Adding Plus Sign and Tag to Email Address May Help Identify Source of (Spam/Junk) Emails

I’ve noticed several commenters using email formatted as email+cnx@mail.com or email+spam@mail.com while posting comments on CNX Software blog, but I just thought they were using some specific emails account or some forwarding techniques to receive emails, but I did not investigate further, and by chance I came across the reason on reddit this morning:

It’s just another character that can be in an email address. For example, user@example.com, user+@example.com, user+spam@example.com, and user+login@example.com are all completely different email addresses.

However, Gmail will ignore a + and everything after it in the username portion of an email address, so user+netflix@gmail.com, user+spam@gmail.com, and user+reddit@gmail.com will all go to user@gmail.com‘s inbox. This is acceptable because Google does not allow + in its login names. Many people use this property to identify the source of an email.

So I could not resist trying by sending myself an email by adding +source1 to my username, and I did receive the email to my inbox as if I had not added the plus sign and “source1” tag/string.

email-address-plus-sign

I’m using gmail for cnx-software.com emails, but I also tried with hotmail, and it worked too. Another reddit commenter mentioned that it’s actually part of RFC5233 standard, but not all email providers support it.

This can be used to trace the source of email. For example, if you’ve commented on this blog only with “email+cnx@mail.com”, and some day you receive a email entitled “Nose Enlargement Program”  with that exact email address, that will either mean that the whole purpose of CNX Software blog was always to gather email addresses for nefarious purposes, or that the blog was somehow hacked and others took the opportunity. It’s not exactly 100% reliable as spammers who want to hide their source could easily remove any “+tag” string from their email database(s).

Share this:
FacebookTwitterHacker NewsSlashdotRedditLinkedInPinterestFlipboardMeWeLineEmailShare

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK 5 ITX RK3588 mini-ITX motherboard

Radxa ROCK 5C (Lite) SBC with Rockchip RK3588 / RK3582 SoC

15 Replies to “Adding Plus Sign and Tag to Email Address May Help Identify Source of (Spam/Junk) Emails”

  1. @KR

    I believe it’s triggering a bug on Android’s gmail client, the name suggestion field is filled with u.s.e.r…na…. user….na… I sense some too quick procedural generation function that didn’t account to gmail lax syntax.

  2. I have been using this method (random dots, plus something after the plus) for years. It works, but with two problems:
    – some sites do not accept a mail address with plus: “not a valid mail address” 🙁
    – other sites do accept the mail address with a plus, but then you never receive a mail. My electricity had that problem. Probably a website that accepts the mail address, but some back-end system that can’t handle it.

  3. the + or dots might cause problems as indicated in messages above.
    a better solution, if you have you own domain, is to have a “catch all” subdomain, those always work.
    basically you set up the mail server to forward anything subdomain.yourdomain.com to a specific mailbox.

  4. Another method is to use different tag names to call yourself per site.

    Theguyuk

    TheguyGB

    TheUKguy

    And many other changes

    Any personalised spam stands out as a sore thumb.

  5. I first encountered this about 15 years ago, when some MTA/MDA software I setup had default support for a minus as a separator. That was really great, every site in the world supports addresses of the form ‘user-extension@domain.tld’. When Gmail came out and I moved to them, their decision to go with a ‘+’ was actually one of the most annoying differences. It really is hit or miss whether a site will accept an address in that form.

    I’ve now switched to a commercial provider (fastmail), and one nice thing is they let you set it up so you can use user@anyextension.domain.tld as an email address (which gets rewritten to user+anyextension@domain.tld and then user@domain.tld as its delivered), which is much easier to get sites to accept.

    @JotaMG: I don’t know if it accepts any form of the username for logging in, but it certainly ignores any and all periods for mail delivery. username@gmail.com, user.name@gmail.com, and user…..n..am…e…….@gmail.com will all be delivered to the same account. I don’t know if gmail applies the same rules to their other domain aliases or hosted domains, though. I sometimes use the ‘.’ trick for my gmail address too, but there’s only so many variations you can do on that and it’s hard to remember what service ‘user…name’ was given to vs. ‘user..name’ if you’re trying to identify spam.

  6. Speaking of spam and comment threads/forums, here’s a gotcha: The gravatar URLs for everybody’s avatars are just md5 hashes of their email addresses. So if you use a unique email address form for every site, you would have to upload a gravatar for every email address form (if you wanted one).

    And while a blog/forum having a gravatar link is not *quite* the same as publishing everyone’s email address, it sort of is. It provides an oracle for guessing a person’s email address, which is already a fairly constrained space (e.g. 50% of correct answers probably end with @gmail.com).

  7. @JotaMG, nope, they’re correct. Periods in the username portion of the email address are ignored by gmail. I’ve used them for broken sites that don’t accept +.

    @cnxsoft, Using the + sign to detect spam or at least the source of spam addresses isn’t the only use! gmail lets you use it for filtering emails into folders. Ever had a mailing list that had poorly formatted headers and you couldn’t find a way to filter it into its own folder? Subscribe with a +brokenlist email address and use that to filter.

  8. @JotaMG

    It’s specific to gmail’s email server. I think I remember seeing similar optional settings for postfix and possibly exim4 though I can’t be sure.

    Anyhow, plus is often disallowed by default either by some regex, javascript or even the PHP\C\C++ side of the servers since it’s used in SQL injections. Dot, however, can’t be defaulted off since it’s necessary as decimal point so it’s not uncommon to see only the client side regex typically prohibits it.

  9. I really love my own server for this. I have 2 domains and can use every email adres on them.
    Added bonus that the POP3/IMAP client is only accessible trough a VPN adding a nice security barrier. This VPN connection also works as a proxy for mobile devices. Using UDP on port 53 even helps to bypass some bandwidth restrictions.

    Bit of a headache to set up tough, I felt a bit like Alice going down the rabbit hole.

Leave a Reply

Your email address will not be published. Required fields are marked *

Boardcon Rockchip and Allwinner SoM and SBC products
Boardcon Rockchip and Allwinner SoM and SBC products