Lifehacker Book Contest Winner: How To Avoid Catch-All Domain Spam
If you own a domain name with an active catch-all email address, you know how spammers can pummel you with junk mail to every firstname.lastname@example.org email address they can automatically generate. When you have your own domain, you can use site-specific addresses when you register for web services to track down spam sources (like email@example.com), but once you do that, you've got to keep your catch-all address open to junk mail as well. But Google Apps user Ray has a clever system that filters out catch-all junk but still lets him track exactly who's selling out his address. Here's how to set it up.
Editor's note: this method involves a few steps that take one or two
reads to get your head around, but it is pretty ingenious. Ray explains:
In Google Apps, set up a new user account. This is NOT
going to be your actual email address. Set the username to something
that will stand out among your other user-names (if any). In this case,
I'm using "spam-trap".
Go back to the Google Apps Dashboard, and click on E-mail under
Service Settings. Select "Forward The Email To..." and enter your newly
created account in the Catch-All address field, as shown.
Go to your email login page, which is usually: https://www.google.com/a/yourdomain.com, and log in to your newly created account.
Click Settings > Filters > Create New Filter. In the To:
Field, enter "." followed by a short sequence of numbers or letters.
Make it something short, and easy to remember. This will be your secret
email suffix, and is the key to this whole system working.
Click Next Step, and enter your real address in the "Forward It To"
field. You also might want to add a label to make checking how your
filter is working easier later. Click "Create Filter."
Now, whenever you need a trackable email address, give it in the
form of anything.SecretSuffix@mydomain.com. If you want to be able to
track spam, give a custom address to each site that requires an email
address. Using the name of the company or web site works great for
this. (Ed: Like amazon.com.SecretSuffix@yourdomain.com.)
The filter you've set up will forward any incoming mail in the
correct format to your real address, while stopping all of the garbage
emails that spammers send out in the hopes of finding domains with
active catch-all addresses.
This system works better than Gmail's plus addressing, because
sometimes poorly-designed web forms will not allow + characters, and
since you're using your own secret suffix, it's unlikely that a spammer
would take the time to reverse-engineer your naming system. If you do
start getting spam, you can block it easily via another filter, and if
you're using custom addresses, you'll also know who sold you out to the
Periodically you might need to log in to your catch-all address, and
create special filters to let certain legitimate mail through. In
particular, check mailing lists you subscribe to, which often use a
special address in the To: field, and thus will get caught by your
This system can even be adapted to non-Gmail/Google Apps users who
use desktop clients. The key is a catch-all address, the secret suffix,
and a filter to block out everything else.
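The same routing logic outside Gmail, as an added example (not Ray's or Lifehacker's code): it forwards mail addressed to `tag.SecretSuffix@yourdomain.com`, blocks tags that have leaked, and traps everything else, including the mailing-list case mentioned above. The suffix `x7q`, the blocked tag and the sample messages are constructed assumptions.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

DOMAIN = "yourdomain.com"             # placeholder domain used in the article
SECRET_SUFFIX = "x7q"                 # constructed example suffix (assumption)
BLOCKED_TAGS = {"shadyshop.example"}  # constructed: a tagged address that leaked

def classify(raw_message):
    """Return (action, tag): 'forward', 'block' or 'trap' for one raw message."""
    msg = message_from_string(raw_message)
    # Like the filter in the article, only the To: header is inspected.
    for _name, addr in getaddresses(msg.get_all("To", [])):
        local, _, domain = addr.rpartition("@")
        if domain.lower() != DOMAIN:
            continue
        # tag.SecretSuffix: split on the last dot; the tag itself may contain dots.
        tag, dot, suffix = local.rpartition(".")
        if dot and tag and suffix.lower() == SECRET_SUFFIX:
            tag = tag.lower()
            return ("block" if tag in BLOCKED_TAGS else "forward", tag)
    # No recipient carries the suffix: guessed catch-all address, or a mailing list.
    return ("trap", None)

def triage(raw_messages):
    """Count outcomes per (action, tag) so leaked addresses stand out."""
    return Counter(classify(m) for m in raw_messages)

# Constructed sample messages (only the headers matter here).
SAMPLES = [
    "To: amazon.com.x7q@yourdomain.com\nSubject: Your order\n\nbody",
    "To: Ray <Amazon.com.X7Q@YourDomain.com>\nSubject: Shipped\n\nbody",
    "To: john.smith@yourdomain.com\nSubject: Cheap pills\n\nbody",
    "To: shadyshop.example.x7q@yourdomain.com\nSubject: WIN NOW\n\nbody",
    "To: announce@lists.example.org\nSubject: [list] digest\n\nbody",
    "To: .x7q@yourdomain.com\nSubject: suffix only\n\nbody",
]

if __name__ == "__main__":
    for (action, tag), count in sorted(triage(SAMPLES).items(), key=str):
        print(f"{action:8} {tag or '-':20} {count}")
```
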