iSOMEWHAT-EFFECTIVE SPAM FILTERS null (FALSE) 0 i null (FALSE) 0 i2024-06-04 null (FALSE) 0 i null (FALSE) 0 iI've tried a variety of unusual strategies to combat email spam over the years. null (FALSE) 0 i null (FALSE) 0 iHere are some of them (each rated in terms the geekiness of its implementation null (FALSE) 0 iand its efficacy), in case you'd like to try any yourself. They're all still null (FALSE) 0 iin use in some form or another: null (FALSE) 0 i null (FALSE) 0 iSPAM FILTERS null (FALSE) 0 i null (FALSE) 0 iGeekiness: 1/10 null (FALSE) 0 iEfficacy: 5/10 null (FALSE) 0 i null (FALSE) 0 IA colander filters spam email out of a stream of emails. /2024/06/filter.svg danq.me 70 i null (FALSE) 0 iYour email provider or your email software probably provides some spam null (FALSE) 0 ifilters, and they're probably pretty good. I use Proton's and, when I'm at my null (FALSE) 0 idesk, Thunderbird's. Double-bagging your spam filter only slightly reduces the null (FALSE) 0 iamount of spam that gets through, but increases your false-positive rate and null (FALSE) 0 isome non-spam gets mis-filed. null (FALSE) 0 i null (FALSE) 0 iA particular problem is people who email me for help after changing their name null (FALSE) 0 ion FreeDeedPoll.org.uk, probably because they're not only "new" unsolicited null (FALSE) 0 icontacts to me but because by definition many of them have strange and unusual null (FALSE) 0 inames (which is why they're emailing me for help in the first place). null (FALSE) 0 i null (FALSE) 0 iFrankly, spam filters are probably enough for many people. Spam filtering is null (FALSE) 0 iin general much better today than it was a decade or two ago. But skim the null (FALSE) 0 iother suggestions in case they're of interest to you. null (FALSE) 0 i null (FALSE) 0 iUNIQUE EMAIL ADDRESSES null (FALSE) 0 i null (FALSE) 0 iGeekiness: 3/10 null (FALSE) 0 iEfficacy: 8/10 null (FALSE) 0 i null (FALSE) 0 iIf you give a different email address to every service you deal with, then if null (FALSE) 0 ione of them misuses it (starts spamming you, sells your data, gets hacked, null (FALSE) 0 iwhatever), you can just block that one address. All the addresses come to the null (FALSE) 0 isame inbox, for your convenience. Using a catch-all means that you can come up null (FALSE) 0 iwith addresses on-the-fly: you can even fill a paper form with a unique email null (FALSE) 0 iaddress associated with the company whose form it is. null (FALSE) 0 i null (FALSE) 0 iOn many email providers, including the ever-popular GMail, you can do this null (FALSE) 0 iusing plus-sign notation. But if you want to take your unique addresses to the null (FALSE) 0 inext level and you have your own domain name (which you should), then you can null (FALSE) 0 isimply redirect all email addresses on that domain to the same inbox. If Bob's null (FALSE) 0 iBuilding Supplies wants your email address, give them bobs@yourname.com, which null (FALSE) 0 iworks even if Bob's website erroneously doesn't accept email addresses with null (FALSE) 0 iplus signs in them. null (FALSE) 0 i null (FALSE) 0 iThis method actually works for catching people misusing your details. On one null (FALSE) 0 ioccasion, I helped a band identify that their mailing list had been hacked. On null (FALSE) 0 ianother, I caught a dodgy entrepreneur who used the email address I gave to null (FALSE) 0 ione of his businesses without my consent to send marketing information of a null (FALSE) 0 idifferent one of his businesses. As a bonus, you can set up your null (FALSE) 0 ifiltering/tagging/whatever based on the incoming address, rather than the null (FALSE) 0 