Adding Plus Sign and Tag to Email Address May Help Identify Source of (Spam/Junk) Emails


I’ve noticed several commenters using emails formatted as [email protected] or [email protected] while posting comments on CNX Software blog. I just thought they were using some specific email accounts or some forwarding technique to receive emails, and I did not investigate further, but by chance I came across the reason on reddit this morning:

It’s just another character that can be in an email address. For example, [email protected], [email protected], [email protected], and [email protected] are all completely different email addresses.

However, Gmail will ignore a + and everything after it in the username portion of an email address, so [email protected], [email protected], and [email protected] will all go to [email protected]’s inbox. This is acceptable because Google does not allow + in its login names. Many people use this property to identify the source of an email.

So I could not resist trying by sending myself an email by adding +source1 to my username, and I did receive the email to my inbox as if I had not added the plus sign and “source1” tag/string.


I’m using Gmail for cnx-software.com emails, but I also tried with Hotmail, and it worked too. Another reddit commenter mentioned that it’s actually part of the RFC5233 standard, but not all email providers support it.

This can be used to trace the source of email. For example, if you’ve commented on this blog only with “[email protected]”, and some day you receive an email entitled “Nose Enlargement Program” with that exact email address, that will either mean that the whole purpose of CNX Software blog was always to gather email addresses for nefarious purposes, or that the blog was somehow hacked and others took the opportunity. It’s not exactly 100% reliable as spammers who want to hide their source could easily remove any “+tag” string from their email database(s).
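The tracing idea above, as an added example that is not part of the original post: it reads the recipient headers of a message, extracts the +tag, and looks it up in a ledger of tags handed out per site. The mailbox alice@example.com, the ledger, the sample messages, and the assumption that the tagged address is visible in the To, Cc or Delivered-To header are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

MAILBOX = "alice@example.com"                      # hypothetical mailbox
ISSUED = {"cnxblog": "cnx-software.com comments"}  # hypothetical ledger: tag -> site

# Constructed sample messages, not real mail.
SAMPLES = [
    "To: Alice <alice+cnxblog@example.com>\nSubject: Nose Enlargement Program\n\nhi\n",
    "To: alice@example.com\nSubject: Nose Enlargement Program\n\nhi\n",
    "To: promo@example.net\nDelivered-To: alice+shop42@example.com\n\nhi\n",
]

def split_tag(address, mailbox, separators="+"):
    """Return the tag, '' if the address is the bare mailbox, None if not ours."""
    local, _, domain = address.rpartition("@")
    mb_local, _, mb_domain = mailbox.rpartition("@")
    if domain.lower() != mb_domain.lower():
        return None
    local, mb_local = local.lower(), mb_local.lower()
    if local == mb_local:
        return ""
    for sep in separators:
        if local.startswith(mb_local + sep):
            return local[len(mb_local) + 1:]
    return None  # e.g. alicia@example.com: same prefix, different user

def trace_source(raw_message, mailbox=MAILBOX, issued=ISSUED):
    """List the site(s) whose tag appears in the message's recipient headers."""
    msg = message_from_string(raw_message)
    values = []
    for name in ("To", "Cc", "Delivered-To"):
        values += msg.get_all(name, [])
    found = set()
    for value in values:
        # Parse each header on its own so one malformed value cannot hide the rest.
        for _, addr in getaddresses([value]):
            tag = split_tag(addr, mailbox)
            if tag is None:
                continue
            if tag == "":
                found.add("untagged")  # tag never used, or stripped by the sender
            else:
                found.add(issued.get(tag, "unknown tag: " + tag))
    return sorted(found)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(trace_source(sample))
```

An "untagged" result is the case the post warns about: it cannot distinguish an address that was never tagged from one whose tag was removed before sending.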

KR

Periods (dots) are also ignored. Like, [email protected] = [email protected]. Handy for opening a mule account for Path of Exile since GGG allows multiple accounts per user but not per email address.

agumonkey

@KR

I believe it’s triggering a bug on Android’s Gmail client, the name suggestion field is filled with u.s.e.r…na…. user….na… I sense some too quick procedural generation function that didn’t account for Gmail’s lax syntax.

Sander

I have been using this method (random dots, plus something after the plus) for years. It works, but with two problems:
– some sites do not accept a mail address with plus: “not a valid mail address” 🙁
– other sites do accept the mail address with a plus, but then you never receive a mail. My electricity had that problem. Probably a website that accepts the mail address, but some back-end system that can’t handle it.

chrisq

The + or dots might cause problems as indicated in messages above.
A better solution, if you have your own domain, is to have a “catch all” subdomain, those always work.
Basically you set up the mail server to forward anything subdomain.yourdomain.com to a specific mailbox.

Theguyuk

Another method is to use different tag names to call yourself per site.

Theguyuk

TheguyGB

TheUKguy

And many other changes

Any personalised spam stands out as a sore thumb.

JotaMG

KR :
Periods (dots) are also ignored. Like, [email protected] = [email protected]. Handy for opening a mule account for Path of Exile since GGG allows multiple accounts per user but not per email address.

Sorry, but you’re wrong on that.
They are different accounts.

Paul Mansfield

I’ve been doing that for years

Slackstick

How long until spammers catch up and just remove + and following?

Cyprien

As owner of my domain.com and admin of my MX mail server, I added – as separator too. That way [email protected] arrives in user’s mailbox. I did that after many sites refusing the + sign…

John S.

I first encountered this about 15 years ago, when some MTA/MDA software I set up had default support for a minus as a separator. That was really great, every site in the world supports addresses of the form ‘[email protected]’. When Gmail came out and I moved to them, their decision to go with a ‘+’ was actually one of the most annoying differences. It really is hit or miss whether a site will accept an address in that form.

I’ve now switched to a commercial provider (fastmail), and one nice thing is they let you set it up so you can use [email protected] as an email address (which gets rewritten to [email protected] and then [email protected] as it’s delivered), which is much easier to get sites to accept.

@JotaMG: I don’t know if it accepts any form of the username for logging in, but it certainly ignores any and all periods for mail delivery. [email protected], [email protected], and user…..n..am…e……[email protected] will all be delivered to the same account. I don’t know if gmail applies the same rules to their other domain aliases or hosted domains, though. I sometimes use the ‘.’ trick for my gmail address too, but there’s only so many variations you can do on that and it’s hard to remember what service ‘user…name’ was given to vs. ‘user..name’ if you’re trying to identify spam.

John S.

Speaking of spam and comment threads/forums, here’s a gotcha: The gravatar URLs for everybody’s avatars are just md5 hashes of their email addresses. So if you use a unique email address form for every site, you would have to upload a gravatar for every email address form (if you wanted one).

And while a blog/forum having a gravatar link is not *quite* the same as publishing everyone’s email address, it sort of is. It provides an oracle for guessing a person’s email address, which is already a fairly constrained space (e.g. 50% of correct answers probably end with @gmail.com).

willmore

@JotaMG, nope, they’re correct. Periods in the username portion of the email address are ignored by gmail. I’ve used them for broken sites that don’t accept +.

@cnxsoft, Using the + sign to detect spam or at least the source of spam addresses isn’t the only use! gmail lets you use it for filtering emails into folders. Ever had a mailing list that had poorly formatted headers and you couldn’t find a way to filter it into its own folder? Subscribe with a +brokenlist email address and use that to filter.

KR

@JotaMG

It’s specific to gmail’s email server. I think I remember seeing similar optional settings for postfix and possibly exim4 though I can’t be sure.

Anyhow, plus is often disallowed by default either by some regex, javascript or even the PHP\C\C++ side of the servers since it’s used in SQL injections. Dot, however, can’t be defaulted off since it’s necessary as decimal point so it’s not uncommon to see only the client side regex typically prohibits it.

JotaMG

KR, willmore
Yes, you are right, I didn’t know that, thanks!

iamfrankenstein

I really love my own server for this. I have 2 domains and can use every email address on them.
Added bonus that the POP3/IMAP client is only accessible through a VPN adding a nice security barrier. This VPN connection also works as a proxy for mobile devices. Using UDP on port 53 even helps to bypass some bandwidth restrictions.

Bit of a headache to set up though, I felt a bit like Alice going down the rabbit hole.