Suddenly I started receiving a bunch of scam mails (phishing). I suspect some bot or bot-net is involved, because I’ve received maybe a couple hundred e-mails at the time of writing, all from different (likely auto-generated) senders. With anything from 2-10 emails per day.

The scam is essentially just some phishing, all related to the same topic. I’ve mostly been able to mitigate it by filtering out mails containing certain keywords or phrases that show up in the scam mails. However, the mails change relatively often (about once a day) so every now and then something gets through, and I’ll update my filter.

My question is really if there’s any way I can figure out

  1. Where this is coming from,
  2. How they got hold of my email

So that I can try to go after the root cause / prevent other scammers from getting hold of it.

  • subtext@lemmy.world
    link
    fedilink
    arrow-up
    24
    ·
    2 months ago

    There’s really nothing to be done about the compromised email address, but I would really recommend using a service that creates unique email addresses per service that you sign up for to mitigate the blast radius when one service gets pwned. It takes a long while, but thankfully privacy laws are stronger now and it’s easier to force a company to either delete your information or change the email they have for you.

    Some potential services to consider include:

    https://addy.io/

    https://proton.me/pass/aliases

    https://www.fastmail.com/features/masked-email/

    https://support.apple.com/guide/icloud/what-you-can-do-with-icloud-and-hide-my-email-mme38e1602db/icloud

    • thebestaquaman@lemmy.worldOP
      link
      fedilink
      arrow-up
      5
      ·
      2 months ago

      Thanks! I’ll definitely look into that, though the only issue I can imagine is keeping track of which email that goes to which service (I’m one of those kinds of people that uses “Forgot my password” effectively as a password manager, don’t hate me for it, I have reasons).

        • thebestaquaman@lemmy.worldOP
          link
          fedilink
          arrow-up
          3
          arrow-down
          2
          ·
          2 months ago

          Since you chose to point it out: My reason is that I regularly need to be able to log into things on a non-personal machine, sometimes without access to my phone. So no, a password manager for all my accounts is out of the picture. I either write stuff down, remember it, or - sometimes - forget it and need to reset my password.

          • whitecold@lemmy.world
            link
            fedilink
            arrow-up
            8
            ·
            2 months ago

            Not having access to your phone and having to log in on other computers doesn’t rule out using password managers at all. You can use bitwarden’s web vault (or self-host vaultwarden). As long as you can log in to bitwarden web vault, you can access your passwords anytime, anywhere.

      • nocturne@sopuli.xyz
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        2 months ago

        the only issue I can imagine is keeping track of which email that goes to which service

        Using a password locker will take care of that.

      • subtext@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        2 months ago

        They all have a system for keeping track of that, I know iCloud automatically assigns a URL to each based on where you created it, or Fastmail (which I use) has a comment field and automatically tags each email as it comes to your inbox.

        It takes more than zero effort to create it, so it’s too much effort for my wife, but I absolutely love it.

  • StrawberryPigtails@lemmy.sdf.org
    link
    fedilink
    arrow-up
    12
    ·
    2 months ago

    Spam email has always been a problem, and there is really no way to find out how they got your email address and no way to prevent it either. Email lists are bought, sold and traded all the time.

    What I do is keep the email client Thunderbird running on my desktop. It has a really good smart spam filter that learns from the email you receive and what you mark as spam/not spam. With IMAP, even your mobile devices benefit from the filtering.

    Every few days I’ll check the junk folder and mark “not spam” anything that it incorrectly flagged as spam and go through my inbox and mark spam on anything it missed. I think it miss-flags maybe 3 or 4 emails per week right now. Doesn’t happen often.

      • This site only shows if your email address is floating around on some illicit data set.

        There are plenty of ways to scrape email addresses without stealing them.

        You probably signed up for something using your email address, clicked agree to share it with the company’s trusted partners, all 3,000 of them, and one of them proved not to be so trustworthy.

  • MilitantAtheist@lemmy.world
    link
    fedilink
    arrow-up
    7
    ·
    2 months ago

    This is what I did years ago. It works great for me.

    Got my own domain.

    When I’m forced to register somewhere I use <their site+how much I hate them><year>@mydomain.com

    So, when EA forced me to register an account on origin, it was fuckea2011@mydomain.com.

    If I see an email address start to get phishing and spam, I disable it.

    • Kekzkrieger@feddit.org
      link
      fedilink
      English
      arrow-up
      8
      ·
      2 months ago

      You don’t even need a custom domain to do this. Google, Ms and many others support aliases with a plus (+) sign in the recipient adress.

      so if you got john@gmail.com you can freely create new aliases like john+ea@gmail.com, john+amazon@gmail.com and they will all land at john@gmail.com

      If your address gets leaked, you can just block emails to that recipient.

      I’ve done this for most of my accounts and it works great.

      • stom@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        5
        ·
        2 months ago

        Gmail labels are great but they’re not universal, and are easy to strip out.

        A lot of sites:

        • Don’t allow +'s in email addresses
        • May let your register but then not login
        • Are aware of labels and simply strip them out

        I have an email address I have only ever used with labels but still get spam to the non-labeled address. Spammers and email harvesters are very much aware of this trick, so it only works on legitimate sites.

  • UnrepentantAlgebra@lemmy.world
    link
    fedilink
    arrow-up
    4
    ·
    2 months ago

    Did you get a huge flood of emails at the start? That happened to me one time and it was because one of my old passwords got leaked. Buried within the flood of emails was a legit “your password has been changed” email for an account.

  • bluGill@fedia.io
    link
    fedilink
    arrow-up
    4
    ·
    2 months ago

    A good email provider is your best bet. I’ve been on fastmail for years and they rarely let spam through despite me not protecing my address

    • Boozilla@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      Fastmail is pretty great, and it lets you create masked email addresses for throwaway purposes if you need one.

  • MrGabr@ttrpg.network
    link
    fedilink
    arrow-up
    5
    arrow-down
    1
    ·
    2 months ago

    I’ve found that 99.99% of my spam comes from emails with weird extensions - .xyz, .world, .shop, .best, etc. - so I’ve gotten a significant amount of relief in getting a mail client that lets me block entire domain extensions (BlueMail mobile).

  • amanneedsamaid@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    Make a new email, and use email aliasing (AnonAddy, Simplelogin) from now on. They can’t get a hold of an email that no one has.

  • JohnWorks@sh.itjust.works
    link
    fedilink
    arrow-up
    1
    ·
    2 months ago

    I’ve been dealing with my e-mail having been involved in multiple beaches and have been spending a couple years trying to migrate my accounts to aliases that go to a new e-mail address. It’s a long process to say the least. 🫠