Slashdot Mirror
Is A Catch-All Address Worth The Spam?
wildzeke writes "I plan on switching Internet providers this summer to get a faster speed. Since losing an email account is the biggest pain when switching providers, I decided to pay the extra money to have email for the domain I registered. One of the options provided is to make one of your email accounts a catch-all account. In other words, any email sent to this domain with out a valid user name, will be dumped in the catch-all account. The question I have, is this a good idea or not? On one hand, it may catch important email such as admin, or postmaster or simply mis-typed user name. On the other hand, the catch-all will open the flood gates to spam who will send to [all user names in the world]@domain.com."
If the mail is from an intelligent human being they will generally conclude from the returned mail that they have erred, and readdress it accordingly. In the event of any other outcome you are probably better off not receiving the mail.
Buying your own domain is a smart move. As long as you keep paying for the domain, your e-mail address can travel with you, even when you change ISPs.
From personal experience, I've found that only a very small percentage of spam I get comes from using the catch-all address. I get only a few junk e-mails to "webmaster", "postmaster", and other generic usernames. A far greater portion of it is addressed to the "real" e-mail address I use that's been plastered all over the web for years and years.
Judging only from my inbox, it would seem that spammers are more likely to use lists of known e-mail addresses than trying to guess valid usernames for a domain. My advice would be to use the catch-all address and just wait and see if spam becomes a problem. Turning off the catch-all wildcard, if need be, is a very simple operation.
If you use a spam filter, you sould not have to worry about it. You are not exposed to more kinds of spam, just more instances. And since spam filters currently have no issue with volume, you should be ok.
who | grep -i blond | date cd ~; unzip; touch; strip; finger; mount; gasp; yes; uptime; umount; sleep
just be glad you're not asdf@asdf.com.
set it up, but make sure you have a good bayesian filter to weed out the crap.
if anyone really emails your domain, and it bounces, won't they figure it out?
Seems like a useless feature.
What does it matter if it opens you up to spam. It's a catch-all account right, isn't that what it's supposed to do?!?
As someone who has been using a catch-all account for years, and has enjoyed the benefits and suffered the consequences, I would suggest you do it (though not without some warnings and recommendations). I do receive a fair amount of SPAM for accounts which have never existed on the system. I have also endured several periods when some SPAMmer referred to fake accounts at my domain in the return-to of the SPAM they were sending out (they were not using my mail server, they simply made up random usernames for my domain). Since they were random (both the names they used and the content of the SPAM) it was impossible to easily filter out. That sucked. I would receive hundreds of bounce messages per day. Ultimately I was able to make it stop by writing a script to post every bounce message I received through to the support form on the websites being advertised (modifying for each of the three or four sites which were involved), making the normal "cease and desist" legal threats. It seemed to work, since the SPAMs did stop soon after (presumably those sites complained to the SPAMmer they employed), and the SPAMmer no doubt moved on to some other fake accounts. Bastard. One of the best features of the catch-all is that you can totally control to whom you give out your "real" e-mail address, as well as track who is using the e-mail addresses you are giving out. For example, if you want to register at example.com for something, you give them the address me.example@yourdomain.com (or some structure which has a prefix or postfix, the 'me.', and the site name for which you are registering). You'll be able to receive that sites mail until you either don't want to, or until you see that they have abused the privilege of e-mailing you. Often I will see six months after registering to some site, I start getting tons of SPAM from the e-mail I gave to that site, and I can then simply block that on the mail server, bouncing them or sending them to /dev/null (via aliases, for example). This is the greatest strength in using catch-all addresses.
To mitigate the danger I mentioned previously of fake usernames, one should (though I am no sendmail expert and don't know how) set up a rule that any incoming recipient address must correspond to an existing account/alias, OR the catch-all structure you want (the whole PREFIX.SITENAME@yourdomain.com).
Q
Don't vote for Eugene Papansanovich for Congress!
I just write mail back. It's rather funny when you get a reply from the spammer. That isn't automated.
Not at all.
The ideal setup is to have several addresses.
One for close friends, associates, individuals and people who the address is sent to privately.
