Is A Catch-All Address Worth The Spam?

wildzeke writes "I plan on switching Internet providers this summer to get a faster speed. Since losing an email account is the biggest pain when switching providers, I decided to pay the extra money to have email for the domain I registered. One of the options provided is to make one of your email accounts a catch-all account. In other words, any email sent to this domain with out a valid user name, will be dumped in the catch-all account. The question I have, is this a good idea or not? On one hand, it may catch important email such as admin, or postmaster or simply mis-typed user name. On the other hand, the catch-all will open the flood gates to spam who will send to [all user names in the world]@domain.com."

No big problems here

[andyrut]

Buying your own domain is a smart move. As long as you keep paying for the domain, your e-mail address can travel with you, even when you change ISPs.

From personal experience, I've found that only a very small percentage of spam I get comes from using the catch-all address. I get only a few junk e-mails to "webmaster", "postmaster", and other generic usernames. A far greater portion of it is addressed to the "real" e-mail address I use that's been plastered all over the web for years and years.

Judging only from my inbox, it would seem that spammers are more likely to use lists of known e-mail addresses than trying to guess valid usernames for a domain. My advice would be to use the catch-all address and just wait and see if spam becomes a problem. Turning off the catch-all wildcard, if need be, is a very simple operation.

Isn't that the POINT?

[SuperRob]

What does it matter if it opens you up to spam. It's a catch-all account right, isn't that what it's supposed to do?!?

Here's one way to get the most from it

[quinxy]

As someone who has been using a catch-all account for years, and has enjoyed the benefits and suffered the consequences, I would suggest you do it (though not without some warnings and recommendations). I do receive a fair amount of SPAM for accounts which have never existed on the system. I have also endured several periods when some SPAMmer referred to fake accounts at my domain in the return-to of the SPAM they were sending out (they were not using my mail server, they simply made up random usernames for my domain). Since they were random (both the names they used and the content of the SPAM) it was impossible to easily filter out. That sucked. I would receive hundreds of bounce messages per day. Ultimately I was able to make it stop by writing a script to post every bounce message I received through to the support form on the websites being advertised (modifying for each of the three or four sites which were involved), making the normal "cease and desist" legal threats. It seemed to work, since the SPAMs did stop soon after (presumably those sites complained to the SPAMmer they employed), and the SPAMmer no doubt moved on to some other fake accounts. Bastard. One of the best features of the catch-all is that you can totally control to whom you give out your "real" e-mail address, as well as track who is using the e-mail addresses you are giving out. For example, if you want to register at example.com for something, you give them the address me.example@yourdomain.com (or some structure which has a prefix or postfix, the 'me.', and the site name for which you are registering). You'll be able to receive that sites mail until you either don't want to, or until you see that they have abused the privilege of e-mailing you. Often I will see six months after registering to some site, I start getting tons of SPAM from the e-mail I gave to that site, and I can then simply block that on the mail server, bouncing them or sending them to /dev/null (via aliases, for example). This is the greatest strength in using catch-all addresses. To mitigate the danger I mentioned previously of fake usernames, one should (though I am no sendmail expert and don't know how) set up a rule that any incoming recipient address must correspond to an existing account/alias, OR the catch-all structure you want (the whole PREFIX.SITENAME@yourdomain.com). Q

the whole /point/ of a catchall address is spam

[luge]

It is great. You never have to worry about giving out an indiscriminate address again. Signing up for a fantasy league on cnn/si? I used cnnsi@mydomain. cnnsi sold it and now I get several hundred spam a day there. And I can trivially filter and nuke them, with the added bonus that I know never to send them my business again. amtrak has amtrak@mydomain, I get all the mail from it, and can easily track that they have never violated their TOS. It's the greatest thing- I heartily recommend it to anyone who can.

Re:the whole /point/ of a catchall address is spam

[luge]

This is a good approach, and the one I'd use, /if/ I had an easy admin interface to add accounts. But most don't (and it certainly sounds like the questioner on the original question doesn't.)

