$ email blame
A recent Hacker News post made me realize that something I've been doing for many years isn't as uncommon as I had thought.
I have a catch-all email address for one of my domains. Mail for *@mydomain.example all goes to one folder.
This approach has a few benefits as opposed to handing out the same email address everywhere:
- When a company sells my email address, I know who to blame.
- When a DB leaks, unique email addresses (and of course unique and random passwords) nullify credential stuffing.
- I can easily null-route email for any particular email address if it becomes annoying.
A few people in the HN comments pointed out a weakness with this approach:
If you know my email for amazon@mydomain.example, you know my email for google@mydomain.example. The naive approach does not mitigate the targeted phishing/spam risk.
You could use a random email address, but then it becomes difficult to share your email address (customer support, friends on service, etc.) or you may lose track of them.
Problem solved
The one-liner solution:
$ globalsalt='abc'; domain='mydomain.example'; echo -n $(echo -n amazon.com+$globalsalt | md5sum | cut -c1-8)@${domain}
868e940d@mydomain.example
This generates an email address through a simple one-way function. I can produce and reproduce these email addresses easily while others can't.
Here's the same thing but as a more convenient shell function:
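email() {
    # Keep the salt secret; 'abc' is only a demo value.
    globalsalt='abc'
    domain='mydomain.example'
    # First 8 hex characters of md5("<service>+<salt>") become the local part.
    echo -n "$(echo -n "${1}+${globalsalt}" | md5sum | cut -c1-8)@${domain}"
}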
$ email amazon.com
868e940d@mydomain.example
If you want to try this out in your browser, head on over to blame.email.
Addendum
BuT PrECoMPuTaTiON! If you're worried about this, check out the example below of juicing up this function:
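emailaes() {
    globalsalt='abc'
    domain='mydomain.example'
    # No -pass option is given, so openssl prompts for a passphrase; -nosalt keeps the output reproducible.
    echo -n "$(echo -n "${1}+${globalsalt}" | openssl enc -e -pbkdf2 -aes-256-cbc -a -nosalt | md5sum | cut -d' ' -f1)@${domain}"
}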
If you want to save your email address mappings:
emailsave() {
    globalsalt='abc'
    domain='mydomain.example'
    email="$(echo -n "${1}+${globalsalt}" | md5sum | cut -c1-8)@${domain}"
    # Append "service - address" to the mapping file.
    echo "${1} - ${email}" >> ~/emails.txt
}
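Because the derivation is deterministic, the "who to blame" lookup also works without a saved mapping file. The following is an added example, not part of the original post: a hypothetical blame helper that recomputes the address for each candidate service and reports the one that matches a received address. It assumes the same demo salt and domain as above and a system with md5sum.

```shell
#!/bin/sh
# Added example: reverse lookup ("blame") for the salted-hash addresses above.
# GLOBALSALT, DOMAIN and blame() are names chosen for this example.

GLOBALSALT='abc'              # the post's demo salt; a real salt must stay secret
DOMAIN='mydomain.example'

# Same derivation as the post's email() function:
# first 8 hex characters of md5("<service>+<salt>") @ domain.
email() {
    printf '%s@%s' \
        "$(printf '%s' "${1}+${GLOBALSALT}" | md5sum | cut -c1-8)" \
        "$DOMAIN"
}

# blame ADDRESS SERVICE...
# Prints the service whose derived address equals ADDRESS.
# Returns 1 if none of the listed services produces that address.
blame() {
    # Senders sometimes change the case of an address; compare in lowercase.
    target=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    for service in "$@"; do
        if [ "$(email "$service")" = "$target" ]; then
            printf '%s\n' "$service"
            return 0
        fi
    done
    return 1
}

# Usage: blame 'received-address@mydomain.example' amazon.com google.com github.com
```

A non-zero exit means the address was not derived from any listed service, for example because it was guessed or the service name was typed differently when the address was created.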
Forces Unseen is a specialized cybersecurity consulting firm helping companies with application and infrastructure security.