Is A Catch-All Address Worth The Spam? 579
wildzeke writes "I plan on switching Internet providers this summer to get a faster speed. Since losing an email account is the biggest pain when switching providers, I decided to pay the extra money to have email for the domain I registered. One of the options provided is to make one of your email accounts a catch-all account. In other words, any email sent to this domain with out a valid user name, will be dumped in the catch-all account. The question I have, is this a good idea or not? On one hand, it may catch important email such as admin, or postmaster or simply mis-typed user name. On the other hand, the catch-all will open the flood gates to spam who will send to [all user names in the world]@domain.com."
No brainer (Score:4, Insightful)
No big problems here (Score:5, Insightful)
From personal experience, I've found that only a very small percentage of spam I get comes from using the catch-all address. I get only a few junk e-mails to "webmaster", "postmaster", and other generic usernames. A far greater portion of it is addressed to the "real" e-mail address I use that's been plastered all over the web for years and years.
Judging only from my inbox, it would seem that spammers are more likely to use lists of known e-mail addresses than trying to guess valid usernames for a domain. My advice would be to use the catch-all address and just wait and see if spam becomes a problem. Turning off the catch-all wildcard, if need be, is a very simple operation.
Your shouldn't worry about that (Score:4, Insightful)
bayesian filter is your friend (Score:2, Insightful)
bounce? (Score:2, Insightful)
Seems like a useless feature.
spammers should be shot (Score:0, Insightful)
Isn't that the POINT? (Score:5, Insightful)
Nope (Score:3, Insightful)
The ideal setup is to have several addresses.
One for close friends, associates, individuals and people who the address is sent to privately.
A second address for mailing lists, and any kind of public posting.
And a third address for anything guarenteed to end up in you getting spam. (Website signups for instance)
Then you simply drop it into three different folders. This method combined with a good spam filter can eliminate virtually all spam.
the whole /point/ of a catchall address is spam (Score:5, Insightful)
Re:No big problems here (Score:2, Insightful)
Spammers ruin it for everybody.
Speaking from experience (Score:5, Insightful)
1 - most of the spam seems to come to 5 or 6 addresses only - admin, root, sales, webmaster, etc etc. That's cake to filter out straight to trash.
2 - The convinience of being able to sign up for random websites with a different address on the fly is great. For example, signing up on ebay to buy something and using the address "fromebay@mydomain.com" means you KNOW that only one person in the world has your email address so you know who to blame if spam starts coming in, and it is also a piece of cake to automatically filter those ebay emails straight to an ebay inbox, for example.
3 - Not as significant as my first 2 points but still a nice perk in my setup is that I'm able to create email addresses for family and friends on the fly and just setup my own server to split the addresses out into their own inboxes.
So if you will be running the server(s) yourself over slow dsl or cable, the volume of spam MAY be a concern to you. I get about 600-700 spams a day to the common webministrater addresses I mentioned, but it's no concern to me because I don't run the incoming email server and my dsl is more than fast enough to d/l them in a few seconds.
But in any other case, I'd say it's well worth it! And on a slightly different note, I have been very impressed with the honesty and adherence just about everywhere has to their privacy policies regarding email addresses. over 2 years of using my system with about 50 "from@domain.com" addresses, only one of them screwed up and got the address on a spam list somehow - cancelling my account with them and filtering those spams straight to trash solved the problem.
Re:No brainer (Score:2, Insightful)
You'd be surprised at the sheer volume of users who invert a couple of letters or add a space in the middle of the address, and then *insist* that it's spelled correctly, and something must be wrong with our server for not delivering the mail properly to some random domain (not hosted by us). And yes, if they don't believe us over the phone we get them to forward the bounce message to us so we can confirm that.
So, if the concern is old Mrs. Pepperpot isn't going to remember the proper address to type and may in fact enter it into her email address book incorrectly, that's actually a pretty fair assumption.
Give it a try (Score:3, Insightful)
When I had my catch-all account, I rarely got any spam, and that's probably because most spammers won't really bother with trying to send you something at afhg329087dsfljifd90hlg@domain.com or whatever.
Be Careful with Catch-All Accounts... (Score:2, Insightful)
Anyhoo, somehow, someway, somewhy, a spammer got ahold of my domain. And they created just about every possible name you could imagine for my domain: janey123@johndoe.com, rty5632@johndoe.com, ricksmith@johndoe.com, etc. Of course, it's just me at the site. But I suppose they didn't care. To make a long story short, I started getting over 1,000 spam messages per day in my catchall. And now it's grown exponentially. The assholes even send the same spam to the same addy, like, ten at a time. So basically my domain is fucked. And of course, once you get on some dumbass spammer list, they ALL start sending it to you. I've had my catchall account turned off for the last several months, and it's set to bounce back. But it makes no difference.
