The basic premise of email

I remember when spam was just something you got in a can, as far as the internet was concerned. In fact, you couldn't even get it where I live, but we did get the occasional Monty Python sketch. Then, it got out of hand, what with Bill Gates offering my relatives cash for forwarding an email to 10 acquaintances, or threats of death and misfortune if you fail to spam your peers. There are many sites that have collected some of these messages, if you are curious and too young - or too old - to remember, like this from Mashable.

Eventually things escalated from annoying to dangerous, with virus alert emails with the antivirus software attached to it which, obviously, was the virus itself.

There were some pretty funny ones too, like the The Hampster Dance or the one that explains how to identify a Mad Cow, but even these grew a bit old after receiving them the first hundred times around, half of which from the same colleague.

Better times, to a point

One of the many rodents that populated every inbox oh, so many years ago

With the advent of spam filters things got a bit better, particularly for those of us that ran our own mail servers, and with webmail came spam filters for the masses. More data points, courtesy of the explosive growth of internet users, and of course email, gave birth to better heuristics, and since we were more than happy to share all our personal data with the email service without even considering any nefarious implications (remember, this was before Google or Facebook or Twitter even existed), smart people made smart filters even smarter, though they were still not even close to how efficient they are today.

I'm sure there was a point where simple manually tuned heuristics were augmented, and then replaced, by machine learning, at least on large email providers. But spam became less of an issue, though it will probably never go away. It is also very hard to keep an open relay on your local machine to bulk send emails, and blacklisting of known offenders is quite simple these days, something which will work against us in a moment, though obviously for very good reasons.

Even chain emails, those depending on you to forward to others, are much less of an issue, what with email clients warning you if you address (TO) or carbon copy (CC) many addresses on your reply, which would make them all visible to every recipient, and using the blind carbon copy (BCC) is now ubiquitous.

The issue now, as I experience it, is slightly different; privacy, and more specifically when you do get spammed, be it by email or phone, how can you tell where the data being used was collected from?

Enter wildcard email addresses

The premise is very simple... every online account will have a unique email address associated with it. There are many ways to deal with this but the simplest by far is a catchall address for a domain name you hold.

That is exactly how I started with it, using my currently preferred DNS provider Namecheap, got a new domain just for this and set up a catch-all address that forwards every single email received to a defined email external to that domain, in this case one of my main mailboxes.

So, in a nutshell, every time I register for a new service, newsletter or support system I use a "something_unique@my.domain", where the unique something somehow allows for easy matching with the service being registered to, and if I receive an unrelated email on that address I know something nasty is happening. It also allows for another layer of separation when companies inevitably sell their user data and emails are used for joining disparate results.

Or, anonymous email services

Services such as Mailinator allow you to use some random email address (using their domain) to create an ad-hoc, although publicly available mailbox, which you can use without even having to register. This, of course, has a number of drawbacks, not the least of which anyone holding the email address can see the emails there, but also there is no forwarding, you use a web browser to access the inbox, which is not ideal for my needs.

Some other services do quite a bit more, almost everything, like E4ward. You get some control over which forwarding aliases are in use so you can censor specific addresses, you can do catch all like my DNS only solution, and they even add a reply-to header for their own mail proxy that, when you reply and use that address, will remove your real address and replace it with your alias, so the receiving party is none the wiser. You can even use your own custom domain for your emails. Of course, not all is rainbows and sunshine, as rewriting headers is a no-no for many services and will get your emails flagged as untrustworthy, and while there is a free tier that is quite generous for my use, it does require payment for using the custom domain, and there is a lot of personal information that you are leaving on their hands potentially. I'm not saying they are evil in any way, but truth be told everyone and their dogs are being hacked these days, so the fact the interface for their website feels like it was designed in the early 2000s (well, it does say copyright 2012 on the documentation pages) does not fill me with confidence about the effort made to keep the services up do date with security and whatnot. Again, I have no reason to believe there is any risk, but also nothing biasing me to trust them either.

These two examples are the two extremes of such implementations I could find, but there are tens of them at least, likely more, I just didn't find anyone implementing things to fit my admittedly niche needs.

