Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is A Catch-All Address Worth The Spam?

Posted by timothy on from the so-much-trouble-in-the-world dept.

wildzeke writes "I plan on switching Internet providers this summer to get a faster speed. Since losing an email account is the biggest pain when switching providers, I decided to pay the extra money to have email for the domain I registered. One of the options provided is to make one of your email accounts a catch-all account. In other words, any email sent to this domain with out a valid user name, will be dumped in the catch-all account. The question I have, is this a good idea or not? On one hand, it may catch important email such as admin, or postmaster or simply mis-typed user name. On the other hand, the catch-all will open the flood gates to spam who will send to [all user names in the world]@domain.com."

36 of 579 comments (clear)

  1. No brainer by tarquin_fim_bim · · Score: 4, Insightful

    If the mail is from an intelligent human being they will generally conclude from the returned mail that they have erred, and readdress it accordingly. In the event of any other outcome you are probably better off not receiving the mail.

    1. Re:No brainer by Anonymous Coward · · Score: 2, Insightful

      Having worked end-user tech support, I think you're overestimating the intelligence of the average email user :)

      You'd be surprised at the sheer volume of users who invert a couple of letters or add a space in the middle of the address, and then *insist* that it's spelled correctly, and something must be wrong with our server for not delivering the mail properly to some random domain (not hosted by us). And yes, if they don't believe us over the phone we get them to forward the bounce message to us so we can confirm that.

      So, if the concern is old Mrs. Pepperpot isn't going to remember the proper address to type and may in fact enter it into her email address book incorrectly, that's actually a pretty fair assumption.

    2. Re:No brainer by studerby · · Score: 4, Insightful
      I don't think it has anything to do with intelligence, per se. I've seen an MD/PhD with an annual reseach grant total of $100 million struggle with this; I had to go to train his office manager on how to update his mail aliases, 'cause the mail client he liked was funky. If it wasn't in his alias list, and therefore clickable, he'd fubar it about 10% of the time and force the manager to fix it right now , 24/7, and he never understood anti-spam obfuscation (his staff filtered his incoming email for him).

      His time was very valuable and he just wanted it to work.

      Of course, the odds are good that nearly 50% of the people out there are of below-average intelligence, so any plan has to deal with both ends of the bell curve.

      --

      .sig generation error:468(3)

    3. Re:No brainer by geminidomino · · Score: 4, Insightful

      I agree. I bought my own domain as well, and I turned on a catch-all address (called "spamtrap") specifically TO catch spam. That's all it does catch. If someone types your address wrong, they should be smart enough to figure out "55x No such User" (or whatever the error is) and double-check the address. Anyone saying "random" spam is far less than targeted probably doesn't run a mailserver and watch the dictionary attacks mount up in the log file. "adam@domain", "anthony@" all the way up to "zachary@" (not to mention the various permutations of aaabbbccc, etc...). Unless you're trying to track where the spam is coming from (by reading recieved: headers, not "From:" lines), a catch-all address is nothing but a spam-catcher.

    4. Re:No brainer by Anonymous Coward · · Score: 5, Insightful

      Well, frankly I *would* consider that as a measure of intelligence (at least to some degree).

      For instance, if a user:

      - has used a computer for a number of years (by the sounds of it the very same applications for that same time)

      - depends on using the computer for important work

      and still can't use it properly (and won't take the time to actually *learn* to use it properly - eg, basic typing/clicking skills), I consider that an intellectual defect.

      It's like any other field - if you depend on a particular tool, you have to be able to actually use the tool properly or you'll mess things up repeatedly. And if you do mess things up on a regular basis, that's no one's fault but your own.

      Think of all the "valuable time" he has wasted by simply not learning to use his tools.

    5. Re:No brainer by tarquin_fim_bim · · Score: 3, Insightful

      That's as maybe, RFC 822 suggests otherwise, with a couple of exceptions.

    6. Re:No brainer by mysidia · · Score: 2, Insightful

      It's not true that catch all is necessarily a violation of any RFCs.

      Simply put the situation with catch all is that any possible user exists.

      If you accidentally sent your mail to nillgates at yahoo.com instead of billgates at yahoo.com; chances are "nillgates" is also a valid user.

      Hence no delivery error occures, and it's perfectly fine.

      The MTA isn't required to read minds and determine if the user made a typo. Only to act based on whether the destination mailbox exists are not.

      And of course, for catch all... every legal mailbox does exist.

