Best email provider against spam? - eviltoast

I want to use my main mail address everywhere, even public places. But I doubt if I can guard myself against spam.

Is there a provider specialized in spam protection? Or at least good at it?

At last, given your experience, should I even do it?

  • Lemming421@lemmy.world
    link
    fedilink
    English
    arrow-up
    56
    arrow-down
    3
    ·
    8 months ago

    I want to use my main mail address everywhere, even public places.

    No you don’t. It’s not quite as simple, but buy your own domain, get an email provider such as Fastmail that will let you use a catch-all, then use a unique address for every site you visit.

    Then if one starts receiving spam, you can block that specific address and voila, no more spam. Plus you know what sites have either poor customer detail hygiene or are actively selling your details.

    • syd@lemy.lolOP
      link
      fedilink
      English
      arrow-up
      10
      ·
      8 months ago

      I own my domain but I’m not sure about provider. I want to use “name@surname.net” on my public profiles so unique mails for services trick wouldn’t work for me.

        • syd@lemy.lolOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          8 months ago

          I like this one. I guess I can use this for registrations. Thanks

      • go $fsck yourself@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        8 months ago

        I like Zoho. It can be free as long as you use the web/mobile app. If you want to use your own email software, it’s $1/mo for the lowest paid tier.

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        3
        ·
        8 months ago

        Then you’re going to get spammed to hell, live with it.

        There’s no spam filters that will protect you 100% from putting the same email address everywhere.

        Using personalized aliases for everything and never showing a public address if you can help it is the only way to fight spam these days.

        • Hate@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          2
          ·
          8 months ago

          There’s no spam filters that will protect you 100% from putting the same email address everywhere.

          Well, you could curate your own whitelist, but that’s not very practical for most use cases.

    • Jeff@lemm.ee
      link
      fedilink
      English
      arrow-up
      9
      ·
      8 months ago

      This is exactly what I have done since 2005 with them. Showed me years ago that 1800Flowers either was compromised or sells their email addresses.

  • ColeSloth@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    23
    arrow-down
    2
    ·
    8 months ago

    I know it’s “big evil corporate overlord”, but Gmail is pretty damned good at it, really.

    If I get spam from a company I recognize I gave my email to, I’ll go in it and click the unsubscribe button and do it that way. Anyone else and I just mark it as spam and Gmail does a pretty good job of sending swaths of junk emails into the spam folder. I don’t get much that slips through. Very occasionally I’ll sign up for something I’m supposed to get an email for but don’t, and I’ll find it in the spam folder. If I think I’ll want more emails from that company, I move it to my regular folder.

    • kalkulat@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      8 months ago

      There’s a large org (@ hope.net) that has a non-profit convention every few years. It maintains a e-mail list to let its > 1000 previous attendees know about the upcoming convention and related info. In the past decades everything was fine.

      This year (con in July) Gmail has been spam-binning ALL of those reminder e-mails aimed at attendees who use Gmail. Quite clearly it’s not the users making that choice. The org is left with no other way to contact those attendees.

      • ColeSloth@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        Then my guess is that someone got ahold of that email list and started using it to send spam and that caused Gmails algorithm to start flagging anything sent out to a bunch of members of that email group at the same time as such.

        • AtmaJnana@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          8 months ago

          Maybe someone spoofed the From field on some spam, using their email address. Thereby marking that From address as a spammer. I’ve seen this happen both ways.

    • darreninthenet@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      2
      ·
      8 months ago

      Have a read on the trouble the 2600 guys have been having sending out emails for the next HOPE conference - the junk filter is also great at filtering out topics it deems unsuitable.

    • MonkderZweite@feddit.ch
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      2
      ·
      edit-2
      8 months ago

      Most spam i get is from a random @gmail address as source, can’t be that great. And they are shit with attachements.

      • AtmaJnana@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        8 months ago

        Tell us you don’t understand how the “From” header works without telling us.