isender, for the most accurate finding, prioritisation, and blocking. null (FALSE) 0 i null (FALSE) 0 IEmails to multiple email addresses reach the same inbox. Spam emails are blocked based on the addresses they're sent to. /2024/06/uniques.svg danq.me 70 i null (FALSE) 0 iAlso, it makes it easy to have multiple accounts with any of those services null (FALSE) 0 ithat try to use the uniqueness of email addresses to prevent you from doing null (FALSE) 0 iso. That's great if, like me, you want to be in each of three different null (FALSE) 0 iFacebook groups but don't want to give Facebook any information (not even that null (FALSE) 0 iyou exist at the intersection of those groups). null (FALSE) 0 i null (FALSE) 0 iSIGNED UNIQUE EMAIL ADDRESSES null (FALSE) 0 i null (FALSE) 0 iGeekiness: 10/10 null (FALSE) 0 iEfficacy: 2/10 null (FALSE) 0 i null (FALSE) 0 iUnique email addresses introduce two new issues: (1) if an attacker discovers null (FALSE) 0 ithat your Dreamwidth account has the email address dreamwidth@yourname.com, null (FALSE) 0 ithey can probably guess your LinkedIn email, and (2) attackers will shotgun null (FALSE) 0 i"likely" addresses at your domain anyway, e.g. admin@yourname.com, null (FALSE) 0 imanagement@yourname.com, etc., which can mean that when something gets through null (FALSE) 0 iyou get a dozen copies of it before your spam filter sits up and takes notice. null (FALSE) 0 i null (FALSE) 0 iWhat if you could assign unique email addresses to companies but append a null (FALSE) 0 isignature to each that verified that it was legitimate? I came up with a way null (FALSE) 0 ito do this and implemented it as a spam filter, and made a mobile-friendly null (FALSE) 0 iwebapp to help generate the necessary signatures. Here's what it looked like: null (FALSE) 0 i* The domain directs all emails at that domain to the same inbox. null (FALSE) 0 i* If the email address is on a pre-established list of valid addresses, that's null (FALSE) 0 ifine. null (FALSE) 0 i* Otherwise, the email address must match the form of: null (FALSE) 0 i null (FALSE) 0 i A string (the company name), followed by null (FALSE) 0 i A hyphen, followed by null (FALSE) 0 i A hash generated using the mechanism described below, then null (FALSE) 0 i The @-sign and domain name as usual null (FALSE) 0 i null (FALSE) 0 iThe hashing algorithm is as follows: concatenate a secret password that only null (FALSE) 0 iyou know with a colon then the "company name" string, run it through SHA1, and null (FALSE) 0 itruncate to the first eight characters. So if my password were swordfish1 and null (FALSE) 0 iI were generating a password for Facebook, I'd go: null (FALSE) 0 i* SHA1 ( swordfish1 : facebook) [ 0 ... 8 ] = 977046ce null (FALSE) 0 i* Therefore, the email address is facebook-977046ce@myname.com null (FALSE) 0 i* If any character of that email address is modified, it becomes invalid, null (FALSE) 0 ipreventing an attacker from deriving your other email addresses from a single null (FALSE) 0 ipoint (and making it hard to derive them given multiple points) null (FALSE) 0 i null (FALSE) 0 iI implemented the code, but it soon became apparent that this was overkill and null (FALSE) 0 iI was targeting the wrong behaviours. It was a fun exercise, but ultimately null (FALSE) 0 ipointless. This is the one method on this page that I don't still use. null (FALSE) 0 i null (FALSE) 0 iHONEYPOTS null (FALSE) 0 i null (FALSE) 0 iGeekiness: 8/10 null (FALSE) 0 iEfficacy: ?