
Separate Addresses and Have I Been Pwned

Many years ago, I started giving out a different email address to every place that asked for one. To do this, I had to own a domain and set up email hosting. When I first set this up, I accepted email addressed to any address at my domain (a "catch-all"). Since then, email security has improved a lot. As part of tightening things up to use security features like SPF, DKIM and DMARC, I stopped accepting mail for arbitrary addresses and now only accept mail to a list of valid addresses.

A few years ago, a security researcher by the name of Troy Hunt started collecting the dumps of compromised databases and passwords that were floating around the internet. He put together a site called Have I Been Pwned (HIBP). After proving your ownership of a domain, you can request a list of all of the accounts at that domain that appear in the breaches HIBP knows about. You can also do the same thing for a single email address if you don't own a domain.

It's important to remember that this isn't a list of ALL compromised accounts -- only the ones that have made their way to HIBP. That said, I thought that you might be interested in seeing what that list looks like.
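For the single-address case, here is how the same check looks when driven from a script rather than the web form. This is an added example, not the author's code: it uses HIBP's documented v3 `breachedaccount` endpoint, which needs an `hibp-api-key` header (keys are sold on the HIBP site) and a `user-agent` header, answers 200 with a JSON list of breaches and 404 when the address is in no known breach. The fetcher is injectable so the parsing runs offline here against a constructed sample response; the addresses and breach name are made up.

```python
"""Check addresses against the Have I Been Pwned v3 API.

Added example, not the post author's code. The endpoint and headers are
HIBP's documented ones; the sample addresses and breach data below are
constructed so the parsing can be exercised without network access.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://haveibeenpwned.com/api/v3/breachedaccount/"


def fetch_hibp(account, api_key):
    """Live fetcher: returns (status, body_text) for one account."""
    url = API_BASE + urllib.parse.quote(account, safe="") + "?truncateResponse=false"
    req = urllib.request.Request(url, headers={
        "hibp-api-key": api_key,
        "user-agent": "per-service-address-audit",  # HIBP rejects requests with no UA
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def parse_breaches(status, body):
    """Turn one HIBP response into a list of (name, breach date, data classes).

    404 is the documented "not in any breach" answer, not an error. Anything
    else unexpected (401 bad key, 429 rate limited, 5xx) raises so that it
    is never mistaken for a clean result.
    """
    if status == 404:
        return []
    if status != 200:
        raise RuntimeError(f"HIBP returned HTTP {status}: {body[:200]}")
    return [
        (b["Name"], b.get("BreachDate", "?"), tuple(b.get("DataClasses", [])))
        for b in json.loads(body)
    ]


def audit(accounts, fetcher):
    """Map each address to its breaches; clean addresses map to []."""
    return {acct: parse_breaches(*fetcher(acct)) for acct in accounts}


def needs_password_rotation(breaches):
    """True if any breach for the address is known to have exposed passwords."""
    return any("Passwords" in classes for _, _, classes in breaches)


# Constructed stand-ins for the live API so the example runs offline.
SAMPLE_RESPONSES = {
    "sales@example.com": (200, json.dumps([
        {"Name": "ExampleBreach", "BreachDate": "2016-02-01",
         "DataClasses": ["Email addresses", "Passwords"]},
    ])),
    "friends@example.com": (404, ""),
}


def sample_fetcher(account):
    return SAMPLE_RESPONSES.get(account, (404, ""))


if __name__ == "__main__":
    # For real use: audit(addresses, lambda a: fetch_hibp(a, API_KEY))
    for acct, breaches in audit(SAMPLE_RESPONSES, sample_fetcher).items():
        print(acct, "->", breaches or "not in any known breach",
              "(rotate password)" if needs_password_rotation(breaches) else "")
```

The endpoint is rate limited per key, so a domain-sized audit should sleep between calls or back off on 429 rather than hammer it.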


In most cases, I left the account name, but a few of these accounts don't belong to me (they're accounts created for friends or family), so I've blocked them out entirely. One that's interesting is sales -- that's an address that I NEVER used or gave out. Someone tried it at random back when I accepted mail to all addresses. Since it didn't bounce, they added it to their spam list.

When I discover that an account has been compromised, I do a few things. 
  1. I think about whether I even need the account any more. It turned out that I didn't need many of the compromised accounts, so I closed those accounts entirely.
  2. If I'm going to keep the account, I change the password. I use a long, unique password generated by my password manager. 
  3. I change the email address associated with the account. Since I own the domain, that's easy to do.
  4. I remove the compromised address from the list of allowed addresses. You can go ahead and try to send email to any of the addresses in the picture. It won't work.

It's probably worth mentioning that this is all part of a larger email strategy.
  1. Most of these service-specific addresses are forwarded to a "junkmail" address that I read once or twice a week.
  2. Mail from friends and family goes to a separate address that I check roughly daily.
  3. A small number of service-specific addresses forward to a "critical services" account that alerts me right away for every message. Things like bank security alerts go here.

It's all a bit complicated to set up and maintain, but it works well for me. It makes it easy to get my head into the right frame of mind for every email message that I receive, and it makes it easy to block anyone who abuses my trust.
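To make the allow list, the three tiers and the "retire and reissue" steps concrete, here is a small model of that strategy. It is an added example, not the author's mail configuration: the domain example.com, the tier names and the "service-randomsuffix" naming scheme are assumptions, and a real setup would feed the allow list into the mail server's recipient table.

```python
"""Route mail to per-service addresses and retire compromised ones.

Added example, not the post author's setup. The domain example.com, the
tier names and the "service-<suffix>" naming scheme are assumptions; the
three tiers mirror the post's junkmail / friends / critical mailboxes.
"""
import secrets

DOMAIN = "example.com"
JUNK, FRIENDS, CRITICAL = "junkmail", "friends", "critical"


class AddressBook:
    """The list of valid addresses, each tied to one service and one tier."""

    def __init__(self):
        self.routes = {}      # local part -> (service, tier)
        self.retired = set()  # local parts that must never be accepted again

    def issue(self, service, tier=JUNK, suffix=None):
        """Mint a unique address for a service. The random suffix means a
        leaked address cannot be guessed from the service name alone."""
        local = f"{service}-{suffix or secrets.token_hex(3)}".lower()
        if local in self.routes or local in self.retired:
            raise ValueError(f"{local} already issued")
        self.routes[local] = (service, tier)
        return f"{local}@{DOMAIN}"

    def route(self, rcpt):
        """Return the mailbox tier for a recipient, or None to reject it.

        Rejecting at SMTP time (RCPT TO) rather than accepting and bouncing
        later avoids backscatter and, as the post found with sales@, never
        confirms to a guesser that a random address exists."""
        local, sep, domain = rcpt.strip().lower().partition("@")
        if sep != "@" or domain != DOMAIN or local not in self.routes:
            return None
        return self.routes[local][1]

    def owner(self, rcpt):
        """Which service was given this address? That is who leaked it."""
        local = rcpt.strip().lower().partition("@")[0]
        entry = self.routes.get(local)
        return entry[0] if entry else None

    def compromised(self, rcpt, suffix=None):
        """Steps 3 and 4 from the post: drop the old address from the allow
        list for good and hand the service a fresh one on the same tier."""
        local = rcpt.strip().lower().partition("@")[0]
        service, tier = self.routes.pop(local)
        self.retired.add(local)
        return self.issue(service, tier, suffix)


if __name__ == "__main__":
    book = AddressBook()
    shop = book.issue("shop")                 # forwards to junkmail
    bank = book.issue("bank", CRITICAL)       # alerts right away
    print(book.route(shop), book.route(bank), book.route("sales@example.com"))
    fresh = book.compromised(shop)
    print(book.route(shop), "->", fresh, book.owner(fresh))
```

The `owner` lookup is the quiet payoff of one address per service: when spam arrives at an address only one company ever had, you know exactly who lost or sold it.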
