Is A Catch-All Address Worth The Spam? 579
wildzeke writes "I plan on switching Internet providers this summer to get a faster speed. Since losing an email account is the biggest pain when switching providers, I decided to pay the extra money to have email for the domain I registered. One of the options provided is to make one of your email accounts a catch-all account. In other words, any email sent to this domain with out a valid user name, will be dumped in the catch-all account. The question I have, is this a good idea or not? On one hand, it may catch important email such as admin, or postmaster or simply mis-typed user name. On the other hand, the catch-all will open the flood gates to spam who will send to [all user names in the world]@domain.com."
No brainer (Score:4, Insightful)
Disagree (Score:5, Interesting)
If it is a personal domain with perhaps a couple of description pages and even a blog then, like me, you will get no more (from personal experience) than 10+ random (random in the way they are sent to webmaster/admin or anything that * catches other than regular) messages/week. No big deal
A better known site seems to get a greater ranking in auto-traffic (let me generate logos, banners, security, etc for your website). But an email address listed on the site (my site) gets far more spam than a generic catch-all (e.g., I have "email webmonster@....com" as the auto admin address, more emails come to that than webmaster coz it's googled/harvested on those lists).
But the original statement said "I decided to pay the extra money to have email for the domain I registered" WFT?! Go to something like directnic.com, get your domain for $15/yr and get mail forwarding included (including wildcard)!
Re:Disagree (Score:3, Interesting)
But I think it depends on what you are using your domain for; wildcard spam is minor/rare compared to targetted spam:
My main address (unmunged, in this message's header) gets about 500 spams per day. Before I removed the catch-all I was getting almost twice that. Granted I am not everyone, but a few other people are in the same boat as I am. My web host [pair.com] has its own private news server (i.e. not connected to Usenet), and quite a few people who post there talk about getting thousands of spams sent to nonex
Re:Disagree (Score:3, Interesting)
The best is no more 200 virus messages going through names A to Z. I'm sure a good spam filter would take care of the catch-all spam.
My spam rate went way up with my previous provider (servercentral). I don't know if I just got hit hard or if they're just crappy. Lots of it w
Re:Disagree (Score:3, Insightful)
Re:Disagree (Score:5, Interesting)
Re:Disagree (Score:5, Informative)
What is the difference of DirectNIC and PairNIC? I have been using DirectNIC 5 years with no probs.
They are just different registrars. pairNIC is very customer-friendly, offers extra features like IPv6 and SPF, allow direct editing of DNS entries for people who are control freaks (most registrars just allow editing contact info, anything else is like pulling teeth). You can do email forwarding with them too, but I also have web hosting through their parent company and this includes an extensive email system including a custom qmail setup and procmail. I can install ClamAV and other software on my server if I want.
These servers run FreeBSD, a dead operating system, so the Slashdot trolls should have fun with this post :-)
Re:Disagree (Score:5, Interesting)
My company's primary domain is registerd with technical contacts of "hostmaster@[our_domain.com]" and for years we never got a spam. Then about 2 years ago, somebody must have included it in a big master list; now it takes about 30-50 spams a day on average, mostly true "bottom feeder" crap like cialis and vicodin and *adult* crap.
My work email's been out there a lot longer, but doesn't draw nearly the number of spams and about 80% of them are financial/economic scams - mortgage and stock touts, lottery, 419, etc.
Upstream filters are blocking emails with virus attachments; I have no idea how many of those are coming in...
Re:Disagree (Score:5, Informative)
I eventually killed the catch all, resulting in losing email from some places I'd given unique email addresses to. Also went with a 3rd party spam filter ( spamcop.net ) so most spam never makes it to my desktop at all, getting filtered upstream.
Recently I got a Gmail account. Just for grins I thought I'd test their spam filtering capabilities before using it for anything "real". I reactivated my catch all, forwarding it to my Gmail account. In the last 3 weeks my Gmail spam folder has accumulated 163MB of spam, or almost 27,000 individual messages. Gmail is only catching 30-50 percent of it, I've had to manually tag the remainder.
So while all my catch all addresses bounced these past two years the flow has reduced from 3k a day to about 1k a day.
The only reason to have a catch all is if you want lots of untargeted spam. I don't know how these yahoos do their billing, but if any of them base it on what bounces vs. what's read, then having an open address might just mean they'll make more money because of you.
