fedops blog

Privacy in Computing

Wed 25 May 2022

The Case for Per-Service Email Addresses

Posted by fedops in Security   

Phishing, online scams, and identity theft are big problems. All three of them are quite closely related, and to a significant degree revolve around something virtually everyone has these days - an email address. Let's look at the definitions real quick:

Phishing is a type of social engineering where an attacker sends a fraudulent (deceptive) message designed to trick a person into revealing sensitive information to the attacker.

A scam is a deceptive scheme or trick used to cheat someone out of something, especially money.

Identity theft is the crime of obtaining the personal or financial information of another person to use their identity to commit fraud, such as making unauthorized transactions or purchases.

Not Your Granny's Spam Anymore

In general these activities are performed as organized crime; i.e. an actual company specializes in crafting attacks and deploying them against tens, sometimes hundreds of thousands of victims, in waves. Even a relatively low success rate of maybe 1 in 1000 will still result in a positive business case.

Everyone has received what we like to call spam emails. These used to be "call this number for cheap Viagra" type mass mailings which were easily identified and deleted. Not any more. Well, they still roll in but more concerningly nowadays you also receive a well-prepared email which appears to be from your actual bank asking you to download a bank statement by clicking on a link. Or a message from the insurance advising you they made an accounting error for which you can claim your money back by reviewing the attached PDF. Or the tax advisor asking you to confirm their declaration. Etc.

They have well-formatted letterheads, use wording consistent with their claimed origin, have legal disclaimers attached, ... In other words, at first (and sometimes, second and third) glance they look legit. And usually they try to rush you into immediate action, almost invariably because money appears to be at risk.

Why Is This A Thing?

The main reason such large-scale waves can be efficiently executed is because "harvested" email addresses are bought and sold on the black market, for pennies apiece. If an organization buys 100,000 email addresses for 1,000 Euros, launches a wave, and manages to steal several thousand Euros from just a few victims, they come out making a profit.

The underlying problem is that email addresses are used everywhere, can be easily obtained, and can be used to very cost-efficiently deliver such attack waves, at zero risk to the attackers.

Where Do The Addresses Come From?

Preventing your email address from being stolen is surprisingly hard. For example, you may have registered it at Amazon, and you purchase something from a marketplace vendor. Amazon automatically submits your order, including your email address, into the vendor's IT system for them to process the order and ship your product. This system may be infected with malware, or may just be operated by shady characters, and your email address is siphoned off of it; in other words, harvested. It will actually be a comparatively valuable (i.e., expensive on the dark web) address because it is verified -- you've been using it to log on to Amazon just a minute ago and you are receiving emails there. All this happened without your knowledge, on a computer somewhere owned by a company you've never heard of.

Other avenues include mailing list and website registrations. Everywhere you go on the web these days, sites will ask you to register or sign up for some petty benefits, like daily newsletters, coupon codes, rebates, or even just to tweak settings. The usual way to do that is by providing an email address. And of course if something is "free", usually you are the product. Some sites will outright sell that information, but in many cases their security is lacking and sooner or later a hack will lead to the address database being copied/leaked/stolen.

The same goes for your brick & mortar tire dealer or the motel you stayed at that ask for your email address to send you the invoice, etc. Want to bet their system still runs Windows XP, has no virus scanner, and is riddled with questionable software?

What To Do?

Ok so it's hard to prevent email addresses going places. What can you do? Two things:

  1. be mindful what you sign up to and err on the side of caution[1]
  2. use per-service email addresses

This will not prevent getting hit with phishing or scam emails, but it will make it easier to identify them as such. Here's how.

Let's say you register at that motel because you want to get the reduced members' rate. To register you use the address <fedops-motel@your.domain>. From now on that motel chain's communication will reach you at that address, and that address only.

Next, you need to give your bank an email address to reach you, and you use <fedops-bank@your.domain>. Same deal, bank emails will now go to that address. None of these addresses will get used anywhere else - for every company and every service you come up with a new address.

Now, if that motel's Windows XP machine gets popped and your and thousands of other email addresses end up being hit with a scam wave, all of a sudden you will receive an email which purports to be from your bank (or your insurance or your car leasing firm). But it will be addressed to <fedops-motel@your.domain>, because that's the address that got stolen. You have never given that address to your bank (or insurance). So with just one look you can identify this mail as being fake, no matter how legit it looks, and delete it. Case closed. Plus, you can even tell which entity lost your address.

Isn't This Hard?

There's clearly additional effort on your part:

  • You need to come up with addresses per-service as you go.
  • I strongly recommend you keep track of the addresses you used so you know who's the perpetrator and also to prevent you from accidentally using the same address multiple times. A good way to do that is to put the address into your password manager where you also store the password and any other information related to that account, such as your motel membership number.
  • You need some way to register all those addresses and to somehow collect them into your mailbox.

The last part is the most difficult one. You don't want to deal with dozens of mailboxes, so you need some service to collect them and forward them to your actual mailbox.

If you self-host your email you have that covered. Either you create email aliases on your server, or you use what's called a catch-all address. Following the pattern above everything after the "-" is stripped off and the mail is forwarded to the "fedops" mailbox on your server.

If you use hosted email (as 90+% of the population do nowadays) you can either use a virtual address service that your mail provider offers (check their service offerings), or you can use sites such as Namecheap or ForwardEmail which provide that independent of where your actual email lives. Search for "email forwarders" to find other companies or organizations providing such services.

Be mindful who you use though, because if that service closes up shop you will suddenly be cut off from receiving mails at any of those addresses. It may be worth paying a reputable provider which hosts both your email /and/ provides that service. And, please, get off of Gmail and Outlook.com while you're at it.

Is This a Replacement for Per-Service Passwords?

Absolutely not! You should absolutely use distinct passwords for your online accounts, and you should maintain this information in your password manager.

But having per-service email addresses further reduces the attack surface, especially in brute-force attacks. If someone obtains the user list of a service they hacked into, utilizing this list in an attack against another service will not help them to gain access to your account since it's not the same address (i.e., user name).

What If An Address Is Compromised?

So you're receiving mails at one of your addresses, and it's driving you nuts. Nigerian spam kings, Viagra, fake bank statements, they just keep rolling in on that motel address.

The best way forward is to go to the motel's site, log in with your account credentials (which you have saved in your password manager, right?), and change your email address. You retire <fedops-motel@your.domain> and change it to <fedops-motelnew@your.domain>. Only the actual motel emails will go to that new address, the spam continues to arrive at the old one. And this one you simply block in your forwarding setup, or alternatively filter out in your mail software to go to trash immediately. None of your other email addresses are affected by this change.
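The checks described above (strip everything after the "-", compare the alias against who claims to be writing, drop mail to retired aliases) can be automated in a mail filter. The following Python is an added example, not part of the original post; the registry contents, the `.example` sender domains, and the assumption that your mail server records the envelope recipient in `Delivered-To` or `X-Original-To` are all illustrative.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MAILBOX, DOMAIN = "fedops", "your.domain"   # address pattern used in the article
# Constructed registry: alias tag -> sender domains that service legitimately uses.
ALIASES = {"motel": {"motel.example"}, "bank": {"bank.example"}}

def alias_tag(address):
    """Return the part after the first '-' if this is one of our aliases, else None."""
    local, _, domain = address.lower().rpartition("@")
    base, sep, tag = local.partition("-")
    if domain != DOMAIN or base != MAILBOX or not sep or not tag:
        return None
    return tag

def classify(raw, aliases=ALIASES, retired=frozenset()):
    """Return (verdict, tag) for one raw message; tag names the alias that was hit."""
    msg = message_from_string(raw)
    # Prefer the envelope recipient recorded by the mail server; fall back to To/Cc.
    fields = []
    for name in ("Delivered-To", "X-Original-To", "To", "Cc"):
        fields += msg.get_all(name, [])
    tags = [t for _, addr in getaddresses(fields) if (t := alias_tag(addr))]
    if not tags:
        return ("no-alias", None)
    tag = tags[0]
    if tag in retired:
        return ("retired", tag)          # blocked alias: straight to trash
    if tag not in aliases:
        return ("unknown-alias", tag)    # never handed out: treat as suspicious
    sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    ok = any(sender == d or sender.endswith("." + d) for d in aliases[tag])
    # On a mismatch the tag tells you which service leaked the address.
    return ("ok" if ok else "mismatch", tag)

# Constructed sample: mail claiming to be from the bank, sent to the motel alias.
PHISH = (
    "From: Your Bank <service@bank.example>\n"
    "To: fedops-motel@your.domain\n"
    "Delivered-To: fedops-motel@your.domain\n"
    "Subject: Your statement is ready\n\nPlease review the attached PDF.\n"
)
LEGIT = PHISH.replace("fedops-motel@", "fedops-bank@")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, classify(raw))
```

The check only pairs alias with claimed sender; a message that forges the motel's own domain to the motel alias still passes, so it complements rather than replaces your provider's spam and authentication filtering.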

Is This Practical?

I think it is. I've been using this system for about 20 years with a current total of just over 300 email addresses. In that time I have retired about 20 addresses due to unwanted emails, some of them even multiple times.

The most problematic ones have been my (long retired) Adobe account (they have had multiple episodes of parts of their customer databases being stolen[2][3]), eBay and Amazon (3rd party vendors with no opsec on their systems), PayPal (same issue, I don't think PayPal themselves ever got hacked), and 2 web forum registrations where the phpBB installations got hacked[4].

Oh, and the one I used for South African National Parks which I knew was a goner when upon check-in at a rest camp I saw the PC was so full of malware it had basically slowed to a crawl. In addition to the email address I also got my credit card information stolen. That was in 2008, and to this day I'm still getting 1-2 spam mails per day to that address. It would take SANParks another 9 years to finally implement security standards to become PCI DSS-compliant[5].

So yeah - it's some additional work but it's worth it.


  1. And also, provide as few personal details as possible. That motel doesn't need to know your real birth date or marital status. Just fake something. Identity theft is everywhere. 

  2. https://www.zdnet.com/article/adobe-left-7-5-million-creative-cloud-user-records-exposed-online/ 

  3. I was in this one: https://www.bbc.com/news/technology-24740873 

  4. phpBB is just a complete security trainwreck: https://www.cvedetails.com/vulnerability-list/vendor_id-1529/Phpbb.html 

  5. https://www.sanparks.org/about/news/?id=57279