undefined | Better HN

0 pointssmusamashah3y ago0 comments

I use mozmail and on the fly emails are great but so easy to exploit and spam.

For example, my custom domain is foo.mozmail.com. I enter my on the fly email address bar@foo.mozmail.com on attackers website. Voila. Now they know my custom domain name "foo" and can use it to send email to all possible on the fly addresses. e.g. 1@foo.mozmail.com 2@foo.mozmail.com so on and so forth.

Now my custom domain name as a whole is compromised but I can not change it anymore and lost all benefits of Firefox relay.

0 comments

aorth3y ago

You don't have to use the custom @domain.mozmail.com address with Firefox Relay—you can use @mozmail.com with one of the auto-generated random aliases.

Your complaint is similar to using RFC 822 "me+site.com@domain.com" style emails and then worrying that sites are going to learn that your real email is "me@domain.com" by stripping off the part after the plus sign. Call me optimistic or naive, but I don't think that sites are doing that...

https://people.cs.rutgers.edu/~watrous/plus-signs-in-email-a...

Vinnl3y ago

Yes, it is recommended to use a completely random email by default, and only use your custom domain as a fallback when you can't use the random one (e.g. when you have to give up your email somewhere in-person). We're looking into ways to make that clearer, because people's intuition tells them to use their custom subdomains by default.

smusamashahOP3y ago

That's right. Thanks for correction. I have been doing exactly that. Using custom domain email everywhere I needed. Will use generated emails from now.

j / k navigate · click thread line to collapse