Re:Disagree (Score:5, Informative)
On the contrary wildcard spam is extremely common. When was the last time you ever watched the maillog of a busy MTA? I garuntee you it will be riddled with User Unknown errors from dictionary, Rumplestiltskin and wildcard attacks. It's that way on every mail system I've ever administrated, including the ones I administrate now.
Re:Disagree (Score:4, Insightful)
Well, I think there are wild differences from one domain to another. One of the domains that my company uses for email has been under a sustained dictionary attack for months now. Others get only targetted spam (real or former email addresses plus postmaster@, sales@, etc).
So a catch all may be OK until some spammer decides to make it the target of a dictionary attack. The problem is: what does one do then? At that point, turning off the catch all will probably mean losing lots of non-spam emails.
Re:Disagree (Score:5, Interesting)
Wow. Could you be more wrong? As sysad for two smallish ISPs, I've been seeing serious SPAM attacks as (random string)@domain.com.
As many as 200,000 attempts in 24 hours. Repeatedly, for multiple domains. From hundreds of different sources. (We even put in a double bounce handler to identify source addresses; it was rare to see any single IP addresses attempt to deliver more than 10-20 in a 24 hour period)
While your other points are valid ones, on this one you are dead, dead wrong.
And, to the article poster, NEVER USE A WILDCARD. EVER. A bayesian filter running at 99.98% effectiveness would still not be as accurate as sending all wildcard email to
So close.... (Score:5, Insightful)
The trick is to put useful info into the reply. Try setting up a message in the 'this address does not exist' autoreply. Put in something like 'bob@domain.com does not exist. If you are trying to reach Robert Smith, please resend to robert@domain.com. If you want to reach someone in an administrative capacity, send an e-mail to admin@domain.com'.
You can extend this to all the positions that matter, postmaster, webmaster etc, and a few key people at the domain. The bad guys shouldn't get it, and the poor twinks who have their domain name spoofed will probably ignore it.
The people who DO need to contact you and did either screw up or guess wrong will simply get the info that they need to do right. Win/Win.
-Charlie
Re:So close.... (Score:3, Insightful)
Re:So close.... (Score:5, Insightful)
As a "poor twink" on the receiving end of a lot of spam, I've found that my filters are effective against everything but auto-replies.
Getting a ton of auto-replies from people on vacation, with invalid addresses, support addresses that have changed, and the ever-helpful "you've sent us spam and we've rejected it but our spam filter is too stupid to realize the sender was forged" really gets old after the first week.
Don't use an autoreply and turn your problem into my problem.
Re:So close.... (Score:5, Insightful)
The spammer's SMTP engine will get a mark against the email as bad, and valid ISP's relaying emails for there customers will generate a nice email for you saying that the address is invalid.
Re:No brainer (Score:5, Insightful)
Re:No brainer (Score:4, Informative)
Re:No brainer (Score:3, Interesting)
Re:No brainer (Score:5, Insightful)
His time was very valuable and he just wanted it to work.
Of course, the odds are good that nearly 50% of the people out there are of below-average intelligence, so any plan has to deal with both ends of the bell curve.
Re:No brainer (Score:5, Insightful)
For instance, if a user:
- has used a computer for a number of years (by the sounds of it the very same applications for that same time)
- depends on using the computer for important work
and still can't use it properly (and won't take the time to actually *learn* to use it properly - eg, basic typing/clicking skills), I consider that an intellectual defect.
It's like any other field - if you depend on a particular tool, you have to be able to actually use the tool properly or you'll mess things up repeatedly. And if you do mess things up on a regular basis, that's no one's fault but your own.
Think of all the "valuable time" he has wasted by simply not learning to use his tools.
Re:No brainer (Score:4, Insightful)
But probably the main problem with folks like him is that after going through 7-10 years of schooling he is now "educated" and therefore doesn't need to listen to you or anyone else or take 5 minutes to learn how to do some minor thing correctly the first time. He's got that framed certificate on the wall and his "office manager" to keep him in this "educated" frame of mind for the next 40 years. Doesn't matter how smart you are now or were in the past if your mind is closed to further learning.
If his time was so valuable he would spend an hour sometime and sit down and learn to use the tool, rather than continually breaking the tool and asking someone else to always be there to fix it.
Of course, none of this precludes the fact that 90% of the time the software could be made easier to use in the first place. But it doesn't mean a PhD is a genius. Most of them are just consistent hard workers, and there's something to be said for that too, no matter what their intelligence level.
