Comment by fencepost
So I guess I should watch out for scams being sent to "soundcloud@" on a personal domain. Oh no, how will I distinguish them from my legitimate banking email???
I have three different generations of email addresses associated with United Airlines that all receive spam. Never any disclosed breaches AFAIK, but clearly email addresses got out at several points. At some point I stopped bothering to check.
As for Soundcloud, the password I had saved for it and a tiny bit of profile information tells me a lot - a manually created password saved into a password manager, probably in 2010 or 2011 and unused after grabbing a single track.
Addresses for services I actually care about also get what's basically peppering, and have all had updates much more recently than the days of Blackberry devices.
Has this happened to you before?
I can't imagine anyone spamming in such low quantities that they'll notice a pattern like company@<domain> and act on it.
I have regularly gotten spam emails without a to, cc, or bcc field though. So I can't tell which email they were sent to. (my host doesn't bounce/drop them for some reason)
I do regularly do misspellings of the company name though, since that often trips the "invalid email" check on signup. e.g. twitter.
For the more shady sites, I use first names or fake usernames.
We are the minority of users that had enough foresight to do this. I'd bet that _most_ people on this breach don't even know about the plus/dot trick with gmail (and I am sure other providers, too).
Clever spammers (there are some!) see the presence of company@<domain> and assume the user will have similar emails for other accounts, so it might be worth trying eBay scams to ebay@<domain> or banking scams to chase@<domain> or boa@<domain>. Sending is cheap so why not, you're not trying to fool everyone, only a few.
I use a unique string per company but it's not guessable in advance, but it's obvious when looking at it and squinting a bit, for example (and these are not the exact ones I use): sundclod@<domain> or ebuy@<domain> or amzoon@<domain>
Sure I have to remember them but it's easy for me to check and my password manager is filling them in for me 99.99% of the time.
I can filter on those emails instead, and I also know that anything coming to soundcloud@<domain> or ebay@<domain> or amazon@<domain> is definitely spam as I've never used those addresses myself.
If sundclod@<domain> appears in a leak I can (hopefully) change my account email at Soundcloud to sondclud@<domain> and then confine sundclod@<domain> to /dev/null
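
The alias scheme discussed in the comments above (unguessable per-service addresses, guessable ones treated as spam, leaked ones retired), as an added Python example that is not part of the original thread. The domain `example.org`, the alias table and the expected sender domains are constructed assumptions.

```python
# Added example: routing policy for per-service aliases on a catch-all domain.
# Domain, alias table and sender domains are constructed for illustration.
from email.utils import parseaddr

DOMAIN = "example.org"                      # placeholder for <domain>
ACTIVE = {                                  # alias -> sender domains expected to use it
    "sondclud": {"soundcloud.com"},
    "ebuy": {"ebay.com"},
    "amzoon": {"amazon.com"},
}
BURNED = {"sundclod"}                       # appeared in a leak, retired
DECOYS = {"soundcloud", "ebay", "amazon", "chase", "boa"}  # guessable, never handed out


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the From header, or '' if unparsable."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify(envelope_rcpt: str, from_header: str) -> str:
    """Decide what to do with one message.

    Uses the SMTP envelope recipient, not the To header, because spam
    often arrives with no To/Cc field at all.
    """
    local, _, domain = envelope_rcpt.lower().rpartition("@")
    if domain != DOMAIN:
        return "reject"
    if local in BURNED:
        return "discard"                    # the /dev/null case
    if local in DECOYS:
        return "spam:guessed-alias"         # never used, so always spam
    expected = ACTIVE.get(local)
    if expected is None:
        return "quarantine:unknown-alias"
    sdom = sender_domain(from_header)
    # Accept the expected domain and its subdomains (e.g. reply.ebay.com).
    if any(sdom == d or sdom.endswith("." + d) for d in expected):
        return "deliver"
    return "flag:alias-leaked"              # right alias, wrong sender
```

The From header is forgeable, so a `deliver` verdict only means the alias and the claimed sender agree; it says nothing about whether the message is authentic.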