
Separate Addresses and Have I Been Pwned

Many years ago, I started giving out a different email address to every place that asked for one. To do this, I had to own a domain and set up email hosting. When I first set this up, I accepted email addressed to any address at my domain (a "catch-all"). Since then, email security has improved a lot. To use security features like DMARC, I had to stop accepting all addresses and had to only accept mail to a list of valid addresses.

A few years ago, a guy by the name of Troy Hunt started collecting the lists of compromised databases and passwords that were floating around the internet. He put together a site called Have I Been Pwned (HIBP) and after proving your ownership of a domain, you can request a list of all of the accounts at that domain that have been compromised. You can also do the same thing for a single email address if you don't own a domain.

It's important to remember that this isn't a list of ALL compromised accounts -- only the ones that have made their way to HIBP. That said, I thought that you might be interested in seeing what that list looks like.


In most cases, I left the account name, but a few of these accounts don't belong to me (they're accounts created for friends or family), so I've blocked them out entirely. One that's interesting is sales -- that's an address that I NEVER used or gave out. Someone tried it at random back when I accepted mail to all addresses. Since it didn't bounce, they added it to their spam list.

When I discover that an account has been compromised, I do a few things. 
  1. I think about whether I even need the account any more. It turned out that I didn't need many of the compromised accounts, so I closed those accounts entirely.
  2. If I'm going to keep the account, I change the password. I use a long, unique password generated by my password manager. 
  3. I change the email address associated with the account. Since I own the domain, that's easy to do.
  4. I remove the compromised address from the list of allowed addresses. You can go ahead and try to send email to any of the addresses in the picture. It won't work.
It's probably worth mentioning that this is all part of a larger email strategy.
  1. Most of these service-specific addresses are forwarded to a "junkmail" address that I read once or twice a week.
  2. Mail from friends and family goes to a separate address that I check roughly daily.
  3. A small number of service-specific addresses forward to a "critical services" account that alerts me right away for every message. Things like bank security alerts go here.
It's all a bit complicated to set up and maintain, but it works well for me. It makes it easy to get my head into the right frame of mind for every email message that I receive, and it makes it easy to block anyone who abuses my trust.
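Here is an added example, not the author's own tooling, that ties the four-step response above to the three-bucket routing strategy: it takes a domain search result in the shape HIBP returns (an alias mapped to the breaches it appears in; that shape is an assumption to verify against the current API docs) and a local registry of per-service aliases, retires every breached alias, issues a fresh random one routed to the same bucket, flags aliases that were never issued (the "sales" case), and renders the allow-list in Postfix `virtual_alias_maps` format so that anything not listed bounces. The domain `example.net`, the registry, and the breach names are all constructed for illustration.

```python
"""Retire breached per-service aliases and regenerate the alias allow-list.

Added example. The registry, the HIBP-shaped payload, the domain and the
breach names are constructed; nothing here is the author's own tooling.
"""
import secrets
from dataclasses import dataclass, field

DOMAIN = "example.net"  # assumption: the domain whose mail you control

# The three buckets from the post: junkmail (read weekly), personal
# (read daily), critical (alerts immediately).
BUCKETS = {
    "junkmail": f"junkmail@{DOMAIN}",
    "personal": f"personal@{DOMAIN}",
    "critical": f"critical@{DOMAIN}",
}

# Constructed registry: service-specific alias (local part) -> bucket.
REGISTRY = {
    "shop-a": "junkmail",
    "forum-b": "junkmail",
    "bank-c": "critical",
    "family": "personal",
}

# Constructed payload in the assumed shape of HIBP's domain search result:
# alias -> list of breach names. "sales" was never issued; it only exists
# because a spammer probed the old catch-all and the probe did not bounce.
HIBP_RESULT = {
    "shop-a": ["ConstructedBreach2019"],
    "forum-b": ["ConstructedBreach2021", "ConstructedBreach2023"],
    "sales": ["ConstructedSpamList"],
}


@dataclass
class RotationPlan:
    retire: dict = field(default_factory=dict)   # old alias -> breaches
    replace: dict = field(default_factory=dict)  # old alias -> fresh alias
    unknown: dict = field(default_factory=dict)  # never-issued alias -> breaches


def _fresh_alias(alias, taken, suffix):
    """Derive a new alias that collides with nothing known or breached."""
    for _ in range(10):
        candidate = f"{alias}-{suffix()}"
        if candidate not in taken:
            return candidate
    raise RuntimeError(f"could not find a free alias for {alias}")


def plan_rotation(registry, hibp_result, suffix=None):
    """Decide which aliases to retire and what to replace them with.

    `suffix` is injectable so the plan is reproducible in tests; by default
    the new alias gets a random 6-hex-digit tail so it cannot be guessed
    from the old one.
    """
    suffix = suffix or (lambda: secrets.token_hex(3))
    plan = RotationPlan()
    taken = set(registry) | set(hibp_result)
    for alias, breaches in hibp_result.items():
        if alias not in registry:
            plan.unknown[alias] = breaches  # nothing to retire; just note it
            continue
        plan.retire[alias] = breaches
        new_alias = _fresh_alias(alias, taken, suffix)
        taken.add(new_alias)
        plan.replace[alias] = new_alias
    return plan


def apply_plan(registry, plan):
    """Return a new registry: breached aliases gone, replacements keep the bucket."""
    updated = dict(registry)
    for old, fresh in plan.replace.items():
        updated[fresh] = updated.pop(old)
    return updated


def accepts(registry, local_part):
    """True if mail to local_part@DOMAIN would be delivered (i.e. it is listed)."""
    return local_part in registry


def render_virtual_map(registry):
    """Render Postfix virtual_alias_maps lines: 'alias@domain<TAB>bucket@domain'."""
    lines = [f"{alias}@{DOMAIN}\t{BUCKETS[bucket]}"
             for alias, bucket in sorted(registry.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    plan = plan_rotation(REGISTRY, HIBP_RESULT)
    for old, fresh in plan.replace.items():
        print(f"retire {old}@{DOMAIN} ({', '.join(plan.retire[old])}) -> {fresh}@{DOMAIN}")
    for alias, breaches in plan.unknown.items():
        print(f"never issued: {alias}@{DOMAIN} ({', '.join(breaches)})")
    print(render_virtual_map(apply_plan(REGISTRY, plan)))
```

With `virtual_alias_domains = example.net` and `virtual_alias_maps = hash:/etc/postfix/virtual` (then `postmap` on the rendered file), Postfix rejects recipients missing from the map at SMTP time with "User unknown in virtual alias table", which is exactly the bounce the post describes for retired addresses; the bucket mailboxes themselves still need to be deliverable. Changing the address on the service side (step 3) and updating the password (step 2) remain manual.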