Re:No brainer (Score:4, Funny)
Q: What do you call someone who finishes at the bottm of his class in medical school?
A: Doctor.
For those unfamiliar with some of the eponymous terms, the Peter Principle says, "Everyone rises at least one level above their competitive skill level." IOW, whereever you end up, you should have been at least one level below that. (and the evidence tends to support this.
The simplest example? I could ROT 13 an answer in a couple of sentences for you to guess but it should be obvious: PHBs. They have to come from some place(!)If you've been around one in particular and watched them achieve the lofty position, them since they were in position(s) before that. Somewhere along the line they were in a position which matched some part of their skill set. Then someone saw how efficient they were in that job and jacked them upward, and *poof*, PHB Level 1.0.
They reach a point where they can't go up, won't go down[1], even at another facility, and aren't capable enough to move laterally, current company or elsewhere.
As a professor of mine pointed out about twenty-five years ago, they're at the apex of their profession (their own skill-levelwise), waiting for the next 10-20-30-40 years to pass by so they can retire. Mostly because they've clogged the ladder and frequently taken training in a field which "had a job waiting for them when they finished". That is one f%cking sickening thought for the tech industry: "The requirement in the USA will be 600k each year for the next ten years...blah, blah, blah". Lots of positions for people to take classes and get a B.S. because that field is like a siren song...God, what a scary thought. It's bad enough now.
[1] Okay, I played a straight line there...I figured if I didn't say something most people wouldn't have caught it.
Re:No brainer (Score:5, Interesting)
Joe Sixpack
Street, City etc...
You'd expect to get it.
If I sent a letter, but with the name in any of these variations:
JoeSixpack
J Sixpack
Joe T Sixpack
You'd still expect to get it, right?
Now do you understand why people are telling you it's spelt correctly, when infact there's an extra space in there?
Perhaps it's the original designers of the email systems we use, who's intelligence has been overestimated. Because they made addresses far to easy to get wrong.
Now, as a web designer. I understand why these things are that way. But many--including intelligent--people don't understand these little technicalites. Because the expectations of other things in life has taught them differently.
Re:No brainer (Score:3, Funny)
IT Management... Where the less you know, the further you go! (I guess it's because you can "relate" better with the average 1D10T...)
Re:No brainer (Score:3, Insightful)
Seems quite reasonable. RFC 821 says:
The only email address required to be case insensitive is postmaster.
Re:No brainer (Score:3, Interesting)
Re:No brainer (Score:3, Insightful)
Re:No brainer (Score:4, Informative)
Chapter 6 concerns itself with address specifications.
The syntax in paragraph 6.1 specifies:
addr-spec = local-part "@" domain
local-part = word *( "." word ) ; uninterpreted, case-preserved
So the local-part is UNINTERPRETED and has its case PRESERVED, presumably to allow case-sensitive handling locally. Moreover, the use of a "."-separated list of words does not imply any structure imposed or recognised by SMTP, it is merely a conveient way to avoid quotes in a large number of cases ("... such occurences carry NO semantics.").
The exception is the local-part "Postmaster" which is required to be recognized using any mixture of case.
So SMTP-servers are not case sensitive, but case preserving when it comes to the local part. The delivery or non-delivery of a message to a recipient however, is a local matter, and SMTP doesn't care about what happens, and whether case-sensitivity is used for this.
It just so happens that local mail systems these days are not case sensitive, although I believe the broken SVR2.2+some bsd+some SVR3/4 based A/UX system I used in the early nineties might very well have been.
(Quotes typed manually from the copy of RFC-822 which I printed out in about 1991 or so. Yes, about the same time some Berners-Lee guy made a few grave mistakes which would end up as the mess we now know as WWW.)
-Lasse
Re:a benefit of catch-all addresses (Score:5, Informative)
It DID help me bust someone for passing on an address which was instantly traced back to them.
Spam however has completely ruined it though for the problems outlined in this article. Unfortunately I can't turn off the catch-all as there are so many 'legacy' addresses from which I might only hear once a year but don't want to miss their email.
I now use http://www.spamgourmet.com/ [spamgourmet.com] instead to create disposable accounts as I have the luxury of being able to kill them (or let them die) if need be. It's free and I highly recommend it.
