cross-posted from: https://infosec.pub/post/37292398
My personal domain has hundreds of aliases - one for each site I deal with. This is great for identifying the source of spam, and I retire any aliases that get spam.
haveibeenpwned.com lets me add a domain, but wants 3912 USD a year to actually tell me which addresses leaked. This is obviously an insane price for a nice-to-have.
Is there an alternative for free or very cheap? A self-hosted tool that would pull down lists would be great, but I suppose those lists aren’t public.


They want money? I have 2 domains registered and I’m currently at 10 breaches (9 on one and 1 on the other (my serious domain)).
The thing is, the stuff is bloated anyways. Aliases such as “webmaster80@”, “webmaster13@”, “webmaster01@”, “2webmaster@” I never used. Even the “webmaster@” I only posted as contact mail but never used myself. There are 13 breaches across 6 aliases that I never used. With Synthient Credential Stuffing, 4 got added.
Spammers do roll a ton of addresses with that one domain. I even let AI write a ps script, so I can easily add an alias to my spam mailbox, which rejects any mail and deletes it instantly.
I was looking at this yesterday. If you actually go and look at the results for your domain, it’s likely that it will only show you the subscription-free details and none of the recent ones.
I don’t miss any breaches (I inform myself with other news portals) and the most recent one with 2 billion is included but no actual account. Of course some of the addresses the spammers guessed for my domain could be in a breach that I don’t know of, but I don’t care. Just guessing email addresses is not hard for a catch-all address.