Detect email sharing

When you give your email address to everyone for a marketing subscription, a product trial or a small game, you don’t know whether one of them is selling it to spammers, or whether they were hacked.

Here are two methods you can use to find out where your spam came from.

First method: The “+” Sign

First, some background: an email address usually looks like yourname@yourdomain.com.  What you may not know is that you can add some metadata to the address and it will still work as usual, because anything you type between a “+” and the “@” sign is ignored by most receiving mail servers (a feature often called sub-addressing or plus addressing).

When you subscribe to a service that needs your email address, type yourname+servicename@yourdomain.com.  The “+servicename” part is ignored by the receiving mail server, so you receive your mail as usual, but the recipient address still shows what was typed after the “+” sign.

Then, when you receive a suspicious email, look at the recipient address.  If it contains “+servicename”, the address leaked from “servicename”: they sold it, or they were breached!

  • Pros: very easy to use, just add +xyz to your email address.
  • Cons: some email validation systems reject the “+” sign as an invalid address, so you can’t use it everywhere.  The tag is also easy to spot and strip, so anyone who knows the convention can remove it before passing the address on.

Second method: catchAll Account

The second method is more complicated.  It requires full control of your domain name and your email configuration.

This method uses a “catchAll” address.  A catchAll is a mail server setting that delivers every email addressed to your domain, whatever the part before the “@”, to the same inbox.  If someone writes to an address at your domain that does not exist, the mail still lands in that inbox instead of bouncing with a “bad recipient” error.  In other words, the catchAll inbox receives every message for which no specific account is configured in your email system.

You need at least one real mailbox, such as yourname@yourdomain.com, and you set it as the catchAll account.  Any incoming email to your domain, such as anything@yourdomain.com, is then delivered to yourname@yourdomain.com.  When you subscribe to a service, you can therefore use an address like thatservice@yourdomain.com: if you create a Twitter account, set its email address to twitter@yourdomain.com.

Now, when you receive a suspicious email, you only need to look at the recipient (“To”) header.  If the mail is addressed to twitter@yourdomain.com but does not come from Twitter, you know the address leaked from them, whether sold or breached! (Twitter is only used as an example.)

  • Pros: the addresses you hand out are all ordinary, valid addresses, without the “+” sign of the first method.
  • Cons:
    • difficult to configure: you must own your domain name and have full control of your inbound email configuration.
    • sometimes a service will find it suspicious that you use their name in your email address!
    • a catchAll also accepts mail for guessed or mistyped addresses at your domain, so the inbox can attract more unsolicited mail overall.
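Both methods come down to the same check on every incoming message: pull the service label out of the recipient address (either the text after the “+”, or the whole local part when the address belongs to a catchAll domain), then compare it with the domain the mail claims to come from.  The script below is an added example, not code from the original post; it assumes the protected mailbox is yourname@yourdomain.com, that yourdomain.com is the catchAll domain, and the sample messages are constructed for the demonstration.  It reads the Delivered-To header first, since that is what the receiving server actually delivered to, and falls back to To when it is absent.

```python
"""Added example: classify received mail by the tagged address it was sent to.

Assumptions (mine, not the post's): the real mailbox is yourname@yourdomain.com,
yourdomain.com is configured as a catchAll domain, and the messages below are
constructed samples, not real mail.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Optional

MY_USER = "yourname"          # assumed real mailbox local part
MY_DOMAIN = "yourdomain.com"  # assumed catchAll domain

# local part, optional "+tag", then domain
_ADDR_RE = re.compile(r"([^@+]+)(?:\+([^@]+))?@([^@]+)")


def service_tag(recipient: str) -> Optional[str]:
    """Return the service label embedded in a recipient address, or None.

    Method 1 (plus sign):  yourname+servicename@yourdomain.com -> "servicename"
    Method 2 (catchAll):   servicename@yourdomain.com          -> "servicename"
    The bare mailbox, or an address at another domain, carries no label.
    """
    _, addr = parseaddr(recipient)
    match = _ADDR_RE.fullmatch(addr.lower())
    if not match:
        return None
    local, tag, domain = match.groups()
    if domain != MY_DOMAIN:
        return None
    if local == MY_USER:
        return tag          # plus-tag, or None for the untagged mailbox
    return local            # catchAll: the local part itself is the label


def sender_domain(sender: str) -> str:
    """Domain part of the From address, lower-cased ("" if unparsable)."""
    _, addr = parseaddr(sender)
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> dict:
    """Report which service an address was given to and whether the sender matches.

    Heuristic: the mail is unsuspicious when the label appears as one of the
    DNS labels of the sender's domain (tag "twitter" vs "twitter.com").
    """
    msg = message_from_string(raw, policy=policy.default)
    # Delivered-To is stamped by the receiving server and survives a rewritten
    # or hidden To: header; fall back to To: when it is missing.
    recipient = str(msg.get("Delivered-To") or msg.get("To") or "")
    tag = service_tag(recipient)
    from_dom = sender_domain(str(msg.get("From", "")))
    suspicious = tag is not None and tag not in from_dom.split(".")
    return {"service": tag, "from_domain": from_dom, "suspicious": suspicious}


# Constructed sample messages (not real mail).
SAMPLE_LEGIT = (
    "From: Twitter <info@twitter.com>\n"
    "To: twitter@yourdomain.com\n"
    "Subject: Your login code\n"
    "\n"
    "Constructed body.\n"
)
SAMPLE_SPAM = (
    "Delivered-To: yourname+shopdemo@yourdomain.com\n"
    "From: Great Deals <deals@spammer.example>\n"
    "To: undisclosed-recipients:;\n"
    "Subject: You won\n"
    "\n"
    "Constructed body.\n"
)
SAMPLE_UNTAGGED = (
    "From: A Friend <friend@friend.example>\n"
    "To: yourname@yourdomain.com\n"
    "Subject: Hello\n"
    "\n"
    "Constructed body.\n"
)

if __name__ == "__main__":
    for name, raw in (("legit", SAMPLE_LEGIT), ("spam", SAMPLE_SPAM),
                      ("untagged", SAMPLE_UNTAGGED)):
        print(name, check_message(raw))
```

For the constructed spam sample the report names “shopdemo” as the service that leaked the address, because the label does not appear anywhere in the sender’s domain; the untagged message is never flagged, since a message to the bare mailbox tells you nothing about where the address came from.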

Example: how to configure a catchAll account at GoDaddy