      Certain addresses like postmaster@ have to work and have to go to a human, but there's no requirement that ppostmaster@ be considered a typo: after all, the user can exist!

    7. Re:No brainer by RedBear · · Score: 3, Insightful

      As you have just demonstrated, having a PhD/MD does not equate to intelligence. What a PhD often equates to is mere perserverence shown by the fact that someone trudged through 7-10 years of some sort of schooling and wrote a hundred page thesis with mostly complete sentences. Now, after accomplishing that, this person you've described (and many like him) has a framed certificate on his wall and a complete inability to learn how to properly use a tool that he uses every single day. This is the very definition of moron, someone who can't learn.

      But probably the main problem with folks like him is that after going through 7-10 years of schooling he is now "educated" and therefore doesn't need to listen to you or anyone else or take 5 minutes to learn how to do some minor thing correctly the first time. He's got that framed certificate on the wall and his "office manager" to keep him in this "educated" frame of mind for the next 40 years. Doesn't matter how smart you are now or were in the past if your mind is closed to further learning.

      If his time was so valuable he would spend an hour sometime and sit down and learn to use the tool, rather than continually breaking the tool and asking someone else to always be there to fix it.

      Of course, none of this precludes the fact that 90% of the time the software could be made easier to use in the first place. But it doesn't mean a PhD is a genius. Most of them are just consistent hard workers, and there's something to be said for that too, no matter what their intelligence level.

    8. Re:No brainer by SplasPood · · Score: 2, Insightful

      I have a customer who has complained on *3* separate occasions that they cannot email sales@randomdomain. When we inform them that they need to have a top level domain on there they *insist* it worked before.

      After 3 or four emails/calls they finally get the point. Until a few weeks later when it starts again.

      Argh.

    9. Re:No brainer by Albanach · · Score: 2, Insightful
      I've had more than one IT Manager specify to me that their email address is 'lower case', so I stand by my original post.

      Seems quite reasonable. RFC 821 says:

      For some hosts the user name is case sensitive, and SMTP implementations must take case to preserve the case of user names as they appear in mailbox arguments.

      The only email address required to be case insensitive is postmaster.

  2. No big problems here by andyrut · · Score: 5, Insightful

    Buying your own domain is a smart move. As long as you keep paying for the domain, your e-mail address can travel with you, even when you change ISPs.

    From personal experience, I've found that only a very small percentage of spam I get comes from using the catch-all address. I get only a few junk e-mails to "webmaster", "postmaster", and other generic usernames. A far greater portion of it is addressed to the "real" e-mail address I use that's been plastered all over the web for years and years.

    Judging only from my inbox, it would seem that spammers are more likely to use lists of known e-mail addresses than trying to guess valid usernames for a domain. My advice would be to use the catch-all address and just wait and see if spam becomes a problem. Turning off the catch-all wildcard, if need be, is a very simple operation.

    1. Re:No big problems here by Anonymous Coward · · Score: 2, Insightful

      That is, until the DSL provider you host your domain on decides to block port 25 because someone else on your ISP was spamming or relaying spam. :|

      Spammers ruin it for everybody.

    2. Re:No big problems here by jrockway · · Score: 2, Insightful

      Are you a two-year-old?

      Spam is annoying. Spam is trashy and "unethical". But it's not worth killing someone over.

      Just get a new email address. I got a new one and don't get spam anymore (the gmail one above does get spam, though...)

      Every time I post this, I get modded down (slashbots hate spam, I guess... I'm pretty indifferent myself), but I'll say it again. I actually think spam is a good way to motivate ISPs to upgrade themselves. If their mail servers die every few days because of the load spam inflicts, they upgrade their servers. That means new features (or more uptime) for you! Bandwidth is the same way... spam uses a lot of bandwidth so the Big ISPs have to upgrade their links. And they aren't doing the bare minimum (when you've dug up the cable, you're going to put more than you need down... digging is expensive, fibre is cheap), they're adding more bandwidth than they need. Which means that slashdot loads faster (or your movie downloads faster). That's a good thing.

      Just don't give your email to anyone who asks, and you'll avoid spam. I hear putting numbers in your username helps against dictionary attacks (jrockway in in a dictionary, but jrockw2 isn't).

