Thread: Spam protection
View Single Post
Old 19 Jul 2019, 10:29 AM   #17
Mr David
Senior Member
 
Join Date: May 2003
Location: Melbourne, Aus
Posts: 116
Quote:
Originally Posted by xyzzy View Post
Just thought of something related to this, specifically, the sending identities.
I know how to handle subdomain addressing and aliases, but the use of identities makes my head spin.

In superseded iterations of the FM web user interface, it used to be simple enough to change the From address field on the fly when drafting a reply. It is not possible to do this in my account these days. Options to change the From address for outgoing messages in my account are limited to the alias addresses I have registered, and my main account address used for login. These can be selected from a drop down menu on the Compose screen.

If you know of a link to FM documentation explaining how to create sender identities that can be applied to the From field in outgoing messages I'd like to see it.

Quote:
Originally Posted by xyzzy View Post
Of course if you assume you are never going to send to these guys and they are only used to receive you don't need sending identities.
This is more or less the way I use subdomain addressing, or aliases with subdomain addressing. In the main, I use these FM features to make unique email addresses for organisations that send me mail. When messages are received from these unique addresses, they will be filed automatically, and if an address goes rogue it can be dispatched.

On occasion, when such an address has been provided to an online retailer with whom I've needed to engage in customer service correspondence, I haven't bothered trying to set up an identity. I just use the base identity/alias email address in my replies.

In many instances the customer support begins with filling out a web form on the site of the entity. The entity's reply is sent to the unique address I gave them; my reply to the first customer service response does not have subdomain details in the From address. I have never had anyone create a fuss over the slightly different address used in my replies; same if I create a customer service query from first principles. If an alias address has been provided, I make sure to use the correct one in messages I send.

When unsolicited mail issues have arisen from subdomain addresses provided, initially the spammers used crude techniques. I'm not an expert with an intricate understanding of the back-end tech that make email possible, my understanding of the dark arts of email subterfuge is only superficial. Looking at the problem broadly, spammers harvest huge numbers of email addresses for their mail-out campaigns. These numbers require machine processing.

Initially, in the rare instances my unique subdomain addresses received spam, it was sent to the full subdomain address, This was simple for me to block with a rule. Later, spammers got trickier, and stripped the subdomain details from the front of the address and substituted them with details created by machine.

Eg. shop.dodgybrothers@mrdavid.fmdomain.dom
... or whichever subdomain address had been purloined (when subdomain details were stripped, I couldn't tell which site had been compromised - I used to have only 3 aliases, not 500) became something like:
ivm@mrdavid.fmdomain.dom
A random name might also be substituted for the subdomain details.
Of course these substituted details were themselves unique, so it was easy to block them with a rule. Spam with continued random substitution of subdomain address details has not so far made it through to my account.

For spam defence, aliases are much more powerful. If an alias address is harvested by spammers, it doesn't matter if they try cunning stunts with subdomain details. You're going to see the alias you made somewhere in To:, cc:, or bcc:.

However, if unique aliases are made for every online entity you deal with, you could very quickly wind up managing a list of dozens of aliases. Selecting the right one from a very long list in a drop down menu might be tedious and prone to error.
Mr David is offline   Reply With Quote