
Separate Addresses and Have I Been Pwned

Many years ago, I started giving out a different email address to every place that asked for one. To do this, I had to own a domain and set up email hosting. When I first set this up, I accepted email addressed to any address at my domain. Since then, email security has improved a lot. To use security features like DMARC, I had to stop accepting all addresses and had to only accept mail for a list of valid addresses.

A few years ago, a guy by the name of Troy Hunt started collecting the lists of compromised databases and passwords that were floating around the internet. He put together a site called Have I Been Pwned (HIBP) and after proving your ownership of a domain, you can request a list of all of the accounts at that domain that have been compromised. You can also do the same thing for a single email address if you don't own a domain.

It's important to remember that this isn't a list of ALL compromised accounts -- only the ones that have made their way to HIBP. That said, I thought that you might be interested in seeing what that list looks like.


In most cases, I left the account name, but a few of these accounts don't belong to me (they're accounts created for friends or family), so I've blocked them out entirely. One that's interesting is sales -- that's an address that I NEVER used or gave out. Someone tried it at random back when I accepted mail to all addresses. Since it didn't bounce, they added it to their spam list.

When I discover that an account has been compromised, I do a few things. 
  1. I think about whether I even need the account any more. It turned out that I didn't need many of the compromised accounts, so I closed those accounts entirely.
  2. If I'm going to keep the account, I change the password. I use a long, unique password generated by my password manager. 
  3. I change the email address associated with the account. Since I own the domain, that's easy to do.
  4. I remove the compromised address from the list of allowed addresses. You can go ahead and try to send email to any of the addresses in the picture. It won't work.
It's probably worth mentioning that this is all part of a larger email strategy.
  1. Most of these service-specific addresses are forwarded to a "junkmail" address that I read once or twice a week.
  2. Mail from friends and family goes to a separate address that I check roughly daily.
  3. A small number of service-specific addresses forward to a "critical services" account that alerts me right away for every message. Things like bank security alerts go here.
It's all a bit complicated to set up and maintain, but it works well for me. It makes it easy to get my head into the right frame of mind for every email message that I receive, and it makes it easy to block anyone who abuses my trust.
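As an added example (not the author's own tooling), here is a small Python helper that carries out step 4 above against a Postfix-style virtual_alias_maps file, the "list of allowed addresses", and reports which mailbox class each retired alias fed, which tells you how urgently the account behind it needs attention. The domain example.com, the mailbox names junkmail/personal/critical and both input lists are constructed assumptions.

```python
import re

# Constructed Postfix virtual_alias_maps fragment ("alias  destination").
ALIAS_MAP = """\
# service-specific addresses -> junkmail (read once or twice a week)
shop-a@example.com      junkmail@example.com
forum-b@example.com     junkmail@example.com
# friends and family -> personal (checked daily)
family-mail@example.com personal@example.com
# a few services -> critical (alerts right away)
bank-c@example.com      critical@example.com
"""

# Constructed breach report, e.g. the addresses a HIBP domain search lists.
COMPROMISED = ["forum-b@example.com", "Bank-C@example.com", "sales@example.com"]


def parse_alias_map(text):
    """Yield (alias, destination) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            alias, dest = re.split(r"\s+", line, maxsplit=1)
            yield alias.lower(), dest.lower()


def retire_aliases(map_text, compromised):
    """Remove compromised aliases; mail to them will then bounce.

    Returns (new_map_text, report). report["retired"] maps each removed alias
    to the mailbox class it fed (junkmail/personal/critical), so a hit on a
    "critical" alias stands out from one on a junkmail alias. report["unknown"]
    lists reported addresses that were never in the map (the "sales" case: a
    guessed address that only worked while every address was accepted).
    """
    wanted = {a.lower() for a in compromised}
    kept, retired = [], {}
    for alias, dest in parse_alias_map(map_text):
        if alias in wanted:
            retired[alias] = dest.split("@")[0]
            wanted.discard(alias)
        else:
            kept.append(f"{alias}\t{dest}")
    return "\n".join(kept) + "\n", {"retired": retired, "unknown": sorted(wanted)}
```

After writing the returned map back to the file, the usual `postmap` step is still needed before Postfix sees the change.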
