I’ve noticed several commenters using emails formatted as [email protected] or [email protected] while posting comments on the CNX Software blog. I just thought they were using some specific email accounts or some forwarding technique to receive emails, and I did not investigate further, but by chance I came across the reason on reddit this morning:
It’s just another character that can be in an email address. For example, [email protected], [email protected], [email protected], and [email protected] are all completely different email addresses. However, Gmail will ignore a + and everything after it in the username portion of an email address, so [email protected], [email protected], and [email protected] will all go to [email protected]’s inbox. This is acceptable because Google does not allow + in its login names. Many people use this property to identify the source of an email.
So I could not resist trying by sending myself an email by adding +source1 to my username, and I did receive the email to my inbox as if I had not added the plus sign and “source1” tag/string.
I’m using Gmail for cnx-software.com emails, but I also tried with Hotmail, and it worked too. Another reddit commenter mentioned that it’s actually part of the RFC 5233 standard, but not all email providers support it.
This can be used to trace the source of an email. For example, if you’ve commented on this blog only with “[email protected]”, and some day you receive an email entitled “Nose Enlargement Program” sent to that exact email address, that will either mean that the whole purpose of CNX Software blog was always to gather email addresses for nefarious purposes, or that the blog was somehow hacked and others took the opportunity. It’s not exactly 100% reliable, as spammers who want to hide their source could easily remove any “+tag” string from their email database(s).
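The tracing idea above, as an added Python example (not code from the original post). The rule table, the tag registry and every address in it are constructed for illustration; the Gmail rule also folds dots, which commenters below describe, and the fallback rule for other domains is an assumption.

```python
from typing import NamedTuple, Optional

# Rules as described on this page: Gmail drops "+tag" and ignores dots.
# Any other domain falls back to "+" only, dots significant (assumption).
PROVIDER_RULES = {"gmail.com": {"separators": "+", "ignore_dots": True}}
DEFAULT_RULES = {"separators": "+", "ignore_dots": False}


class Subaddress(NamedTuple):
    mailbox: str         # address the message is actually delivered to
    tag: Optional[str]   # text after the separator, None when absent


def split_subaddress(address, rules_by_domain=PROVIDER_RULES):
    """Split user+tag@domain into the delivery mailbox and the tag."""
    local, at, domain = address.strip().rpartition("@")
    if not (at and local and domain):
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    rules = rules_by_domain.get(domain, DEFAULT_RULES)
    # The tag starts at the first separator; a leading separator is not a tag.
    hits = [i for i in (local.find(s) for s in rules["separators"]) if i > 0]
    cut = min(hits, default=len(local))
    user, tag = local[:cut], local[cut + 1:]
    if rules["ignore_dots"]:
        user = user.replace(".", "")
    # Assumption: the provider compares local parts case-insensitively.
    return Subaddress(f"{user.lower()}@{domain}", tag or None)


def trace_leak(recipient, my_address, issued_tags):
    """Say which registration an unsolicited message's recipient points to."""
    seen = split_subaddress(recipient)
    if seen.mailbox != split_subaddress(my_address).mailbox:
        return "not-mine"
    if seen.tag is None:
        return "inconclusive"   # untagged, or the sender stripped the tag
    return issued_tags.get(seen.tag, "unknown-tag")


# Constructed sample data: tags handed out, one per site.
ISSUED = {"cnx": "CNX Software comments", "shop1": "online shop"}
ME = "user.name@gmail.com"

if __name__ == "__main__":
    for rcpt in ("username+cnx@gmail.com", "u.ser.name@gmail.com",
                 "user.name+promo@gmail.com", "someone@example.org"):
        print(rcpt, "->", trace_leak(rcpt, ME, ISSUED))
```

An "inconclusive" result is the limitation noted above: once a sender strips the tag, the recipient address carries no information about where it was collected.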
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
Periods (dots) are also ignored. Like, [email protected] = [email protected]. Handy for opening a mule account for Path of Exile since GGG allows multiple accounts per user but not per email address.
@KR
I believe it’s triggering a bug on Android’s Gmail client; the name suggestion field is filled with u.s.e.r…na…. user….na… I sense some too-quick procedural generation function that didn’t account for Gmail’s lax syntax.
I have been using this method (random dots, plus something after the plus) for years. It works, but with two problems:
– some sites do not accept a mail address with plus: “not a valid mail address” 🙁
– other sites do accept the mail address with a plus, but then you never receive a mail. My electricity had that problem. Probably a website that accepts the mail address, but some back-end system that can’t handle it.
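The two failure modes in the comment above, as an added Python example (not code from any site mentioned here). `NAIVE` is a constructed pattern of the over-strict kind, and the query-string round trip shows one possible way a back end can lose the "+", which is an assumption rather than a diagnosis of the commenter's case; all addresses are constructed.

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed over-strict pattern: no "+" allowed, yet ".." slips through.
NAIVE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# RFC 5322 "atext": characters allowed in an unquoted local part.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
DOT_ATOM = re.compile(rf"[{ATEXT}]+(?:\.[{ATEXT}]+)*")
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_address(address):
    """Accept unquoted addresses: dot-atom local part, dotted DNS hostname."""
    local, at, domain = address.rpartition("@")
    # RFC 5321 size limits: 64 octets for the local part.
    if not at or len(local) > 64 or len(domain) > 253:
        return False
    if not DOT_ATOM.fullmatch(local):
        return False
    labels = domain.split(".")
    # Policy choice for a public sign-up form: require at least two labels.
    return len(labels) >= 2 and all(LABEL.fullmatch(l) for l in labels)


def survives_query_string(address, encode=True):
    """Round-trip the address through a URL query string.

    With encode=False the address is pasted in raw, and the decoder on the
    other side reads "+" as a space, so the stored address is wrong.
    """
    query = urlencode({"email": address}) if encode else f"email={address}"
    return parse_qs(query)["email"][0] == address


if __name__ == "__main__":
    for addr in ("user+tag@example.org", "user..name@example.org"):
        print(addr, "naive:", bool(NAIVE.fullmatch(addr)),
              "rfc:", is_valid_address(addr))
    print("raw query keeps '+':",
          survives_query_string("user+tag@example.org", encode=False))
```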
the + or dots might cause problems as indicated in messages above.
a better solution, if you have your own domain, is to have a “catch all” subdomain, those always work.
basically you set up the mail server to forward anything subdomain.yourdomain.com to a specific mailbox.
Another method is to use different tag names to call yourself per site.
Theguyuk
TheguyGB
TheUKguy
And many other changes
Any personalised spam stands out as a sore thumb.
Sorry, but you’re wrong on that.
They are different accounts.
I’ve been doing that for years
How long until spammers catch up and just remove + and following?
As owner of my domain.com and admin of my MX mail server, I added – as separator too. That way [email protected] arrives in user’s mailbox. I did that after many sites refusing the + sign…
I first encountered this about 15 years ago, when some MTA/MDA software I set up had default support for a minus as a separator. That was really great, every site in the world supports addresses of the form ‘[email protected]’. When Gmail came out and I moved to them, their decision to go with a ‘+’ was actually one of the most annoying differences. It really is hit or miss whether a site will accept an address in that form. I’ve now switched to a commercial provider (fastmail), and one nice thing is they let you set it up so you can…
Speaking of spam and comment threads/forums, here’s a gotcha: The gravatar URLs for everybody’s avatars are just md5 hashes of their email addresses. So if you use a unique email address form for every site, you would have to upload a gravatar for every email address form (if you wanted one).
And while a blog/forum having a gravatar link is not *quite* the same as publishing everyone’s email address, it sort of is. It provides an oracle for guessing a person’s email address, which is already a fairly constrained space (e.g. 50% of correct answers probably end with @gmail.com).
@JotaMG, nope, they’re correct. Periods in the username portion of the email address are ignored by gmail. I’ve used them for broken sites that don’t accept +.
@Jean-Luc Aufranc (CNXSoft), Using the + sign to detect spam or at least the source of spam addresses isn’t the only use! gmail lets you use it for filtering emails into folders. Ever had a mailing list that had poorly formatted headers and you couldn’t find a way to filter it into its own folder? Subscribe with a +brokenlist email address and use that to filter.
@JotaMG
It’s specific to gmail’s email server. I think I remember seeing similar optional settings for postfix and possibly exim4 though I can’t be sure.
Anyhow, plus is often disallowed by default either by some regex, javascript or even the PHP\C\C++ side of the servers since it’s used in SQL injections. Dot, however, can’t be defaulted off since it’s necessary as decimal point so it’s not uncommon to see only the client side regex typically prohibits it.
KR, willmore
Yes, you are right, I didn’t know that, thanks!
I really love my own server for this. I have 2 domains and can use every email address on them.
Added bonus that the POP3/IMAP client is only accessible through a VPN, adding a nice security barrier. This VPN connection also works as a proxy for mobile devices. Using UDP on port 53 even helps to bypass some bandwidth restrictions.
Bit of a headache to set up though, I felt a bit like Alice going down the rabbit hole.