No more SPAM, ever!

For many years now I’ve wanted to tackle the problem of SPAM e-mail. The source is quite simple: it comes from phishing attacks where you enter your e-mail address into a fake site, or from idiotic chain e-mails that contain countless addresses. Perhaps even more sinister, addresses are harvested from hacking attacks on organisations that hold your details (SQL injection being very common), or from organisations that illegally sell your data. Heck, e-mail addresses are even enumerated to discover which mailboxes exist. The latest breach was an employee stealing and disclosing e-mail addresses.

I’ve been quite sickened over the years by the extent to which my personal data has been stolen and used for SPAM. Having my own domain name has meant that over the years I’ve been able to use a unique e-mail address for certain suppliers, for example: [email protected].

An e-mail address of 16 alpha-numeric characters yields 7,958,661,109,946,400,884,391,936 possible mailboxes. That’s a gigantic number, and guessing a mailbox name would be impossible. Using this approach, I can tell that at least 9 organisations have lost, had breached, or sold my personal data over the last 10+ years.

Most organisations have gone into “cover up” mode, but here’s a list of known breaches of my data:

  • A ransomware attack / exfiltration of an employer
  • A ransomware attack / exfiltration of a large competition company
  • A large property estate agent website
  • A small company selling flying accessories
  • A small company selling batteries (SPAM arrived one day after registering on their website)
  • An Internet Service Provider (two separate breaches)
  • A competition company illegally selling their e-mail list
  • Kaspr scraping e-mail addresses from LinkedIn using a browser plugin
  • LinkedIn breach (disclosed; started receiving SPAM e-mails with my LinkedIn password in it)
  • TAP Airlines Portugal (disclosed)

The problem? I’ve only applied this approach to around 20 percent of the organisations that hold my e-mail address. That means I get a lot of SPAM to my most common e-mail address used by 80 percent of the organisations that hold my data.

The solution? This is a multi-part approach.

Firstly, the exercise is to ensure that each of the remaining 80 percent of organisations gets its own unique e-mail address. I like to think of this as somewhat inverted. Think of it like this: I have an e-mail address for them rather than them having an e-mail address for me. If I ever get SPAM to a mailbox I will immediately know where the data got leaked from. (Shockingly, only TWO of the 10+ organisations that I know to have leaked my data in the past reported the breach.)

Secondly, the approach is to set up my own private mail server. The advantages are: It’s private. No more Google or Microsoft spying on e-mail content. No more flight bookings magically going into my calendar. It’s dedicated to me, so it’s lightning fast. Breached mailboxes (in this case, aliases) can easily be completely shut down and e-mail rejected.
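The per-organisation alias scheme above, worked through as an added example (my own illustration, not code from the original post): each organisation is issued a random 16-character local part over the 36-symbol alphabet the post's count implies, an inbound recipient address is attributed back to the organisation it was given to, and a breached alias is revoked so the mail server rejects it. The domain `example.com` and organisation names are assumed placeholders.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Lower-case letters plus digits: 36 symbols, so 36**16 local parts of length 16.
ALPHABET = string.ascii_lowercase + string.digits


def keyspace(length: int = 16) -> int:
    """Number of distinct local parts of the given length over ALPHABET."""
    return len(ALPHABET) ** length


@dataclass
class AliasRegistry:
    """One random alias per organisation; revoked aliases are rejected at delivery."""
    domain: str
    aliases: Dict[str, str] = field(default_factory=dict)  # local part -> organisation
    revoked: Set[str] = field(default_factory=set)

    def issue(self, organisation: str, length: int = 16) -> str:
        """Create a fresh, unguessable address for one organisation (CSPRNG-backed)."""
        while True:
            local = "".join(secrets.choice(ALPHABET) for _ in range(length))
            if local not in self.aliases:  # vanishingly unlikely collision, but be exact
                break
        self.aliases[local] = organisation
        return f"{local}@{self.domain}"

    def _split(self, recipient: str):
        local, _, dom = recipient.strip().lower().partition("@")
        return local, dom

    def attribute(self, recipient: str) -> Optional[str]:
        """Which organisation was given this address? None if it is not one of ours."""
        local, dom = self._split(recipient)
        return self.aliases.get(local) if dom == self.domain.lower() else None

    def revoke(self, recipient: str) -> None:
        """Shut down an alias once SPAM shows the organisation leaked it."""
        self.revoked.add(self._split(recipient)[0])

    def decide(self, recipient: str) -> str:
        """Delivery decision for inbound mail: accept, reject-revoked or reject-unknown."""
        local, dom = self._split(recipient)
        if dom != self.domain.lower() or local not in self.aliases:
            return "reject-unknown"   # never issued: enumeration or a guessed mailbox
        return "reject-revoked" if local in self.revoked else "accept"
```

Because unknown local parts are rejected outright, an address harvested from one organisation's breach cannot be turned into mail for any other alias, and the revoked set doubles as the list of organisations that leaked.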

The whole e-mail system needs a total re-design as it’s so insecure and not private, but the incumbent system is so ubiquitous this is unlikely to improve any time soon. There are many disadvantages, but this really does put me back firmly in control.

I’ll add some more posts on this subject as I tune the system but in the meantime check out https://haveibeenpwned.com. You might be surprised what you find about your own e-mail address.

Update: As of early 2023 every single organisation I am an active customer of has a unique e-mail address for me. I no longer get SPAM at all, not a single e-mail. I have NO SPAM detection on incoming e-mails, nor do I have a SPAM folder; I don’t need one!