I’ve not blogged about it because, frankly, the code I’ve hacked together is embarrassing, hacky, and probably insecure, so I don’t want it published on the open Internet until I get a chance to improve it. And if you’ve seen some of the code I HAVE published on my blog, you’ll know that it must be especially bad for me to talk so ill of it! But here’s the skinny:

1. Set up a domain for “catch-all” email. If your domain was example.com, that means that anything@example.com, whatever the bit before the @, gets delivered to one mailbox. I’m using my domain registrar for this, but you could happily run Postfix and dump everything to an mbox or something.
2. Set up a script to filter your mail based on recipient address, and mark everything that fails the test as spam. This is the clever bit. I require that the bit before the @ sign either matches (a) a specific address in an allowlist, for legacy reasons, or (b) an address that matches a very specific format, detailed below. It also must NOT match (c) a blocklist of addresses I don’t want to receive mail to any more. I do (c) in code but I should move it to my MTA.
3. Write a userscript/browser plugin and/or other tool to help you generate addresses that match the format in (b), above, so you can come up with them on-the-fly.
4. Make the filtered output available to your mail client via SMTP/IMAP or whatever, so you can carry on using your usual tools (I love ProtonMail, maybe you like Gmail or whatever).

So, the magic format! I have a secret key (you could call it a salt, but unlike a salt it has to stay secret, because anyone who knows it can mint valid addresses). My protected email addresses are always of the form [string][hash]@example.com, such that [string] is any string (but I tend to use the name of the company I’m giving the address to, or some variant of it, eg including the current date if I might sign up multiple times), and [hash] is the first 8 characters of the result of concatenating [string] with my secret key and then running it through a hashing function (for this purpose, basically any will do: it doesn’t need to be collision-resistant, it only needs to be unpredictable to someone who doesn’t know the key. I’m using SHA1). Tada!

So when I sign up somewhere, I type eg “amazon” into a box, click a button in my browser, and it becomes eg “amazona1b2c3d4@example.com”, where “a1b2c3d4” is the first 8 characters of SHA1(“amazon” + my secret key), which nobody can reproduce without the key. That email address works, but if you change even a single character you get marked as a spammer. And to any machine it looks like a perfectly reasonable if unusual email address.
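Putting the generator (step 3) and the filter rule (step 2) together, here is an added example in Python. It is not the author’s unpublished code; it implements the format exactly as described above (first 8 hex characters of SHA1 of the label followed by the key), plus the allowlist and blocklist checks. The key, the allowlist entries, the blocked address and the sample recipients are all constructed for illustration. Two caveats the post glosses over: the local part is lower-cased before hashing, because some sites upper-case addresses and that would otherwise break the tag; and while the key-as-suffix construction here matches the post, HMAC-SHA256 would be the textbook way to build a keyed tag.

```python
import hashlib
import hmac
import os

DOMAIN = "example.com"
TAG_LEN = 8  # first 8 hex digits = 32 bits; plenty to stop blind guessing

# Constructed placeholder key. Use a long random value (e.g. secrets.token_hex(32)),
# keep it out of version control, and load it from the environment or a file.
SECRET_KEY = os.environ.get("TAGGED_MAIL_KEY", "constructed-example-key-change-me")


def tag(label: str) -> str:
    """First TAG_LEN hex chars of SHA1(label + key), as the post describes.

    Lower-casing first means a site that upper-cases the address does not
    turn a valid tag into one that fails the check.
    """
    label = label.lower()
    digest = hashlib.sha1((label + SECRET_KEY).encode("utf-8")).hexdigest()
    return digest[:TAG_LEN]


def make_address(label: str) -> str:
    """Step 3: what the browser button produces for a label like 'amazon'."""
    label = label.lower()
    return f"{label}{tag(label)}@{DOMAIN}"


# (a) legacy addresses that stay valid without a tag (constructed)
ALLOWLIST = {"me", "postmaster"}
# (c) previously valid addresses that should now be rejected (constructed)
BLOCKLIST = {make_address("oldshop")}


def classify(recipient: str) -> str:
    """Step 2: 'inbox' for a recipient that passes the test, else 'spam'."""
    local, _, domain = recipient.strip().lower().rpartition("@")
    if domain != DOMAIN or not local:
        return "spam"
    if f"{local}@{domain}" in BLOCKLIST:      # (c) beats everything else
        return "spam"
    if local in ALLOWLIST:                     # (a) legacy allowlist
        return "inbox"
    if len(local) <= TAG_LEN:                  # too short to carry a tag
        return "spam"
    label, candidate = local[:-TAG_LEN], local[-TAG_LEN:]
    # constant-time comparison so tag checking does not leak timing information
    if hmac.compare_digest(candidate, tag(label)):   # (b) the magic format
        return "inbox"
    return "spam"


def filter_mail(recipients):
    """Classify a batch of recipient addresses; returns [(address, verdict), ...]."""
    return [(r, classify(r)) for r in recipients]


if __name__ == "__main__":
    # Constructed sample recipients: a freshly generated address, a one-character
    # mutation of it, an allowlisted legacy address, a blocked one, and junk.
    good = make_address("amazon")
    mutated = good.replace("amazon", "amazom", 1)
    samples = [good, mutated, "me@example.com", make_address("oldshop"),
               "sales@example.com", "amazon@example.com", "whatever@other.example"]
    for addr, verdict in filter_mail(samples):
        print(f"{verdict:5}  {addr}")
```

Wiring this into delivery is the part the post leaves to you: the script can be run as a procmail/maildrop/Sieve-style filter on the catch-all mailbox, or the check can be moved into the MTA so that rejected addresses bounce at SMTP time instead of being accepted and binned.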

Some day I’ll publish some code. But for now that’s enough for an enterprising nerd to have a go!