81
submitted 8 months ago* (last edited 8 months ago) by syd@lemy.lol to c/technology@lemmy.world

I want to use my main mail address everywhere, even public places. But I doubt if I can guard myself against spam.

Is there a provider specialized in spam protection? Or at least good at it?

At last, given your experience, should I even do it?

top 50 comments
sorted by: hot top controversial new old
[-] Lemming421@lemmy.world 53 points 8 months ago

I want to use my main mail address everywhere, even public places.

No you don’t. It’s not quite as simple, but buy your own domain, get an email provider such as Fastmail that will let you use a catch-all, then use a unique address for every site you visit.

Then if one starts receiving spam, you can block that specific address and voila, no more spam. Plus you know what sites have either poor customer detail hygiene or are actively selling your details.

[-] syd@lemy.lol 10 points 8 months ago

I own my domain but I'm not sure about provider. I want to use "name@surname.net" on my public profiles so unique mails for services trick wouldn't work for me.

[-] Atemu@lemmy.ml 13 points 8 months ago
[-] syd@lemy.lol 2 points 8 months ago* (last edited 8 months ago)

I like this one. I guess I can use this for registrations. Thanks

[-] gofsckyourself@lemmy.world 7 points 8 months ago

I like Zoho. It can be free as long as you use the web/mobile app. If you want to use your own email software, it's $1/mo for the lowest paid tier.

[-] lemmyvore@feddit.nl 3 points 8 months ago

Then you're going to get spammed to hell, live with it.

There's no spam filters that will protect you 100% from putting the same email address everywhere.

Using personalized aliases for everything and never showing a public address if you can help it is the only way to fight spam these days.

[-] Hate@lemmy.dbzer0.com 2 points 8 months ago

There's no spam filters that will protect you 100% from putting the same email address everywhere.

Well, you could curate your own whitelist, but that's not very practical for most use cases.

[-] Jeff@lemm.ee 9 points 8 months ago

This is exactly what I have done since 2005 with them. Showed me years ago that 1800Flowers either was compromised or sells their email addresses.

[-] ColeSloth@discuss.tchncs.de 21 points 8 months ago

I know it's "big evil corporate overlord", but Gmail is pretty damned good at it, really.

If I get spam from a company I recognize I gave my email to, I'll go in it and click the unsubscribe button and do it that way. Anyone else and I just mark it as spam and Gmail does a pretty good job of sending swaths of junk emails into the spam folder. I don't get much that slips through. Very occasionally I'll sign up for something I'm supposed to get an email for but don't, and I'll find it in the spam folder. If I think I'll want more emails from that company, I move it to my regular folder.

[-] kalkulat@lemmy.world 3 points 8 months ago

There's a large org (@ hope.net) that has a non-profit convention every few years. It maintains a e-mail list to let its > 1000 previous attendees know about the upcoming convention and related info. In the past decades everything was fine.

This year (con in July) Gmail has been spam-binning ALL of those reminder e-mails aimed at attendees who use Gmail. Quite clearly it's not the users making that choice. The org is left with no other way to contact those attendees.

load more comments (2 replies)
[-] darreninthenet@sh.itjust.works 1 points 8 months ago

Have a read on the trouble the 2600 guys have been having sending out emails for the next HOPE conference - the junk filter is also great at filtering out topics it deems unsuitable.

[-] MonkderZweite@feddit.ch 0 points 8 months ago* (last edited 8 months ago)

Most spam i get is from a random @gmail address as source, can't be that great. And they are shit with attachements.

[-] AtmaJnana@lemmy.world 2 points 8 months ago* (last edited 8 months ago)

Tell us you don't understand how the "From" header works without telling us.

FYI, that is really just a text string. Most providers don't let you change it, but its not exactly hard to falsify. People are largely ignorant of the fact that email mostly isnt trustworthy. Spammers abuse this ignorance constantly.

In order to send email as another address, gmail requires you to verify the address by sending you an email there first. AFAIK, they never re-verify, but that's the main weakness I see.

[-] hperrin@lemmy.world 17 points 8 months ago

I created an email provider called Port87 that specializes in spam prevention, phishing prevention, and organization.

