10 comments

[ 3.9 ms ] story [ 34.3 ms ] thread
> That way, if you make an account on somesellout.com with youremail+somesellout@mail.com, when you start getting loads of unwanted messages at that address you know who sold your information to spammers.

I have seen this claim multiple places, but it seems like it really isn't a robust argument. It is an obvious enough tactic that I have to imagine anyone selling or buying email lists does a simple regex to remove everything between '+' and '@'. Maybe the buyers don't care, but if the sellers are trying to also operate a legitimate business, they'll probably sanitize the subaddresses from their lists before passing the list along.

So it seems like an easy way to guard against this type of referral hacking is to strip the subaddress from an email and compare that email with existing emails. Store the email with subaddress for actual communication but have the subaddress-stripped email be a 'unique' database column as a comparison.

Edit: grammar

I agree with you, it'd be the obvious thing to do if you're going to buy some emails from the black market. I'm not going to name any names, but you'd be surprised how much spam I've tracked down by using subaddressing.
I use subaddressing to keep track of my email subscriptions and who is selling them to 3rd parties
Clever. Proper email validation can be tricky at the edge cases, but parsing out sub-addresses shouldn't be too hard.

I'm curious as to why the OP disclosed this hack - given there are surely more contests to win. I wonder if the target companies have gotten savvy to this technique and it suddenly became ineffective.

OP probably revealed it to encourage others to replicate it, given the last paragraph. It might not be the best decision in the long term but in the long term there are other ways to have more than one email address.
Three ways to work around this if you actually suspect it:

1) Instead of using + (which some sites incorrectly reject as invalid), don't use a separator at all. For instance, mesitename@example.org . (This assumes you have a bit more control over email aliases.)

2) Don't use a modification of your standard email address; make the version without the site name still different than your standard email address. For instance, if your usual email is me@example.org, then instead of using mesitename@example.org, use sitessitename@example.org.

3) If you run your own domain, don't bother including a unique component before the @ at all. Just use sitename@yourdomain.example.

You just gave me a good idea. I have my own domain and my main email address is mail@mydomain.com . Whenever I register to any websites now I'll start using registration+websitename@mydomain.com and I'll configure my mail server to forward me anything that arrives to registration+anystring@mydomain.com and drop all mail to registration@mydomain.com .
Many sign up forms disallow the use of '+' in email addresses, either to prevent this, or more likely because the programmer wasn't aware it was a valid character for an email address in the first place.
If you're not going to verify that the email address they're giving you is real, why restrict them to your idea of what goes in an address? I often fill in my email address as fake@fake.fake . It's pretty easy to see that that's invalid -- to the best of my knowledge, there is no .fake TLD, and there certainly wasn't when I started doing it. But, I've never seen a form reject it.

You validate email addresses by sending confirmation emails. What's the thinking behind pretending you're doing it in the form?

Don't run my own domain, but I'm thinking of creating a second gmail address for this:

* myrealaddressregistration@gmail.com

* use myrealaddressregistration+websitename@gmail.com per site

* use a filter to forward to myrealaddress@gmail.com everything BUT messages to: myrealaddressregistration@gmail.com