      In closing, please have a drink of your choice and relax a bit. No need to get worked up over spam. And if a gmail invite would calm you down, I'll give you one :)

      --
      My other car is first.
    3. Re:No big problems here by killjoe · · Score: 2, Insightful

      Since that RFC was written before the advent of spam they should change it. I got tired of getting hundreds of spam to postmaster@mydomain.com and simply shut it off. If anybody blacklists me then fuck them.

      They are ones that are ignorant. Blindly following an RFC that ignores the reality of what is happening today is the height of stupidity. Blacklisting somebody for not doing it just plain moronic and asshololic behavior.

      But then again there is no shortage of assholes on this planet are there.

      --
      evil is as evil does
  3. Your shouldn't worry about that by toetagger1 · · Score: 4, Insightful

    If you use a spam filter, you sould not have to worry about it. You are not exposed to more kinds of spam, just more instances. And since spam filters currently have no issue with volume, you should be ok.

    --
    who | grep -i blond | date cd ~; unzip; touch; strip; finger; mount; gasp; yes; uptime; umount; sleep
  4. bayesian filter is your friend by elucubra · · Score: 2, Insightful

    set it up, but make sure you have a good bayesian filter to weed out the crap.

  5. bounce? by Anonymous Coward · · Score: 2, Insightful

    if anyone really emails your domain, and it bounces, won't they figure it out?
    Seems like a useless feature.

  6. spammers should be shot by Anonymous Coward · · Score: 0, Insightful

    read the title. FP?

  7. Isn't that the POINT? by SuperRob · · Score: 5, Insightful

    What does it matter if it opens you up to spam. It's a catch-all account right, isn't that what it's supposed to do?!?

  8. Nope by Inominate · · Score: 2, Insightful

    Not at all.

    The ideal setup is to have several addresses.
    One for close friends, associates, individuals and people who the address is sent to privately.
    A second address for mailing lists, and any kind of public posting.
    And a third address for anything guarenteed to end up in you getting spam. (Website signups for instance)

    Then you simply drop it into three different folders. This method combined with a good spam filter can eliminate virtually all spam.

  9. the whole /point/ of a catchall address is spam by luge · · Score: 5, Insightful

    It is great. You never have to worry about giving out an indiscriminate address again. Signing up for a fantasy league on cnn/si? I used cnnsi@mydomain. cnnsi sold it and now I get several hundred spam a day there. And I can trivially filter and nuke them, with the added bonus that I know never to send them my business again. amtrak has amtrak@mydomain, I get all the mail from it, and can easily track that they have never violated their TOS. It's the greatest thing- I heartily recommend it to anyone who can.

    --

    IAAL,BIANLY

    1. Re:the whole /point/ of a catchall address is spam by luge · · Score: 5, Insightful

      This is a good approach, and the one I'd use, /if/ I had an easy admin interface to add accounts. But most don't (and it certainly sounds like the questioner on the original question doesn't.)

      --

      IAAL,BIANLY

    2. Re:the whole /point/ of a catchall address is spam by droleary · · Score: 3, Insightful

      I used cnnsi@mydomain. cnnsi sold it and now I get several hundred spam a day there.

      Are you sure they sold it, or were you merely a target of a dictionary attack (the dictionary being domains)? Same will go for amtrack@. All a spammer has to do is decide it's a significant enough domain to add to a dictionary and, BAM, you're getting spam there without any kind of TOS violation on Amtrack's part. Common word domains like amazon@ have long been dinged, and it is foolish to blame the company for your own poorly thought out system.

      If you really want to use a catch-all to track who sells your address, you have to use a hash or something else that you keep entirely secret and is not easy to guess, like c66915c4ff6a27e5f3aac08f58130ba9 for . . . guess who! :-) Otherwise you're just adding to the abuse that the spammers are dishing out to you.

      My own experience with a catch-all is that you're safe until you're hit by a dictionary attack, and then it never stops. I have domains with next to no traffic and a catch-all is fine, but in the last year I've had two of them get hit by dictionary attacks and after that each domain gets an increasing stream of spam attempts, currently around 1000/day. That's bad enough that I shut off the catch-all for the one I don't really use it with. The other one keeps SpamCop full.

  10. Speaking from experience by Bradee-oh! · · Score: 5, Insightful

    I have a catch-all address at my domain. YES, there are huge amounts of spam. BUT, it is definitely worth the trouble IMHO, and here's why.

    1 - most of the spam seems to come to 5 or 6 addresses only - admin, root, sales, webmaster, etc etc. That's cake to filter out straight to trash.

