
Separate Addresses and Have I Been Pwned

Many years ago, I started giving out a different email address to every place that asked for one. To do this, I had to own a domain and set up email hosting. When I first set this up, I accepted email addressed to any address at my domain (a catch-all). Since then, email security has improved a lot. To use security features like DMARC, I had to stop accepting mail for every possible address and instead accept mail only to an explicit list of valid addresses.

A few years ago, a guy by the name of Troy Hunt started collecting the lists of compromised accounts and passwords that were floating around the internet. He put together a site called Have I Been Pwned (HIBP), and after proving that you own a domain, you can request a list of every address at that domain that appears in a breach HIBP has indexed. You can do the same thing for a single email address if you don't own a domain.

It's important to remember that this isn't a list of ALL compromised accounts -- only the ones that have made their way to HIBP. That said, I thought that you might be interested in seeing what that list looks like.


In most cases, I left the account name visible, but a few of these accounts don't belong to me (they're accounts created for friends or family), so I've blocked them out entirely. One that's interesting is sales -- that's an address that I NEVER used or gave out. Someone tried it at random back when I accepted mail to all addresses. Since it didn't bounce, they added it to their spam list.

When I discover that an account has been compromised, I do a few things. 
  1. I think about whether I even need the account any more. It turned out that I didn't need many of the compromised accounts, so I closed those accounts entirely.
  2. If I'm going to keep the account, I change the password. I use a long, unique password generated by my password manager. 
  3. I change the email address associated with the account. Since I own the domain, that's easy to do.
  4. I remove the compromised address from the list of allowed addresses. You can go ahead and try to send email to any of the addresses in the picture. It won't work.
It's probably worth mentioning that this is all part of a larger email strategy.
  1. Most of these service-specific addresses are forwarded to a "junkmail" address that I read once or twice a week.
  2. Mail from friends and family goes to a separate address that I check roughly daily.
  3. A small number of service-specific addresses forward to a "critical services" account that alerts me right away for every message. Things like bank security alerts go here.
It's all a bit complicated to set up and maintain, but it works well for me. It makes it easy to get my head into the right frame of mind for every email message that I receive, and it makes it easy to block anyone who abuses my trust.
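Here is a small model of the setup described above, both the per-breach clean-up steps and the three-tier forwarding strategy. It is an added example, not code from the original post, and the domain (example.com), the tier mailbox names and the service addresses in it are assumptions for illustration; a real installation would express the same allow-list as the mail server's alias table. It shows why an explicit allow-list matters: with the old catch-all behaviour a guessed address like sales@ is delivered, whereas with the allow-list it bounces, and retiring a compromised address makes it bounce too.

```python
"""Per-service address routing with an explicit allow-list.

Added example; not code from the original post. Models the post's mail
setup: one address per service, each forwarded to one of three tiers, and
unknown addresses rejected instead of accepted catch-all style. The domain,
tier mailbox names and service addresses below are assumptions.
"""

from dataclasses import dataclass, field

OWN_DOMAIN = "example.com"  # assumed domain

# Tier mailboxes (names assumed): where a forwarded message ends up.
JUNKMAIL = "junkmail"   # read once or twice a week
PERSONAL = "personal"   # friends and family, checked roughly daily
CRITICAL = "critical"   # every message alerts immediately


@dataclass
class Router:
    """Routes inbound mail for OWN_DOMAIN using an allow-list of local parts."""
    aliases: dict[str, str] = field(default_factory=dict)  # local part -> tier
    catch_all: bool = False  # True reproduces the old accept-everything setup

    def add(self, local_part: str, tier: str) -> None:
        self.aliases[local_part.lower()] = tier

    def retire(self, local_part: str) -> bool:
        """Step 4 of the post: drop a compromised address so future mail bounces."""
        return self.aliases.pop(local_part.lower(), None) is not None

    def route(self, recipient: str) -> tuple[str, str]:
        """Return ('deliver', mailbox) or ('reject', smtp_reply)."""
        try:
            local, domain = recipient.strip().lower().rsplit("@", 1)
        except ValueError:
            return ("reject", "501 5.1.3 bad recipient address syntax")
        if domain != OWN_DOMAIN:
            return ("reject", "554 5.7.1 relay access denied")
        tier = self.aliases.get(local)
        if tier is not None:
            return ("deliver", tier)
        if self.catch_all:
            # Old behaviour: anything at the domain is accepted, so a guessed
            # address like sales@ never bounces and stays on spam lists.
            return ("deliver", JUNKMAIL)
        return ("reject", "550 5.1.1 user unknown")


def build_router(catch_all: bool = False) -> Router:
    """Constructed sample alias map in the post's three tiers (names assumed)."""
    r = Router(catch_all=catch_all)
    r.add("shop-example", JUNKMAIL)   # one address per service
    r.add("forum-example", JUNKMAIL)
    r.add("family", PERSONAL)
    r.add("bank-alerts", CRITICAL)    # bank security alerts page you right away
    return r


def handle_breach(router: Router, local_part: str, replacement: str) -> tuple[bool, str]:
    """Steps 3 and 4 of the post for a kept account: retire the compromised
    address and issue a fresh one in the same tier. Returns (retired, new_address)."""
    tier = router.aliases.get(local_part.lower(), JUNKMAIL)
    retired = router.retire(local_part)
    router.add(replacement, tier)
    return retired, f"{replacement}@{OWN_DOMAIN}"


if __name__ == "__main__":
    r = build_router()
    for rcpt in ["shop-example@example.com", "bank-alerts@example.com",
                 "sales@example.com", "family@elsewhere.org"]:
        print(rcpt, "->", r.route(rcpt))
    print(handle_breach(r, "shop-example", "shop-example2"))
    print("shop-example@example.com ->", r.route("shop-example@example.com"))
```

The `catch_all` flag exists only to contrast the two modes; the point of the post is that it stays off, so anything not on the list gets a 550 at SMTP time rather than landing in a mailbox.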