A second address for mailing lists, and any kind of public posting.
And a third address for anything guarenteed to end up in you getting spam. (Website signups for instance)
Then you simply drop it into three different folders. This method combined with a good spam filter can eliminate virtually all spam.
It is great. You never have to worry about giving out an indiscriminate address again. Signing up for a fantasy league on cnn/si? I used cnnsi@mydomain. cnnsi sold it and now I get several hundred spam a day there. And I can trivially filter and nuke them, with the added bonus that I know never to send them my business again. amtrak has amtrak@mydomain, I get all the mail from it, and can easily track that they have never violated their TOS. It's the greatest thing- I heartily recommend it to anyone who can.
IAAL,BIANLY
I fought it for a year or so, coding up custom filters, using spam assassin, you name it, and finally just gave up and blackholed it.
Spammers are trying dictionary attacks against domains to try and guess live accounts. I would get 500+ copies of the same message to made up names in alphebetical order a day.
That being said, I have since gotten on the Gmail beta, and just forward all my mail there now. It has a far better spam rejection rate then anything else I have tried, so if you forward all your mail to a google account and let them try and sort out the spam, it would probably be usable (and maybe even helpful to them to train their filters).
Mathematically impossible requirements are technically not against policy.
On the other hand if you leave the * account on, you don't need to creat a new account eact time you need one. I for instance only have one account on my mail server and that is the postmaster this allows me to invent e-mail addresses on the fly.
With this ability you can make an e-mail address for each use of your e-mail for sites and forums like Slashdot@Domain.com and if you start getting spam at that address you can quiet happily block it via the filter.
I have one of my e-mail addresses configured to catch all the "bad" addresses as you are talking about. There is an extraordinary amount of crap that account gets every day. It really isn't worth it, especially if you have the admin and postmaster addresses dump to your primary mail account.
This sig seemed like a good idea at the time....
so, if you get spam on this specific address you know where to complain.
As a geek, I run my own mail server. A "catch all" that goes to /dev/null is great.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
I run several catch-alls on my domains for several years, and I've never been spammed at [all]@[domains].com. However, just last week all my domains were hit by an email virus that did a dictionary-based attack. While it was all still caught by my spam filter, my spam filter is client-side, and after downloading 18200 emails, I decided it was time to shut down the catchalls.
The only thing I really had to do was notify my friends, who are long used to typing whatever they want into the username section of the domain, tailored to whatever it is they want (eg boywhowillfixmycomputer@, bikemechanicmanwhowillalsofixmycomputer@ etc).
I have a catch-all address at my domain. YES, there are huge amounts of spam. BUT, it is definitely worth the trouble IMHO, and here's why.
1 - most of the spam seems to come to 5 or 6 addresses only - admin, root, sales, webmaster, etc etc. That's cake to filter out straight to trash.
2 - The convinience of being able to sign up for random websites with a different address on the fly is great. For example, signing up on ebay to buy something and using the address "fromebay@mydomain.com" means you KNOW that only one person in the world has your email address so you know who to blame if spam starts coming in, and it is also a piece of cake to automatically filter those ebay emails straight to an ebay inbox, for example.
3 - Not as significant as my first 2 points but still a nice perk in my setup is that I'm able to create email addresses for family and friends on the fly and just setup my own server to split the addresses out into their own inboxes.
So if you will be running the server(s) yourself over slow dsl or cable, the volume of spam MAY be a concern to you. I get about 600-700 spams a day to the common webministrater addresses I mentioned, but it's no concern to me because I don't run the incoming email server and my dsl is more than fast enough to d/l them in a few seconds.
But in any other case, I'd say it's well worth it! And on a slightly different note, I have been very impressed with the honesty and adherence just about everywhere has to their privacy policies regarding email addresses. over 2 years of using my system with about 50 "from@domain.com" addresses, only one of them screwed up and got the address on a spam list somehow - cancelling my account with them and filtering those spams straight to trash solved the problem.
