Aren't catchall aliases self defeating? - Page 2

n5bb · 16 Mar 2023, 08:59 AM

Quote:

Originally Posted by TenFour

One problem I have encountered is that I use an alias, and then someone responds to the alias, but I don't have my email set up to respond using that particular alias, then their system blocks the email address I am using for responses because it is an unknown address.,,,

An example is when using groups.io. If you subscribe to several groups.io groups, you need to use the same login email address with all of them so you can see all of your groups.io accounts with one login. But if you use a different email address for direct email and that conversation gets a groups.io group address added, then when you reply to that thread you might be using the wrong alias and the message won’t be delivered to the groups.io group.

Bill

JeremyNicoll · 16 Mar 2023, 10:15 AM

Quote:

Originally Posted by pjroutledge

Most annoying experience (problem) I've had with aliases occurs when multiple correspondents who I've given different aliases start to get involved in an email chain.
They start to notice that I'm using different email addresses.

And, if close personal associates are involved, such as family members, they will often use and reveal a real email address to a correspondent that I preferred not to give it to.

I've had something similar, also when a legal matter was being discussed. However, none of the people involved had my "real" email address; all of them had individual addresses I'd assigned to each of them, supposedly unique to them. Traffic coalesced onto one of those addresses which I ended up just regarding as "the project email address".

JeremyNicoll · 16 Mar 2023, 10:24 AM

Quote:

Originally Posted by TenFour

One problem I have encountered is that I use an alias, and then someone responds to the alias, but I don't have my email set up to respond using that particular alias, then their system blocks the email address I am using for responses because it is an unknown address...

At the moment I use webmail systems that aren't versatile enough for this, but before that I used a standalone email client which allowed one to define filters which could act on outgoing messages (before they got sent).

I have a naming convention in the many different addresses I use, so that eg addresses used for listserv-run mail lists look different from other sorts of mail lists, and they all look different from eg addresses for personal friends, banks, utility companies etc. I set up various filters that would eg not let an email that was being sent from one of my listserv addresses to anywhere other than a listserver.

Once in a blue moon if I did want to send a personal mail to one or a handful of people outwith the listserv, I'd temporarily disable the rule, send the mail, and immediately re-enable it.

**CyberSmurf** · 16 Mar 2023, 11:04 PM

Recently internic.ca changed their email hosting. They no longer have catch-all, but they do allow 50 aliases on a mailbox.
In many ways this is preferable to me. I can easily add or delete an alias, and I don't have to worry about getting mail where someone got the TLD wrong.

janusz · 16 Mar 2023, 11:30 PM

Is internic.ca a self-contained email provider (like Gmail, Fastmail &c) or it's basically an ISP with email available only to its customers?

**CyberSmurf** · 17 Mar 2023, 12:56 AM

Internic.ca is a domain registrar in Canada.
They also provide hosting for webpages and/or email.

SideshowBob · 28 Mar 2023, 05:08 AM

I wouldn't create a domain catchall with the intent of using it. I have one to allow for addresses I may have given out years ago. It may also help with address typos.

I don't get any spam to my catchall, but it would be easily dealt with if I did and I can turn the catchall off at any time.

TenFour · 28 Mar 2023, 05:26 AM

I'm going to test out a catchall with a domain I use fairly regularly and see what happens.

SideshowBob · 28 Mar 2023, 06:01 AM

Quote:

Originally Posted by TenFour

I would find SpamGourmet or infinite aliases would require too much thinking on my part when giving out email addresses. For example, I have no idea how many emails I want to allow from some service when I first use that service. The other day I had to log into an important government website...

I haven't used SpamGourmet recently, but when I did, I only used it for inconsequential things that needed a temporary email address. Just use a little common sense.

Avion · 28 Mar 2023, 03:25 PM

Quote:

Originally Posted by TenFour

I'm going to test out a catchall with a domain I use fairly regularly and see what happens.

Something to bear in mind, if your test domain has been previously registered by someone else, they've let it drop, and then you've registered it.

You may get some e-mails that the previous owner of that domain had signed up for.

TenFour · 28 Mar 2023, 08:01 PM

My test domain is unique and I created it, so no worries about old addresses other than ones I may have created in the past and abandoned. Frankly, I suspect it will attract very little spam, but I am curious to see how many random email addresses pop up and from whom. So far nada.

janusz · 29 Mar 2023, 03:15 AM

Quote:

Originally Posted by Avion

if your test domain has been previously registered by someone else, they've let it drop, and then you've registered it.

You may get some e-mails that the previous owner of that domain had signed up for.

Then it's the previous owner's problem, not yours.
It's the same when you move house and at new address keep receiving snail mail for the previous occupier.

j_b · 15 Jun 2023, 03:25 AM

I have another strange use of catch-all. I have a mydomain.tld custom domain that I'm not using, so I just put a catch-all email forward on it.