    2 - The convinience of being able to sign up for random websites with a different address on the fly is great. For example, signing up on ebay to buy something and using the address "fromebay@mydomain.com" means you KNOW that only one person in the world has your email address so you know who to blame if spam starts coming in, and it is also a piece of cake to automatically filter those ebay emails straight to an ebay inbox, for example.

    3 - Not as significant as my first 2 points but still a nice perk in my setup is that I'm able to create email addresses for family and friends on the fly and just setup my own server to split the addresses out into their own inboxes.

    So if you will be running the server(s) yourself over slow dsl or cable, the volume of spam MAY be a concern to you. I get about 600-700 spams a day to the common webministrater addresses I mentioned, but it's no concern to me because I don't run the incoming email server and my dsl is more than fast enough to d/l them in a few seconds.

    But in any other case, I'd say it's well worth it! And on a slightly different note, I have been very impressed with the honesty and adherence just about everywhere has to their privacy policies regarding email addresses. over 2 years of using my system with about 50 "from@domain.com" addresses, only one of them screwed up and got the address on a spam list somehow - cancelling my account with them and filtering those spams straight to trash solved the problem.

    --
    "This is Zombo Com, and welcome to you who have come to Zombo Com" - www.zombo.com
  11. Give it a try by phalse+phace · · Score: 2, Insightful

    All I can suggest is to give it a try for a while (couple of months, a year) and see what happens. If you get a ton of spam and no important email, then turn it off.

    When I had my catch-all account, I rarely got any spam, and that's probably because most spammers won't really bother with trying to send you something at afhg329087dsfljifd90hlg@domain.com or whatever.

  12. Be Careful with Catch-All Accounts... by Anonymous Coward · · Score: 2, Insightful

    I host my own personal domain (something like johndoe.com) with a hosting company. I had a catchall account, and used it to great success when giving out my e-mail addy. (For example I'd give stores their own name: homedepot@johndoe.com, walgreens@johndoe.com, etc. Not these specific example, but you get the gist.)

    Anyhoo, somehow, someway, somewhy, a spammer got ahold of my domain. And they created just about every possible name you could imagine for my domain: janey123@johndoe.com, rty5632@johndoe.com, ricksmith@johndoe.com, etc. Of course, it's just me at the site. But I suppose they didn't care. To make a long story short, I started getting over 1,000 spam messages per day in my catchall. And now it's grown exponentially. The assholes even send the same spam to the same addy, like, ten at a time. So basically my domain is fucked. And of course, once you get on some dumbass spammer list, they ALL start sending it to you. I've had my catchall account turned off for the last several months, and it's set to bounce back. But it makes no difference.

    Every month or so I turn it back on to see if they've given up, but it's just more and more and more of the same. Until a cure for spam is found, I'm dying over here. It makes my e-mail almost useless. Sheesh. Please someone do something about this stuff.

    Hopefully this won't happen to you, but if it does, you're screwed. :(

  13. No catch-ALL, just a catch-SOME by mejh · · Score: 2, Insightful

    When I hosted my domains I just had a few 'standard' addresses at the domains going to a 'stuff' mailbox. Aliases like:
    - root
    - webmaster
    - postmaster
    - admin

    I thought it was better when people use other non-existent addresses that they get a bounceback rather than mail being accepted. Especially with the newer worms/trojans that forge headers to send out mails from blahblah81@yourdomain.com etc.

  14. So close.... by Groo+Wanderer · · Score: 5, Insightful

    You are so close to the right solution. Spam almost universally will have a spoofed address, so sending something back to the 'sender' will not net you any more spam. Sending back is OK.

    The trick is to put useful info into the reply. Try setting up a message in the 'this address does not exist' autoreply. Put in something like 'bob@domain.com does not exist. If you are trying to reach Robert Smith, please resend to robert@domain.com. If you want to reach someone in an administrative capacity, send an e-mail to admin@domain.com'.

    You can extend this to all the positions that matter, postmaster, webmaster etc, and a few key people at the domain. The bad guys shouldn't get it, and the poor twinks who have their domain name spoofed will probably ignore it.

    The people who DO need to contact you and did either screw up or guess wrong will simply get the info that they need to do right. Win/Win.

    -Charlie

    1. Re:So close.... by JPriest · · Score: 1, Insightful
      Insightful? You are suggesting I reply to all my spam and say, I am sorry xxx@domain does not exist, thank you.

