Who sold my f$#%!ñ& information?


The bane of everyone’s internet existence is unsolicited mail, also known as SPAM. Over the years, I have relied on a series of strategies to combat it, including software filters, fake email addresses, throw-away email addresses, and simply refusing to give out my email address except when absolutely necessary. These have had varying degrees of success, but for the most part I have not been overly burdened by SPAM in the past few years. And most big email providers have gotten pretty good about filtering out unsolicited mail.

But recently (at least in my email boxes), there has been an ever-growing number of slips, with unwanted mail making its way past the filter and into my inbox. The reason for the vast majority of these is that they are from “legitimate” mass mailing companies who are complying with SPAM laws that allow an opt out or unsubscribe link at the bottom. So, even though I have never subscribed to any of these lists in the first place, I am bombarded with their crap and have to click an opt-out message with ever-increasing frequency to get off their list.

There is one main reason why one is added to these lists in the first place, and that is that one of the companies you have given your email to has sold your name and others to one of their “trusted” partners (also known as “anyone who will buy them”). The frustrating part in all of this is you have no idea how to trace it back. Who is the evil entity that sold you out? How can you disassociate yourself from them and refuse to use, buy or promote their services anymore? How can they be held accountable for selling you out?

This morning I implemented what is an imperfect solution, but should give me more information and help me to call out and shame the companies that are sharing my (and your) info, and stop doing business with them. I will maintain a list of the abusers and try to draw attention to them in the future so that others may benefit. This is not a solution that everyone can implement, but many can. For the more technical among you, here are the steps, and what you will need (before actually following these steps, read the update below):

1. Create your own domain or subdomain for this purpose (you can do this using any hosting company, or for free, minus the cost of domain purchase, at Google Apps, for example: http://www.google.com/apps/intl/en/group/index.html)

2. Create a “catch all” email address for the domain. This is an address that will catch any email sent to the domain, and most providers will offer one.

3. Start using this domain whenever you have to provide an email address to a website. So for example, if I am a new user of Facebook, I would probably use the following format for my address: “facebook@mydomain.com”. If I am signing up for a Flickr account, I would use something like “flickr@mydomain.com”.

Because I am using the name of the service I am signing up for, if I ever get an email going to that address that isn’t directly related to that website, I will know who the culprit is. For example, if some magazine is trying to sell me a subscription at “flickr@mydomain.com” I will know that Flickr sold me out. I can then blacklist or publicly shame that company. If enough people do this, maybe companies will think twice before disclosing your information without warning you.
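The check described above can be automated over a mailbox. The following is an added example, not code from the original post: it reads each message's recipient alias on the catch-all domain and compares it with the sender's domain. The tag `acme`, the `.example` sender domains and the sample messages are constructed for illustration; `mydomain.com` is the placeholder domain from the steps above.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "mydomain.com"  # catch-all domain (placeholder from the post)

def alias_tag(msg):
    """Return the per-service tag this message was addressed to, or None."""
    fields = (msg.get_all("Delivered-To", []) + msg.get_all("To", [])
              + msg.get_all("Cc", []))
    for _, addr in getaddresses(fields):
        local, _, domain = addr.lower().rpartition("@")
        if domain == MY_DOMAIN and local:
            # "acme" and "acme.com" both reduce to the tag "acme"
            return local.split(".")[0]
    return None

def sender_domain(msg):
    """Domain part of the From header (can be forged; treat as a hint)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower().rpartition("@")[2]

def classify(raw):
    """Return (verdict, tag, sender_domain) for one raw message."""
    msg = message_from_string(raw)
    tag, dom = alias_tag(msg), sender_domain(msg)
    if tag is None:
        return ("untagged", None, dom)
    # Expected mail comes from a domain containing the tag as a label.
    if tag in dom.split("."):
        return ("expected", tag, dom)
    return ("possible-leak", tag, dom)

def leak_report(raws):
    """Map each tag to the sorted unrelated domains that mailed it."""
    report = {}
    for raw in raws:
        verdict, tag, dom = classify(raw)
        if verdict == "possible-leak":
            report.setdefault(tag, set()).add(dom)
    return {tag: sorted(doms) for tag, doms in report.items()}

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: Acme <notify@mail.acme.example>\nTo: acme@mydomain.com\n"
    "Subject: Your receipt\n\nThanks for your order.",
    "From: Great Deals <offers@magazine.example>\nTo: acme@mydomain.com\n"
    "Subject: Subscribe now\n\nSpecial offer.",
    "From: Friend <pal@friends.example>\nTo: someone@elsewhere.example\n"
    "Subject: Hi\n\nHello.",
]

if __name__ == "__main__":
    print(leak_report(SAMPLES))
```

A mismatch is a lead to investigate rather than proof, since many services send through third-party mailers whose domains do not contain the service name.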

UPDATE: As I was writing the above and verifying some information, I came across this site which makes it much easier (for anyone with a Gmail account) to set up their own catch system for this type of thing. Go here to check it out. It would probably be a good idea to set up a separate Gmail account for this purpose, though.



  1. Gene says:

    I’ve done this for years. My experience, however, is that web sites deny the possibility that they were the source of the address. One music site (not connected with any computer company) tried to tell me that someone had just guessed the address. Riiiight. They “guessed” their domain @ my very obscure domain.

  2. Fritz says:

    I’ve been doing this for about fifteen years. In addition to busting people for giving out your addy, it’s also useful for filtering incoming mail into specific folders.

  3. Daniel A. Shockley says:

    Good post – this kind of thing can be very useful.

    I’ve done something like this, as well. I have a twist on it, though. Before mail is passed on to the “catch-all” email account, it is filtered (domain-level filtering). If the email ends with “.com@MyDomainName.com” or “.org@MyDomainName.com” or “.net@MyDomainName.com” or any other DOT (top-level domain) @MyDomainName.com, it gets filtered to my actual GMail account. Two good things about this:

    1. I only have to see (random_characters)@MyDomainName.com when I (very infrequently) check the catch-all account for MyDomainName.com. No one legitimate should be sending email there anyway, so it is unlikely to be a problem if I miss it.

    2. I get the benefit of #1 without having to add facebook@MyDomainName.com to a filter specifically. I can just sign up for services by using VendorDomainName@MyDomainName.com and know that I will see it. I’ll also know that if I get junk from someone else to that address, they sold the address (just like the post above). For example, to post this comment, I used the email address satoristephen.com@MyDomainName.com. *grin*

    It took me a little longer to set this up when I started using it because, like the post above, I had been using many addresses that didn’t follow the above pattern. For example, I might have given a vendor Vendor@MyDomainName.com, instead of the new pattern Vendor.com@MyDomainName.com.

    Also, if you want to create an address for a person/company/other that doesn’t have an obvious domain name, you can make a fake top-level-domain, like “.msg” or something like that, and include it in the filter for your domain’s email.

    The only downside is when the vendor expects you to reply FROM the non-existent address. You need an email client that lets you arbitrarily modify the FROM address, but uses your real account to authenticate with the SMTP server. Eudora did that, MailForge does, and I haven’t researched what other clients do. Any ideas or comments on that?

  4. Fritz says:

    That’s one of the reasons why I’m still using Eudora. Since Apple is dropping Rosetta from OS X 10.7, I’ll have to switch to something else eventually. I hold out hope that MailForge will be usable by then.