
I tend to create a new email address for everything I sign up for. This makes it a little harder to check :)

EG: twitter@example.com, facebook@example.com, hackernews@example.com

It also makes it a little harder for people to find me on social media. Not sure if that's a bug or a feature ;)



That's actually a very unadvisable scheme. By doing this you make yourself a target. If any one of those is compromised, attackers will attempt to try that against a lot of popular sites (including banks). If you have your own domain (which I assume you do based on your scheme), I suggest not doing this. You would be better off coming up with a random account name for each and using a password manager to keep track of these.

FYI, I used to do this too. And this is how (in a similar fashion) Mat Honan got Gizmodo's Twitter and his iCloud and Gmail accounts hacked and also had his computer remotely wiped because he used his name in every domain/service as his account name or email account name.

Edited for more information.


The key motivation is not security, but if any account starts receiving spam, I will have a good idea where it is coming from. It also lets me shut off mail from any source.

Some services will use that as the username, others allow me to pick my own. Using a password manager helps this whole scheme. Now that I do that, I could go to random email addresses and usernames.


The only problem I've found with this method is the spammers that try to guess your email, so they end up sending emails to "admin@domain.com", "webmaster@domain.com", etc. The catch-all forwards them all to me.

The only way around this, I think, is to only have uncommon emails, like instead of admin@domain.com, use contactadmin@domain.com. Put a block on the common ones and you're good to go.


It's not that spammers try to guess your email, but that if you accept any email address as valid they'll notice that you are accepting delivery.

Once I figured this out I just created wildcard aliases that end with a static prefix: netflix-blah@example.com, adobe-blah@example.com, etc. This cuts down on 99% of the random spam.


Regrettably this is against RFC 2142[1], which states that you need to leave certain mailboxes open (such as abuse@domain, webmaster@domain, etc.)

[1] - http://www.ietf.org/rfc/rfc2142.txt
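One way to reconcile the two comments above (drop the catch-all, but keep the RFC 2142 role mailboxes reachable) is a recipient policy like the following. This is an added illustration, not code from anyone in the thread; the role-name subset, the static suffix "blah" and the sample recipients are constructed assumptions.

```python
import re
from typing import Optional

# Role mailboxes RFC 2142 expects a domain to keep reachable (constructed subset
# of the RFC's list; extend as needed).
RFC2142_ROLES = {"postmaster", "abuse", "hostmaster", "webmaster", "noc",
                 "security", "info", "support", "sales", "marketing"}

# Per-service aliases end in a static, non-guessable suffix, as in the
# "netflix-blah@example.com" scheme. "blah" is the constructed secret here.
ALIAS_SUFFIX = "blah"
ALIAS_RE = re.compile(r"^(?P<service>[a-z0-9.]+)-(?P<suffix>[a-z0-9]+)$")


def recipient_policy(local_part: str) -> str:
    """Decide at RCPT TO time: 'accept-role', 'accept-alias' or 'reject'."""
    lp = local_part.lower()
    if lp in RFC2142_ROLES:
        return "accept-role"
    m = ALIAS_RE.match(lp)
    if m and m.group("suffix") == ALIAS_SUFFIX:
        return "accept-alias"
    # Everything else (admin@, random local parts, guessed suffixes) is bounced,
    # so probing senders never see the domain accepting arbitrary delivery.
    return "reject"


def alias_service(local_part: str) -> Optional[str]:
    """Which service an accepted alias was handed to (e.g. 'netflix'), else None."""
    m = ALIAS_RE.match(local_part.lower())
    if m and m.group("suffix") == ALIAS_SUFFIX:
        return m.group("service")
    return None


# Constructed sample of envelope recipients as a server would see them.
SAMPLE_RCPTS = ["netflix-blah@example.com", "adobe-blah@example.com",
                "abuse@example.com", "admin@example.com",
                "eba615c3c@example.com", "netflix-guess@example.com"]


def triage(addresses):
    """Map each address to its policy decision (the domain part is ignored here)."""
    return {a: recipient_policy(a.split("@", 1)[0]) for a in addresses}


if __name__ == "__main__":
    for addr, decision in triage(SAMPLE_RCPTS).items():
        print(f"{decision:13} {addr}")
```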


Quite ironic, isn't it, how "abuse@example.com" is a conduit for abuse?

Spammers effectively killed that RFC.


>By doing this you make yourself a target. If any one of those are compromised, attackers will attempt to try that against a lot of popular sites (including banks).

And if you use the same email for everything (as is the alternative), attackers can attempt to try that against popular sites. So I don't see the downside of this method?


The real key is to not use the same email address across accounts. If you have your own domain, then it's easy.

I actually don't like the idea of using email addresses as user IDs. I believe that was a lazy approach in the first place and this causes too many problems. I'm sure it all started that way because someone wanted your contact info, and the only way to guarantee a valid email was to make you verify it. It has nothing to do with security.

Nobody said security was easy or convenient.

Anyway, to each his own. I have my own domains and do, unfortunately, have about 100 email addresses/aliases. Yeah, it can be inconvenient to maintain. I originally started using the aliases because I wanted to know who was giving out my email to spammers. I caught a few and stopped doing business with them.


If someone is directly targeting you, then yes it's an issue (but even so, it's less of an issue than using exactly the same email address for all of your accounts).

In a mass compromise like the Adobe one, it's highly unlikely that the hackers are going to go out of their way to attack people who use this method when there's millions of much easier targets already in their list.

Using this approach also makes it a lot easier to spot spam - if I get an email to "hackernews@myaccount.com" claiming to be from my bank, it's highly unlikely to be genuine. If it's coming to "mybank@myaccount.com", there's at least a fair chance that it's real - I still treat it with a fair amount of caution, but as I've filtered out the obvious junk I can spend more time checking out these reasonably genuine-looking ones. Using a random email like hhj4378@myaccount.com would make this quick filtering a lot harder.


The downside is that using random accounts on your domain requires catch-all email rules on your server (unless you add each address by hand, but frankly that's too much of a hassle).


I never use a catch-all. Deleting email would quickly exceed available time.

I go through the trouble of creating a new email each time. I've considered writing a script to make it easier, but my current mail provider makes that difficult.


catchall FTW

I follow the following pattern with websites:

If the website is important (ex. government), I use <sitename><4_numbers>@<private_domain>. My filtering rules are extremely strict, and every mail that doesn't come from the expected website gets automatically flagged as spam and deleted. If their DB leaks, I just change the 4 numbers.

If I know the website and it's not a startup, I use <sitename>@<public_domain>, ex. facebook@example.com. My filtering rules only flag the messages as "maybe spam" when the sender is not in my contacts. If their DB leaks, I change the filter from "maybe spam" to "spam".

If it's a website I don't know, or a startup, I use <full_domain>@<public_domain>, ex. mystartup.io@example.com. I don't filter them, but if I start getting spam, I just set the email as an alias to my wormhole (an account I never check that flags anything it receives as spam).

If it's a spam blog, or a website that forces me to create an account for no apparent reason, I just use the wormhole address.
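The four tiers described in the comment above, written out as a filter so the "DB leaked" transitions are explicit. This is an added example, not the commenter's own rules; the site names, the expected sender domain, the contact list and the 4-digit codes are constructed.

```python
import re

# Constructed state for the tiers described above.
IMPORTANT_SITES = {"taxoffice": "1234"}                    # site -> currently valid 4 digits
EXPECTED_SENDER = {"taxoffice": "taxoffice.example.gov"}   # site -> domain mail must come from
CONTACTS = {"notify@facebook.example"}                     # senders allowed for known-site aliases
LEAKED_KNOWN = set()          # known sites whose DB leaked: "maybe spam" becomes "spam"
WORMHOLE_ALIASES = set()      # unknown-site aliases redirected to the wormhole
WORMHOLE = "wormhole"

IMPORTANT_RE = re.compile(r"^(?P<site>[a-z]+)(?P<code>\d{4})$")   # <sitename><4_numbers>
KNOWN_RE = re.compile(r"^[a-z]+$")                                # <sitename>
UNKNOWN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")            # <full_domain>


def classify(recipient: str, sender: str) -> str:
    """Return 'inbox', 'maybe-spam' or 'spam' for one message."""
    local = recipient.split("@", 1)[0].lower()
    sender_domain = sender.split("@", 1)[-1].lower()
    if local == WORMHOLE or local in WORMHOLE_ALIASES:
        return "spam"
    m = IMPORTANT_RE.match(local)
    if m and m.group("site") in IMPORTANT_SITES:
        site = m.group("site")
        # A stale code (rotated after a leak) or an unexpected sender is discarded.
        if m.group("code") != IMPORTANT_SITES[site] or sender_domain != EXPECTED_SENDER[site]:
            return "spam"
        return "inbox"
    if KNOWN_RE.match(local):
        if local in LEAKED_KNOWN:
            return "spam"
        return "inbox" if sender.lower() in CONTACTS else "maybe-spam"
    if UNKNOWN_RE.match(local):
        return "inbox"          # unfiltered until it starts attracting spam
    return "spam"               # anything the scheme never handed out


def rotate_after_leak(site: str, new_code: str) -> None:
    """Important site leaked: swap the 4 digits so the old alias turns into spam."""
    IMPORTANT_SITES[site] = new_code
```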


This seems way too difficult to manage.

I wish there was a Gmail-like application that anyone could set up easily on their own server and that would allow for quick email generation.

You need to sign up to something? Generate a quick mail that redirects automatically to your main inbox and that you can give away when signing up.

If you see that spam is arriving on this email, remove it.


baby+hackernews12345@gmail.com goes to the inbox of user baby


I already know this trick and don't use it because:

* it's easy to get the real email address from it.

* most sign-up forms don't accept the "+" sign.


That seems like a lot of overhead to manage. Also, you're going to have a bad day if a spam bot decides to spam thousands of <common_user_name>@yourdomain.com. Maybe that's fallen out of practice, but I've seen it happen before.


Not really; this year I have changed only 1 filter. The initial setup may be cumbersome, but the end result is worth the effort.

And about the spam to random addresses, in 8 years the most extreme problem I have faced is spam to censored addresses like git...@domain.com (thanks google code).


It's a tried and true spamming tradition and it's going strong. I see plenty of entries like

    Envelope-to: <eba615c3c@my.domain> 
in my reject log. Addresses that were never used anywhere. Some things just refuse to die.


This is brilliant, thanks for sharing.


Same here, with completely randomized passwords 60 chars long and different emails. IM INVISIBLE!


60-char passwords probably reach the char limit imposed by many different services.


Might not want to give away your exact password length publicly.


Considering that's 394 bits of entropy, I think rfnslyr might get away with it.


unless it's >= 60


Don't worry, it was yet another trick.


How many proxies are you behind? :)



