Adding Plus Sign and Tag to Email Address May Help Identify Source of (Spam/Junk) Emails

I’ve noticed several commenters using emails formatted as [email protected] or [email protected] while posting comments on CNX Software blog. I just thought they were using some specific email accounts or some forwarding technique to receive emails and did not investigate further, but by chance I came across the reason on reddit this morning:

It’s just another character that can be in an email address. For example, [email protected], [email protected], [email protected], and [email protected] are all completely different email addresses.

However, Gmail will ignore a + and everything after it in the username portion of an email address, so [email protected], [email protected], and [email protected] will all go to [email protected]’s inbox. This is acceptable because Google does not allow + in its login names. Many people use this property to identify the source of an email.

So I could not resist trying by sending myself an email by adding +source1 to my username, and I did receive the email to my inbox as if I had not added the plus sign and “source1” tag/string.


I’m using Gmail for cnx-software.com emails, but I also tried with Hotmail, and it worked too. Another reddit commenter mentioned that it’s actually part of the RFC 5233 standard, but not all email providers support it.

This can be used to trace the source of an email. For example, if you’ve commented on this blog only with “[email protected]”, and some day you receive an email entitled “Nose Enlargement Program” sent to that exact email address, that will either mean that the whole purpose of CNX Software blog was always to gather email addresses for nefarious purposes, or that the blog was somehow hacked and others took the opportunity. It’s not exactly 100% reliable, as spammers who want to hide their source could easily remove any “+tag” string from their email database(s).
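The tracing idea above, as an added example that is not code from this post: it reads the recipient headers of a received message, pulls out the “+tag”, and compares the sender's domain with the site that tag was handed to. The tag registry, the example.com addresses and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed registry (assumption): the tag you gave to each site when signing up.
ISSUED_TAGS = {"cnx": "cnx-software.com", "shop": "shop.example"}

def split_subaddress(address, separator="+"):
    """Split user+tag@domain into (user@domain, tag); tag is None if absent."""
    local, _, domain = address.strip().lower().rpartition("@")
    user, sep, tag = local.partition(separator)
    return f"{user}@{domain}", (tag if sep else None)

def trace_source(raw_message, my_address, issued=ISSUED_TAGS):
    """Report which issued tag a message arrived on and whether the sender matches it."""
    msg = message_from_string(raw_message)
    senders = getaddresses(msg.get_all("From", []))
    sender_domain = senders[0][1].rpartition("@")[2].lower() if senders else ""
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    tag = None
    for _, addr in getaddresses(headers):
        base, found = split_subaddress(addr)
        if base == my_address.lower() and found:
            tag = found
            break
    if tag is None:
        verdict = "untagged"      # tag stripped, or address learned elsewhere
    elif tag not in issued:
        verdict = "unknown-tag"   # a tag you never handed out
    elif sender_domain == issued[tag] or sender_domain.endswith("." + issued[tag]):
        verdict = "expected"      # the site you gave this tag to is writing to you
    else:
        verdict = "leaked"        # someone else obtained the tagged address
    return {"tag": tag, "issued_to": issued.get(tag), "sender": sender_domain, "verdict": verdict}

# Constructed sample messages (not real mail).
SPAM = (
    "From: Deals <promo@bulk-offers.example>\n"
    "To: user+cnx@example.com\n"
    "Subject: Nose Enlargement Program\n\nBuy now\n"
)
LEGIT = (
    "From: CNX Software <noreply@cnx-software.com>\n"
    "To: User <user+cnx@example.com>\n"
    "Subject: New reply to your comment\n\nHello\n"
)

if __name__ == "__main__":
    for sample in (SPAM, LEGIT):
        print(trace_source(sample, "user@example.com"))
```

The From header can be forged, so “expected” is only a hint, while “leaked” rests on the recipient address and is the stronger signal. “untagged” is the case where the tag has been stripped from the address, as mentioned above.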

15 Comments
KR
3 years ago

Periods (dots) are also ignored. Like, [email protected] = [email protected]. Handy for opening a mule account for Path of Exile since GGG allows multiple accounts per user but not per email address.

agumonkey
3 years ago

@KR

I believe it’s triggering a bug on Android’s Gmail client, the name suggestion field is filled with u.s.e.r…na…. user….na… I sense some too quick procedural generation function that didn’t account for Gmail’s lax syntax.

Sander
3 years ago

I have been using this method (random dots, plus something after the plus) for years. It works, but with two problems:
– some sites do not accept a mail address with plus: “not a valid mail address” 🙁
– other sites do accept the mail address with a plus, but then you never receive a mail. My electricity had that problem. Probably a website that accepts the mail address, but some back-end system that can’t handle it.

chrisq
3 years ago

the + or dots might cause problems as indicated in messages above.
a better solution, if you have your own domain, is to have a “catch all” subdomain, those always work.
basically you set up the mail server to forward anything subdomain.yourdomain.com to a specific mailbox.

Theguyuk
3 years ago

Another method is to use different tag names to call yourself per site.

Theguyuk

TheguyGB

TheUKguy

And many other changes

Any personalised spam stands out as a sore thumb.

JotaMG
3 years ago

KR :
Periods (dots) are also ignored. Like, [email protected] = [email protected]. Handy for opening a mule account for Path of Exile since GGG allows multiple accounts per user but not per email address.

Sorry, but you’re wrong on that.
They are different accounts.

Paul Mansfield
3 years ago

I’ve been doing that for years

Slackstick
3 years ago

How long until spammers catch up and just remove + and following?

Cyprien
3 years ago

As owner of my domain.com and admin of my MX mail server, I added - as separator too. That way [email protected] arrives in user’s mailbox. I did that after many sites refusing the + sign…

John S.
3 years ago

I first encountered this about 15 years ago, when some MTA/MDA software I set up had default support for a minus as a separator. That was really great, every site in the world supports addresses of the form ‘[email protected]’. When Gmail came out and I moved to them, their decision to go with a ‘+’ was actually one of the most annoying differences. It really is hit or miss whether a site will accept an address in that form. I’ve now switched to a commercial provider (fastmail), and one nice thing is they let you set it up so you can…

John S.
3 years ago

Speaking of spam and comment threads/forums, here’s a gotcha: The gravatar URLs for everybody’s avatars are just md5 hashes of their email addresses. So if you use a unique email address form for every site, you would have to upload a gravatar for every email address form (if you wanted one).

And while a blog/forum having a gravatar link is not *quite* the same as publishing everyone’s email address, it sort of is. It provides an oracle for guessing a person’s email address, which is already a fairly constrained space (e.g. 50% of correct answers probably end with @gmail.com).

willmore
3 years ago

@JotaMG, nope, they’re correct. Periods in the username portion of the email address are ignored by gmail. I’ve used them for broken sites that don’t accept +.

Using the + sign to detect spam or at least the source of spam addresses isn’t the only use! Gmail lets you use it for filtering emails into folders. Ever had a mailing list that had poorly formatted headers and you couldn’t find a way to filter it into its own folder? Subscribe with a +brokenlist email address and use that to filter.

KR
3 years ago

@JotaMG

It’s specific to gmail’s email server. I think I remember seeing similar optional settings for postfix and possibly exim4 though I can’t be sure.

Anyhow, plus is often disallowed by default either by some regex, javascript or even the PHP\C\C++ side of the servers since it’s used in SQL injections. Dot, however, can’t be defaulted off since it’s necessary as decimal point so it’s not uncommon to see only the client side regex typically prohibits it.

JotaMG
3 years ago

KR, willmore
Yes, you are right, I didn’t know that, thanks!

iamfrankenstein
3 years ago

I really love my own server for this. I have 2 domains and can use every email address on them.
Added bonus that the POP3/IMAP client is only accessible through a VPN adding a nice security barrier. This VPN connection also works as a proxy for mobile devices. Using UDP on port 53 even helps to bypass some bandwidth restrictions.

Bit of a headache to set up though, I felt a bit like Alice going down the rabbit hole.
