Unique Email Addresses

An Eccentric Anomaly: Ed Davies's Blog

Lots of websites, forums, etc., ask you for your email address. I usually make up a unique email address for each, for a number of good reasons, including a new one I've just realised today. However, there are also some downsides to the scheme.

I own the edavies.me.uk domain and have the configuration on my email service provider set so that <nearly-anything>@edavies.me.uk gets delivered to my normal inbox. When I need to give an email address to a service, particularly one I don't overly trust, I make up a different local name based on the name of the service, the year and month and a couple of letters I make up on the spot so the address is less guessable. If I was signing up to example.com's website I might use something like eg1608tn@edavies.me.uk.

Even if you don't own your own domain it may be that you can do something of the sort. Some email providers allow additional characters to be added in the local part of the address, often marked with a '+' sign. E.g., fred.bloggs@example.com might, additionally, get messages addressed to fred.bloggs+eg1608tn@example.com.



Thunderbird is a bit annoying in this respect in that if there isn't an identity that it knows about in an email, it just picks an account to use for replies, and not the one which is set as the default. In my case it picks an email account that I only check once in a while. Twice this has left me on the back foot, thinking somebody hadn't replied to messages when actually they had - just that their reply was sitting in an obscure mailbox I hadn't looked at for a while.

I've now got a partial workaround to that: for the account it picks I've created a PGP signing key and set the account to sign by default, but I've given that signing key a different password from my main key, so if I do accidentally try to send a reply from the wrong account I'll notice before it's actually sent.

Today, reading Troy Hunt: Website enumeration insanity: how our personal data is leaked, I realised an additional advantage to this scheme.

Many sites use the email address not just as a means of communication but also as a means of identification: the email address is used as the user name. In many cases it's possible to find out if a particular user name is in use on a site. When the user name is also the email address, that allows fairly reliable determination of whether a particular person is registered, which is not at all ideal (never mind the ridiculous leakage of personal information documented by Troy Hunt). Even if you're not doing anything nefarious it's good to be able to keep different aspects of your identity apart.

Using unique email addresses containing slightly difficult to guess elements (the year/month and random letters) makes it much more awkward to determine if a person is registered on a particular site. It especially makes it a lot slower to trawl through a long list of email addresses if there are a few thousand different combinations which need to be guessed for each.
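The scheme described above, as an added example rather than code from the original post: it builds a per-service address in both the catch-all and the '+' forms, and counts how many candidates someone would have to try per person. The function names are hypothetical, and the count assumes two random lowercase letters and that the service tag and the window of possible sign-up months are already known to whoever is guessing.

```python
import secrets
import string
from datetime import date

LETTERS = string.ascii_lowercase


def make_alias(service_tag, domain, when, mailbox=None, n_random=2):
    """Return <tag><YYMM><random letters>@domain.

    With mailbox set, return the plus-addressed form
    mailbox+<tag><YYMM><random letters>@domain instead.
    """
    if not (service_tag.isascii() and service_tag.isalnum()):
        raise ValueError("service tag must be ASCII letters and digits only")
    # secrets, not random: the letters are the hard-to-guess part of the address.
    suffix = "".join(secrets.choice(LETTERS) for _ in range(n_random))
    local = f"{service_tag.lower()}{when:%y%m}{suffix}"
    if mailbox is not None:
        local = f"{mailbox}+{local}"
    if len(local) > 64:  # RFC 5321 limit on the local part
        raise ValueError("local part longer than 64 characters")
    return f"{local}@{domain}"


def guess_space(months_window, n_random=2):
    """Candidate addresses per person when the tag is known but the
    sign-up month (within months_window) and the random letters are not."""
    return months_window * len(LETTERS) ** n_random


if __name__ == "__main__":
    signup = date(2016, 8, 1)  # constructed sample date
    print(make_alias("eg", "edavies.me.uk", signup))
    print(make_alias("eg", "example.com", signup, mailbox="fred.bloggs"))
    for months in (1, 6, 12):
        print(months, "month window:", guess_space(months), "candidates")
```

Adding a third random letter multiplies each count by 26, which is the cheapest way to widen the space if a few thousand guesses per address feels too small.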