Re:a benefit of catch-all addresses (Score:3, Informative)
You don't need a catch-all for that. You just need a hosting service that lets you set up forwarders. So, in your example, I'd simply set up a forwarder for yourfreepron@mydomain.net to forward to myrealaddress@mydomain.net. My hosting service adds an "Envelope-To" h
Re:a benefit of catch-all addresses (Score:5, Informative)
My catch-all spam control method (Score:3, Informative)
No big problems here (Score:5, Insightful)
From personal experience, I've found that only a very small percentage of spam I get comes from using the catch-all address. I get only a few junk e-mails to "webmaster", "postmaster", and other generic usernames. A far greater portion of it is addressed to the "real" e-mail address I use that's been plastered all over the web for years and years.
Judging only from my inbox, it would seem that spammers are more likely to use lists of known e-mail addresses than trying to guess valid usernames for a domain. My advice would be to use the catch-all address and just wait and see if spam becomes a problem. Turning off the catch-all wildcard, if need be, is a very simple operation.
Re:No big problems here (Score:2)
If I ever run into trouble, I'll simply identify the valid emails explicitly and put everything else into spam.
Re:No big problems here (Score:2, Insightful)
Spammers ruin it for everybody.
Re:No big problems here (Score:3, Informative)
Also for $9 a year you can buy a redirected e-mail address that changes every 10 days that appears as your whois contact.
Re:No big problems here - not correct for me (Score:2, Interesting)
Re:No big problems here (Score:5, Interesting)
My experience doesn't match. I've got my own domain, hosted on my home computers. I don't use a catch-all address, but my mail logs show anywhere from 400 to 1200 emails daily bounced because they're addressed to invalid email addresses. Roughly 80% of these come with an envelope from address of (null, supposed to be used only by bounce messages). Because spammers are sometimes known to use as an envelope from address on spam, I can't be sure that these are all bounce messages. I am pretty sure, though, that they represent either spammers using a dictionary attack on my domain, or spammers using @mydomain> as a From address for that spam. And the other ~20% are pretty well for sure dictionary attacks on my domain.
Now, I'll admit that while I'm by no means a big-time anti-spammer, I have done my share of reporting spammers to their ISPs and posting on nanae. It's possible that I've gotten on a list of 'known anti-spammers' that spammers use for generating spam from addresses, just for harrassment potential. My experience may apply mostly to those who go beyond filtering in fighting spam. But it is another data point.
Re:No big problems here (Score:3, Informative)
Aside from those, I get virtually no spam, or at least it gets filtered quite reliably.
And I just have a regular yahoo account.
Re:No big problems here (Score:3, Informative)
I am anti-spam, but not particularly vehement about it. I can imagine thought that if I were getting that many mails, I'd probably be howling for blood...
Re:No big problems here (Score:3, Interesting)
My experience so far has been the opposite. I got my own domain about four months ago and put my website there. So far, the only address at that domain that I've publicised on the web has been webmaster@. To date, this address has received only one spam. (To be fair, I think most spammers filter "webmaster" out - my old ISP let me use webmaster@
Re:No big problems here (Score:3, Informative)
Re:No big problems here (Score:3, Interesting)
The same was true for me until a few months ago. My tactic was, whenever I needed to give out an email address, it would be their_company_name@my_domain. If I started getting spam to that address, I'd know who was to blame for selling me out. I could also just blacklist that address.
Then, very recently, after my domain started getting popular on google, I started getting spam sent
Re:No big problems here (Score:3, Informative)
Moderators, please moderate the parent down for being a fool giving fool's advice.
Re:No big problems here (Score:4, Funny)
In other news,
Yep, it's great living in 1997.
(Sorry if it seems I'm piling flames on a fire that's already burning just fine... it's just that your post contained such tempting kindling!)
Re:No big problems here (Score:3, Interesting)
Re:No big problems here (Score:4, Interesting)
BTW, you're intentionally inciting a DoS attack on the RFCI folks. Don't you know that's illegal? Maybe you should just step away from the computer now before you really get yourself into trouble.
Your shouldn't worry about that (Score:4, Insightful)
conditions (Score:2, Funny)
Re:conditions (Score:3, Funny)
I think foo@bar.org might get even more.
I'm too lazy for that (Score:2)
Re:conditions (Score:2)
bayesian filter is your friend (Score:2, Insightful)
It'd be like filtering a firehose (Score:3, Informative)
Accepting email from 1000's of possible email addresess @ your domain when you know they're all bogus is just asking for punishment.
bounce? (Score:2, Insightful)
Seems like a useless feature.