I gave it up after a year

[killbill]

I fought it for a year or so, coding up custom filters, using spam assassin, you name it, and finally just gave up and blackholed it.

Spammers are trying dictionary attacks against domains to try and guess live accounts. I would get 500+ copies of the same message to made up names in alphebetical order a day.

That being said, I have since gotten on the Gmail beta, and just forward all my mail there now. It has a far better spam rejection rate then anything else I have tried, so if you forward all your mail to a google account and let them try and sort out the spam, it would probably be usable (and maybe even helpful to them to train their filters).

Speaking from experience

[Bradee-oh!]

I have a catch-all address at my domain. YES, there are huge amounts of spam. BUT, it is definitely worth the trouble IMHO, and here's why.

1 - most of the spam seems to come to 5 or 6 addresses only - admin, root, sales, webmaster, etc etc. That's cake to filter out straight to trash.

2 - The convinience of being able to sign up for random websites with a different address on the fly is great. For example, signing up on ebay to buy something and using the address "fromebay@mydomain.com" means you KNOW that only one person in the world has your email address so you know who to blame if spam starts coming in, and it is also a piece of cake to automatically filter those ebay emails straight to an ebay inbox, for example.

3 - Not as significant as my first 2 points but still a nice perk in my setup is that I'm able to create email addresses for family and friends on the fly and just setup my own server to split the addresses out into their own inboxes.

So if you will be running the server(s) yourself over slow dsl or cable, the volume of spam MAY be a concern to you. I get about 600-700 spams a day to the common webministrater addresses I mentioned, but it's no concern to me because I don't run the incoming email server and my dsl is more than fast enough to d/l them in a few seconds.

But in any other case, I'd say it's well worth it! And on a slightly different note, I have been very impressed with the honesty and adherence just about everywhere has to their privacy policies regarding email addresses. over 2 years of using my system with about 50 "from@domain.com" addresses, only one of them screwed up and got the address on a spam list somehow - cancelling my account with them and filtering those spams straight to trash solved the problem.

So close....

[Groo+Wanderer]

You are so close to the right solution. Spam almost universally will have a spoofed address, so sending something back to the 'sender' will not net you any more spam. Sending back is OK.

The trick is to put useful info into the reply. Try setting up a message in the 'this address does not exist' autoreply. Put in something like 'bob@domain.com does not exist. If you are trying to reach Robert Smith, please resend to robert@domain.com. If you want to reach someone in an administrative capacity, send an e-mail to admin@domain.com'.

You can extend this to all the positions that matter, postmaster, webmaster etc, and a few key people at the domain. The bad guys shouldn't get it, and the poor twinks who have their domain name spoofed will probably ignore it.

The people who DO need to contact you and did either screw up or guess wrong will simply get the info that they need to do right. Win/Win.

-Charlie

Re:So close....

[Brad+Oliver]

Try setting up a message in the 'this address does not exist' autoreply. ... The bad guys shouldn't get it, and the poor twinks who have their domain name spoofed will probably ignore it.

As a "poor twink" on the receiving end of a lot of spam, I've found that my filters are effective against everything but auto-replies.

Getting a ton of auto-replies from people on vacation, with invalid addresses, support addresses that have changed, and the ever-helpful "you've sent us spam and we've rejected it but our spam filter is too stupid to realize the sender was forged" really gets old after the first week.

Don't use an autoreply and turn your problem into my problem.

Re:So close....

[NoMercy]

Ideally the mail server shouln't accept the emails, not construct a nice reply, just send the relevant code and a short single-line message that the server is unable to relay/deliver the email.

The spammer's SMTP engine will get a mark against the email as bad, and valid ISP's relaying emails for there customers will generate a nice email for you saying that the address is invalid.

Re:No brainer

Well, frankly I *would* consider that as a measure of intelligence (at least to some degree).

