Add wildcard support for spamgourmet addresses
Spamgourmet.com allows a user to create disposable email addresses on the fly. That way a unique email address can be used for each web site you sign up for. The structure of an address is identifier[.##].email@example.com, where the identifier can change per site and [.##] is an optional max number of emails you want to receive. Because a different address is used for each site it is currently impossible to query HIBP for breaches of all sub-addresses, like *.firstname.lastname@example.org. Allowing wildcard search and notification for spamgourmet addresses (or its many alias domains) would enable users to check on any of their disposable addresses.
While I'd like this too, there is the complication that spamgourmet owns many domains. I don't use *.email@example.com, but rather *.me@<other-spamgourmet-domain>.net.
There was at one time the ability to use one's own domain as a spamgourmet domain (see their FAQ). I did contact the dev's to let me use one of my domains, but I didn't get any response.
While Troy has positioned this service as free, perhaps his "number crunching" could come out differently if this particular use-case were a paid feature. It probably shouldn't be THAT hard, although it's complicated by the fact that e-mail providers offering this capability are using different delimiter characters and it looks like some add the extension *before* the base e-mail name while others add it *after*.
But the people who make use of these aliasing features have demonstrated a higher-than-average personal priority on managing spam, privacy, and security, and would probably be willing to pay a modest amount. If Troy recommended this approach to his users, that might increase its use and increase the number of people wanting to use it as a paid premium service here.
I take a slightly more time-consuming approach, which DOES work with HIBP: I have a personal domain registered with a domain registrar that offers unlimited e-mail aliases on registered domains. So for any websites that are at all sensitive or that I plan to use frequently, I create a unique e-mail @ my personal domain. For one-offs I use generic temporary addresses that change periodically. (Example: To submit this comment, I will enter my unique e-mail for UserVoice in the e-mail box below the comment-entry box!)
IT should work now! commented
This was discussed at length in another thread requesting similar for gmail's use of + in their addresses. I'd love it too as I use a different <email>+<sitename>@gmail.com for every website I register on.
Troy's feedback was he's crunched the numbers and can't justify the commitment of time given the low % of addresses using the convention mentioned.
It's a shame because I have to consider re-naming all my accounts with the vanilla address so that I can find (and be notified of) the address in a breach.
JoeBloggs probably uses firstname.lastname@example.org for linked in and email@example.com for facbook. In fact, Joe probably doesn't even remember all the email addresses of this form he has given out.
Not quite sure what you are suggesting.