Catchall Accounts

Catchall accounts are a mechanism to allow all email to a domain that does not match an existing user to go to a specific named user.

Catchall accounts are dangerous – Why we don’t like them.

We would like to impress upon anyone who is considering the use of catchall accounts that their use is dangerous and causes more harm than good, both for the customer who uses them and for the general health of the internet. There are a number of obvious reasons, and some that are not so obvious unless you actually have to run larger mail servers.

The most obvious reason is that whenever a spammer runs a dictionary attack against a domain, trying either a list of generated names or a list of common names, every single message is accepted and clogs up the catchall account. In the old days of spamming this sort of attack would have arrived as a list of recipient users on a single message, which would then have been delivered as a single message to the catchall account. In these more dangerous times of botnets (collections of machines covertly controlled by spammers and criminals), every recipient is a separate message and the dictionary is split across many machines. In this case it is not possible to spot the attack automatically, with the consequence that the catchall mailbox fills up and then blocks the receipt of any genuine emails that happen to arrive later.

Why catchalls are used

Whilst we appreciate that some people are used to catchall accounts as a way of avoiding having to decide in advance which usernames they wish to use, or as a way of funnelling all non-specific names to a control account, there is a better way to do this within Tidymail.

The Alternative to Catchall Accounts

In Tidymail we have created the system of Aliases and Reject Aliases. These are specific names associated with an ordinary user that serve either as aliases or as automatic rejects. An alias can be toggled between accepting and rejecting whenever you need to.

Currently, only Domain Administrators can create aliases, but we will be enhancing the interface to allow authorised users to create their own aliases when required. A very useful way to use this mechanism would be for a private individual user (as opposed to a company user) to create an alias for every business they deal with. Should a company then abuse the relationship for whatever reason (selling the email address on, refusing to honour an unsubscribe), the user can simply switch that alias over to reject without inconveniencing the rest of their email activity.
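The contrast described above, as an added illustration rather than Tidymail's own code: a small recipient-routing policy that models a catchall mailbox beside the alias / reject-alias scheme, and a constructed dictionary probe run against both. The class and function names, the "accept"/"reject" mode values and the probe list are assumptions made for the example.

```python
"""Recipient routing at SMTP RCPT time: catchall versus aliases and reject aliases.
Illustrative only; names, mode values and the sample probe are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class DomainPolicy:
    users: set[str]                                   # real mailboxes on the domain
    aliases: dict[str, tuple[str, str]] = field(default_factory=dict)
    catchall: str | None = None                       # mailbox that swallows unknown names

    def set_alias(self, name: str, user: str, mode: str = "accept") -> None:
        """Create an alias for a user, or toggle it between 'accept' and 'reject'."""
        if mode not in ("accept", "reject"):
            raise ValueError(f"unknown alias mode: {mode}")
        self.aliases[name.lower()] = (user, mode)

    def route(self, local_part: str) -> tuple[str, str]:
        """Decide a recipient: ('deliver', mailbox) or ('reject', reason)."""
        name = local_part.lower()
        if name in self.users:
            return ("deliver", name)
        if name in self.aliases:
            user, mode = self.aliases[name]
            return ("deliver", user) if mode == "accept" else ("reject", "alias set to reject")
        if self.catchall:                             # catchall accepts every unknown name
            return ("deliver", self.catchall)
        return ("reject", "no such user")             # rejected before any mailbox is touched

def simulate_dictionary_probe(policy: DomainPolicy, probe: list[str]) -> tuple[dict[str, int], int]:
    """Count messages landing in each mailbox (the clogging effect) and rejects."""
    delivered: dict[str, int] = {}
    rejected = 0
    for name in probe:
        action, target = policy.route(name)
        if action == "deliver":
            delivered[target] = delivered.get(target, 0) + 1
        else:
            rejected += 1
    return delivered, rejected

# Constructed sample: 200 generated names plus a few common ones, one message each.
PROBE = [f"user{i}" for i in range(200)] + ["admin", "sales", "john", "mary"]

catchall_domain = DomainPolicy(users={"postmaster", "john"}, catchall="postmaster")
alias_domain = DomainPolicy(users={"postmaster", "john"})
alias_domain.set_alias("sales", "john")                       # accepting alias
alias_domain.set_alias("shop-newsletter", "john", "reject")   # switched off after abuse
```

Running `simulate_dictionary_probe` on each domain shows the catchall mailbox absorbing every unknown name while the alias-based domain rejects them at RCPT time and only the real user and its accepting alias receive mail.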