/10 null (FALSE) 0 i null (FALSE) 0 IEmails to multiple email addresses reach an inbox, but senders who reach a "honeypot" inbox are blocked from reaching the real inbox. /2024/06/honeypot.svg danq.me 70 i null (FALSE) 0 iA honeypot is a "trap" email address. Anybody who emails it get aggressively null (FALSE) 0 imarked as a spammer to help ensure that any other messages they send - even to null (FALSE) 0 ivalid email addresses - also get marked as spam. null (FALSE) 0 i null (FALSE) 0 iI litter honeypots all over the place (you might find hidden email addresses null (FALSE) 0 ion my web pages, along with text telling humans not to use them), but my null (FALSE) 0 ibiggest source of honeypots is formerly-valid unique addresses, or "guessed" null (FALSE) 0 icatch-all addresses, which already attract spam or are otherwise compromised! null (FALSE) 0 i null (FALSE) 0 iI couldn't tell you how effective it is without looking at my spam filter's null (FALSE) 0 ilogs, and since the most-effective of my filters is now outsourced to Proton, null (FALSE) 0 iI don't have easy access to that. But it certainly feels very satisfying on null (FALSE) 0 ithe occasions that I get to add a new address to the honeypot list. null (FALSE) 0 i null (FALSE) 0 iINSTANT THROWAWAYS null (FALSE) 0 i null (FALSE) 0 iGeekiness: 5/10 null (FALSE) 0 iEfficacy: 6/10 null (FALSE) 0 i null (FALSE) 0 iOpenTrashmail is an excellent throwaway email server that you can deploy in null (FALSE) 0 iseconds with Docker, point some MX records at, and be all set! A throwaway null (FALSE) 0 iemail server gives you an infinite number of unique email addresses, like null (FALSE) 0 iother solutions described above, but with the benefit that you never have to null (FALSE) 0 isee what gets sent to them. null (FALSE) 0 i null (FALSE) 0 IEmails are delivered to an inbox and to a trash can, depending on the address they're sent to. The inbox subscribes to the trash can using RSS. /2024/06/trashmail.svg danq.me 70 i null (FALSE) 0 iIf you offer me a coupon in exchange for my email address, it's a throwaway null (FALSE) 0 iemail address I'll give you. I'll make one up on the spot with one of my null (FALSE) 0 i(several) trashmail domains at the end of it, like null (FALSE) 0 ijustgivemethedamncoupon@danstrashmailserver.com. I can just type that email null (FALSE) 0 iaddress into OpenTrashmail to see what you sent me, but then I'll never check null (FALSE) 0 iit again so you can spam it to your heart's content. null (FALSE) 0 i null (FALSE) 0 iAs a bonus, OpenTrashmail provides RSS feeds of inboxes, so I can subscribe to null (FALSE) 0 iany email-based service using my feed reader, and then unsubscribe just as null (FALSE) 0 ieasily (without even having to tell the owner). null (FALSE) 0 i null (FALSE) 0 iSUMMARY null (FALSE) 0 i null (FALSE) 0 iWith the exception of whatever filters your provider or software comes with, null (FALSE) 0 imost of these options aren't suitable for regular folks. But you're only a null (FALSE) 0 idomain name (assuming you don't have one already) away from being able to give null (FALSE) 0 iunique email addresses to everybody you deal with, and that's genuinely a null (FALSE) 0 igame-changer all by itself and well worth considering, in my opinion. null (FALSE) 0 i null (FALSE) 0 iLINKS null (FALSE) 0 i null (FALSE) 0 hProtonMail URL:https://proton.me/mail (FALSE) 0 hMozilla Thunderbird URL:https://www.thunderbird.net/ (FALSE) 0 hFreeDeedPoll.org.uk URL:https://freedeedpoll.org.uk/ (FALSE) 0 hMy blog post about making unique email addresses in GMail using plus-sign notation URL:https://danq.me/2017/09/26/gmail-plus/ (FALSE) 0 hWhich you should URL:https://indieweb.org/personal-domain (FALSE) 0 hOpenTrashmail URL:https://github.com/HaschekSolutions/opentrashmail (FALSE) 0 .