Really , (Score:2, Funny)
Isn't that the POINT? (Score:5, Insightful)
Here's one way to get the most from it (Score:5, Informative)
Use subdomains (Score:5, Informative)
What I've been doing for the last couple of years is using a catchall at a subdomain of my actual domain. The typical dictionary spams (postmaster, sales, etc) don't come in, because they only work on top level domains (otherwise spammers would be wasting a large amount of time spamming "sales@www.domain.com" which pretty much never exists..
When I sign up for an account at example.com, I just register as example.com@catch.mydomain.com. If I get spam, I can block it, and it doesn't interfere with my actual domain. If I decided one day I get too much spam to it, I could just switch to another subdomain name.
Re:Here's one way to get the most from it (Score:4, Informative)
This is what I do... (Score:3, Funny)
Nope (Score:3, Insightful)
The ideal setup is to have several addresses.
One for close friends, associates, individuals and people who the address is sent to privately.
A second address for mailing lists, and any kind of public posting.
And a third address for anything guarenteed to end up in you getting spam. (Website signups for instance)
Then you simply drop it into three different folders. This method combined with a good spam filter can eliminate virtually all spam.
the whole /point/ of a catchall address is spam (Score:5, Insightful)
I agree (Score:2)
I've gotten maybe a dozen spams with "made up" to: fields. I think the OP is over-analyzing all this.
Re:the whole /point/ of a catchall address is spam (Score:5, Informative)
Re:the whole /point/ of a catchall address is spam (Score:5, Insightful)
Re:the whole /point/ of a catchall address is spam (Score:5, Interesting)
I do this as well. I used to have an email address from MailBank (later changed to NetIdentity). They buy up domains with last names so you can do firstname@lastname.com. They started off charging $5 a year for email and now it's $25/year. I got fed up with it and bought my own domain name.
Best move I did. I have greater control over it and feel more security about it as well.
There is a free DNS service held by ZoneEdit [zoneedit.com]. If you only use it for one domain, it allows free email forwards, web forwards, etc. It has about all the services I could ask for (except hosting) for free (assuming you don't go over a quota).
I have emails redirected to my gmail account as well as comcast (which also hosts my personal website). I could host this on my own computer or elsewhere and I have a lot of freedom to do what I want.
And as the parent said, being able to create email addresses on the fly allows you to catch businesses that sell your email address, or find out where the spammers mostly target (and as another poster said, Slashdot is worst of all the ones I've created). It also makes it easier to filter with gmail and do searches and so forth.
I know I'm being mostly redundant as others, but I can't emphasize enough how valuable this is, especially to a computer geek. And I'm only paying $7/year for all this! I can't mod the parent up any more so I just want to re-iterate the value of catchall addresses and owning your own domain name.
Re:the whole /point/ of a catchall address is spam (Score:4, Insightful)
I used cnnsi@mydomain. cnnsi sold it and now I get several hundred spam a day there.
Are you sure they sold it, or were you merely a target of a dictionary attack (the dictionary being domains)? Same will go for amtrack@. All a spammer has to do is decide it's a significant enough domain to add to a dictionary and, BAM, you're getting spam there without any kind of TOS violation on Amtrack's part. Common word domains like amazon@ have long been dinged, and it is foolish to blame the company for your own poorly thought out system.
If you really want to use a catch-all to track who sells your address, you have to use a hash or something else that you keep entirely secret and is not easy to guess, like c66915c4ff6a27e5f3aac08f58130ba9 for . . . guess who! :-) Otherwise you're just adding to the abuse that the spammers are dishing out to you.
My own experience with a catch-all is that you're safe until you're hit by a dictionary attack, and then it never stops. I have domains with next to no traffic and a catch-all is fine, but in the last year I've had two of them get hit by dictionary attacks and after that each domain gets an increasing stream of spam attempts, currently around 1000/day. That's bad enough that I shut off the catch-all for the one I don't really use it with. The other one keeps SpamCop [spamcop.net] full.
Do It (Score:2)
lots of spam (Score:2)
I gave it up after a year (Score:5, Interesting)
Spammers are trying dictionary attacks against domains to try and guess live accounts. I would get 500+ copies of the same message to made up names in alphebetical order a day.