"This is Zombo Com, and welcome to you who have come to Zombo Com" - www.zombo.com
I've been running my own mail account off of my own domain for about 2.5 years now, and I don't regret it. I do have the catch-all set to dump to my personal account, and it's not been a major problem. Most of the spam I get is addressed to a "real" address (either mine or one of my older accounts I have forwarded to me), and there's a lot of that, so the amount I get from the catch-all is negligible.
:-)
In practice, actually, most of the spam-related stuff I get is mail bounces attempting to a random address with a faked from line of 63745624573@mydomain.com (or something like that). I really should look into implementing SenderID, but that would require hosting the server myself on a my dynamic IP instead of letting my web host take care of it.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
From my personal experience I've been getting a LOT of spam lately which is addressed to "made up" addresses at my domain. Either an awful lot of people lately have been giving out fake email addresses at my domain or spammers are somehow making them up from reasonable sounding usernames that never existed at my domain.
is this a good idea or not?
No, it's not a good idea. Looking through my mail server (and other mail servers I administer) I've seen A LOT of attempts by spammers to harvest email addresses by just trying a lot of common names on the domain (and some strange not so common addresses). If you had a wildcard address, you'd get all that spam to that box.
With no wildcard email address if people miss-spell a name on your domain, they'll get a prompt bounce message (and they'll probbably figure out the miss-spelling). With a wildcard they'll never figure out the miss-spelling, and may continue to use that wrong address.
There's also the problem of auto-generated virus bounce messages from other peoples servers. Most viruses lie about their from address, and can even make up a @yourdomain.tld. If you had a wildcard all those erroneous "you sent a virus" messages would go to your wildcard box instead of just bouncing.
Unless you want an account that's deluged with spam and like wading through it every so often on the off-chance someone sent a message to admin or postmaster, I'd not create a wildcard box.
AccountKiller
All I can suggest is to give it a try for a while (couple of months, a year) and see what happens. If you get a ton of spam and no important email, then turn it off.
When I had my catch-all account, I rarely got any spam, and that's probably because most spammers won't really bother with trying to send you something at afhg329087dsfljifd90hlg@domain.com or whatever.
I think it's best to just reject mail addressed to non-existent users during the SMTP transaction. My outside relay uses Postfix's relay_recipient_map to validate all recipients before relaying inside... anything not matching gets rejected with a 550. This saves my content filters (amavis/clamav) alot of work since we get TONS of spam to non-existent recipients.
e cipient_maps = mysql:/etc/postfix/mysql-recipient.cf,t = relay:mx2.somethingawful.com
relay_domains = mysql:/etc/postfix/mysql-relaydomains.cf
relay_r
mysql:/etc/postfix/mysql-alias.cf
relay_transpor
If you don't validate recipients, then you probably SHOULD use a catch-all address. The alternative to this would be bouncing spam back to the (usually forged) sender, in which case you become part of the problem and can cause yourself major queueing problems.
I recently switched to using e-mail from my registar/hosting company, they included one free address and I paid for an additional 5 mailboxes.
I set up an account for myself and my wife, and used the free account for a spam bucket. My account is set up as a catch-all. Whenever I sign up for something I use and address in the form slashdot.org@<mydomain>.com so if it does start getting spam I know who sold my e-mail address.
If any spam comes in being caught by the catch-all I set up a forwarder to my spam account. For example dns@<mydomain>.com gets forwarded to spam@<mydomain>.com I then just set up my e-mail client to dump anything that comes in via the spam account directly into the trash.
To date I have received spam on three addresses that didn't really exist (dns@, sales@ and info@), but overall it works very well.
I host my own personal domain (something like johndoe.com) with a hosting company. I had a catchall account, and used it to great success when giving out my e-mail addy. (For example I'd give stores their own name: homedepot@johndoe.com, walgreens@johndoe.com, etc. Not these specific example, but you get the gist.)
:(
Anyhoo, somehow, someway, somewhy, a spammer got ahold of my domain. And they created just about every possible name you could imagine for my domain: janey123@johndoe.com, rty5632@johndoe.com, ricksmith@johndoe.com, etc. Of course, it's just me at the site. But I suppose they didn't care. To make a long story short, I started getting over 1,000 spam messages per day in my catchall. And now it's grown exponentially. The assholes even send the same spam to the same addy, like, ten at a time. So basically my domain is fucked. And of course, once you get on some dumbass spammer list, they ALL start sending it to you. I've had my catchall account turned off for the last several months, and it's set to bounce back. But it makes no difference.
