Comment by jowea

1 year ago

I heard about the +, but don't some sites reject it? Or can't bad actors just strip it? You'd need your own domain with a large amount of unique identifiers for it to work if it became popular.

I find it quite rare for systems to reject the + these days. One notable exception is my credit union, whose Web 1.0 system turned it into a space. The most annoying thing about this practice is if you're telling it to a human, they are very confused about your email address having their company's name in it. I occasionally get "do you work here or something?" Every once in a while I'm talking to someone (example: elementary school secretary) who gives me a vibe that they're going to be really thrown off by this and I just make up a three letter unique code for a suffix since I can still search for whoever sent me that first to see what the suffix means.

On the stripping of the + and suffix, yeah, bad actors who recognize your scheme can do that, but spamming is about quantity, not quality, so they just aren't going to put in the effort.

  • Spamming is about quantity but stripping a "+" is something a one line script can do, which is what will happen if this gets popular. A real solution should be more resilient. Like spam binning anything that does not use the "+" ?

    • Well, I've always thought it would be fairly easy to strip, but I've now been doing it for 25 years and it's obvious the spammers aren't going to go to even that small effort. I once heard the CEO of WordPress say that it would be easy for them to go after adblockers too, but they explicitly didn't because the userbase that went to the trouble of installing adblockers didn't tend to be a lucrative advertising demographic anyway. It's all about return on your investment.

  • unfortunately, i disagree; i stopped using plus sign addressing because so many sites i wanted to use it on (many of them for important things like medical stuff) wouldn't accept it

I still miss qmail's convention, which used a - instead. That worked flawlessly everywhere, circa early 2000s.

(I still have some email handling rules for my domain that understand the - aliases I created.)

I think that both conventions are flawed, as adversaries that know the convention can just remove the distinguishing part. If someone signs up with the email address real+spam@example.com, then they're just going to spam real@example.com. Apple's thing where it creates a987dfc429be@icloud.com is much better. Maybe that's the username I selected. Maybe it's an anti-spam forwarding address. There is no way of knowing. (Actually, I think it does something like relay.icloud.com? So yeah, they know it's not your real address. Apple just says "if you reject this, you can't have an iPhone app", which is what makes it work.)

  • Following my navel gazing idea, the trick is that mail to real@example.com just gets spam binned automatically. Anyone who has any business emailing you should have a real+randomuniqueid@example.com email address to send to you. It's almost like the randomuniqueid is a password to your inbox.

    Unfortunately, this is only for email; there's no such thing for phones or anything.
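An inbound filter implementing the "suffix as password" policy from the comment above, written as an added example (not code from anyone in this thread). It assumes a mailbox `real@example.com` and a constructed table of suffixes issued per sender; the bare address and any unknown suffix are binned, and a stripped suffix (the attack discussed earlier in the thread) therefore lands in spam rather than the inbox.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# user+suffix@domain; the suffix is optional and may itself contain '+'.
# Lowercasing the local part is a policy choice (RFC-wise it is case-sensitive).
ADDRESS_RE = re.compile(r"^([^+@]+)(?:\+([^@]+))?@([^@]+)$")

# Constructed sample: one random suffix handed out per correspondent, so a
# leaked suffix also tells you who leaked it.
ISSUED: Dict[str, str] = {
    "k7q2zp": "bank",
    "m3x9rt": "newsletter",
}


@dataclass(frozen=True)
class Verdict:
    action: str                 # "inbox" or "spam"
    reason: str
    issued_to: Optional[str] = None


def parse_address(addr: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Split an address into (user, suffix, domain); suffix is None if absent."""
    m = ADDRESS_RE.match(addr.strip().lower())
    return m.groups() if m else None


def classify(rcpt: str, issued: Dict[str, str],
             real_user: str = "real", domain: str = "example.com") -> Verdict:
    """Decide where mail addressed to rcpt goes under the suffix-as-password policy."""
    parsed = parse_address(rcpt)
    if parsed is None:
        return Verdict("spam", "unparseable recipient")
    user, suffix, dom = parsed
    if dom != domain or user != real_user:
        return Verdict("spam", "not our mailbox")
    if suffix is None:
        # The bare address was never given to anyone, so this is either a
        # guess or someone who stripped the suffix.
        return Verdict("spam", "bare address is never handed out")
    owner = issued.get(suffix)
    if owner is None:
        return Verdict("spam", "unknown suffix")
    return Verdict("inbox", "known suffix", owner)


if __name__ == "__main__":
    for rcpt in ("real+k7q2zp@example.com", "real@example.com", "real+guess@example.com"):
        print(rcpt, "->", classify(rcpt, ISSUED))
```

Revoking a leaked suffix is just deleting its key from the issued table, which is the operational advantage over a single bare address.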

  • A certain tongue-in-cheek email provider [0] uses . (a dot) for this purpose, i.e. username.anything@domain.tld. Spammers could remove the distinguishing part here too, but they can't be bothered to keep a list of all the conventions used by different providers, so I think it should work pretty well.

    (Personally I use a dedicated catch-all domain now, and the username is the distinguishing part – try to remove that!)

    [0]: https://cock.li/, they do have SFW domains though

  • Not all mail servers treat a+b@a.com and a@a.com as the same email.

    By equal token, you can't be sure that the email address doesn't actually just contain a plus sign.

    I was disappointed to find out at work recently that the plus convention was not configured. It made testing account signups more difficult. This is when I dug in a bit and found out that it depends on the mail server whether those are unique addresses or not.

  • > Apple's thing where it creates a987dfc429be@icloud.com

    Still trivial to detect. Random letter/number combinations, letter combinations that don't exist in the dictionary, no dictionary word? Pretty detectable.

    • Meh, some actual customer probably uses that as their email address. xXxreaperMainxXx69@gmail.com is probably a real address.