You use it by giving a labeled address to all your accounts, so to Netflix, you would give something like yourname-netflix@port87.com. Then that becomes a label in your account that you can set quick settings for like mark as read or even just block that address if you’re done with it. And if you get something claiming to be from your bank there, you know it’s phishing.

Then you can have labels that are meant for real people like yourname-friends@port87.com, and when someone emails them for the first time it will email them back and ask them to verify they’re human.

And your bare address (yourname@port87.com) doesn’t go through, but rather responds with a list of your “public label” addresses. So that one you can share all over the internet and you won’t get spammed.

[-] Usul_00_@lemmy.world 6 points 8 months ago* (last edited 8 months ago)

Sounds like you have qmail at the root. I ran that with spamassassin, barracuda and some other custom rules for years. Didn't add on the auto response you have described, but really liked it back in the day.

Did I guess kinda close to what you have running?

I'd think the annoying part would be that you've forced the work to prove they are human back on the sender. Might be a good way to go though given how much spam there is.

[-] hperrin@lemmy.world 4 points 8 months ago

It’s actually built on Haraka. All of the queueing is custom written so I can do things like make it a flip of a toggle whether you want push notifications, sender screening, mark as read, etc. for a label. And there’s no inbox, since the bare address is not a usable address. Every email you receive already has at least one label.

[-] lemmyvore@feddit.nl 6 points 8 months ago

Ok but you can do this with aliases with any decent email service.

I guess an aliasing service like yours can be useful if you're stuck with a bad email provider, but since OP is looking to set things up they can just pick a decent one to begin with.

[-] hperrin@lemmy.world 4 points 8 months ago

Ok but you can do this with aliases with any decent email service.

As far as I know, there’s no email provider that lets you choose to enable sender screening on individual aliases. I also don’t know of any that explicitly do not use the bare address.

You can kind of achieve the same thing with Sieve scripts and a catch-all address (which is how I developed the prototype), but there is a lot that Port87 does automatically that you’d have to do manually in that system.

For example, you don’t need to set up a label before you use it with Port87. You can just give out a yourname-whatever@port87.com address and it will create the whatever label for you. These labels show up in your “Pending Labels” section. You can then approve them to move them into your regular labels, block them, or just let them expire.

I wrote this service around this concept, so it’s not like you’re using a regular email system a special way. The system is designed and built to be used this way.

[-] grilledcheesecowboy@kbin.social 17 points 8 months ago

The paid proton accounts let you use several custom domains, although I'm not sure if you can combine custom domains with email aliases. For random sites the email alias with the stand @proton.me would probably suit your needs.

After about 3 years of use I've been very happy with proton's spam filtering.

[-] Flying_Hellfish@lemmy.world 9 points 8 months ago

I use proton coupled with my own domain and SimpleLogin (which is now merged with Proton) to create infinite custom email addresses in my domain. I then use filters to move the recipient address to folders and I can turn off one of my SL addresses if it's compromised or sold and create a new one.

[-] lolcatnip@reddthat.com 12 points 8 months ago

OP: Asks about spam filtering

Lemmy: Recommends everything but spam filtering

[-] syd@lemy.lol 4 points 8 months ago
[-] angelsomething@lemmy.one 6 points 8 months ago

I self-host my own mail server but for anything else I use my anonymous @duck.com email address.

[-] cooopsspace@infosec.pub 6 points 8 months ago* (last edited 8 months ago)

Anonaddy

Use unique bullshit addresses for every site, that way WHEN they sell your data out or get hacked you know who is responsible.

Anonaddy forwards everything to your one true email address knowing that only anonaddy really knows your address.

[-] lemmyvore@feddit.nl 5 points 8 months ago

Agreed with the unique addresses but why not use aliases directly at your email provider? Why use a 3rd party service?

[-] hiajen@feddit.de 5 points 8 months ago

every provider who supports aliases. like foo+baa@bzz.tld where everything after the + is exchangeable. so you can use a 'different' mail for every service you use and just block where spam comes from via the alias.

[-] ccunning@lemmy.world 5 points 8 months ago

Isn’t it pretty widely known that many email providers support this?

I just assume spammers would know enough to remove everything from the ‘+’ until the ‘@‘. It’s not like they’re trying to be sparing with recipients. Why not just send to both?