Every month or so I turn it back on to see if they've given up, but it's just more and more and more of the same. Until a cure for spam is found, I'm dying over here. It makes my e-mail almost useless. Sheesh. Please someone do something about this stuff.
Hopefully this won't happen to you, but if it does, you're screwed.
No catch-ALL, just a catch-SOME (Score:2, Insightful)
- root
- webmaster
- postmaster
- admin
I thought it was better when people use other non-existent addresses that they get a bounceback rather than mail being accepted. Especially with the newer worms/trojans that forge headers to send out mails from blahblah81@yourdomain.com etc.
Re:No brainer (Score:5, Insightful)
His time was very valuable and he just wanted it to work.
Of course, the odds are good that nearly 50% of the people out there are of below-average intelligence, so any plan has to deal with both ends of the bell curve.
So close.... (Score:5, Insightful)
The trick is to put useful info into the reply. Try setting up a message in the 'this address does not exist' autoreply. Put in something like 'bob@domain.com does not exist. If you are trying to reach Robert Smith, please resend to robert@domain.com. If you want to reach someone in an administrative capacity, send an e-mail to admin@domain.com'.
You can extend this to all the positions that matter, postmaster, webmaster etc, and a few key people at the domain. The bad guys shouldn't get it, and the poor twinks who have their domain name spoofed will probably ignore it.
The people who DO need to contact you and did either screw up or guess wrong will simply get the info that they need to do right. Win/Win.
-Charlie
Re:No brainer (Score:5, Insightful)
Re:So close.... (Score:1, Insightful)
That is like when answering the phone and then saying "I am sorry Priest is not home right now.... and sounding off my best attempt at a *beep*
There are timestamps, mail headers etc. that are too time consuming to try to forge, you are better off hoping they will think the mail platforms spam filter ate it.
I say go with the catch all domain, that way you can give out temp aliases like ny-times-reg@domain.com and know when someone sells your alias for spam.
Another piece of advice, is to register the domain with OpenSRS rather than a register.com reseller, because register.com either sells your info or has an easier database to mine from my experience with snail mail from my register.com domains.
Re:No brainer (Score:5, Insightful)
For instance, if a user:
- has used a computer for a number of years (by the sounds of it the very same applications for that same time)
- depends on using the computer for important work
and still can't use it properly (and won't take the time to actually *learn* to use it properly - eg, basic typing/clicking skills), I consider that an intellectual defect.
It's like any other field - if you depend on a particular tool, you have to be able to actually use the tool properly or you'll mess things up repeatedly. And if you do mess things up on a regular basis, that's no one's fault but your own.
Think of all the "valuable time" he has wasted by simply not learning to use his tools.
Re:So close.... (Score:3, Insightful)
Re:the whole /point/ of a catchall address is spam (Score:5, Insightful)
CATCHALLS equals a BOMB = Harmless until exploding (Score:2, Insightful)
while (true); do cat
try this username: spam@example.com (Score:3, Insightful)
So many people use things like:
johnNOSPAM@example.com
john@NOSPAMexample.com
johnREMOVETHIS@example.com...
that the SpamHarvest bots seem to harvest emails and then REMOVE words like:
SPAM
REMOVE
THIS
NOSPAM
before adding the names to their "fresh" list of email addresses to sell.
but if they remove SPAM from SPAM@example.com, they are left with.....
@example.com
which should be undeliverable.
so if your email is SPAM@example.com, you should get email from your friends, but my extensive use of that username on USENET has shown me that it does in fact work! I received only ONE spam email to that address in the past year of using it.
getting back On Topic for a minute, see if you can "disable" the "catchall" or "*" email function at some point. While I have not been hit with a dictionary attack, its obvious from the other posters that it is not uncommon. If you can route all non-assigned usernames to null when you discover this to be a problem, you will save yourself some headaches.
Re:So close.... (Score:5, Insightful)
As a "poor twink" on the receiving end of a lot of spam, I've found that my filters are effective against everything but auto-replies.
Getting a ton of auto-replies from people on vacation, with invalid addresses, support addresses that have changed, and the ever-helpful "you've sent us spam and we've rejected it but our spam filter is too stupid to realize the sender was forged" really gets old after the first week.
Don't use an autoreply and turn your problem into my problem.
Re:So close.... (Score:5, Insightful)
The spammer's SMTP engine will get a mark against the email as bad, and valid ISP's relaying emails for there customers will generate a nice email for you saying that the address is invalid.
Re:the whole /point/ of a catchall address is spam (Score:4, Insightful)
I used cnnsi@mydomain. cnnsi sold it and now I get several hundred spam a day there.