For instance, if a user:

- has used a computer for a number of years (by the sounds of it the very same applications for that same time)

- depends on using the computer for important work

and still can't use it properly (and won't take the time to actually *learn* to use it properly - eg, basic typing/clicking skills), I consider that an intellectual defect.

It's like any other field - if you depend on a particular tool, you have to be able to actually use the tool properly or you'll mess things up repeatedly. And if you do mess things up on a regular basis, that's no one's fault but your own.

Think of all the "valuable time" he has wasted by simply not learning to use his tools.

Whatever you do...

[Fweeky]

Make sure addresses like postmaster@ and abuse@ work. They're unlikely to get spammed, but may well receive important messages.

postmaster@ is actually required by rfc2821, btw.

As for the subject of the discussion; my catch-all addresses have been fine, but YMMV. If I was that worried about dictionary attacks, but still wanted the ability to give a new address out to each company, I'd do something like *-signup@mydomain or *@signup.mydomain or similar, but you might not have that level of control (in which case I'd recommend finding somewhere better to host your email, but *shrug*).

Re:Disagree

[MDMurphy]

Catch all will kill your inbox. I had a catch all from 1996-2002. All of a sudden, around Labor Day 2002 I started getting up to 3000 spams a day. The vast majority were to bogus addresses. Even with local spam filtering my email client was spending near 100% of the time downloading mail.

I eventually killed the catch all, resulting in losing email from some places I'd given unique email addresses to. Also went with a 3rd party spam filter ( spamcop.net ) so most spam never makes it to my desktop at all, getting filtered upstream.

Recently I got a Gmail account. Just for grins I thought I'd test their spam filtering capabilities before using it for anything "real". I reactivated my catch all, forwarding it to my Gmail account. In the last 3 weeks my Gmail spam folder has accumulated 163MB of spam, or almost 27,000 individual messages. Gmail is only catching 30-50 percent of it, I've had to manually tag the remainder.

So while all my catch all addresses bounced these past two years the flow has reduced from 3k a day to about 1k a day.

The only reason to have a catch all is if you want lots of untargeted spam. I don't know how these yahoos do their billing, but if any of them base it on what bounces vs. what's read, then having an open address might just mean they'll make more money because of you.

Re:Been there, done that

[lewko]

The only thing I really had to do was notify my friends, who are long used to typing whatever they want into the username section of the domain, tailored to whatever it is they want (eg boywhowillfixmycomputer@, bikemechanicmanwhowillalsofixmycomputer@ etc).

The worst thing is when your so-called friends figure out for themselves that you have a catchall set up, so you start receiving emails to pigfucker@yourdomain, grabass@yourdomain etc... and it's not even spam, it's from your friends!

I now use the free http://www.spamgourmet.com/ for my disposable addresses and highly recommend it.

One word: greylisting

[hedronist]

Checkout Greylisting.

I run a friends-and-family hosting site (DNS, mail, web) for about 50 domains, almost all of which have catchall enabled. One user was getting 500+ spams a day, day in and day out. I was seeing 200-300 per day myself.

Four weeks ago I built the latest sendmail with Milter turned on and installed relaydelay.pl. The next day that user received two (2) emails, both of which were from friends. I got 7 emails, only one of which was spam.

Greylisting is the single most powerful anti-spam system out there. It blocks over 95+% of the spam and it doesn't "false positive" because it isn't doing pattern matches, Bayesian filtering or anything like that. It simply gives a TEMPFAIL to any email that has an unknown (from, to, server-IP) triple. If they come back more than X minutes later and less than Y minutes later, they are let through. Spammers almost always are using fire-and-forget SMTP servers so they don't retry, and so you never see their garbage. Positively elegant.

If you are the sysadmin, check it out and install it. Otherwise, hound your admin/ISP to install it. It saves bandwidth, aggravation, and time.

The corks just don't come out the way they used to.
-- My Wife, dealing with one of the new Corqs(tm)