4

It's pretty common among security-minded folks to fill in addresses using e.g. foo+company@gmail.com when disclosing their email address to company so that they can tell if company has sold their address if they start getting spam.

But is it just me, or is this pointless? It literally takes only one regex substitution to strip out the +company portion, and once that's done, the email address is bare. And from the point of view of a spammer, I don't see why this wouldn't be done.

Am I missing something? Is this actually effective? Why/why not?

user541686
  • 2,502
  • 2
  • 21
  • 28
  • Anecdotal, but I used to use `company.name@example.com` for all my purchases and found a few reputable companies had actually leaked my address to spammers (either intentionally or otherwise). However, as spam filters are now very effective I simply give each one the same general address. I use other addresses for important accounts to add a layer of protection against lax security habits of some merchants that may lead to [situations like this](http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/). – SilverlightFox Aug 16 '14 at 09:32
  • @SilverlightFox: That's good to know -- it's exactly what I've been trying to figure out, because I'm almost certain that the spam I've recently started receiving in my personal emails must have been leaked by some company somehow (and I have a guess what company this might be, but I have no proof). Kind of a tangent, but did you try to follow up with them and ask them how your email was disclosed by any chance? I'd be interested in knowing how they respond to these kinds of incidents. – user541686 Aug 16 '14 at 10:28
  • I did follow up, but they often denied all knowledge stating that they didn't sell addresses. – SilverlightFox Aug 16 '14 at 10:31
  • @SilverlightFox: That's unfortunate... though I guess I can't say I'm surprised. Good to know though, thanks. – user541686 Aug 16 '14 at 10:38
  • In most cases, any spammer would delete al `+` and `.` for gmail addresses, but in the event they don't, you may actually find who leaked your mail. As it doesn't cost you anything, it's worth the try. Also, it would help you order your inbox in case they change their `from` email or share it with some other companies. – NuTTyX Aug 16 '14 at 19:23
  • 1
    I don't use `username+foo@gmail.com` only for spam prevention. It is also very useful for building rules within my mailbox. **It is very effective for automatically sorting and filtering legitimate messages.** – Zoredache Aug 19 '14 at 00:00
  • SilverlightFox: Keep in mind that your email address could have been picked off and sold by any of the companies that operate any of the mail servers that the messages were relayed through. – mti2935 Jul 27 '15 at 10:50

3 Answers3

2

You're correct, the 'protection' is pointless against an adversary who's motivated enough to clean up their lists of email addresses. As pointed out by the OP, getting rid of +'s is trivial.

I've seen some security researchers (and others) create actual addresses instead, e.g. name.topic@... and setup aliases to their main address. The advantage is that you can use another primary address (not just name@...) and so you don't risk your actual address being found out and it's easier to revoke a spammy adress.

Steve Dodier-Lazaro
  • 6,798
  • 29
  • 45
  • +1, but mind you, "who's motivated enough" is a bit misleading because there isn't exactly a lot of motivation required for this. They've already spent the time required to scrape or otherwise acquire the emails, so the extra minute required to add a regex to the mix is peanuts. – user541686 Aug 16 '14 at 11:02
  • Oh indeed it is. :) – Steve Dodier-Lazaro Aug 16 '14 at 11:24
0

Apart from the fact that some sites don't allow email addresses that contain a + symbol (see this) it most certainly is not a perfect system and easily bypassed as you suggested. Luckily, given the fact that spammers tend to be a lazy bunch, in the majority of cases it should point you to the offending party.

Also, since "contactability" is quite important to them, they might not want to take the risk of modifying an address and I suspect the spammers care very little to protect the people they bought the addresses from (this is obviously assuming the spammers and email address farmers/sellers are two different parties).

What I find works much much better, since I host my own email on my domain, is to give out a unique address for every site/company I register at e.g. foobar@mydomain.com to FooBar Inc. and have a catch all account that catches all of these invalid addresses and forwards them on to my actual email address name@mydomian.com

Community
  • 1
ilikebeets
  • 2,646
  • 15
  • 21
  • 1
    I wish I had the time/energy to host my own domain. But anyway -- are spammers really that lazy? Spammers go through a whole ton of trouble to get people to read their emails (spoofing addresses, playing with the font sizes and colors, mixing punctuation in between letters to prevent filtering, etc.)... I can't see how taking an extra minute to automate the regex substitution would be an obstacle of any sort. The level of trouble necessary is basically zero... and not sure what the contactability risk is either, at least for well-known domains like Gmail. – user541686 Aug 16 '14 at 10:24
  • You make a good point. Maybe they aren't that lazy when it comes to subverting detection mechanisms. I suppose it's their spelling and grammar that makes me think they are lazy :P – ilikebeets Aug 16 '14 at 10:51
  • 2
    I remember reading (edit: [here's one of the many pages that explains this](http://spamspoiler.blogspot.com/2013/10/why-do-spammers-spell-so-badly.html)) that the spelling and grammar mistakes are intentional -- they want to make sure people who respond are unlikely to be the types of people who pay careful attention to thinks (and they want others to discard the emails). Pretty sure it's not a sign of laziness. – user541686 Aug 16 '14 at 10:58
  • Ah, I see what you did there ;) – ilikebeets Aug 16 '14 at 11:14
  • lol that was actually completely unintentional, but I'll happily take credit for it :P – user541686 Aug 16 '14 at 11:23
0

This is a good recipe but working only if you add another technical measure.

If you register foo+company@gmail.com as your E-mail, you have to protect yourself against stupid and advanced robots (the ones who don't know the use of +, and the ones who know how to try to lower this protection through strings rewriting).

You have to make foo@gmail.com a totally failing address.

This is a task you might achieve through Gmail filter rules.

This is also a task pretty easy to achieve if you are receiving your E-mail on a Unix machine running procmail as a delivery agent.

Thanks to this method I was able to diagnose which computer at Linkedin was corrupted and permitted the revocable E-mail I gave them to get stolen. I was able to report them this technical information (because their was only one account within their support team who had used it).

I then changed the uniq address I gave to them, and put in place a filter rule to block the stolen one.

dan
  • 3,033
  • 14
  • 34