But wait, there's more

Even using my minimalist approach of a basic catch-all mail forwarder is not all simple and clean, though. Sometimes I register for a service and use the service name as my email address (think hulu@my.domain), and more than once that got my email address flagged and my account locked, or simply not registered. I've had many a support person say something to the tone of "I'm sorry, our system must have made an error with your email address..." so I take a deep breath and explain. But that's something one learns to live with, not really a problem that occurs too often.

The major issue I had with this approach, as far as receiving mail goes, was that more than once my DNS provider caught emails before forwarding and flagged them as spam, so I never saw the failures. There is no interface to look at a spam folder because there is no mailbox configured, you just get the emails flagged system wide, their system, so catching this is not easy. And you can't just ask for all emails sent to you to be "released", you need to state the sender and the date for each one you know you should have gotten but didn't, so this is a good way to get a notification missed without ever having a clue the attempt was made.

This happened to me with Kickstarter, where I didn't receive the "it's time to fill out the form" email, but actually had received emails from them on that same campaign previously. I only noticed because I wanted to reset my password and the password reset email wasn't arriving, so I started going down the stack; my local client spam folder, my email host spam folder... well, only the sender and forwarder are left. I contacted both, and obviously it was the forwarder's fault.

I did ask if there was some way to either give access to a spam folder, which there isn't because they don't keep separate flagged emails by domain, and also if they could "turn off" spam filtering completely for me, in my mind this made sense: there is a spam filter on my forwarded to address, and even if there wasn't, it would still be my responsibility, as for all they know I might want the damn spam email, thank you very much.

Turns out there is a caveat I hadn't thought of, as they have to forward the email, and if a lot of "known spam" gets forwarded to, say, mail.google.com addresses, or outlook.com ones, they might get flagged themselves, and if Google or Microsoft don't accept mailed from your servers, well, that can't be good for business, I guess.

I might one day get my own mail server configured for forwarding, it is on my todo list...

The flipside

This covers receiving email, but what about sending? Why would I even need it? Well, it turns out some services, like financial institutions, require email inquiries to be sent from the address registered with them, go figure... So I configured my whole system with a catch-all receiving address at gmail, and used the "Send mail as" functionality to add one such forwarded address, then another as need arose. It became obvious quite quickly this didn't really scale.

And as I go back and review this, it seems now google mail doesn't even attempt the delivery as an alias on external domains without submitting it directly to that domain's SMTP server, which... well, makes perfect sense, doesn't it? This is how people impersonate other people's emails, and while it is not hard to do without gmail's help, it seems fitting you at least don't get to have your hand held while you try and scam someone. It does preclude my "I'll just add this address as an alias to my main account" solution above.

It was a good solution for a handful of addresses, if you happened to also use Gmail or your email provider (still) supports that functionality, but I crave something more... generic, and if it actually works that would be an added bonus of course.

There are anonymous (or anonymizing) email services like the above mentioned E4ward that solve this with some header trickery and an SMTP server, which is good but not great.

I asked around for a service that would allow me to use a "send-all" approach on an owned domain name, starting with Namecheap and including several other email providers, but it seems my use case is not something anyone else wants? That would be flattering, of course, but I highly doubt it. Not that it is a common thing by any stretch, but can it be unique to me?

Actually, this would be a great service on this day and age, where privacy is all the rage and people really need to up the ante to stay a step ahead of the threats and abuses. Instead of getting a full email service for your domain, with storage, multiple inboxes and all the complexities therein, You would get a single inbox with storage and the ability to forward all email to an external address, and this simply to allow for spam storage for later review. Or do without the stored email completely and just forward everything like I'm doing, with an SMTP server account that allows for sending using "any_address@your_domain". This feels like a very small technical hurdle in order to allow for a completely new service I would be happy to pay for... nudge, nudge, say no more :)

Honestly, this SMTP server feels like a project and a future blog entry, maybe even go the full mile eventually and also receive and forward emails for a domain? We'll see what I can do with my very limited attention span...