Consumer Security Tip: Use Multiple Email Accounts To Reduce Fraud And Spam

By Rich

I spend a fair bit of time helping friends and family keep their computers up and running. At the local coffee shop I’m known as “the security guy”, which usually means answering questions about which antivirus software to buy. But some of the best ways to protect yourself don’t involve spending any money, or buying any software.

One of my favorites is to use different email accounts for different contexts. A lot of security pros know this, but it’s not something we have our less technical friends try. Thanks to the ease of webmail, and most mail applications’ support for multiple email accounts, this isn’t all that hard. Keeping things simple, I usually suggest 4-5 different email accounts:

  1. Your permanent address: I have one email account that’s been in active use since 1995. It’s the one I give friends and family, and I don’t use it for anything else. No online purchases, no newsletter subscriptions, nothing but those I know and care about. For a long time I got essentially NO SPAM on this account. Ever. I did make the mistake once of letting a local political party get their hands on it, and they screwed up a mailing and the address leaked to a spam list. Learn from my mistake: have one address you give out for your personal email that you never have to change (e.g. Hotmail, Yahoo, or Gmail), and never use it for anything else.
  2. Your work address: We all have these, and we all use them for personal email. That’s fine, but don’t use it for subscriptions or online purchases.
  3. An address for buying online when you don’t trust the store: Another Gmail/Yahoo/Hotmail address you use for risky online purchases, and nothing else. That way, if a site you use is compromised you can easily change addresses without too much difficulty. These are the smaller online retailers you don’t really know or trust as much as Amazon and Ebay.
  4. An address for trusted retailers: This is your Amazon, Ebay, and Apple address, the one you use to buy things from major retailers. This can be the same as your permanent address. Let’s be realistic, I use a few major retail sites and have never had any problems with spam or fraud by letting them use my main address. Yes, it’s a risk if they get breached, but it’s one I’m willing to take for a small group of stores I use more frequently. If you do this, make sure you opt out of any of their marketing emails. This is in your account preferences when you log in.
  5. An address for email subscriptions: This is for newsletters, fora, and other sites where your email might not be private.

I also often use throwaway addresses. These are temporary accounts I set up for high-risk things like certain forum subscriptions and email lists that I know will end up in the hands of spammers.

There’s one kind of address you should never use: the one your ISP (Internet Service Provider) gives you. Not only do these seem to end up on spam lists more often than not, but you may have to change your ISP more than you anticipate. If I have to update my address book for someone moving/changing addresses, it’s almost always because they’ve used the email from their ISP. These other services are free and easier to use, so there’s no reason to use an ISP account.

This might seem complicated, but it’s really easy. Just go to one of those services and set up some free accounts. For each one, write down the username and password twice- once on a piece of paper you keep near your computer, the other you keep with your important papers (except your work password). I know most security experts tell you to never write your passwords down, but as long as it’s on paper (not in a file on your computer) and reasonably safe in your home the risk is low (however, don’t do this with bank account passwords!).

Then launch Outlook Express, Mail.app, Eudora, Thunderbird, or whatever email program you use and add these accounts using the instructions from whoever you set up the account with. It usually takes less than a minute, and gives you one place where you can read all your mail.

Personally I have over a dozen accounts, but I’m both paranoid, and like having all my different email lists go to different accounts to make reading them easier. For the rest of you, somewhere between 4-6 accounts can reduce the spam you get, especially on your personal email, and even reduce the chances of fraud.

Comments

Great overview!

By Rich


I personally use a ton of accounts, but since I targeted this for less technical users I kept it a little simpler.

As for the . or + trick I don’t worry too much about getting caught with those. First, I never use a high value username as the root (so they’d have to guess all of my + accounts), and second, most spammers are lazy and don’t manually look for those patterns or even write scripts to pull the root account out.

But if you don’t use the root address in the first place, odds are you won’t get nailed.

By rmogull


@rmogull:
you should really consider using unique disposable forwarding email addresses for each company/site you give an email address to (both trusted and untrusted)... this gives you the same benefit as the throw-away addresses, of course, and eliminates the problem where you put your trust in the wrong company, but as an additional benefit it makes it MUCH easier to identify phishing (that ebay email wasn’t sent to my ebay address, it must not be legit)...

@pepper:
"You can also use plus addressing to track individual companies for bad behavior."

sure, if you want to give away what your real address is… the plus trick and the dot trick that people use with gmail is not appropriate for anti-spam because all the information one needs to find the base email address is present in the “decorated” address you give to company X…

By kurt wismer


You can also use plus addressing to track individual companies for bad behavior. For example, if you registered richmogullvendor@google.com, you could register with overstock.com as richmogullvendor+overstock.com@google.com. Then if you have trouble getting off their marketing list, it’s easy to drop all mail to richmogullvendor+overstock.com@google.com. Even better, if richmogullvendor+overstock.com@google.com gets email from rnc.org, you know that Overstock sold you and who the RNC bought you from.

Also, since vendors almost mostly send but do not receive mail, you can save some time on checking multiple accounts by forwarding low-security accounts (vendor email) to additional accounts. This can make the process of actually checking mail significantly faster, since it’s much faster to log into 1 account and get 30 messages than to log into 3 different accounts for 10 messages each.

By reppep
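
The two checks described in the comments above (mail on a vendor-specific address that comes from someone else, and mail claiming to be from a vendor that arrives on an address the vendor never had), as an added example that is not part of the original post or comments. The `ISSUED` registry, the function names and the sample messages are constructed for illustration, and the `From` domain is only what the message claims, so the result is a hint rather than proof.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed registry: vendors that were each given their own +tag address.
ISSUED = {"overstock.com", "ebay.com"}

# Constructed sample messages, using the address pattern from the comment.
SAMPLES = {
    "ok": "From: Deals <news@mail.overstock.com>\n"
          "To: richmogullvendor+overstock.com@google.com\nSubject: Sale\n\nbody\n",
    "sold": "From: info@rnc.org\n"
            "To: richmogullvendor+overstock.com@google.com\nSubject: Donate\n\nbody\n",
    "phish": "From: eBay <security@ebay.com>\n"
             "To: richmogullvendor@google.com\nSubject: Verify\n\nbody\n",
}


def plus_tag(address):
    """Return the lowercased +tag of a recipient address, or None."""
    local = address.rpartition("@")[0]
    _base, plus, tag = local.partition("+")
    return tag.lower() if plus and tag else None


def within(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def classify(raw_message):
    """Compare the claimed sender with the tag on the receiving address."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipients = getaddresses(msg.get_all("To", []))
    tags = [t for t in (plus_tag(addr) for _name, addr in recipients) if t]
    if tags:
        # Tagged address: only the vendor it was issued to should be using it.
        if any(within(sender, t) for t in tags):
            return "expected"
        return "shared-or-leaked by " + tags[0]
    # Untagged address: a vendor holding a tagged address should not write here.
    if any(within(sender, v) for v in ISSUED):
        return "suspect: " + sender + " was never given this address"
    return "untagged"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```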