      That is like when answering the phone and then saying "I am sorry Priest is not home right now.... and sounding off my best attempt at a *beep*

      There are timestamps, mail headers etc. that are too time consuming to try to forge, you are better off hoping they will think the mail platforms spam filter ate it.

      I say go with the catch all domain, that way you can give out temp aliases like ny-times-reg@domain.com and know when someone sells your alias for spam.

      Another piece of advice, is to register the domain with OpenSRS rather than a register.com reseller, because register.com either sells your info or has an easier database to mine from my experience with snail mail from my register.com domains.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    2. Re:So close.... by nyseal · · Score: 2, Insightful

      Or, if someone REALLY needs to contact you, they can always pick up a phone and at least leave a message.

      --
      [SIG] Remember Mattel handheld games?
    3. Re:So close.... by Brad+Oliver · · Score: 5, Insightful
      Try setting up a message in the 'this address does not exist' autoreply. ... The bad guys shouldn't get it, and the poor twinks who have their domain name spoofed will probably ignore it.

      As a "poor twink" on the receiving end of a lot of spam, I've found that my filters are effective against everything but auto-replies.

      Getting a ton of auto-replies from people on vacation, with invalid addresses, support addresses that have changed, and the ever-helpful "you've sent us spam and we've rejected it but our spam filter is too stupid to realize the sender was forged" really gets old after the first week.

      Don't use an autoreply and turn your problem into my problem.

    4. Re:So close.... by NoMercy · · Score: 5, Insightful

      Ideally the mail server shouln't accept the emails, not construct a nice reply, just send the relevant code and a short single-line message that the server is unable to relay/deliver the email.

      The spammer's SMTP engine will get a mark against the email as bad, and valid ISP's relaying emails for there customers will generate a nice email for you saying that the address is invalid.

  15. CATCHALLS equals a BOMB = Harmless until exploding by mdrejhon · · Score: 2, Insightful

    Catchalls are harmless until they explode. The results were not pretty. All it takes is to be targeted as a potential ISP goldmine of email accounts, and then be dictionary-attacked by a spammer, then lots of your email addresses are put on huge numbers of spam lists. Then you've moved from no spam to near infinite spam. Over one thousand spam per day, gobbling up your download bandwidth and slowing your Internet connection even if your spam filter filters 98% of it which still lets a couple dozen through, it becomes living hell!

    while (true); do cat /dev/random | mail myself@mydomain.com; done

  16. try this username: spam@example.com by microcars · · Score: 2, Insightful
    getting a little OT here, but after experimenting with the * or "catchall" email address on several domains, I have found the best username to be....SPAM

    So many people use things like:
    johnNOSPAM@example.com
    john@NOSPAMexample.com
    johnREMOVETHIS@example.com...

    that the SpamHarvest bots seem to harvest emails and then REMOVE words like:
    SPAM
    REMOVE
    THIS
    NOSPAM

    before adding the names to their "fresh" list of email addresses to sell.

    but if they remove SPAM from SPAM@example.com, they are left with.....
    @example.com
    which should be undeliverable.

    so if your email is SPAM@example.com, you should get email from your friends, but my extensive use of that username on USENET has shown me that it does in fact work! I received only ONE spam email to that address in the past year of using it.

    getting back On Topic for a minute, see if you can "disable" the "catchall" or "*" email function at some point. While I have not been hit with a dictionary attack, its obvious from the other posters that it is not uncommon. If you can route all non-assigned usernames to null when you discover this to be a problem, you will save yourself some headaches.

    --
    I like microcars
  17. Re:Disagree by macdaddy · · Score: 2, Insightful

    Turning it off? It's off to begin with. Only a fool would turn it on for any domain with legitimate uses. The only time you ever tunr it on is when you WANT spam. There are very few of us that want hundreds of thousands of pieces of spam per day.

  18. Re:Disagree by whoever57 · · Score: 3, Insightful
    But I think it depends on what you are using your domain for; wildcard spam is minor/rare compared to targetted spam:

    Well, I think there are wild differences from one domain to another. One of the domains that my company uses for email has been under a sustained dictionary attack for months now. Others get only targetted spam (real or former email addresses plus postmaster@, sales@, etc).

    So a catch all may be OK until some spammer decides to make it the target of a dictionary attack. The problem is: what does one do then? At that point, turning off the catch all will probably mean losing lots of non-spam emails.

    --
    The real "Libtards" are the Libertarians!