My Solution for Email Aliases

Clip5
Mar 6, 2024
Hi @Steve and Security Now Listeners,
Long time, first time - After recent discussions in SN965 regarding Mark's issues, as well as Emma in SN963, I wanted to share my solution for email aliases. I was previously a long time user of plus aliases with gmail. Like Mark, I received occasional issues with services not supporting the plus sign in the email field. I most commonly ran into weird issues where a website frontend would accept the plus alias for sign up but the backend would seemingly have issues - I would maybe not receive the confirmation email, or not be able to log into the app.

I have also received spam to username+xxxxxxxxxxx[at]gmail.com - where the x's are literally in the address. They didn't strip the alias, they just overwrote it with x's! I found this especially galling.

So I looked for an alternative solution that wouldn't use the plus sign. When I was searching, this was well prior to many of the current alias solutions that have been discussed in recent episodes, and I believe my solution remains superior on many aspects. I have used this solution at several different providers over the years.

I settled on an email forwarding provider that allows setting regex aliases on a personal domain. I can set simple patterns to match, and corresponding email address or addresses to forward matching emails to. The best part about this solution is that, once set up, I have infinite aliases that I can create on the fly. It's not a solution I would recommend for most people, but I don't think it should be very complicated for Security Now listeners. Here are some examples of my use cases:
  • ^bob-.+@mydomain.tld forwards to username+bob[at]gmail.com
    • Using this I can create any email alias on the fly, just like plus aliasing. Anything sent to bob-[anything] is forwarded to me: bob-amazon[at]mydomain.tld, bob-facebook[at]mydomain.tld, etc.
    • I typically use this for sites where I want to create an account.
    • A site cannot "strip" the alias (like plus aliasing) because it is a non-standard format and only known to me.
    • I can subsequently blackhole any specific aliases that are abused, leaked, or spammed.
  • My whole domain won't be blocked like commercial alias services (e.g. @duck.com, etc.)
  • I can still subscribe to breach notifications on haveibeenpwned.com/DomainSearch
    • This cannot (easily) be done with a commercial alias provider, or plus aliasing
  • The on-the-fly creation is even more convenient than using a browser addon
    • It can be used in-real-life too - like when at a kiosk or at a coffee shop
  • I save the address used for signup in my password manager so I don't have to remember what term I used for any particular website
  • I can create gmail filters to match and sort these alias patterns to organize my inbox
  • More examples of my regex aliases:
    • ^news-.+@mydomain.tld forwards to username+news[at]gmail.com - this could be used for those news websites that now require a valid email address to be entered in order to read a website. I can filter these in gmail to archive automatically, or send to spam, etc.
    • ^family-.+@mydomain.tld forwards to both myself and family members to share an account which regularly requires an email 2FA code (*cough* streaming services *cough*), or for a website that doesn't have a password and uses magic links to login, as has been discussed on the recent podcast episode.
    • ^receipt-.+@mydomain.tld forwards to myself
      • I travel often and need to keep receipts. It is increasingly common for places to only offer emailed receipts. So you need a receipt and the only way to get it is to give them your email. The store will also now automatically sign you up for their rewards and spam list (I find this extremely offensive). Using this alias, I can collect my receipt and mitigate the unrelenting spam that is sure to follow.
    • ^blackhole-.+@mydomain.tld is set up to blackhole at the forwarding provider. It is valid and I could enable forwarding if ever needed
My solution is not without some cons compared to other alias solutions:
  • All of my aliases can be linked under a common domain
    • I believe my pros outweigh this con. This is no different than using plus aliases and this is moot when an alias service is blocked (e.g. @duck.com, etc.)
  • Email replies
    • I cannot easily reply from my alias. I can set up a new sending address through my provider, but this is manual and a hassle.
    • I haven't come across any issues with this in practice. I can reply from name[at]mydomain.tld
I hope you and any Security Now fans find this interesting, happy to answer any questions! @Steve I would love to hear your thoughts on my email alias solution on the podcast!
 
Reactions: SeanBZA and CSPea
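
The routing described in the post above, as an added example (not the poster's or any provider's configuration). It assumes the provider evaluates patterns with search semantics, and the `BURNED` entry, `relative@example.net` and the sample recipients are constructed. It blackholes individual burned aliases before the prefix rules run, and uses an anchored pattern with escaped dots so that look-alike domains are rejected.

```python
import re

DOMAIN = "mydomain.tld"  # placeholder domain used in the post

# prefix -> forwarding destinations (constructed placeholder addresses).
# An empty list means "accept and discard" (blackhole).
RULES = {
    "bob": ["username+bob@gmail.com"],
    "news": ["username+news@gmail.com"],
    "family": ["username@gmail.com", "relative@example.net"],
    "receipt": ["username@gmail.com"],
    "blackhole": [],
}

# Individual aliases that leaked or attract spam; checked before RULES.
BURNED = {"bob-leakyshop@mydomain.tld"}

# Strict form: restricted tag alphabet, escaped dots, whole-string match.
STRICT = re.compile(
    r"(?P<prefix>[a-z]+)-(?P<tag>[a-z0-9._-]+)@" + re.escape(DOMAIN)
)

# The pattern as written in the post: unescaped dot, no end anchor.
LOOSE_BOB = re.compile(r"^bob-.+@mydomain.tld")


def route(rcpt):
    """Return destinations, [] to discard, or None to reject the recipient."""
    addr = rcpt.strip().lower()
    if addr in BURNED:
        return []  # burned alias: blackhole regardless of its prefix rule
    m = STRICT.fullmatch(addr)
    if m is None or m.group("prefix") not in RULES:
        return None  # unknown prefix or look-alike domain: reject
    return RULES[m.group("prefix")]


if __name__ == "__main__":
    for rcpt in (
        "bob-amazon@mydomain.tld",           # forwarded
        "bob-leakyshop@mydomain.tld",        # burned, discarded
        "blackhole-kiosk@mydomain.tld",      # discarded by rule
        "bob-x@mydomain.tld.other.example",  # rejected; LOOSE_BOB would match
        "bob-x@mydomainxtld",                # rejected; LOOSE_BOB would match
    ):
        print(rcpt, "->", route(rcpt), "| loose:", bool(LOOSE_BOB.search(rcpt)))
```
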
Apple also offers a Hide-My-Email service as part of iCloud+.
Many people already have a real iCloud.com email address, so it would be hard for a vendor to block them all.
It requires iOS 15, iPadOS 15, or macOS 12.
 
Reactions: Steve
Hi Steve and everybody... Has anyone tried using periods in the email addresses for GMail? (Example: joe.public@gmail.com is the same as joepublic@gmail.com) I know this works with GMail, and you might be able to filter on that somehow inside GMail... just a thought.