Every month or so I turn it back on to see if they've given up, but it's just more and more and more of the same. Until a cure for spam is found, I'm dying over here. It makes my e-mail almost useless. Sheesh. Please someone do something about this stuff.
Hopefully this won't happen to you, but if it does, you're screwed.
They're bloody cheap and'll do anything an extra few cents..........
DK
Greece is the Word
I also use the method of giving out lots of different E-mail addresses to track down who sells my info. Those who say, "you can always turn off the catch-all" are missing the point, because those of us using this method don't usually remember all the addresses we've given out, and therefore, using a "whitelist" isn't practical. Now, this system works great as others have said. You get a few occasional spams to things like webmaster@, sales@, info@, etc. but those can be easily filtered. The big problem is with annoying worms that generate random E-mail addresses. Of course, all of them get sent to your catch-all account -- in one day I got 150 Zafi.B worm E-mails from somewhere in Mexico. When you get one of these, what do you do? If you don't bounce the message, it's likely that the randomly generated E-mail address will be treated as valid and added to some spammer's database. Sure, you can blacklist each address, but then you're playing catch-up to a random generator algorithm. Not likely to win at that kind of game. Anybody know a good way to generate bounce messages in this kind of situation? Most mail bouncers assume you have only one address, and they create dangerous bounce messages that carry your *real* (i.e., desired) return address. I need a bounce script that grabs the "Received from... for ____" header and uses that to generate a bounce as if it originated from the randomly generated E-mail address. Can anybody help? PLEASE? Thanks!
When I hosted my domains I just had a few 'standard' addresses at the domains going to a 'stuff' mailbox. Aliases like:
- root
- webmaster
- postmaster
- admin
I thought it was better when people use other non-existent addresses that they get a bounceback rather than mail being accepted. Especially with the newer worms/trojans that forge headers to send out mails from blahblah81@yourdomain.com etc.
Uh, sorry, but that sounds just like the legitimate e-mail I get from some of my friends... :o)
--
Tomas
But I think it depends on what you are using your domain for; wildcard spam is minor/rare compared to targetted spam:
If it is a personal domain with perhaps a couple of description pages and even a blog then, like me, you will get no more (from personal experience) than 10+ random (random in the way they are sent to webmaster/admin or anything that * catches other than regular) messages/week. No big deal
A better known site seems to get a greater ranking in auto-traffic (let me generate logos, banners, security, etc for your website). But an email address listed on the site (my site) gets far more spam than a generic catch-all (e.g., I have "email webmonster@....com" as the auto admin address, more emails come to that than webmaster coz it's googled/harvested on those lists).
But the original statement said "I decided to pay the extra money to have email for the domain I registered" WFT?! Go to something like directnic.com, get your domain for $15/yr and get mail forwarding included (including wildcard)!
You are so close to the right solution. Spam almost universally will have a spoofed address, so sending something back to the 'sender' will not net you any more spam. Sending back is OK.
The trick is to put useful info into the reply. Try setting up a message in the 'this address does not exist' autoreply. Put in something like 'bob@domain.com does not exist. If you are trying to reach Robert Smith, please resend to robert@domain.com. If you want to reach someone in an administrative capacity, send an e-mail to admin@domain.com'.
You can extend this to all the positions that matter, postmaster, webmaster etc, and a few key people at the domain. The bad guys shouldn't get it, and the poor twinks who have their domain name spoofed will probably ignore it.
The people who DO need to contact you and did either screw up or guess wrong will simply get the info that they need to do right. Win/Win.
-Charlie
For example, if you want to register at example.com for something, you give them the address me.example@yourdomain.com (or some structure which has a prefix or postfix, the 'me.', and the site name for which you are registering).