Since late 2021 or so, I have regularly received notifications from Google/Gmail that some random abc12345@gmail.com account has decided to use an equally random recovery email xyz67890@mydomain.tld. The handles always look very spammy.

At first I just ignored the notifications, however as these notifications accumulated, out of curiosity I decided to take over some of these Google accounts, since after all I own their recovery emails. It's not too difficult as none of these accounts is 2FA protected, none has a telephone # attached, however when an account is still logged-in on a phone, I have been unable to take it over as Google's recovery process insists on sending a prompt or sms to that phone as well.

In any case I have been able to take over many of these spammy Google/Gmail accounts, and they are ...weird. Some are new, some are 3-4 year old. Some were created in East/South Asia, some in the US (based on chosen language, last login location when available, and browsing & Youtube history when available). A few were used to send out weird spammy emails (but not the kind of blatant spams that you usually get in Gmail Spam folder, rather emails containing incoherent sentences and words lumped together, sent to many other similarly spammy @gmail.com addresses). A few also have some equally weird Sheets/Docs/jpg files in Google Drive. Most however are nearly empty of any content. And I have not seen anything looking remotely like real, personal Gmail emails or content.

Now the question is: why do the (presumed) spammers create these Google/Gmail accounts then "give them away" via the recovery emails ? What is the purpose of the weird emails they sometime send out using these accounts ? I have also never seen anyone trying to reclaim these accounts (presumably lost to them now that I control them), as I have had no notification of attempted recovery, no mail asking for return of the account (something I would not mind doing as I have no interest in owning these random Gmail accounts with random worthless handle), etc.. Prior to writing this (long) post, I tried to access again some of these accounts, and a few have been blocked by Google infamously strict access/recovery control ("suspicious login", "account disabled", etc..) which obviously I won't bother to recover.

n5bb · 15 Jun 2023, 12:40 PM

I suggest that you check to see if there are other registered domains similar to yours but with a different TLD. for example, I own a custom .net domain, and that same name is owned by others at the .com, .org, and other top-level domains. I receive accidental emails all the time to unknown persons who must have an email account at a different TLD.

So it’s possible that the owner is accidentally using the incorrect TLD or that their domain name is otherwise similar to yours and they are just making a typo. If they are automating the process, the automation script might be accidentally targeting your domain in this manner.

When people are doing actions on a large scale, a few mistakes don’t always get noticed by them. It’s also possible that one scammer is trying to take control of some junk Gmail accounts that another scammer set up, and is making a typo when entering the recovery domain.

Bill

j_b · 16 Jun 2023, 06:56 AM

Hi Bill

mydomain is my surname, a very common surname, on a gtld, that I got (by chance) more than 2 decades ago when there were only 5 accessible gtlds (com net org info biz). So yes it is theoretically quite possible that the whole thing was/is accidental...
... however I doubt this very much, as I think on the contrary it is quite deliberate, because

- this is no one-off mistake, they have been using <whatever>@mydomain.tld as recovery emails for almost 2 years now, for over 30 or so Google accounts, so they must by now be aware that they have lost control of a few of those, and thus make correction to their script (if they use one) to correct the mistake. I just received the latest recovery email notification from Google no later than earlier this week.

- the handles xyz67890 are never the same, each is always unique / used only once, very long, combining characters and digits, very spammy-looking.

- quite a few of these Google accounts are newly created, with recovery email set (presumably for the 1st time) directly as xyz67890@mydomain.tld, so disproving the theory of someone taking over an existing account and resetting recovery email. I know these are newly created, because I could see the Welcome to Google email in their Inbox with the date & as well as the browing history.

These people know that mydomain.tld has a catch-all (very easy to guess if they look up my DNS MX records), and I strongly believe they set their recovery emails (but never with the same handle twice) as @mydomain.tld deliberately, not accidentally. But for what purpose..?

16 Mar 2023, 11:04 PM	#19
CyberSmurf Moderator Join Date: Nov 2001 Location: British Columbia Posts: 4,011	Recently internic.ca changed their email hosting. They no longer have catch-all, but they do allow 50 aliases on a mailbox. In many ways this is preferable to me. I can easily add or delete an alias, and I don't have to worry about getting mail where someone got the TLD wrong.

16 Mar 2023, 11:30 PM	#20
janusz The "e" in e-mail Join Date: Feb 2006 Location: EU Posts: 4,944	Is internic.ca a self-contained email provider (like Gmail, Fastmail &c) or it's basically an ISP with email available only to its customers?

17 Mar 2023, 12:56 AM	#21
CyberSmurf Moderator Join Date: Nov 2001 Location: British Columbia Posts: 4,011	Internic.ca is a domain registrar in Canada. They also provide hosting for webpages and/or email.

28 Mar 2023, 05:08 AM	#22
SideshowBob Essential Contributor Join Date: Jan 2017 Posts: 278	I wouldn't create a domain catchall with the intent of using it. I have one to allow for addresses I may have given out years ago. It may also help with address typos. I don't get any spam to my catchall, but it would be easily dealt with if I did and I can turn the catchall off at any time.

