[BBLISA] sender-specific addresses
Steven M Jones
bblisa-in at crash.com
Tue May 21 19:10:55 EDT 2013
On 05/21/2013 03:19 PM, Tom Metro wrote:
> I used sender-specific addresses back in the 1990s, but migrated to the
> equivalent using address extensions in the 2000s. It works great, as you
> describe, and is a great way to spot when a vendor has had a breach and
> their customer database downloaded by hackers/spammers. (Also makes it
> trivial to spot phish emails, which get directed at the publicly exposed
> address and not the vendor-specific ones.)
I've done this as well, but in my opinion the most common cause of such
"leakage" is that the site/vendor has "monetized" your information by
selling profiles and addresses to third parties...
> The big problem with the user+extension at example.com format is that it
> appears some newb who didn't understand RFCs wrote an email validation
> library in the early 2000s which incorrectly believes the "+" character
> is invalid, and about 50% of web sites use it or a derivative. (I'm
> guessing a PHP library.)
Hallelujah! I've filed dozens of complaints with different websites and
vendors on this very point. So far as I'm aware none have corrected the
situation; worse, many companies who are happily sending me email via
"+" detail addresses have changed their websites or validation routines
subsequently and reject such addresses.
This points up another advantage of running your own mail server -
unlimited aliasing. In fact I have one domain that will rewrite vast
categories of addresses to my actual address in another domain, so that
I can use almost anything on the fly when I'm interacting with an
application or website. (So far there's been no problem with spam to
random addresses being accepted.)
> (A secondary bug that is also common is when an address gets embedded in
> a URL, such as with an unsubscribe link, and the code generating the
> email fails to URL encode the address, resulting in the "+" character
> turning into a space. But if you spot this, it's easy to work around by
> manually inserting the escape code.)
This reminds me of another problem -- websites that require you to use
your email address to login, but reject a "+" during validation prior to
looking anything up. This caused me to abandon my 8 year old Ofoto/Kodak
Gallery account when it was purchased by Shutterfly...
--Steve.
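As an added illustration (not code from the thread or from any library it mentions), the two bugs side by side in Python: a validator that wrongly rejects "+" next to one that accepts the RFC 5322 dot-atom local part, a canonical form so a login lookup still finds the account, and an unsubscribe link built with and without URL encoding. The regexes are simplified (quoted local parts are not handled) and the addresses are constructed.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# The broken pattern the thread describes: the local part may only use a
# handful of characters, so "+" detail addresses are refused.
BUGGY_LOCAL = re.compile(r"^[A-Za-z0-9._-]+$")

# Simplified RFC 5322 dot-atom local part: runs of "atext" joined by dots.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
RFC_LOCAL = re.compile(rf"^{ATEXT}(?:\.{ATEXT})*$")
# Simplified hostname: one or more labels followed by an alphabetic TLD.
DOMAIN = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")


def split_address(addr):
    local, sep, domain = addr.rpartition("@")
    return (local, domain) if sep else (None, None)


def naive_is_valid(addr):
    """The validator the thread complains about: rejects user+tag@example.com."""
    local, domain = split_address(addr)
    return local is not None and bool(BUGGY_LOCAL.match(local)) and bool(DOMAIN.match(domain))


def is_valid(addr):
    """Accepts any dot-atom local part, "+" sub-addressing included."""
    local, domain = split_address(addr)
    if local is None or len(local) > 64 or len(addr) > 254:
        return False
    return bool(RFC_LOCAL.match(local)) and bool(DOMAIN.match(domain))


def canonical(addr):
    """Drop the +tag and lower-case the domain so a login lookup matches
    jane@ and jane+shop@ to one account (assumes "+" is the delimiter)."""
    local, domain = split_address(addr)
    return f"{local.split('+', 1)[0]}@{domain.lower()}"


def unsubscribe_url(addr, encode=True):
    """Build the unsubscribe link; encode=False reproduces the second bug."""
    value = quote(addr, safe="") if encode else addr
    return f"https://example.com/unsubscribe?email={value}"


def address_seen_by_server(url):
    """What a typical query-string parser hands the unsubscribe handler:
    a raw "+" in the query decodes to a space, "%2B" decodes to "+"."""
    return parse_qs(urlsplit(url).query)["email"][0]
```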