What I've been doing for the last couple of years is using a catchall at a subdomain of my actual domain. The typical dictionary spams (postmaster, sales, etc) don't come in, because they only work on top level domains (otherwise spammers would be wasting a large amount of time spamming "sales@www.domain.com" which pretty much never exists..
When I sign up for an account at example.com, I just register as example.com@catch.mydomain.com. If I get spam, I can block it, and it doesn't interfere with my actual domain. If I decided one day I get too much spam to it, I could just switch to another subdomain name.
Speak before you think
Forget the "Catch All" e-mail address. Use Mailinator.
FYI -- mailinator is a non-passworded public catch-all system. Perfect for temporary site registrations. I use it frequently and its an unbelievably good service...
------ The best brain training is now totally free : )
From experience in operating multiple servers hosting many(read 10,000+) domains each, I can say that the catch all account is a VERY BAD thing.
Spammers recently have turned to more use of the random username approach and the catchall catches, well, all. This can in some cases total to more than 4500 emails a day in some cases. Hardly something you want to pull through a POP3 connection if your ISP doesn't have effective spam filtration.
Quite honestly the catch all serves little purpose if your email transactions are done in a correct manner. mailto: links have NO BUSINESS being on a web site for a company(or personal user for that matter) a simple CGI based contact form shields access from spam bots getting your email address and you can make sure ahead of time that your email address is properly configured.
Secondly, if you are emailing somebody else, most people use a context menu on the email you sent to add you to their address book. Again that eliminates the human error factor.
Also as others have already mentioned, a human will be able to read a mailer daemon response telling them that there was a mistake should they send directly.
My $0.02
SW
Make sure addresses like postmaster@ and abuse@ work. They're unlikely to get spammed, but may well receive important messages.
postmaster@ is actually required by rfc2821, btw.
As for the subject of the discussion; my catch-all addresses have been fine, but YMMV. If I was that worried about dictionary attacks, but still wanted the ability to give a new address out to each company, I'd do something like *-signup@mydomain or *@signup.mydomain or similar, but you might not have that level of control (in which case I'd recommend finding somewhere better to host your email, but *shrug*).
Catchalls are harmless until they explode. The results were not pretty. All it takes is to be targeted as a potential ISP goldmine of email accounts, and then be dictionary-attacked by a spammer, then lots of your email addresses are put on huge numbers of spam lists. Then you've moved from no spam to near infinite spam. Over one thousand spam per day, gobbling up your download bandwidth and slowing your Internet connection even if your spam filter filters 98% of it which still lets a couple dozen through, it becomes living hell!
/dev/random | mail myself@mydomain.com; done
while (true); do cat
If you have 1000s of messages coming to a person computer it doesn't mean squat what your filtering scheme is. Even if you don't "see" these messages, you machine is still going to have to read messages to evaluate them, or at the least download the headers (though header analysis isn't going to get you 100% filtered spam )
Accepting email from 1000's of possible email addresess @ your domain when you know they're all bogus is just asking for punishment.
I used to use my catchall for precisely that (e.g. slashdot@mydomain.
It DID help me bust someone for passing on an address which was instantly traced back to them.
Spam however has completely ruined it though for the problems outlined in this article. Unfortunately I can't turn off the catch-all as there are so many 'legacy' addresses from which I might only hear once a year but don't want to miss their email.
I now use http://www.spamgourmet.com/ instead to create disposable accounts as I have the luxury of being able to kill them (or let them die) if need be. It's free and I highly recommend it.
Do you or your partner snore? - Visit www.snoring.com.au
So many people use things like:
johnNOSPAM@example.com
john@NOSPAMexample.com
johnREMOVETHIS@example.com...
that the SpamHarvest bots seem to harvest emails and then REMOVE words like:
SPAM
REMOVE
THIS
NOSPAM
before adding the names to their "fresh" list of email addresses to sell.
but if they remove SPAM from SPAM@example.com, they are left with.....
@example.com
which should be undeliverable.
so if your email is SPAM@example.com, you should get email from your friends, but my extensive use of that username on USENET has shown me that it does in fact work! I received only ONE spam email to that address in the past year of using it.
getting back On Topic for a minute, see if you can "disable" the "catchall" or "*" email function at some point. While I have not been hit with a dictionary attack, its obvious from the other posters that it is not uncommon. If you can route all non-assigned usernames to null when you discover this to be a problem, you will save yourself some headaches.