        FYI, that is really just a text string. Most providers don’t let you change it, but its not exactly hard to falsify. People are largely ignorant of the fact that email mostly isnt trustworthy. Spammers abuse this ignorance constantly.

        In order to send email as another address, gmail requires you to verify the address by sending you an email there first. AFAIK, they never re-verify, but that’s the main weakness I see.

  • hperrin@lemmy.world
    link
    fedilink
    English
    arrow-up
    17
    ·
    8 months ago

    I created an email provider called Port87 that specializes in spam prevention, phishing prevention, and organization.

    You use it by giving a labeled address to all your accounts, so to Netflix, you would give something like yourname-netflix@port87.com. Then that becomes a label in your account that you can set quick settings for like mark as read or even just block that address if you’re done with it. And if you get something claiming to be from your bank there, you know it’s phishing.

    Then you can have labels that are meant for real people like yourname-friends@port87.com, and when someone emails them for the first time it will email them back and ask them to verify they’re human.

    And your bare address (yourname@port87.com) doesn’t go through, but rather responds with a list of your “public label” addresses. So that one you can share all over the internet and you won’t get spammed.

    • Usul_00_@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      8 months ago

      Sounds like you have qmail at the root. I ran that with spamassassin, barracuda and some other custom rules for years. Didn’t add on the auto response you have described, but really liked it back in the day.

      Did I guess kinda close to what you have running?

      I’d think the annoying part would be that you’ve forced the work to prove they are human back on the sender. Might be a good way to go though given how much spam there is.

      • hperrin@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        8 months ago

        It’s actually built on Haraka. All of the queueing is custom written so I can do things like make it a flip of a toggle whether you want push notifications, sender screening, mark as read, etc. for a label. And there’s no inbox, since the bare address is not a usable address. Every email you receive already has at least one label.

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      8 months ago

      Ok but you can do this with aliases with any decent email service.

      I guess an aliasing service like yours can be useful if you’re stuck with a bad email provider, but since OP is looking to set things up they can just pick a decent one to begin with.

      • hperrin@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        8 months ago

        Ok but you can do this with aliases with any decent email service.

        As far as I know, there’s no email provider that lets you choose to enable sender screening on individual aliases. I also don’t know of any that explicitly do not use the bare address.

        You can kind of achieve the same thing with Sieve scripts and a catch-all address (which is how I developed the prototype), but there is a lot that Port87 does automatically that you’d have to do manually in that system.

        For example, you don’t need to set up a label before you use it with Port87. You can just give out a yourname-whatever@port87.com address and it will create the whatever label for you. These labels show up in your “Pending Labels” section. You can then approve them to move them into your regular labels, block them, or just let them expire.

        I wrote this service around this concept, so it’s not like you’re using a regular email system a special way. The system is designed and built to be used this way.

  • grilledcheesecowboy@kbin.social
    link
    fedilink
    arrow-up
    17
    ·
    8 months ago

    The paid proton accounts let you use several custom domains, although I’m not sure if you can combine custom domains with email aliases. For random sites the email alias with the stand @proton.me would probably suit your needs.

    After about 3 years of use I’ve been very happy with proton’s spam filtering.

    • Flying_Hellfish@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      8 months ago

      I use proton coupled with my own domain and SimpleLogin (which is now merged with Proton) to create infinite custom email addresses in my domain. I then use filters to move the recipient address to folders and I can turn off one of my SL addresses if it’s compromised or sold and create a new one.

  • angelsomething@lemmy.one
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    8 months ago

    I self-host my own mail server but for anything else I use my anonymous @duck.com email address.

  • cooopsspace@infosec.pub
    link
    fedilink
    English
    arrow-up
    6
    ·
    edit-2
    8 months ago

    Anonaddy

    Use unique bullshit addresses for every site, that way WHEN they sell your data out or get hacked you know who is responsible.

    Anonaddy forwards everything to your one true email address knowing that only anonaddy really knows your address.

