How I stopped worrying and learned to ignore spam

Last week I read a story about spam. A company called Criteo that specializes in unmasking anonymous visitors sold an email address of @fredbenenson. He wasn’t happy about it.

I wrote a short answer on how I think people who care about their email (enough to spend a few dollars) should mitigate most spam, increase their privacy and reduce the danger of identity theft.

Wait, Why?

My proposed solution is not for everyone, but if you get annoyed by spam and you care about your privacy, setting up your own email domain and creating a unique address for each site can really make an impact.

By creating a new email address and password for every site you register with, you’ll achieve 3 goals:

  1. Accountability: When you receive spam, you’ll be able to tell which service was the source of the leak. Simply put: how did the spammers get my email address? In jurisdictions that respect privacy and where sending spam is not legal, this information will expand your legal options to act.
Adobe.com got pwned back in 2013.
  2. Improved privacy: When a marketing service tries to aggregate data from multiple sources, like joining data from your music provider, your social network and your online shopping history, using different email addresses makes it harder for them to build a comprehensive profile of every aspect of your life. In many cases they’ll try to join the data not on your device identifier, your cookie or your name, but on the email address you provided them with.
I didn’t even notice that last.fm got hacked
  3. Improved security: When attackers get your password after hacking a popular service, like a support forum or a social network, they are going to test the list of email addresses and passwords against known services and see where else you used the same password and the same email address. You’d better not reuse your password on multiple sites, but if you have, you’d be safer if you’d used a unique email address for each service. If the attackers try linkedin.com@example.com against your iCloud or Facebook account, you’ll be grateful to have set up a system that makes it harder for them to take over your entire online life.

Buy a domain name

You might already have a domain name if you are a serious blogger, running a small business or you’ve decided you want to host your own portfolio online. Even if you have no interest in that level of exposure, a domain name is not expensive and can add to the perceived reputation of your email address. It doesn’t even require you to host a website on that domain.

This domain is available, but might not be the right one for you

I recommend shopping around, but you can get a .com domain for around $15, and country-level or generic domains are often cheaper, though I’m not sure what kind of impression yourname.xyz would leave on people. Check out gandi.net or namecheap.com for a reasonable domain registrar.

Set up DNS

Most domain registrars will provide you with a DNS service for free. All you need to know is that you’ll have to specify which company will handle your mail; in technical jargon, this is called an MX record for your domain. If you’re not happy leaving the DNS service with the same company you registered the domain with, I recommend using the free basic DNS service provided by Cloudflare, a company that specializes in handling high loads and can easily handle your domain’s traffic. Alternatives include the free tier at Incapsula and Hurricane Internet, which can provide you with a free DNS service, although it won’t include any website protection, just plain DNS hosting.

Sign up to a mail service

You might want a server to host the email traffic for your domain. Since maintaining and running a server just for this is too complicated, time-consuming and needlessly expensive, you’ll want to use a company that specializes in this type of service. This is probably the most expensive part of the deal, since prices tend to go up, as this is typically a service for businesses. Google’s Apps service would host your domain’s mail for $5 per month. A company like Zoho would charge you $10 for the same service. The cheapest option is often the mail service your domain registrar provides. A designated mail hosting company, Fastmail, charges $40 per year. Paying is not entirely necessary if you’re fine using a free email service to actually handle your mail.

Create a catch-all email address

Once you’ve set up a mail hosting service, you’ll create a single main email address. That’s going to be an address you’re not going to give out to people or services. You’ll create another alias to serve as your reply-to address. The address would be a long string of characters, nothing an address-guessing bot would find easily, like fw8xdwjqhr9vasaz@example.com

Next you’ll create a catch-all address. This setup differs by the mail hosting provider you go with, but essentially it requires them to forward everything that lands at your domain (and doesn’t match a real email account) into the catch-all account. That account can be hosted on your domain, but you can also continue to use Gmail if that’s easier. You can set things up so that all mail from fw8xdwjqhr9vasaz@example.com goes to your Gmail account.

If you really don’t want to pay at all, Alexander Tereshkin created improvmx.com just for you.

It’s 2016, you still don’t have to pay for things

You won’t need a mail service if you’re using this solution, and you’ll be able to keep using your free email account from Gmail, Yahoo or outlook.com behind the new domain you’ve set up.

Follow these links to find exactly how to set up the catch all setting with these companies: Zoho, Google, Fastmail, namecheap.
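Here is the accountability idea as an added example (my illustration, not code from any of the services above): a small Python script that reads messages from the catch-all inbox and reports which per-site alias received mail from an unrelated sender. The domain example.com, the alias list, the recipient header order and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "example.com"                          # assumed catch-all domain
ISSUED = {"linkedin.com", "adobe.com", "last.fm"}  # aliases you actually handed out
RCPT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")  # varies by provider

def alias_of(msg):
    """Local part of the first recipient at MY_DOMAIN, or None."""
    for header in RCPT_HEADERS:
        for _, addr in getaddresses(msg.get_all(header, [])):
            local, _, domain = addr.lower().rpartition("@")
            if local and domain == MY_DOMAIN:
                return local
    return None

def classify(raw):
    """(verdict, alias, sender_domain); From is forgeable, so only a mismatch is evidence."""
    msg = message_from_string(raw)
    alias = alias_of(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if alias is None:
        return ("no-alias", None, sender)
    if alias not in ISSUED:
        return ("guessed", alias, sender)   # catch-all hit on an address never given out
    if sender == alias or sender.endswith("." + alias):
        return ("expected", alias, sender)
    return ("leaked", alias, sender)

def leak_report(raw_messages):
    """Map each issued alias to the unexpected sender domains that mailed it."""
    report = {}
    for raw in raw_messages:
        verdict, alias, sender = classify(raw)
        if verdict == "leaked":
            report.setdefault(alias, set()).add(sender)
    return {alias: sorted(domains) for alias, domains in report.items()}

def _mail(sender, **rcpt):
    lines = [f"From: {sender}"] + [f"{k.replace('_', '-')}: {v}" for k, v in rcpt.items()]
    return "\n".join(lines) + "\nSubject: constructed sample\n\nbody\n"

SAMPLES = [  # constructed messages, not real mail
    _mail("promo@mail.last.fm", To="last.fm@example.com"),
    _mail("Deals <deals@cheap-pills.test>", To="adobe.com@example.com"),
    _mail("offers@bulk-mailer.test", To="customers@shop.test", Delivered_To="adobe.com@example.com"),
    _mail("x@random.test", To="info@example.com"),
]

print(leak_report(SAMPLES))
```

The third sample shows why the delivery headers are checked before To: bulk mail often hides the real recipient, and only the header your provider adds still names the alias.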

If you’re not already using one, use a password manager

Every year many services get hacked. David McCandless and Tom Evans created a beautiful visualization to remind you how many services get hacked all the time. If you’re still skeptical, try typing your email address in the search box of haveibeenpwned.com. If you’ve been using the internet for a few years, there’s a good chance it will appear there.

Since it’s just a matter of time until another service is hacked, there are two recommendations to make life somewhat easier:

  • Use a password manager and create a unique, very long password for each service. Since you don’t have to remember it, why not use 25 characters for your password? There are a few leading ones, give them a shot: LastPass, 1Password and Dashlane aren’t too bad.
  • Enable 2-factor authentication on every site that supports it. Here’s a list of all sites that do: twofactorauth.org.

You can probably register a domain and set it up with improvmx in under 10 minutes.

If you can do it faster or have any other helpful recommendations, please comment.