I like microcars
>... the poor twinks who have their domain name spoofed will probably ignore it.
This is *such* annoying advice. I have a long-duration (approximately 1993) very public email address, and it's spoofed a lot and one of my main annoyances is this auto-replied "You've reached a bogus address or domain" message.
DO NOT send any auto-replies for anything.
DO NOT send messages saying that the (probably spoofed) sender has sent you a virus.
You don't need a catch-all for that. You just need a hosting service that lets you set up forwarders. So, in your example, I'd simply set up a forwarder for yourfreepron@mydomain.net to forward to myrealaddress@mydomain.net. My hosting service adds an "Envelope-To" header line that tells what address the mail was for, so I can then easily filter it on my end.
This gives me all the throw-away addresses I want for spam protection and other purposes, without having to deal with the spam to a catch-all address.
I don't get so much generic spam to @mydomain.com but I do get tons of bounces from spam that's sent out with a spoofed from @mydomain.com
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
There is but one valid reason for ever having a catch-all address. That reason is if you actually, honestly, truely WANT spam. "Who wants spam?"/I you say? I do. I have a handful of domains that have no other purpose in life but to collect spam. I've seeded addresses from those domains into dozens of spammers' "remove" forms. I built a list of 525,000 proper pronouns and used that to compile a list of userid@spamme-domains.tld addresses to seed those remove forms with. The end result is hundreds of thousands pieces of spam per day flowing into those domains. I archive much of it and automatically report the rest to the FTC as spam. Oh happy day. That's the only valid reason for ever using a catchall address that's publicly exposed to the Internet.
I run a friends-and-family hosting site (DNS, mail, web) for about 50 domains, almost all of which have catchall enabled. One user was getting 500+ spams a day, day in and day out. I was seeing 200-300 per day myself.
Four weeks ago I built the latest sendmail with Milter turned on and installed relaydelay.pl. The next day that user received two (2) emails, both of which were from friends. I got 7 emails, only one of which was spam.
Greylisting is the single most powerful anti-spam system out there. It blocks over 95+% of the spam and it doesn't "false positive" because it isn't doing pattern matches, Bayesian filtering or anything like that. It simply gives a TEMPFAIL to any email that has an unknown (from, to, server-IP) triple. If they come back more than X minutes later and less than Y minutes later, they are let through. Spammers almost always are using fire-and-forget SMTP servers so they don't retry, and so you never see their garbage. Positively elegant.
If you are the sysadmin, check it out and install it. Otherwise, hound your admin/ISP to install it. It saves bandwidth, aggravation, and time.
The corks just don't come out the way they used to.
-- My Wife, dealing with one of the new Corqs(tm)
Not only do you get spam addressed to random accounts on that domain but all the Undeliverable Mail bounced back to spoofed addresses on that domain.
There are better ways to do this. First off there's Sendmail "plus notation," also known as "user+detail" format. If you haven't heard about this you should do some research on Sendmail's website. The other method if you own your own domain, which obviously you do if your using a catch-all address, is to simply use aliases. Add your custom alias to your local aliases file, rerun newaliases, and you're set. Personally I use a little of both. I use aliases all the time. I can add an alias in a matter of seconds at any given point and time. A quick look at my current aliases file shows me aliases for dictionary.com, outdoorsuperstore.com, The Wall Street Journal, The New York Times and more. The best part about aliases is I can turn off the flow of spam by simply removing the alias. To stop the flow of spam to an address using plus notation I have to whip up a procmail recipe. I've seen more than one spammer strip the plus notation from outgoing addresses though so it isn't always going to stop the flow of spam. Not all web forms accept the plus sign as a valid email character. YMMV, no, I take that back. I can guarantee your mileage won't vary. Catch-all addresses have only one valid use: to collect spam. Plus notation will work much of the time. Aliases will work all of the time.
