Forces Unseen

Appearance

$ email blame

By Matt Hamilton
June 20, 2022

A recent Hacker News post made me realize that something I've been doing for many years isn't as uncommon as I had thought.

I have a catch-all email address for one of my domains. *@mydomain.example all goes to one folder.

This approach has a few benefits as opposed to handing out the same email address everywhere:

  • When a company sells my email address, I know who to blame.
  • DB leaks (and of course unique and random passwords) nullify credential stuffing.
  • I can easily null-route email for any particular email address if they become annoying.

A few people in the HN comments pointed out a weaknesses with this approach:

If you know my email for [email protected], you know my email for [email protected]. The naive approach does not mitigate the targeted phishing/spam risk.

You could use a random email address, but then it becomes difficult to share your email address (customer support, friends on service, etc.) or you may lose track of them.

Problem solved

The one-liner solution:

$ globalsalt='abc'; domain='mydomain.example'; echo -n $(echo -n amazon.com+$globalsalt | md5sum | cut -c1-8)@${domain}

[email protected]
$ globalsalt='abc'; domain='mydomain.example'; echo -n $(echo -n amazon.com+$globalsalt | md5sum | cut -c1-8)@${domain}

[email protected]

This generates an email address through a simple one-way function. I can produce and reproduce these email addresses easily while others can't.

Here's the same thing but as a more convenient shell function:

email() {
  globalsalt='abc'
  domain='mydomain.example'
  echo -n $(echo -n ${1}+${globalsalt} | md5sum | cut -c1-8)@${domain}
}
email() {
  globalsalt='abc'
  domain='mydomain.example'
  echo -n $(echo -n ${1}+${globalsalt} | md5sum | cut -c1-8)@${domain}
}
$ email amazon.com

[email protected]
$ email amazon.com

[email protected]

If you want to try this out in your browser head on over to blame.email.

Addendum

BuT PrECoMPuTaTiON! If you're worried about this, check out the example below of juicing up this function:

emailaes() {
  globalsalt='abc'
  domain='mydomain.example'
  echo -n $(echo -n ${1}+${globalsalt} | openssl enc -e -pbkdf2 -aes-256-cbc -a -nosalt | md5sum | cut -d' ' -f1)@${domain}
}
emailaes() {
  globalsalt='abc'
  domain='mydomain.example'
  echo -n $(echo -n ${1}+${globalsalt} | openssl enc -e -pbkdf2 -aes-256-cbc -a -nosalt | md5sum | cut -d' ' -f1)@${domain}
}

If you want to save your email address mappings:

emailsave() {
  globalsalt='abc'
  domain='mydomain.example'
  email=$(echo -n $(echo -n ${1}+${globalsalt} | md5sum | cut -c1-8)@${domain})
  echo “${1} - ${email}” >> ~/emails.txt
}
emailsave() {
  globalsalt='abc'
  domain='mydomain.example'
  email=$(echo -n $(echo -n ${1}+${globalsalt} | md5sum | cut -c1-8)@${domain})
  echo “${1} - ${email}” >> ~/emails.txt
}

Copyright © Forces Unseen