Catch-all Email Addresses

The Situation

Catch-all email addresses are designed to "catch" any and all email sent to a particular website, and to do something smart with it once it arrives, such as forwarding it to a real email address for further processing. This was once a great idea, but that was before the Web was commercialized and became the playground of spammers (advertisers).

Because they are so useful, catch-all email addresses have become a favorite target of spam attacks. Spammers can and do send a blizzard of email messages to any potential email address on the Internet. Because sending email is almost without cost, they freely invent addresses to attack in the hope that something will stick. They often use sophisticated scripts to generate thousands of possible email addresses for each domain they target.

You do not need to see the spam for the spammer to gain important information about your site. When spammers receive a bounced email message from a target address, they know that address exists. It then becomes the target of further attacks. The result for you is more spam. Meanwhile your server's spam filter must work overtime to process the increased junk mail. Depending on the load, this can impact the performance of your website.

The Solution

At this time the best defense is to not use a catch-all email address. On higher-end services, catch-all email features are typically disabled by default, for both security and performance reasons.
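Before switching a catch-all off, it helps to know which of the addresses it has been receiving for are ones real correspondents use. The following is an added example, not part of the original page: it sorts catch-all traffic into published addresses, addresses tried by a sender that is guessing names, and leftovers worth reviewing. The input format, the sample data, the `PUBLISHED` set and the threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (sending client IP, recipient) pairs such as an admin
# might pull from mail logs. IPs are from documentation ranges.
SAMPLE_DELIVERIES = [
    ("203.0.113.5", "admin@example.com"),
    ("203.0.113.5", "webmaster@example.com"),
    ("203.0.113.5", "john@example.com"),
    ("203.0.113.5", "test@example.com"),
    ("203.0.113.5", "info@example.com"),
    ("198.51.100.7", "info@example.com"),
    ("198.51.100.7", "someone@other.example"),
    ("198.51.100.8", "billing@example.com"),
    ("198.51.100.9", "Sales@Example.com"),
]
PUBLISHED = {"info", "sales"}  # hypothetical addresses the site really uses


def audit_catch_all(deliveries, domain, published, guess_threshold=3):
    """Split catch-all traffic into published, guessed and to-review addresses."""
    domain = domain.lower()
    used_published = set()
    unknown_by_client = defaultdict(set)
    for client, rcpt in deliveries:
        local, _, rcpt_domain = rcpt.lower().rpartition("@")
        if rcpt_domain != domain or not local:
            continue  # other domain or malformed recipient
        if local in published:
            used_published.add(local)
        else:
            unknown_by_client[client].add(local)
    # A client that tries many different unpublished names is guessing addresses.
    guessers = {c for c, names in unknown_by_client.items()
                if len(names) >= guess_threshold}
    guessed, review = set(), set()
    for client, names in unknown_by_client.items():
        (guessed if client in guessers else review).update(names)
    return {
        "used_published": sorted(used_published),
        "guessing_clients": sorted(guessers),
        "guessed_addresses": len(guessed),
        # Unpublished names used only by non-guessing senders: possible real
        # correspondents, so consider a proper mailbox or alias for them.
        "review_before_disabling": sorted(review - guessed),
    }


if __name__ == "__main__":
    print(audit_catch_all(SAMPLE_DELIVERIES, "example.com", PUBLISHED))
```

Names listed under `review_before_disabling` are candidates for a real mailbox or alias, so that legitimate mail is not lost once the catch-all is disabled.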