I do it mainly to see what websites are spamming me. For example, when I subscribe to the NYTimes, I would subscribe using nytimes071704@mydomain.com and could then see what advertising and spam comes from that signup. (If I get tired of mails to an address, I will make a rule so that all mail to that address goes straight to my trash).
My domains are not popular so I rarely get spam to emails that I never signed up anything for. Occasionally I will get an email to webmaster@mydomain or info@mydomain, but nothing more than a dozen a week. I say use it until you get too much spam, and then you can drop it while activating the emails that you still want to keep.
When I purchase something, I use @mydomain.com. This let's me track if they begin sending me spam or selling my address to someone who does.
For instance, let's say I buy something at Office Depot online. For my email address I enter officedepot@mydomain.com. If I start getting spam at that address, I know it's from them and can act accordingly.
I even had one company phone me thinking I'd screwed up entering my email address. Once I explained "why" I did that, they thought it was a really good idea.
I can't take credit for it though, I got the idea from my internet hosting company www.3-95.com.
My Tech Posts on Twitter
I own the domain of my last name, for example jones.com. Most spammers guess that a catchall will be placed upon that root domain. However, I create an MX record for my full name, john.jones.com, and then do a catchall of (at)john.jones.com pointing to my account. Spammers seem less aware (zero guesses so far) of MX domains. Then, wherever I have to give out my email address for a registration, I give a "unique" address used just for that site, such as slashdot(at)john.jones.com. This way, if any one address becomes abused, I just put a nouser entry in virtusertable for that address.
;-P . That would really reduce the effectiveness of this method as spammers would catch on. In which case, unique addresses would have to be explicit (many aliases) as opposed to implicit (via catchall). Slightly more time consuming.
I just hope this doesn't catch on too well
I am MuchTall
Having done the same thing before, I can say that without a doubt, it will increase your spam.
The thing is that alot of spammers seem to literally shotgun a domain with information harvested, then use those plausible usernames as email addresses. The end result is that your primary email account will get flooded with email not originally destined for it.
If you do intend to do this, I would suggest the following:
Having these on when you check and go through your mail will cause an increase of spam above what you are getting.
Best bet, have the domain name. Use one address, then close it and switch to another, within the domain. Have the original address just junk any future mails it gets once you are sure people have moved to your new address.
Seriously, it's just not a good idea.
Winged Power Photography
I control several domain names.
:)
In my experience, you need to block sales@, info@ and webmaster@. After that, most of the email (and spam) will be coming to the single @ wich you are actually using. There will be occasional bounces to random usernames (from spam spoofing from: addresses), but not very many in my experience.
By the way there is no spam to unpublished postmaster@ addresses, probably because this is not an address spammers want to irritate
Some other users have complained that they got under a dictionary attack like you describe. But not me.
17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
You don't understand correctly, I'd suggest you read the RFCs regarding SMTP.
When an SMTP session is started, two pieces of data MUST be sent before the message. Those fields amount to "from" and "to" fields and are sent sequentially by "MAIL FROM:" and "RCPT TO:" fields in that order. The "from" portion may be forged, but the "to" field must be correct as it is the address that the server delivers the message to or uses for further forwarding/processing. If the server does not recognize the to field, it will usually return a simple error (550) and may the session at that point. Also, if the server does not like the "from" field (for any reason you can program for), an error can be returned and the session ended.
Again, this is all before the body of the message is sent with the "DATA" command, thus saving potentially megabytes of data transfer. This does note require the "return" address to be correct, as this is happening at the time of delivery and the servers are talking directly about the message.
The body of a message may (but is not required to) contain other headers such as subject, to, from, received, date, content-type, message-id etc, but these fields in the data area have nothing to do with delivery as far as the receiving server is concerned.
Now.. it's possible to configure a server to operate differently, accepting all mail blindly, buffering the messages, then later figuring out where they should go.
My personal server takes the "MAIL FROM:" data and parses it, checking that the remote domain exists and there is an SMTP server that accepts mail for that domain. If any of those checks fail, I return a "not available" error (421) and close the connection.
Article X: The powers not delegated... by the Constitution...are reserved...to the people