setup your own domain and "burner" email addresses

Ever since I purchased krist0ph3r.com 7 years ago, I have been figuring what best to do with what seemed like a frivolous purchase.

Having a handy link for this blog is nice, but the biggest use has actually been quite unanticipated: using "burner" email addresses for sites i sign up to. this means I can sign up to every site with a unique email address, and nobody knows it's the same human. which makes my online experience much safer and more private than the average internet user.

If you think this is something you want/need to do, this is my handy guide - takes about 10 minutes if you know what you're doing, maybe a little more if you sign up with a user-unfriendly domain service. for reference, it took me a couple of days to get right the first time, but has worked absolutely perfectly ever since - so perfectly, that i completely forgot how I did it when a friend asked me to replicate the setup for him!

Anyway, here goes:

1. Buy your domain. It could be any domain (.com or the more interesting/quirky/local TLDs all will work). Just make sure you buy it from a provider that offers a basic control panel that allows you to setup custom DNS records. Nothing fancy, just custom MX and TXT records. Ask their sales team if you aren't sure. This is (at the time of writing) your only expense for the most basic setup. I've used namecheap.com (because it's cheap! but it's also probably the simplest interface to get the job done. Takes no more than 5 minutes here if you're a slow reader) but I have also used other providers that I can't remember any more, and all of them have worked well. Notably, godaddy.com works but is super user-unfriendly as I discovered while helping a friend do his setup yesterday. I haven't tried this with subdomains, so no idea if you can set that up - DNS does support subdomains but I haven't tried to even read up.
2. Setup an email address to receive your emails. Could be any address on any provider, a new one or an existing one (in which case no setup required - but I don't recommend this). I use gmail, because it allows some interesting things (and used to allow more things than it currently supports, unfortunately they've been trying to monetize the platform so things aren't as easy/free any more). For the basic stuff, any email will do.
3. Signup at improvmx.com - this is the site that makes the catch-all burner email setup possible. It's free at the time of writing, and has been free for at least 7 years now, with some premium features that you don't need to get this setup done. They need your domain, and the email you need to forward it to. Don't create aliases unless you need this - just one (*) will do the job.
4. Use the step-by-step view at improvmx.com for guidance regarding the DNS setup. In short, it's two things: setting up 2 MX records (to route mails from your domain to improvmx's servers) and a TXT record so improvmx knows it's you. I had my domain without the TXT record all these years and it worked, so I'm assuming the TXT record bit has been added in the last few years. For completeness, these are the two MX records I needed setup:
• Host: @  Value: mx1.improvmx.com Priority: 10
• Host: @  Value: mx2.improvmx.com Priority: 20
5. Wait a few minutes for DNS records to propagate (shouldn't take too long, but you never know - 30 minutes max). Send a test mail (send it from an unrelated email address to be sure it's working) and it should show up in your inbox! Improvmx is quick and reliable :)

All geeky happiness aside, this solution has one glaring deficiency: you can't easily send mail from your burner email addresses. Sending mail needs a SMTP server and while these used to be common a few years ago, they aren't any more (for a good reason - SMTP servers open to 3rd party domains are the easiest target to bounce spam mail off!). My own solution is to setup a SMTP server on my own machine, dynamic dns aka ddns (namecheap comes with ddns support and a "beta" client, not bad!), port forwarding on my router, and finally point my gmail to it. And only turn it on when I need to send a mail - because I don't want spammers to be taking advantage of my pc! This is definitely not for the faint-hearted/technologically challenged, and definitely not as easy as getting incoming mail setup. There are easier ways to do this, but these aren't free, so I haven't bothered trying them out.

Either way, that's it for now. I might write the SMTP/outgoing mail guide later, and I definitely need to write up the bit where you can point your domain and custom subdomains to your blog(s) - probably more for myself than anyone else.

Have fun and stay safe!

security #fail

warning: long post ahead. summary at the end.

recently, I received a call from HDFC bank, from someone who claimed to be my "personal banker". I was wondering why, because I used to have a personal banker long ago, but he suddenly disappeared off the scene, and I honestly didn't miss him one bit, because there's nothing I need a personal banker for.

in fact, that guy prompted me to once tweet that "a personal banker is a salesman you're forced (or was it obliged? I don't remember) to be nice to 😁"

so this well spoken lady claiming to be my personal banker introduced herself and asked me to save her number and whatnot. and then she said that she could see I was eligible for a credit limit enhancement on my credit card. I have no idea why anyone would offer me that, as I don't even use that card. but apparently your credit limit contributes to your credit score, and it's always good to have a good credit score. or maybe I was simply in a good mood and wasn't too occupied with work that day. either way, I agreed. she said that I would receive a OTP on my mobile, which I would have to key into the IVR. sounded legit.

the IVR switched on, it asked me to enter my card number. when done, it asked me to enter my OTP. since the OTP was on my phone, and I was on the call, it took a few seconds to switch apps and read the number, memorize it, switch back and dial it. and HDFC somehow expected me to be super quick, so the IVR exited before I could dial it in. the lady was back on the line. she said I took too long, so I would have to try again. she launched the IVR again. I entered my card number. it then asked me to enter my OTP. and then I heard my "personal banker"'s voice, asking me to hurry.

WHAT?!!

I was too shocked to respond.

she was on the line with the IVR, had already heard my card number, and was about to hear my OTP!

I was literally shell shocked. I thought I was this close to being scammed. if she hadn't spoken, I'd have been a goner (metaphorically speaking).

the IVR exited, I regained my composure, and asked her why she was on the line. I told her that I was extremely uncomfortable with this and did not want to go ahead with it. she was polite, but it was clear that she didn't understand my concern. I tried explaining as well, but she was like "I can only hear beeps, not the actual number"

she obviously didn't know how tone dialing (or indeed, IVR systems) work.

I gave up and made an excuse and hung up.

I didn't really need the limit upgrade, but she had set my mind working. is there any way to verify that this is or is not some sort of scam? I thought hard, and the only thing I could come up with was the HDFC official call center. so I dialed in, and of course I had to enter my authentication details on the IVR, something I have done scores of times before, but which got me thinking this time. anyway, I guess the number listed on my card and the website had to be trusted, I hoped.

I finally got someone on the line. I asked her if I was eligible for a credit limit upgrade. she affirmed. I asked her to confirm my current and new limit. it matched what I was told earlier. she told me I would be sent an OTP and would then be put on the IVR. so far, the story matched. I had just one last point to confirm. I asked her if she would be on the line while I entered my details.

she said she would.

this time, I didn't bother arguing. I had called HDFC on their listed number, so unless an extremely well engineered scam was in place, I should be safe.

the transaction went through, I got a message from HDFC confirming that my request was accepted to etc.

I called my "personal banker" to let her know that I had done the upgrade by calling phone banking, as I was not comfortable entering my OTP on an inbound call. she still didn't understand, but I didn't care.

I haven't heard from her ever since. but I did get a call the other day from a guy who also claimed to be my personal banker. I told him I already have one, and he insisted that he was my real personal banker from the head office, while the other person must have called from some branch.

I'm pretty sure he's not from the head office, because he wants to meet me in person now. I'm just bracing myself for more insecure bullshit and another attempt to sell me something I don't need.

anyway, TL;DR:

do not enter personal details on IVR. especially on an inbound call. if it's an inbound call, selling you something you want, find a way to get to the same offer from an outbound call to a verified number. do all due diligence to verify the outbound number. and never accept an outbound number that's given to you by the caller. they are bound to make excuses to avoid this, but be firm.

do not assume any IVR is secure. those "beeps" are the keys of your keypad being transmitted across. anyone listening will know what you have entered. so be wary.

and whenever you come across a bank legitimately forcing or inducing you to do these things, give them feedback that this is not acceptable.

(ps: have you come across any other such suspicious things? let me know in the comments, I'll be happy to vet and write up about them!)

hi

found in my inbox. too epic to not do anything before trashing it. so here it is:

From: shobith mascarenhas <masky4you@gmail.com>
To: kristopher@*******.com
Subject: hi

Hi Ranjeeth, trust u guys hv settled in by now. All r well here. Had been to the bank yesterday. I have yr password and login name.
Login name: MERLYN , signon password: V%965666 , transaction password: M%557085. Before your a/c is activated, you will have to send a confirmation email to : mangal@bankofbaroda.com If you have any problems logging in, do let me know. I have the login instructions here, will scan and send it to you.
Regarding yr driving licence, I havent recieved the scanned copy. When you get the time you can resend it. Will be going to Delhi in a day or two regarding a proposal. To begin with, I was in Chennai when this proposal came up. The girl and her family are from Mangalore, but presently based in Delhi. They had come to Mangalore for a wedding. Mama, A. Loretta and Mrinal have met her and were quite positive in their feedback. Her name is Richa Pinto and works as a school teacher. ( B.Ed).
She is open to settling down in Mangalore. Ive spoken to her a couple of times. Nothing confirmed yet, will know in a week from now. Will keep you posted.
Convey our love and regards to Merlyn n Myra.

love
Shobith
(Master Mariner!!!!!!! :)

Keep up with me

You know a site is spamming you when it sends invitations from a friend who *died* a few months ago. Yesh, I'm talking about this one!

---

---------- Forwarded message ----------
From: shyam haridas <...@gmail.com>
Date: Tue, Jan 19, 2010 at 6:44 PM
Subject: Keep up with me


Note: This is a reminder email sent by Indyarocks.com on behalf of its member.


Hi
I want to keep up with you on Indyarocks.com.

Indyarocks is a unique approach to communication and Entertainment based on the simple concept of One to many. If you want to reach out to all your friends and relatives with a single click, Indyarocks is the place to be.

You can send group SMS, explore movies, play multi-player games, watch cricket and listen to music with your online friends in real time.

Try the below link to keep up with me.
http://www.indyarocks.com/register_step1.php?...

Thanks
shyam haridas

Please note: This message was sent to you by a user at Indyarocks.com. Click here in case you do not wish to receive any invite from this user. Click here if you do not wish to get any invitations from any Indyarocks user. If you have any queries please contact us at directsupport@indyarocks.com

Reminder: Kristopher invited you to join Facebook...

facebook has been sending these mails out on my behalf. i know because i'm on my own address book.

and my address book was accessed by facebook exactly once, when i first signed up two years ago.

i somehow don't remember agreeing to let them use my contact list, much less invite *all* my contacts. and definitely not two years later.

facebook Hi Kris, The following person recently invited you to be their friend on Facebook: Kristopher Noronha 569 friends 415 photos Other people you may know on Facebook: Aditi Mallya India Bokul Bhowmick Priyadarshini Goswami Jadavpur University Aarti Naik India Shakti Salgaokar India Martin Fernandes Facebook is a great place to keep in touch with friends, post photos, videos and create events. But first you need to join! Sign up today to create a profile and connect with the people you know. Thanks, The Facebook Team Facebook is free and anyone can join. Sign Up To sign up for Facebook, follow the link below: http://www.facebook.com/r.php?re=450917da68d42e1d0e052434f25b11a2&mid=aa752fG218ed3edG1f26b64G46 This message was intended for ________________. If you do not wish to receive this type of email from Facebook in the future, please click here to unsubscribe. Facebook's offices are located at 1601 S. California Ave., Palo Alto, CA 94304.

ask eraser - tada??? nada!!!

i was pleasantly surprised today to find that two people who's blogs i subscribe to posted about the same thing, just 25 minutes apart. ladies and gentlemen, i now present: seth godin and rahul batra.

the topic in question: askEraser. it's apparently ask.com's response to internet users' demand for a good search engine that doesn't search and mine their search history. wonder how well it'll work.

rahul's post is (quite typical of his style) short and sweet, while seth's post offers some interesting insights as to why privacy isn't all that important to the average internet user too.

anyway, as far as i'm concerned, i'm sticking with google. if data mining my personal communication was that big a deal, i'd have never used google products. looking at the way i use the internet, it seems to me that i've been trying to feed google as much data as i can about myself, so that one fine day they know exactly what i want before i can think of it. and yes, it wouldn't surprise me either :D

the opposite of privacy

today, in an after-lunch walk with a colleague of mine, he told me that he used to be totally into online privacy and all, and used to promote/develop software that helps keep your identity secure online, till one day he realised that he wasn't using his own software. so he decided to pretend he didn't know anything about himself, and try and dig up as much info about himself as he could.

apparently he pinpointed himself within 10 feet of his actual location, found his full name, and found a way to get his telephone number (but didnt actually get it because of the potential side effects of hacking into his ISP's database - especially since his location could be tracked down to the last 10 feet :D )

then i told him that he could google my name and get my phone number, or vice versa. i forgot to tell him that he could google my name and get my home address and a pinpoint over it's location in a map too, but i guess i made my point.

so all this got me thinking - what does privacy mean to me today? do i really care if someone knows where i live and what's my phone number? (obviously not, cos i'd not have put it up then). what about my birth date, my parents'/relatives'/friends' names, my email addresses, my middle name, my school, my colleges, my employment history?

could a person possibly pretend to be me and get away with it? i think it's very possible. all these pages will also be cached in google for a long time. scary. i'm the only "kristopher noronha" on google. even scarier.