I have access to a ‘catch all’ email mailbox.
This enables me to run a system in which, when a company or other organization asks me for my email address, I give them one that is unique to them. I keep track of which email address I have given out to which organization in a list, and I try quite hard to avoid giving the same address to more than one organization. This means that if an email address receives anything it shouldn’t (such as phishing attempts or spam), I can tell which organization is probably responsible (either directly responsible, or indirectly responsible by allowing the address to be leaked to the people who were directly responsible).
So how have I used this knowledge? Well, I haven’t much, to be honest. I think ever since I started doing this I have believed there should be a website where all the people who do the same thing as me can record instances of abuse. If enough reports were received from different people for a particular organization then it would be good evidence that the organization had leaked their list of people’s email addresses. If anyone knows of such a website, please comment below.
For now, I’ll simply record my own such reports in this blogpost – just in case anyone in my situation ever uses a search engine to look for any other ‘victims’ of the same particular instance of leaking of personal data.
- Organization that was given the email address : Subsequent use of that address
- banksafeonline.org.uk : Invitation from airbnb.com on 2016-09-28
- ft.com : “investment” spam
- chemistdirect.co.uk : spam
- torchdirect.co.uk : spam
- moneybookers.com : spam
- And they seem to have leaked at least part of my postal address as well
- oracle.com : “IT jobs” spam
- hotchilli.net : spam
 – ‘catch all’ mailbox
To explain what I mean by this I’ll use “abc.example.com” as an example. If I had access to the ‘catch all’ email mailbox for “abc.example.com” then I would receive all email sent to firstname.lastname@example.org – almost regardless of what the ‘something’ was replaced by. So I would receive email sent to email@example.com and firstname.lastname@example.org and email@example.com and firstname.lastname@example.org and … you get the idea.
 – “probably responsible”
I use the term “probably responsible” because there are some other possibilities: the leak could have come from me, or from an eavesdropper (since email is not intrinsically a secure medium), or it could even be that the unique email address was actually guessed by someone. But all theses are far less likely than the possibility that the relevant organization is responsible (either directly or indirectly).