That being said, I have since gotten on the Gmail beta, and just forward all my mail there now. It has a far better spam rejection rate then anything else I have tried, so if you forward all your mail to a google account and let them try and sort out the spam, it would probably be usable (and maybe even helpful to them to train their filters).
Spam ID .. (Score:3, Informative)
With this ability you can make an e-mail address for each use of your e-mail for sites and forums like Slashdot@Domain.com and if you start getting spam at that address you can quiet happily block it via the filter.
One Person's Experience (Score:2, Interesting)
I have one of my e-mail addresses configured to catch all the "bad" addresses as you are talking about. There is an extraordinary amount of crap that account gets every day. It really isn't worth it, especially if you have the admin and postmaster addresses dump to your primary mail account.
mr_you_only_know_this_one@mydomain.com (Score:2, Interesting)
I've had one for years... (Score:2)
I say go for it, because you can use filters to direct different addresses to different folders, which can be useful.
Yes (Score:3, Funny)
It doesn't really happen (Score:2, Redundant)
NO! (Score:2)
Been there, done that (Score:4, Interesting)
I run several catch-alls on my domains for several years, and I've never been spammed at [all]@[domains].com. However, just last week all my domains were hit by an email virus that did a dictionary-based attack. While it was all still caught by my spam filter, my spam filter is client-side, and after downloading 18200 emails, I decided it was time to shut down the catchalls.
The only thing I really had to do was notify my friends, who are long used to typing whatever they want into the username section of the domain, tailored to whatever it is they want (eg boywhowillfixmycomputer@, bikemechanicmanwhowillalsofixmycomputer@ etc).
Re:Been there, done that (Score:5, Funny)
The worst thing is when your so-called friends figure out for themselves that you have a catchall set up, so you start receiving emails to pigfucker@yourdomain, grabass@yourdomain etc... and it's not even spam, it's from your friends!
I now use the free http://www.spamgourmet.com/ [spamgourmet.com] for my disposable addresses and highly recommend it.
Up your spam by a factor of 100 (Score:2)
In my limited experience, most of the dictionary attacks come from IP's that traceroute back to Singapore. Just blocking all incoming SMTP from Singapore IP's would be smart but I don't know how to do something like that.
Speaking from experience (Score:5, Insightful)
1 - most of the spam seems to come to 5 or 6 addresses only - admin, root, sales, webmaster, etc etc. That's cake to filter out straight to trash.
2 - The convinience of being able to sign up for random websites with a different address on the fly is great. For example, signing up on ebay to buy something and using the address "fromebay@mydomain.com" means you KNOW that only one person in the world has your email address so you know who to blame if spam starts coming in, and it is also a piece of cake to automatically filter those ebay emails straight to an ebay inbox, for example.
3 - Not as significant as my first 2 points but still a nice perk in my setup is that I'm able to create email addresses for family and friends on the fly and just setup my own server to split the addresses out into their own inboxes.
So if you will be running the server(s) yourself over slow dsl or cable, the volume of spam MAY be a concern to you. I get about 600-700 spams a day to the common webministrater addresses I mentioned, but it's no concern to me because I don't run the incoming email server and my dsl is more than fast enough to d/l them in a few seconds.
But in any other case, I'd say it's well worth it! And on a slightly different note, I have been very impressed with the honesty and adherence just about everywhere has to their privacy policies regarding email addresses. over 2 years of using my system with about 50 "from@domain.com" addresses, only one of them screwed up and got the address on a spam list somehow - cancelling my account with them and filtering those spams straight to trash solved the problem.
No catch-all problems (Score:5, Informative)
In practice, actually, most of the spam-related stuff I get is mail bounces attempting to a random address with a faked from line of 63745624573@mydomain.com (or something like that). I really should look into implementing SenderID, but that would require hosting the server myself on a my dynamic IP instead of letting my web host take care of it.
See if you can flip it the other way 'round (Score:2)
Well between the new viruses and SPAM tactics that try random first names, that wasn't at all working. So I flipped the mode. Now NOTHING gets forwarded, excpet for ones I specify. This means I have to go add a new forward before giving out a new e-mail to a compnay whereas before I'd
In a word... (Score:5, Informative)
is this a good idea or not?
No, it's not a good idea. Looking through my mail server (and other mail servers I administer) I've seen A LOT of attempts by spammers to harvest email addresses by just trying a lot of common names on the domain (and some strange not so common addresses). If you had a wildcard address, you'd get all that spam to that box.