28 Mar 2023, 05:26 AM	#23
TenFour Master of the @ Join Date: Feb 2017 Location: USA Posts: 1,740	I'm going to test out a catchall with a domain I use fairly regularly and see what happens.

28 Mar 2023, 08:01 PM	#26
TenFour Master of the @ Join Date: Feb 2017 Location: USA Posts: 1,740	My test domain is unique and I created it, so no worries about old addresses other than ones I may have created in the past and abandoned. Frankly, I suspect it will attract very little spam, but I am curious to see how many random email addresses pop up and from whom. So far nada.

15 Jun 2023, 03:25 AM	#28
j_b Junior Member Join Date: May 2018 Posts: 13	I have another strange use of catch-all. I have a mydomain.tld custom domain that I'm not using, so I just put a catch-all email forward on it. Since late 2021 or so, I have regularly received notifications from Google/Gmail that some random abc12345@gmail.com account has decided to use an equally random recovery email xyz67890@mydomain.tld. The handles always look very spammy. At first I just ignored the notifications, however as these notifications accumulated, out of curiosity I decided to take over some of these Google accounts, since after all I own their recovery emails. It's not too difficult as none of these accounts is 2FA protected, none has a telephone # attached, however when an account is still logged-in on a phone, I have been unable to take it over as Google's recovery process insists on sending a prompt or sms to that phone as well. In any case I have been able to take over many of these spammy Google/Gmail accounts, and they are ...weird. Some are new, some are 3-4 year old. Some were created in East/South Asia, some in the US (based on chosen language, last login location when available, and browsing & Youtube history when available). A few were used to send out weird spammy emails (but not the kind of blatant spams that you usually get in Gmail Spam folder, rather emails containing incoherent sentences and words lumped together, sent to many other similarly spammy @gmail.com addresses). A few also have some equally weird Sheets/Docs/jpg files in Google Drive. Most however are nearly empty of any content. And I have not seen anything looking remotely like real, personal Gmail emails or content. Now the question is: why do the (presumed) spammers create these Google/Gmail accounts then "give them away" via the recovery emails ? What is the purpose of the weird emails they sometime send out using these accounts ? I have also never seen anyone trying to reclaim these accounts (presumably lost to them now that I control them), as I have had no notification of attempted recovery, no mail asking for return of the account (something I would not mind doing as I have no interest in owning these random Gmail accounts with random worthless handle), etc.. Prior to writing this (long) post, I tried to access again some of these accounts, and a few have been blocked by Google infamously strict access/recovery control ("suspicious login", "account disabled", etc..) which obviously I won't bother to recover.

15 Jun 2023, 12:40 PM	#29
n5bb Intergalactic Postmaster Join Date: May 2004 Location: Irving, Texas Posts: 8,929	I suggest that you check to see if there are other registered domains similar to yours but with a different TLD. for example, I own a custom .net domain, and that same name is owned by others at the .com, .org, and other top-level domains. I receive accidental emails all the time to unknown persons who must have an email account at a different TLD. So it’s possible that the owner is accidentally using the incorrect TLD or that their domain name is otherwise similar to yours and they are just making a typo. If they are automating the process, the automation script might be accidentally targeting your domain in this manner. When people are doing actions on a large scale, a few mistakes don’t always get noticed by them. It’s also possible that one scammer is trying to take control of some junk Gmail accounts that another scammer set up, and is making a typo when entering the recovery domain. Bill

16 Jun 2023, 06:56 AM	#30
j_b Junior Member Join Date: May 2018 Posts: 13	Hi Bill mydomain is my surname, a very common surname, on a gtld, that I got (by chance) more than 2 decades ago when there were only 5 accessible gtlds (com net org info biz). So yes it is theoretically quite possible that the whole thing was/is accidental... ... however I doubt this very much, as I think on the contrary it is quite deliberate, because - this is no one-off mistake, they have been using <whatever>@mydomain.tld as recovery emails for almost 2 years now, for over 30 or so Google accounts, so they must by now be aware that they have lost control of a few of those, and thus make correction to their script (if they use one) to correct the mistake. I just received the latest recovery email notification from Google no later than earlier this week. - the handles xyz67890 are never the same, each is always unique / used only once, very long, combining characters and digits, very spammy-looking. - quite a few of these Google accounts are newly created, with recovery email set (presumably for the 1st time) directly as xyz67890@mydomain.tld, so disproving the theory of someone taking over an existing account and resetting recovery email. I know these are newly created, because I could see the Welcome to Google email in their Inbox with the date & as well as the browing history. These people know that mydomain.tld has a catch-all (very easy to guess if they look up my DNS MX records), and I strongly believe they set their recovery emails (but never with the same handle twice) as @mydomain.tld deliberately, not accidentally. But for what purpose..?