Are you sure they sold it, or were you merely a target of a dictionary attack (the dictionary being domains)? Same will go for amtrack@. All a spammer has to do is decide it's a significant enough domain to add to a dictionary and, BAM, you're getting spam there without any kind of TOS violation on Amtrack's part. Common word domains like amazon@ have long been dinged, and it is foolish to blame the company for your own poorly thought out system.
If you really want to use a catch-all to track who sells your address, you have to use a hash or something else that you keep entirely secret and is not easy to guess, like c66915c4ff6a27e5f3aac08f58130ba9 for . . . guess who! :-) Otherwise you're just adding to the abuse that the spammers are dishing out to you.
My own experience with a catch-all is that you're safe until you're hit by a dictionary attack, and then it never stops. I have domains with next to no traffic and a catch-all is fine, but in the last year I've had two of them get hit by dictionary attacks and after that each domain gets an increasing stream of spam attempts, currently around 1000/day. That's bad enough that I shut off the catch-all for the one I don't really use it with. The other one keeps SpamCop [spamcop.net] full.
Re:No brainer (Score:3, Insightful)
Re:Disagree (Score:3, Insightful)
Re:No big problems here (Score:2, Insightful)
Spam is annoying. Spam is trashy and "unethical". But it's not worth killing someone over.
Just get a new email address. I got a new one and don't get spam anymore (the gmail one above does get spam, though...)
Every time I post this, I get modded down (slashbots hate spam, I guess... I'm pretty indifferent myself), but I'll say it again. I actually think spam is a good way to motivate ISPs to upgrade themselves. If their mail servers die every few days because of the load spam inflicts, they upgrade their servers. That means new features (or more uptime) for you! Bandwidth is the same way... spam uses a lot of bandwidth so the Big ISPs have to upgrade their links. And they aren't doing the bare minimum (when you've dug up the cable, you're going to put more than you need down... digging is expensive, fibre is cheap), they're adding more bandwidth than they need. Which means that slashdot loads faster (or your movie downloads faster). That's a good thing.
Just don't give your email to anyone who asks, and you'll avoid spam. I hear putting numbers in your username helps against dictionary attacks (jrockway in in a dictionary, but jrockw2 isn't).
In closing, please have a drink of your choice and relax a bit. No need to get worked up over spam. And if a gmail invite would calm you down, I'll give you one
Re:Disagree (Score:4, Insightful)
Well, I think there are wild differences from one domain to another. One of the domains that my company uses for email has been under a sustained dictionary attack for months now. Others get only targetted spam (real or former email addresses plus postmaster@, sales@, etc).
So a catch all may be OK until some spammer decides to make it the target of a dictionary attack. The problem is: what does one do then? At that point, turning off the catch all will probably mean losing lots of non-spam emails.
Re:No big problems here (Score:2, Insightful)
They are ones that are ignorant. Blindly following an RFC that ignores the reality of what is happening today is the height of stupidity. Blacklisting somebody for not doing it just plain moronic and asshololic behavior.
But then again there is no shortage of assholes on this planet are there.
Re:No brainer (Score:2, Insightful)
It's not true that catch all is necessarily a violation of any RFCs.
Simply put the situation with catch all is that any possible user exists.
If you accidentally sent your mail to nillgates at yahoo.com instead of billgates at yahoo.com; chances are "nillgates" is also a valid user.
Hence no delivery error occures, and it's perfectly fine.
The MTA isn't required to read minds and determine if the user made a typo. Only to act based on whether the destination mailbox exists are not.
And of course, for catch all... every legal mailbox does exist.
Certain addresses like postmaster@ have to work and have to go to a human, but there's no requirement that ppostmaster@ be considered a typo: after all, the user can exist!
Re:No brainer (Score:4, Insightful)
But probably the main problem with folks like him is that after going through 7-10 years of schooling he is now "educated" and therefore doesn't need to listen to you or anyone else or take 5 minutes to learn how to do some minor thing correctly the first time. He's got that framed certificate on the wall and his "office manager" to keep him in this "educated" frame of mind for the next 40 years. Doesn't matter how smart you are now or were in the past if your mind is closed to further learning.
If his time was so valuable he would spend an hour sometime and sit down and learn to use the tool, rather than continually breaking the tool and asking someone else to always be there to fix it.
Of course, none of this precludes the fact that 90% of the time the software could be made easier to use in the first place. But it doesn't mean a PhD is a genius. Most of them are just consistent hard workers, and there's something to be said for that too, no matter what their intelligence level.
Re:No brainer (Score:2, Insightful)
After 3 or four emails/calls they finally get the point. Until a few weeks later when it starts again.
Argh.
Re:No brainer (Score:3, Insightful)
Seems quite reasonable. RFC 821 says:
The only email address required to be case insensitive is postmaster.