With no wildcard email address if people miss-spell a name on your domain, they'll get a prompt bounce message (and they'll probbably figure out the miss-spelling). With a wildcard they'll never figure out the miss-spelling, and may continue to use that wrong address.
There's also the problem of auto-generated virus bounce messages from other peoples servers. Most viruses lie about their from address, and can even make up a @yourdomain.tld. If you had a wildcard all those erroneous "you sent a virus" messages would go to your wildcard box instead of just bouncing.
Unless you want an account that's deluged with spam and like wading through it every so often on the off-chance someone sent a message to admin or postmaster, I'd not create a wildcard box.
Give it a try (Score:3, Insightful)
When I had my catch-all account, I rarely got any spam, and that's probably because most spammers won't really bother with trying to send you something at afhg329087dsfljifd90hlg@domain.com or whatever.
Just dump non-existent users (Score:5, Interesting)
relay_domains = mysql:/etc/postfix/mysql-relaydomains.cf
relay_r
mysql:/etc/postfix/mysql-alias.cf
relay_transpor
If you don't validate recipients, then you probably SHOULD use a catch-all address. The alternative to this would be bouncing spam back to the (usually forged) sender, in which case you become part of the problem and can cause yourself major queueing problems.
Spam not a problem if forwarding also included (Score:5, Informative)
I set up an account for myself and my wife, and used the free account for a spam bucket. My account is set up as a catch-all. Whenever I sign up for something I use and address in the form slashdot.org@<mydomain>.com so if it does start getting spam I know who sold my e-mail address.
If any spam comes in being caught by the catch-all I set up a forwarder to my spam account. For example dns@<mydomain>.com gets forwarded to spam@<mydomain>.com I then just set up my e-mail client to dump anything that comes in via the spam account directly into the trash.
To date I have received spam on three addresses that didn't really exist (dns@, sales@ and info@), but overall it works very well.
Automatically sorting out SPAM (Score:5, Funny)
Uh, sorry, but that sounds just like the legitimate e-mail I get from some of my friends... :o)
--
Tomas
Use Mailinator! (Score:5, Informative)
Forget the "Catch All" e-mail address. Use Mailinator [mailinator.com].
FYI -- mailinator is a non-passworded public catch-all system. Perfect for temporary site registrations. I use it frequently and its an unbelievably good service...
Catch All != Your Friend (Score:3, Informative)
Spammers recently have turned to more use of the random username approach and the catchall catches, well, all. This can in some cases total to more than 4500 emails a day in some cases. Hardly something you want to pull through a POP3 connection if your ISP doesn't have effective spam filtration.
Quite honestly the catch all serves little purpose if your email transactions are done in a correct manner. mailto: links have NO BUSINESS being on a web site for a company(or personal user for that matter) a simple CGI based contact form shields access from spam bots getting your email address and you can make sure ahead of time that your email address is properly configured.
Secondly, if you are emailing somebody else, most people use a context menu on the email you sent to add you to their address book. Again that eliminates the human error factor.
Also as others have already mentioned, a human will be able to read a mailer daemon response telling them that there was a mistake should they send directly.
My $0.02
SW
Whatever you do... (Score:5, Informative)
postmaster@ is actually required by rfc2821 [rfc-ignorant.org], btw.
As for the subject of the discussion; my catch-all addresses have been fine, but YMMV. If I was that worried about dictionary attacks, but still wanted the ability to give a new address out to each company, I'd do something like *-signup@mydomain or *@signup.mydomain or similar, but you might not have that level of control (in which case I'd recommend finding somewhere better to host your email, but *shrug*).
try this username: spam@example.com (Score:3, Insightful)
So many people use things like:
johnNOSPAM@example.com
john@NOSPAMexample.com
johnREMOVETHIS@example.com...
that the SpamHarvest bots seem to harvest emails and then REMOVE words like:
SPAM
REMOVE
THIS
NOSPAM
before adding the names to their "fresh" list of email addresses to sell.
but if they remove SPAM from SPAM@example.com, they are left with.....
@example.com
which should be undeliverable.
so if your email is SPAM@example.com, you should get email from your friends, but my extensive use of that username on USENET has shown me that it does in fact work! I received only ONE spam email to that address in the past year of using it.
getting back On Topic for a minute, see if you can "disable" the "catchall" or "*" email function at some point. While I have not been hit with a dictionary attack, its obvious from the other posters that it is not uncommon. If you can route all non-assigned usernames to null when you discover this to be a problem, you will save yourself some headaches.
