[BBLISA] sender-specific addresses

Steven M Jones bblisa-in at crash.com
Tue May 21 19:10:55 EDT 2013 

On 05/21/2013 03:19 PM, Tom Metro wrote:
> I used sender-specific addresses back in the 1990s, but migrated to the
> equivalent using address extensions in the 2000s. It works great, as you
> describe, and is a great way to spot when a vendor has had a breach and
> their customer database downloaded by hackers/spammers. (Also makes it
> trivial to spot phish emails, that get directed at publicly exposed
> address, and not the vendor-specific ones.)

I've done this as well, but in my opinion the most common cause of such 
"leakage" is that the site/vendor has "monetized" your information by 
selling profiles and addresses to third parties...


> The big problem with the user+extension at example.com format is that it
> appears some newb who didn't understand RFCs wrote an email validation
> library in the early 2000s which incorrectly believes the "+" character
> is invalid, and about 50% of web sites use it or a derivative. (I'm
> guessing a PHP library.)

Hallelujah! I've filed dozens of complaints with different websites and 
vendors on this very point. So far as I'm aware none of corrected the 
situation; worse, many companies who are happily sending me email via 
"+" detail addresses, have changed their websites or validation routines 
subsequently and reject such addresses.

This points up another advantage of running your own mail server - 
unlimited aliasing. In fact I have one domain that will rewrite vast 
categories of addresses to my actual address in another domain, so that 
I can use almost anything on the fly when I'm interacting with an 
application or website. (So far there's been no problem with spam to 
random addresses being accepted.)


> (A secondary bug that is also common is when an address gets embedded in
> a URL, such as with an unsubscribe link, and the code generating the
> email fails to URL encode the address, resulting in the "+" character
> turning into a space. But if you spot this, its easy to work around by
> manually inserting the escape code.)

This reminds me of another problem -- websites that require you to use 
your email address to login, but reject a "+" during validation prior to 
looking anything up. This caused me to abandon my 8 year old Ofoto/Kodak 
Gallery account when it was purchased by Shutterfly...

--Steve.

More information about the bblisa mailing list