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      5
      ·
      8 months ago

      Agreed with the unique addresses but why not use aliases directly at your email provider? Why use a 3rd party service?

  • hiajen@feddit.de
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    8 months ago

    every provider who supports aliases. like foo+baa@bzz.tld where everything after the + is exchangeable. so you can use a ‘different’ mail for every service you use and just block where spam comes from via the alias.

    • ccunning@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      8 months ago

      Isn’t it pretty widely known that many email providers support this?

      I just assume spammers would know enough to remove everything from the ‘+’ until the ‘@‘. It’s not like they’re trying to be sparing with recipients. Why not just send to both?

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        edit-2
        8 months ago

        Isn’t it pretty widely known that many email providers support this?

        Personally I’m not a fan of “plus aliasing” because it gives away your base address, and it’s trivial for spammers to strip the alias. I prefer aliases that completely hide the base address.

        • AtmaJnana@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          8 months ago

          Its also VERY poorly and haphazardly handled in websites. Often they won’t let me create an account with it. Or I will be able to create an account using the alias, but then I am left unable to login.

          • lemmyvore@feddit.nl
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            8 months ago

            That’s why we need formal rules. Once regulations are in place (with big penalties) websites magically start to function properly.

      • kevincox@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        Yes. It is pretty easy to work around, but if that is the only tool you have it still can be used to junk a majority of the crap.

        If you want a robust solution you can use disposable aliases (which are basically randomly generated) or signed addresses.

        I do the latter. So I would generate an email like lemmy-example-59273625@kevincox.ca. If you strip or change the string at the end (which is a small HMAC) your message will go straight to junk. It isn’t perfect because there is only 4 bytes of entropy in the signature but a dedicated attacker will find a better way to spam me anyways.

        • AtmaJnana@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          8 months ago

          They strip the part after and including the plus. And yea, that’s exactly what is done. People need to stop assuming malicious actors are dumb and incapable of reading an RFC.

    • syd@lemy.lolOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      8 months ago

      Not best solution I guess. How about generic sites? Like Git commit mail, my website, Mastodon etc. where I can’t add that postfix.

      • madsen@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        8 months ago

        Why can’t you use ±aliases in Git, Mastodon, etc.?

        Edit: git config --local user.email "something+someotherstuff@example.com" shouldn’t cause any issues.

      • kevincox@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        What I do is have some general mailboxes then signed addresses on top of that.

        So if you email blog@ or kevincox@ you will get a fairly high level of spam filtering. I also have a few other “memorable” addresses that get reduced spam filtering. If you use the unique signed address that I use for signing up to services, newsletters or whatever where the address is private to a specific service then you basically skip spam filtering. Of course if you abuse that privilege then I will outright block the signed address.

        Basically by allowing friends and “trusted” services through the spam filter I can crank up the difficulty for unknown senders.

  • BoofStroke@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    4
    ·
    8 months ago

    You can look for a service that provides a mail security gateway, or host your own. My personal solution is mimedefang milter on sendmail which will blow away any canned solution you will find. But you have to know what you are doing with it.

    There is barracuda, but they are $$. Another option is proxmox mail gateway. Not as fast as mimedefang, but it has a nice gui.

    https://www.proxmox.com/en/proxmox-mail-gateway/overview

    • centof@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      8 months ago

      What is a pubnix?

      Edit: Short for Public access UNIX apparently.

    • five82@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      8 months ago

      That’s not a good idea anymore. Especially if you want any assurances that your email will actually be delivered. You’ll be spending a lot of time dealing with non-delivery, blacklists, and spam filters.

      • pHr34kY@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        ·
        8 months ago

        I’ve found that you’re fine as long as you pass all the SPF/DKIM steps, have an SSL cert and use your ISP’s mail relay.

        The biggest issue I face is that occasionally a legit mail server refuses to support SSL/TLS and my server drops the connection. The other 99% of unencrypted mail is spam.