My problem is the bounces from being joe jobbed (Score:3, Informative)
Absolutely not (Score:3, Interesting)
There is but one valid reason for ever having a catch-all address. That reason is if you actually, honestly, truely WANT spam. "Who wants spam?"/I you say? I do. I have a handful of domains that have no other purpose in life but to collect spam. I've seeded addresses from those domains into dozens of spammers' "remove" forms. I built a list of 525,000 proper pronouns and used that to compile a list of userid@spamme-domains.tld addresses to seed those remove forms with. The end result is hundreds of thousands pieces of spam per day flowing into those domains. I archive much of it and automatically report the rest to the FTC as spam. Oh happy day. That's the only valid reason for ever using a catchall address that's publicly exposed to the Internet.
One word: greylisting (Score:5, Interesting)
I run a friends-and-family hosting site (DNS, mail, web) for about 50 domains, almost all of which have catchall enabled. One user was getting 500+ spams a day, day in and day out. I was seeing 200-300 per day myself.
Four weeks ago I built the latest sendmail with Milter turned on and installed relaydelay.pl. The next day that user received two (2) emails, both of which were from friends. I got 7 emails, only one of which was spam.
Greylisting is the single most powerful anti-spam system out there. It blocks over 95+% of the spam and it doesn't "false positive" because it isn't doing pattern matches, Bayesian filtering or anything like that. It simply gives a TEMPFAIL to any email that has an unknown (from, to, server-IP) triple. If they come back more than X minutes later and less than Y minutes later, they are let through. Spammers almost always are using fire-and-forget SMTP servers so they don't retry, and so you never see their garbage. Positively elegant.
If you are the sysadmin, check it out and install it. Otherwise, hound your admin/ISP to install it. It saves bandwidth, aggravation, and time.
The corks just don't come out the way they used to.
-- My Wife, dealing with one of the new Corqs(tm)
It will increase your spam. period. (Score:3, Informative)
Having done the same thing before, I can say that without a doubt, it will increase your spam.
The thing is that alot of spammers seem to literally shotgun a domain with information harvested, then use those plausible usernames as email addresses. The end result is that your primary email account will get flooded with email not originally destined for it.
If you do intend to do this, I would suggest the following:
Having these on when you check and go through your mail will cause an increase of spam above what you are getting.
Best bet, have the domain name. Use one address, then close it and switch to another, within the domain. Have the original address just junk any future mails it gets once you are sure people have moved to your new address.
Seriously, it's just not a good idea.
Catch-all is usable if you block some usernames (Score:3, Informative)
In my experience, you need to block sales@, info@ and webmaster@. After that, most of the email (and spam) will be coming to the single @ wich you are actually using. There will be occasional bounces to random usernames (from spam spoofing from: addresses), but not very many in my experience.
By the way there is no spam to unpublished postmaster@ addresses, probably because this is not an address spammers want to irritate
Some other users have complained that they got under a dictionary attack like you describe. But not me.
Re:If I understand correctly, ... (Score:4, Informative)
When an SMTP session is started, two pieces of data MUST be sent before the message. Those fields amount to "from" and "to" fields and are sent sequentially by "MAIL FROM:" and "RCPT TO:" fields in that order. The "from" portion may be forged, but the "to" field must be correct as it is the address that the server delivers the message to or uses for further forwarding/processing. If the server does not recognize the to field, it will usually return a simple error (550) and may the session at that point. Also, if the server does not like the "from" field (for any reason you can program for), an error can be returned and the session ended.
Again, this is all before the body of the message is sent with the "DATA" command, thus saving potentially megabytes of data transfer. This does note require the "return" address to be correct, as this is happening at the time of delivery and the servers are talking directly about the message.
The body of a message may (but is not required to) contain other headers such as subject, to, from, received, date, content-type, message-id etc, but these fields in the data area have nothing to do with delivery as far as the receiving server is concerned.
Now.. it's possible to configure a server to operate differently, accepting all mail blindly, buffering the messages, then later figuring out where they should go.
My personal server takes the "MAIL FROM:" data and parses it, checking that the remote domain exists and there is an SMTP server that accepts mail for that domain. If any of those checks fail, I return a "not available" error (421) and close the connection.