When I try subaddressing as I try to sign up for new online services, more often than not that address format is rejected as invalid. Most online services don't have very good email validation.
Use a whole domain name, e.g. sign up for Dropbox with dropbox@tokenadult.com. You could do this with Google Apps Gmail by setting a catch-all forwarding address for the domain.
I use a sub-domain (e.g. @m.mydomain.com) for my catch-all and this hasn't happened to me. There are various easy ways for spammers to find out about domains, but sub-domains can remain relatively obscure.
Or worse, using <randomchars>@somesubdomain.example.com as the SENDER address on spam to others. I once had spammers find a subdomain that accepted wildcard emails, and the backscatter was just insane. Had to spend a whole day trying to make a list of valid <usernames>@ on that subdomain to whitelist to put an end to it. (Not easy if you haven't already been keeping track of which addresses you've handed out throughout the years)
I have a setup like that, I get more spam because of that of course but Google is really good at filtering it. And especially in conjunction with priority inbox, it's a breeze (and very convenient).
Yeah, I've got postfix set up so I just need to add a line to a text file with "servicename.somerandomchars[1]@mydomain" and it's starting to route to my inbox.
When an address is "compromised" and starts to receive spam, I move the line to a "banned_recipients" file with an SMTP reject header listing the new email. That way, a human using an old address would get a bounce back with the new email.
[1] so that the argument about bruteforcing "common-service@domainname" can be avoided
That's a nice technique; thanks for sharing it. This kind of flexibility is one of the many benefits of running your own mail server (I'm always happy to see that at least some people here are still doing that).
If you run postfix you can have that even easier; look for smtpd_recipient_restrictions and check_recipient_access in 'man 5 postconf'.
I'm running with this rule in the access map:
/^from-.*@foobar.com$/ OK
That accepts all mail to an address prefixed with "from-" and (by default) rejects everything else. This way you can just make up the dummy-addresses on the fly.
I remember being slightly worried about using such a simple prefix when setting it up initially. However I have never received mail to a from-* address that I didn't "create". Not once in over 6 years.
And disabling an address that has turned spammy is as easy as:
/^from-stuffit-expander@foobar.com$/ 554 No thanks.
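How the two access-map lines in the comment above interact, as an added example (not the commenter's configuration): a small Python model of first-match lookup in a Postfix regexp table, showing why the reject line for a retired address has to sit above the wildcard. It assumes Python's `re` behaves like Postfix's regex engine for these simple patterns, escapes the dots in the domain, and uses hypothetical helper names `parse_table`, `lookup` and `shadowed_rejects`.

```python
import re

# Constructed sample table in Postfix regexp_table(5) syntax: "/pattern/ ACTION".
# The retired address comes BEFORE the wildcard, because the first match wins.
# Dots in the domain are escaped; an unescaped "." matches any character.
TABLE = r"""
/^from-stuffit-expander@foobar\.com$/ 554 No thanks.
/^from-.*@foobar\.com$/ OK
"""

def parse_table(text):
    """Parse '/regex/ ACTION' lines into ordered (compiled_regex, action) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(.+)$", line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        # Postfix regexp tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, recipient):
    """Return the action of the first matching rule, or DUNNO if none match."""
    for pattern, action in rules:
        if pattern.search(recipient):
            return action
    return "DUNNO"  # no decision; the next restriction in the list decides

def shadowed_rejects(rules, addresses):
    """Addresses whose first match is OK although a later rule rejects them."""
    flagged = []
    for addr in addresses:
        hits = [action for pattern, action in rules if pattern.search(addr)]
        if hits and hits[0] == "OK" and any(h != "OK" for h in hits[1:]):
            flagged.append(addr)
    return flagged

if __name__ == "__main__":
    rules = parse_table(TABLE)
    handed_out = ["from-dropbox@foobar.com", "from-stuffit-expander@foobar.com"]
    for addr in handed_out + ["someone@foobar.com"]:
        print(f"{addr:40} -> {lookup(rules, addr)}")
    # Same rules in the wrong order: the 554 line is never reached.
    print("shadowed:", shadowed_rejects(rules[::-1], handed_out))
```

Running `shadowed_rejects` over the list of addresses you have handed out is a quick check after editing the map that every retired address still reaches its reject line.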
It's actually _not_ because their validation sucks, but because salespeople decided that it means you won't read their newsletter or other spam. They understand the situation as - hi, this is my email please use that subaddress so I can mark it as spam (yes, I know that spam filters don't need subaddresses - but try to explain it to an average salesdude - I've tried).
I have anything sent to any address at my vanity domain forwarded to gmail. I use the name of the website and add e.g. ".shop@mydomain.tld" or ".bank@mydomain.tld" so I can apply different labels to them in gmail. It works great except I chose a .info domain which some sites don't recognise as valid.
I should also have said that this system means that for forums I feel safe enough using the same password on all sites as it will never be linked with the same address. (I still use a different (predictable for me) password for banking/ecommerce websites)
These (the dot and underscore separators) are a great solution, because when the spam-happy-marketroids try to get the webdevs to intentionally implement broken email address validation, they can point out all the corporate email addresses which are by-policy of the form "firstname.lastname@domain.tld"…
Yeah, so much for RFC2822. Oh well, apparently, some spammers are clever enough to grep the emails with "+" and throw away the obvious additional portion.