[-] lemmyvore@feddit.nl 4 points 8 months ago* (last edited 8 months ago)

Isn’t it pretty widely known that many email providers support this?

Personally I'm not a fan of "plus aliasing" because it gives away your base address, and it's trivial for spammers to strip the alias. I prefer aliases that completely hide the base address.

[-] AtmaJnana@lemmy.world 2 points 8 months ago

Its also VERY poorly and haphazardly handled in websites. Often they won't let me create an account with it. Or I will be able to create an account using the alias, but then I am left unable to login.

[-] lemmyvore@feddit.nl 1 points 8 months ago

That's why we need formal rules. Once regulations are in place (with big penalties) websites magically start to function properly.

[-] kevincox@lemmy.ml 1 points 8 months ago

Yes. It is pretty easy to work around, but if that is the only tool you have it still can be used to junk a majority of the crap.

If you want a robust solution you can use disposable aliases (which are basically randomly generated) or signed addresses.

I do the latter. So I would generate an email like lemmy-example-59273625@kevincox.ca. If you strip or change the string at the end (which is a small HMAC) your message will go straight to junk. It isn't perfect because there is only 4 bytes of entropy in the signature but a dedicated attacker will find a better way to spam me anyways.

[-] Kissaki@feddit.de 1 points 8 months ago

... Until they randomize the part before the plus

[-] lemmyvore@feddit.nl 2 points 8 months ago

They don't need to randomize it, just strip it.

[-] AtmaJnana@lemmy.world 1 points 8 months ago* (last edited 8 months ago)

They strip the part after and including the plus. And yea, that's exactly what is done. People need to stop assuming malicious actors are dumb and incapable of reading an RFC.

[-] syd@lemy.lol 1 points 8 months ago

Not best solution I guess. How about generic sites? Like Git commit mail, my website, Mastodon etc. where I can't add that postfix.

[-] kevincox@lemmy.ml 1 points 8 months ago

What I do is have some general mailboxes then signed addresses on top of that.

So if you email blog@ or kevincox@ you will get a fairly high level of spam filtering. I also have a few other "memorable" addresses that get reduced spam filtering. If you use the unique signed address that I use for signing up to services, newsletters or whatever where the address is private to a specific service then you basically skip spam filtering. Of course if you abuse that privilege then I will outright block the signed address.

Basically by allowing friends and "trusted" services through the spam filter I can crank up the difficulty for unknown senders.

[-] madsen@lemmy.world 1 points 8 months ago* (last edited 8 months ago)

Why can't you use +-aliases in Git, Mastodon, etc.?

Edit: git config --local user.email "something+someotherstuff@example.com" shouldn't cause any issues.

[-] corsicanguppy@lemmy.ca 5 points 8 months ago

spams

Mass nouns don't need the 's'

[-] syd@lemy.lol 1 points 8 months ago* (last edited 8 months ago)

sure fixed it

[-] knobbysideup@sh.itjust.works 4 points 8 months ago

You can look for a service that provides a mail security gateway, or host your own. My personal solution is mimedefang milter on sendmail which will blow away any canned solution you will find. But you have to know what you are doing with it.

There is barracuda, but they are $$. Another option is proxmox mail gateway. Not as fast as mimedefang, but it has a nice gui.

https://www.proxmox.com/en/proxmox-mail-gateway/overview

[-] pineapplelover@lemm.ee 4 points 8 months ago

Protonmail with https://simplelogin.io aliases. If your email has spam, get a new email. But proton already has good spam filtering. Aliasing helps make your emails less identifiable to your identity.

[-] CyberTailor@lemmy.world 4 points 8 months ago

Addy and Firefox Relay

[-] Smokeydope@lemmy.world 1 points 8 months ago* (last edited 8 months ago)

Tildes/pubnixes since nobody knows about them not even the spammers. sdf.org is the oldest pubnix but I prefer tilde.team

[-] centof@lemm.ee 2 points 8 months ago* (last edited 8 months ago)

What is a pubnix?

Edit: Short for Public access UNIX apparently.

load more comments
view more: next ›
this post was submitted on 24 Feb 2024
81 points (91.8% liked)

Technology

59414 readers
1231 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS