Showing posts with label security. Show all posts

Wednesday, May 26, 2021

set up your own domain and "burner" email addresses

Ever since I purchased krist0ph3r.com 7 years ago, I have been figuring out what best to do with what seemed like a frivolous purchase.

Having a handy link for this blog is nice, but the biggest use has actually been quite unanticipated: using "burner" email addresses for sites I sign up to. This means I can sign up to every site with a unique email address, and nobody knows it's the same human, which makes my online experience much safer and more private than the average internet user's.

If you think this is something you want/need to do, this is my handy guide - takes about 10 minutes if you know what you're doing, maybe a little more if you sign up with a user-unfriendly domain service. For reference, it took me a couple of days to get right the first time, but has worked absolutely perfectly ever since - so perfectly that I completely forgot how I did it when a friend asked me to replicate the setup for him!

Anyway, here goes:

  1. Buy your domain. It could be any domain (.com or the more interesting/quirky/local TLDs all will work). Just make sure you buy it from a provider that offers a basic control panel that allows you to set up custom DNS records. Nothing fancy, just custom MX and TXT records. Ask their sales team if you aren't sure. This is (at the time of writing) your only expense for the most basic setup. I've used namecheap.com (because it's cheap! but it's also probably the simplest interface to get the job done. Takes no more than 5 minutes here if you're a slow reader) but I have also used other providers that I can't remember any more, and all of them have worked well. Notably, godaddy.com works but is super user-unfriendly as I discovered while helping a friend do his setup yesterday. I haven't tried this with subdomains, so no idea if you can set that up - DNS does support subdomains but I haven't tried to even read up.
  2. Set up an email address to receive your emails. Could be any address on any provider, a new one or an existing one (in which case no setup required - but I don't recommend this). I use gmail, because it allows some interesting things (and used to allow more things than it currently supports, unfortunately they've been trying to monetize the platform so things aren't as easy/free any more). For the basic stuff, any email will do.
  3. Sign up at improvmx.com - this is the site that makes the catch-all burner email setup possible. It's free at the time of writing, and has been free for at least 7 years now, with some premium features that you don't need to get this setup done. They need your domain, and the email you need to forward it to. Don't create aliases unless you need this - just one (*) will do the job.
  4. Use the step-by-step view at improvmx.com for guidance regarding the DNS setup. In short, it's two things: setting up 2 MX records (to route mails from your domain to improvmx's servers) and a TXT record so improvmx knows it's you. I had my domain without the TXT record all these years and it worked, so I'm assuming the TXT record bit has been added in the last few years. For completeness, these are the two MX records I needed to set up:
    • Host: @  Value: mx1.improvmx.com Priority: 10
    • Host: @  Value: mx2.improvmx.com Priority: 20
  5. Wait a few minutes for DNS records to propagate (shouldn't take too long, but you never know - 30 minutes max). Send a test mail (send it from an unrelated email address to be sure it's working) and it should show up in your inbox! Improvmx is quick and reliable :)
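
A quick way to confirm step 4 before sending the test mail, as an added example (not from improvmx or the original post): the Python below audits the output of `dig +short MX yourdomain` against the two records listed above and flags leftover MX records from an earlier mail setup. The sample outputs and the host `mail.old-host.example` are constructed.

```python
# Added example: audit `dig +short MX <domain>` output against the two
# records listed in step 4. The sample outputs below are constructed.

EXPECTED = {"mx1.improvmx.com": 10, "mx2.improvmx.com": 20}  # from step 4


def parse_mx(dig_output):
    """Parse 'priority host.' lines into (host, priority) pairs."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blanks and anything that is not an MX answer
        records.append((parts[1].rstrip(".").lower(), int(parts[0])))
    return records


def audit_mx(dig_output):
    """Return a list of findings; an empty list means the setup matches."""
    found = dict(parse_mx(dig_output))
    findings = []
    for host, prio in EXPECTED.items():
        if host not in found:
            findings.append(f"missing MX: {host}")
        elif found[host] != prio:
            findings.append(f"{host}: priority {found[host]}, expected {prio}")
    for host, prio in found.items():
        if host not in EXPECTED:
            # Senders may deliver to any listed MX host, trying lower
            # priority numbers first, so an extra host can receive mail
            # that was meant for the forwarder.
            findings.append(f"unexpected MX: {host} (priority {prio})")
    return findings


# Constructed samples: a clean zone, and one with a leftover record.
GOOD = "10 mx1.improvmx.com.\n20 mx2.improvmx.com.\n"
STALE = "5 mail.old-host.example.\n10 mx1.improvmx.com.\n"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("STALE", STALE)):
        print(name, audit_mx(sample) or "ok")
```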

All geeky happiness aside, this solution has one glaring deficiency: you can't easily send mail from your burner email addresses. Sending mail needs an SMTP server and while these used to be common a few years ago, they aren't any more (for a good reason - SMTP servers open to 3rd party domains are the easiest target to bounce spam mail off!). My own solution is to set up an SMTP server on my own machine, dynamic dns aka ddns (namecheap comes with ddns support and a "beta" client, not bad!), port forwarding on my router, and finally point my gmail to it. And only turn it on when I need to send a mail - because I don't want spammers to be taking advantage of my pc! This is definitely not for the faint-hearted/technologically challenged, and definitely not as easy as getting incoming mail set up. There are easier ways to do this, but these aren't free, so I haven't bothered trying them out.

Either way, that's it for now. I might write the SMTP/outgoing mail guide later, and I definitely need to write up the bit where you can point your domain and custom subdomains to your blog(s) - probably more for myself than anyone else.

Have fun and stay safe!

Saturday, September 19, 2020

paypal scam/security issue: you could be billed by merchants you've terminated your agreement with!

Paypal users:

Turns out some sellers add themselves as pre-approved billers and don't/can't remove themselves when you cancel your membership/billing agreement. You have to remove it yourself, or they could charge your paypal in the future without any advance warning. Your only clue would be a notification that the money has already been deducted from your paypal, and at that point you cannot decline/reverse the transaction by yourself.

To prevent that, remove unwanted billers from the following link:

When I checked today, I had a couple of merchants on the list who I have not used in years, and am personally aware of merchants who have fraudulently charged people I know in the last couple of days.

Paypal refuses to entertain any complaints regarding merchants if they're on the list - their argument is that you have agreed to be billed by the merchant, so any problems are now between you and the merchant. Paypal has also said that the agreement can only be ended if agreed by the user AND the merchant, which leaves the feature wide open for abuse.

The feature of being able to view pre-approved billers is new to paypal even though having pre-approved billers is an old thing. It could be that paypal added the feature in response to complaints, but their handling remains poor. Please take care of yourselves by removing billers from the list, or you might be faced with a lengthy fight to get your money back! If the balance was deducted from paypal itself you're out of luck. If it was deducted from your credit card you still have hope as you can raise a dispute there.

ps: special shout out to past users of Shaw academy (www.shawacademy.com), as they recently did this (deduct money from people who had canceled their memberships over a year ago)

Friday, October 07, 2016

security #fail

warning: long post ahead. summary at the end.

recently, I received a call from HDFC bank, from someone who claimed to be my "personal banker". I was wondering why, because I used to have a personal banker long ago, but he suddenly disappeared off the scene, and I honestly didn't miss him one bit, because there's nothing I need a personal banker for.

in fact, that guy prompted me to once tweet that "a personal banker is a salesman you're forced (or was it obliged? I don't remember) to be nice to 😁"

so this well spoken lady claiming to be my personal banker introduced herself and asked me to save her number and whatnot. and then she said that she could see I was eligible for a credit limit enhancement on my credit card. I have no idea why anyone would offer me that, as I don't even use that card. but apparently your credit limit contributes to your credit score, and it's always good to have a good credit score. or maybe I was simply in a good mood and wasn't too occupied with work that day. either way, I agreed. she said that I would receive an OTP on my mobile, which I would have to key into the IVR. sounded legit.

the IVR switched on, it asked me to enter my card number. when done, it asked me to enter my OTP. since the OTP was on my phone, and I was on the call, it took a few seconds to switch apps and read the number, memorize it, switch back and dial it. and HDFC somehow expected me to be super quick, so the IVR exited before I could dial it in. the lady was back on the line. she said I took too long, so I would have to try again. she launched the IVR again. I entered my card number. it then asked me to enter my OTP. and then I heard my "personal banker"'s voice, asking me to hurry.

WHAT?!!

I was too shocked to respond.

she was on the line with the IVR, had already heard my card number, and was about to hear my OTP!

I was literally shell shocked. I thought I was this close to being scammed. if she hadn't spoken, I'd have been a goner (metaphorically speaking).

the IVR exited, I regained my composure, and asked her why she was on the line. I told her that I was extremely uncomfortable with this and did not want to go ahead with it. she was polite, but it was clear that she didn't understand my concern. I tried explaining as well, but she was like "I can only hear beeps, not the actual number"

she obviously didn't know how tone dialing (or indeed, IVR systems) work.

I gave up and made an excuse and hung up.

I didn't really need the limit upgrade, but she had set my mind working. is there any way to verify that this is or is not some sort of scam? I thought hard, and the only thing I could come up with was the HDFC official call center. so I dialed in, and of course I had to enter my authentication details on the IVR, something I have done scores of times before, but which got me thinking this time. anyway, I guess the number listed on my card and the website had to be trusted, I hoped.

I finally got someone on the line. I asked her if I was eligible for a credit limit upgrade. she affirmed. I asked her to confirm my current and new limit. it matched what I was told earlier. she told me I would be sent an OTP and would then be put on the IVR. so far, the story matched. I had just one last point to confirm. I asked her if she would be on the line while I entered my details.

she said she would.

this time, I didn't bother arguing. I had called HDFC on their listed number, so unless an extremely well engineered scam was in place, I should be safe.

the transaction went through, I got a message from HDFC confirming that my request was accepted etc.

I called my "personal banker" to let her know that I had done the upgrade by calling phone banking, as I was not comfortable entering my OTP on an inbound call. she still didn't understand, but I didn't care.

I haven't heard from her ever since. but I did get a call the other day from a guy who also claimed to be my personal banker. I told him I already have one, and he insisted that he was my real personal banker from the head office, while the other person must have called from some branch.

I'm pretty sure he's not from the head office, because he wants to meet me in person now. I'm just bracing myself for more insecure bullshit and another attempt to sell me something I don't need.

anyway, TL;DR:

do not enter personal details on IVR. especially on an inbound call. if it's an inbound call, selling you something you want, find a way to get to the same offer from an outbound call to a verified number. do all due diligence to verify the outbound number. and never accept an outbound number that's given to you by the caller. they are bound to make excuses to avoid this, but be firm.

do not assume any IVR is secure. those "beeps" are the keys of your keypad being transmitted across. anyone listening will know what you have entered. so be wary.

and whenever you come across a bank legitimately forcing or inducing you to do these things, give them feedback that this is not acceptable.
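
Why "I can only hear beeps" is no protection, as an added example that is not part of the original post: each keypad beep is a standard pair of DTMF frequencies, and the Python below synthesizes the tones for a made-up OTP and recovers the digits from the audio alone with the Goertzel algorithm. The OTP value and the tone timings are constructed for the demonstration.

```python
import math

RATE = 8000                      # telephone-quality sample rate (Hz)
ROWS = (697, 770, 852, 941)      # standard DTMF row frequencies
COLS = (1209, 1336, 1477, 1633)  # standard DTMF column frequencies
KEYS = ("123A", "456B", "789C", "*0#D")


def tone(key, ms=60):
    """Synthesize the two-frequency tone a keypad sends for one key."""
    r = next(i for i, row in enumerate(KEYS) if key in row)
    c = KEYS[r].index(key)
    n = RATE * ms // 1000
    return [0.5 * math.sin(2 * math.pi * ROWS[r] * t / RATE)
            + 0.5 * math.sin(2 * math.pi * COLS[c] * t / RATE)
            for t in range(n)]


def keypad_audio(digits, ms=60, gap_ms=40):
    """Audio for a digit string: one tone per key, silence in between."""
    silence = [0.0] * (RATE * gap_ms // 1000)
    return [s for d in digits for s in tone(d, ms) + silence]


def power(samples, freq):
    """Goertzel algorithm: signal power at one frequency."""
    k = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + k * s1 - s2, s1
    return s1 * s1 + s2 * s2 - k * s1 * s2


def decode_key(samples):
    """Pick the strongest row and column frequency and map them to a key."""
    r = max(range(4), key=lambda i: power(samples, ROWS[i]))
    c = max(range(4), key=lambda i: power(samples, COLS[i]))
    return KEYS[r][c]


def decode(audio, ms=60, gap_ms=40):
    """Recover the keys from audio laid out as keypad_audio() produces it."""
    step = RATE * (ms + gap_ms) // 1000
    n = RATE * ms // 1000
    return "".join(decode_key(audio[i:i + n]) for i in range(0, len(audio), step))


if __name__ == "__main__":
    print(decode(keypad_audio("482916")))  # constructed OTP
```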

(ps: have you come across any other such suspicious things? let me know in the comments, I'll be happy to vet and write up about them!)
