educate me. What's the advantage of using catchalls?

Didn't you answer your own question?

But, what is the point of doing that? It will just generate more spam and junk email than using a single address (or a handful of addresses) for everything, and make it more complicated to manage.

It's not just for creating an infinite number of aliases, and not just about managing spam.. It's also good for creating a few addresses (10-20) in each domain without having to mange each one separately.
Most of my aliases get very little spam, or non at all. It's easier to leave everything open and close only what's needed than to keep track and manage every little address I decided to use some time in the past 20+ years.
I don't know how skiff works, but in Fastmail if I have a catchall alias that accepts mail, and I create a specific alias and disable it, then mail to the specific alias would be blocked, meaning any legitimate sender would get a message created by their own system that their message was undeliverable.

But, then don't you receive emails sent to all sorts of generic addresses at your domain like admin@, info@, support@, abuse@, etc.? Or, even just anyname@. You probably don't want to block those, do you?

I received about 150 of these during the past 20 years. I think I have a rule to automatically file those into a folder named spam.generic (and if they don't get there then I manually put them there). I also have messages that are detected by Fastmail as false non-delivery messages (that is non-delivery messages for messages with my addresses as a forged sender) that are automatically filed into a folder named spam.joejob. I have almost 1000 messages from the past 20 years in that folder. They usually come in batches so it's not more than one or two incidents a years. So I could actually live without those filing rules but they're already there and it's a bit more convenient with them.

Experience with personal domain catchall aliases
 

I have had a similar experience to Hadaso with my personal domain hosted at Fastmail. Although I occasionally receive fake “we have obtained control over your account” phishing scam messages sent to administrative addresses, these are nearly always caught by the Fastmail spam filter. Of course, I can’t block the administrative addresses, since all domains SHOULD read messages sent to those addresses as specified by the ICANN rules for domains. Nearly all the random junk I receive to odd addresses is sent to “foo” or similar well-known aliases which I happen to control at my domain or Fastmail owned domains. Years ago I noticed some dictionary spam (random words used as the username at my domain), but these are very rare now.

Most unresolved messages caught by my catchall alias acceptance seem to be due to mistakes by others. My personal domain is “.NET” and there is a university and private company in the UK with my name at other TLD’s (such as .COM or .EDU). So people accidentally enter my .NET domain on a form or other communication, and I start getting messages from a university intended for a student or I get inserted into a random email thread because of such a mistake. In most cases I am unable to get the university (or others) to remove my address, so I eventually block that one address for a while (as Hadaso described).

I just realized that the current Fastmail setup screens allow me to file received messages sent to addresses caught by the catchall (but not with a specific alias I created) to a folder. So I just created a “wildcard” folder/label and will see how many messages actually arrive based on my domain wildcard. But spam and other rejection rules might prevent some of those from arriving, so I may go back and try disabling all rules (and custom sieve) which blocks certain addresses.

This is a topic which is very dependent on personal experience. As Hadaso points out, since Fastmail users can block a specific address at the SMTP stage (accepting the email at the incoming server) and also via sieve rules (automatically or manually written), we can rather easily block spammers who pick on certain addresses.

Bill

So, what is the compelling advantage for you using a catchall?

I have my own domain and it is a catchall. That benefits me in the same way that a service such as Spamgourmet does in that I can create an email userid 'on the spot', usually at a store or something. I almost exclusively use Spamgourmet for newsletters and such. In the more than two decades that my domain has been active, I have received no spam to it, other than to an email address that I gave to a friend or family member.

I was under the impression that a catch-all wasn't originally intended to catch aliases created on the fly, but was to ensure delivery of

• incorrectly addressed emails (eg 'mike@example.com' instead of 'michael@example.com') where the domain name is correct
• generic email addresses (eg 'webmaster@example.com', 'sales@example.com', etc)

Using catch-alls for aliases created on the fly just seems to be a handy exploitation of the original idea.

I would find SpamGourmet or infinite aliases would require too much thinking on my part when giving out email addresses. For example, I have no idea how many emails I want to allow from some service when I first use that service. The other day I had to log into an important government website and it resulted in something like a dozen emails to my inbox in a few minutes due to the elaborate and convoluted security precautions. Maybe I am just lucky but using ordinary consumer Gmail I rarely receive any spam or phishing messages in my actual inbox. If I look at the spam folder I probably get one a day or so, but Gmail takes care of isolating them and I have to do nothing.

I have a domain hosted somewhere other than Fastmail, and it accepts emails to any address. I don't have to "register" online any of the specific addresses that I hand out to various companies.

At Fastmail I - so far - do not have a domain but instead have about a dozen of their FM-owned addresses as aliases of my single FM account) and it's annoying to have register those. It's partly why I only have that dozen or so defined, rather than (at the other place) hundreds of in-use addresses. The other reason is that the FM addresses are (obviously) not at my domain so I use them mainly for mail-lists etc where I don't need to have obviously personal addresses in use.

Yes, I get spam to a handful of the non-FM addresses, and also quite a lot to message-ids (which some spammers think are email addresses). But filters route the valid mails to valid folders and leave the other stuff to be deleted after eyeballing it to MAKE SURE that nothing misaddressed is being deleted by accident.

I do get emails from friends who persist in misspelling the local part of (whatever I told them to use as) my address. It doesn't matter how often I tell them, they don't seem to be able to fix that.

I do also (at the non-FM) place have a couple of subdomains set up with separate handling of email for them. I have thought about being creative with defining and deleting subdomains (on, maybe, a year by year basis) so that truly throwaway addresses that I do not expect to get traffic for in future can be handed out for a subdomain that will, in a year or two, cease to exist. But so far it's not been worth the hassle.


My attitude to spam changed when I ceased to use a dial-up modem to collect email, and started to use an always-on broadband connection. It's always easier to receive everything and filter it (in an email client, or - even with webmail - on the server). That way nothing genuine is likely to get deleted. NONE of my filters delete anything; they just route valid emails to one set of folders and leave the rest (in the Inbox) to be inspected.

Obviously, we can each do what works best for us! Another part of my thought process to limit the number of email addresses and services I utilize is to reduce the treasure hunt project for those that will be around after I am gone. I have witnessed this problem with a couple of my close friends. Often the remaining spouse or significant other has been clueless as to the arcane digital systems used by the one who has gone and tracking everything down and gaining access, or even understanding what is happening, is a difficult and long process.

Most annoying experience (problem) I've had with aliases occurs when multiple correspondents who I've given different aliases start to get involved in an email chain.
They start to notice that I'm using different email addresses.
And, if close personal associates are involved, such as family members, they will often use and reveal a real email address to a correspondent that I preferred not to give it to.

An example: I recently engaged a legal firm for a particular job and used an alias. Later, I had to get my siblings - who use my real email address - involved in the issue and as the various emails circulated my real email address was revealed to the law firm.
No real harm done, but some confusion among the various parties, and if it had not been that particular law firm I might have been more annoyed about my real email address having been revealed.

Can't complain though, it seems to be a frequent consequence of using aliases and it's something I cause myself and have to manage. :)

One problem I have encountered is that I use an alias, and then someone responds to the alias, but I don't have my email set up to respond using that particular alias, then their system blocks the email address I am using for responses because it is an unknown address. Some people have very tight spam filters that basically only allow emails from known contacts, so if you send from something different than the original alias used you get blocked. Maybe just coincidence, but this has mostly happened to me with businesses I was doing paid work for, so resulted in embarassing delays and communications to reestablish communications about paid projects. Has happened to me more than once and has made me gun shy about using one-off aliases that I don't utilize as full-on send and receive email addresses.