Hello all,
I was just going thru "krebs on security" and found an article about "The Security Pros and Cons of Using Email Aliases" ( https://krebsonsecurity.com/2022/08/the-security-pros-and-cons-of-using-email-aliases/#more-60800 ).
I remember having read something similar somewhere, and never understood it. Assuming that I use the email alias myname+somecompany@myhost.com what stops anyone / a bad actor from removing the "+somecompany" part (to get to the main email address) ?
Regards,
Rudy Wieser
If there really is such an E-mail address as <myname@myhost.com> but
not such as <hisname@myhost.com>, then a good alias would be <hisname+somecompany@myhost.com>.
| In other words, the hisname+*@myhost.com address becomes the
| user's equivalent of a domain's "catch all" address. With
| the same problems.
It reads to me as just ninny advice for people who
don't deal with details.
But what's with +? He seems to be saying that POP3
or IMAP won't count what comes after, so rudy+amazon@gmail
will automatically go to rudy@gmail?
Since when? Is that an official SMTP rule?
And if you're going to want to receive that email anyway,
why do it?
On 8/23/2022 11:18 PM, R.Wieser wrote:
David (others),
After some pondering I think the below is how such an "+" email address is used:
1) The email address hisname+somecompany@myhost.com is used and sent to the domain.
2) The domain applies the filter hisname+*@myhost.com and finds a match,
resulting in the message being put into the myname@myhost.com email box.
3) Depending on the user, his email reader applies its own filter(s) so that hisname+somecompany@myhost.com and hisname+someothercompany@myhost.com get sorted into their own, local folders.
In other words, the hisname+*@myhost.com address becomes the user's equivalent of a domain's "catch all" address. With the same problems.
Regards,
Rudy Wieser
Neither RFC 5322 nor RFC 6854 provide what you describe. Therefore, what
you describe is not conventional; and E-mail servers do not necessarily
do that.
Instead, it is possible that some servers allow filters to do what you describe. I believe that cPanel (used by my E-mail host) would allow me
to set up such a filter on the host's server. However, that filter would apply only to my domain and not to the entire server.
David (others),
After some pondering I think the below is how such an "+" email address is used:
1) The email address hisname+somecompany@myhost.com is used and sent to the domain.
2) The domain applies the filter hisname+*@myhost.com and finds a match, resulting in the message being put into the myname@myhost.com email box.
3) Depending on the user, his email reader applies its own filter(s) so that hisname+somecompany@myhost.com and hisname+someothercompany@myhost.com get sorted into their own, local folders.
In other words, the hisname+*@myhost.com address becomes the user's equivalent of a domain's "catch all" address. With the same problems.
Regards,
Rudy Wieser
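An added illustration of the three-step model in the post above (server matches hisname+*@myhost.com and routes to the base mailbox, then the client sorts on the tag), with the "don't trust mail to the bare base address" idea from later in the thread built in as a quarantine rule. This is example code written for this thread, not any provider's implementation; the mailbox, tags, folder names and the `base+tag@domain` address shape are assumptions.

```python
import re
from dataclasses import dataclass, field

# Hypothetical model of plus-addressing, written for this thread. The address
# shape "base+tag@domain" is assumed; real providers differ in the details.
ADDR_RE = re.compile(r"^(?P<base>[^+@]+)(?:\+(?P<tag>[^@]*))?@(?P<domain>[^@]+)$")


@dataclass
class Mailbox:
    base: str                                      # "hisname" in the thread
    domain: str                                    # "myhost.com" in the thread
    known_tags: set = field(default_factory=set)   # tags the user handed out
    folders: dict = field(default_factory=dict)    # folder name -> recipients seen


def split_address(addr: str):
    """Return (base, tag, domain). tag is None when there is no '+tag' part."""
    m = ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"unsupported address shape: {addr!r}")
    return m["base"].lower(), (m["tag"] or None), m["domain"].lower()


def choose_folder(mailbox: Mailbox, tag):
    """Step 3 (client-side sorting), plus the defensive rule from the thread:
    mail to the bare base address (the '+tag' cut off) or carrying a tag the
    user never handed out goes to a quarantine folder, not the Inbox."""
    if tag is None:
        return "Quarantine/no-tag"
    if tag not in mailbox.known_tags:
        return "Quarantine/unknown-tag"
    return tag


def deliver(mailbox: Mailbox, rcpt: str):
    """Steps 1-2 (server side): match base+*@domain, route into the base
    mailbox, and keep the full recipient so the tag is still available.
    Returns the folder the message landed in, or None if it is not ours."""
    base, tag, domain = split_address(rcpt)
    if base != mailbox.base.lower() or domain != mailbox.domain.lower():
        return None
    folder = choose_folder(mailbox, tag)
    mailbox.folders.setdefault(folder, []).append(rcpt)
    return folder


if __name__ == "__main__":
    mb = Mailbox("hisname", "myhost.com", {"somecompany", "someothercompany"})
    for rcpt in ("hisname+somecompany@myhost.com",       # handed out: sorted by tag
                 "hisname+someothercompany@myhost.com",
                 "hisname@myhost.com",                   # tag stripped by a sender
                 "hisname+leaked@myhost.com"):           # tag never handed out
        print(f"{rcpt:40} -> {deliver(mb, rcpt)}")
```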
Hello all,
I was just going thru "krebs on security" and found an article about "The Security Pros and Cons of Using Email Aliases" ( https://krebsonsecurity.com/2022/08/the-security-pros-and-cons-of-using-email-aliases/#more-60800 ).
I remember having read something similar somewhere, and never understood it. Assuming that I use the email alias myname+somecompany@myhost.com what stops anyone / a bad actor from removing the "+somecompany" part (to get to the main email address) ?
Gmail will ignore anything written between the + and @ sign in the email address and still deliver the message to the same mailbox.
Plus addressing is not meant to protect the main email address.
It's meant to be used for filtering incoming mail. They are not
email aliases, but alternatives for email aliases.
Neither RFC 5322 nor RFC 6854 provide what you describe.
Therefore, what you describe is not conventional; and E-mail servers do
not necessarily do that.
Instead, it is possible that some servers allow filters to do what
you describe.
Yes, I'm talking about the article.
It assumes that people can't be bothered to come up with
email names.
| > Since when? Is that an official SMTP rule?
|
| I have no idea. I can't even remember having ever come across
| anything talking about it.
|
Odd. If you don't know.... :)
The article seems to make no sense otherwise, because
there would be no way email for rudy+amazon would ever
be sent to rudy.
"Zaidy036" <Eric@Bloch.com> wrote
| Gmail Plus Address
|
| So what is a Gmail Plus address? Say you have an email address like
| billgates@gmail.com. If you append a "plus" sign to your email username,
| Gmail will ignore anything written between the + and @ sign in the email
| address and still deliver the message to the same mailbox.
So this whole thing is about gmail nonsense? Yet
Krebs never mentioned that it was only relevant for gmail.
And this guy is a security expert? He sounds like a hen
living in a foxhouse.
It's not a "problem" and it *is* "a good thing",
it's just not meant to provide protection against spam.
Nope. For MSPs who handle plus-addressing - i.e. in this case
Fastmail - the mail will *not* be delivered to username@domain.tld's
*Inbox*, but to the *folder* 'hiking'. That's the whole point of plus-addressing.
Frank,
Plus addressing is not meant to protect the main email address.
It's meant to be used for filtering incoming mail. They are not
email aliases, but alternatives for email aliases.
That's the problem: The idea is to create an identifiable email address. But a bad player could just cut the "+" phrase out of it and start to spam the resulting email address. No way to figure out who the company was whose
"+" phrase was removed.
IOW, it /sounds/ like a good thing, but, in the situation you describe, the user has to be rather careful with it. Probably not use the base email address for anything, and throw anything addressed to it away.
"For example, suppose you gave someone the address username+hiking@domain.tld. Any messages sent to this address will be delivered to username@domain.tld,"
That's the whole problem in a nutshell. Someone over at fastmail did not think about the nuisance implications of that. :-(
R.Wieser <address@not.available> wrote:
Frank,
Plus addressing is not meant to protect the main email address.
It's meant to be used for filtering incoming mail. They are not
email aliases, but alternatives for email aliases.
That's the problem: The idea is to create an identifiable email address. But a bad player could just cut the "+" phrase out of it and start to spam the
resulting email address. No way to figure out who the company was whose
"+" phrase was removed.
IOW, it /sounds/ like a good thing, but, in the situation you describe, the user has to be rather careful with it. Probably not use the base email
address for anything, and throw anything addressed to it away.
It's not a "problem" and it *is* "a good thing", it's just not meant to provide protection against spam.
It also sucks at mowing your lawn. Sorry about that.
Moral: Use it or don't use it. Don't misuse/abuse it.
"For example, suppose you gave someone the address
username+hiking@domain.tld. Any messages sent to this address will be
delivered to username@domain.tld,"
That's the whole problem in a nutshell. Someone over at fastmail did not
think about the nuisance implications of that. :-(
Nope. For MSPs who handle plus-addressing - i.e. in this case
Fastmail - the mail will *not* be delivered to username@domain.tld's
*Inbox*, but to the *folder* 'hiking'. That's the whole point of plus-addressing.
(Zaidy036 mentioned that Gmail apparently ignores the +<tag> part and
just delivers the message anyway, which AFAIK is the correct way to do
it. It doesn't say if the +<tag> part is preserved in the 'To/Cc' header
of the received message, so it's unknown if the tag can be used for filtering. Yes, I could test that, but I won't.)
yes the +.... is preserved for filtering by GMail
| Not quite. Sometimes I get caught by some perceived(?) problem with
| something, and want to know more about it. Just to know what I
| should decide if its ever offered to me.
My apologies, Rudy. I would never accuse you of not
making up problems. :)
Frank,
It's not a "problem" and it *is* "a good thing",
Nope, not by long shot.
it's just not meant to provide protection against spam.
It should also not be meant as an open invitation to a bad actor. Which, in the form you are describing it, it definitely is.
So thank you, but you've made clear that if it's implemented that way it's absolute garbage and I would not touch it with a 10 foot pole.
Nope. For MSPs who handle plus-addressing - i.e. in this case
Fastmail - the mail will *not* be delivered to username@domain.tld's *Inbox*, but to the *folder* 'hiking'. That's the whole point of plus-addressing.
So, you first need to set up the correct folders on the email host's machine, and only then you can give out a "+" address that refers to it? That's bullshit. It would make the whole thing absolutely *zero* better than creating a standard email alias.
But, maybe I misunderstood what you said there. In that case, please do explain a bit more.
(Zaidy036 mentioned that Gmail apparently ignores the +<tag> part and just delivers the message anyway, which AFAIK is the correct way to do
it. It doesn't say if the +<tag> part is preserved in the 'To/Cc' header
of the received message, so it's unknown if the tag can be used for filtering. Yes, I could test that, but I won't.)
yes the +.... is preserved for filtering by GMail
"Frank Slootweg" <this@ddress.is.invalid> wrote
| FWIW, AFAIK plus-addressing is a de jure or de facto standard. (Can't
| be bothered to try to find it. Not my problem/question.) People use it
| and for good reasons. Get over it.
You seem to be getting awfully cranky these days, Frank.
You take offense and accuse others of bad behavior
regularly.
Maybe I misunderstood. Zaidy said it's a gmail thing.
Others seem to say it's not part of smtp.
According to
the RFC for SMTP that I found, anything from Chr 32 to 126
is usable, but \ is an escape character. On the other hand,
I've never seen spaces or any other non-alphanumeric used,
except for periods, underscores and dashes.
On one site I saw someone say that gmail does not allow
+ in an address because they use it for aliases!
And apparently
many sites will reject it when checking an email address entered.
Of course, if + were universally used for aliases then it couldn't
be an acceptable character as part of addresses. But there's
nothing I can see in the RFC saying that + denotes an alias.
So apparently it's gmail nonsense. Interestingly,
the author of the SMTP RFC uses + in his email address!
Everyone's a comedian. :)
So I think I'll stick with my original conclusion. This whole
thing is gmail nonsense. There's no sane reason for
anyone else to actually make up an email address with + in it.
And as you said yourself, mail servers may choke on it.
Sigh! Read the above sentence again.
For a bad actor, there's zero difference between an address with
or without a +<tag>.
That's what I suggested, but you also snipped.
Hmmm!? Did anyone say it was better? I don't think so. Someone said
it is an alternative,
but that someone's comments get snipped and ignored.
Yes, you misunderstood most if not all of what I said. I re-explained
some more above.
But I'm getting tired of it, especially because you're (silently)
snipping my comments (and apparently not understanding them).
Frank,...
Sigh! Read the above sentence again.
You are as daft
but anyone with just an average intelligence
That you clearly do not understand what is and is not the purpose,
Frank,
That you clearly do not understand what is and is not the purpose,
Let's put it this way: A gun is made to shoot. But for some odd reason we
do not put them into the hands of children.
But here you are, trying to "teach" me about stuff that, when not used carefully, can hurt the one using it.
As long as you think that that is acceptable/sane we really have nothing to talk about.
Besides the problem that you do not actually wish to /discuss/ anything that is.
And by the way, I see that you have no wish to quote what you are
complaining about and explain yourself. Which makes me wonder if there was anything to complain about to begin with ...
And oh yeah, your example where you first have to set up a receiving email box before you can use the "+<tag>" (as you were referring to it)?
I don't think that was/is how it's supposed to be used, as such a usage would just be an email alias with a "+" character in the username. IOW,
that "clearly do not understand" might well be in your own ballpark.
tl;dr:
I think I've made the cons of that "fastmail" implementation clear. If you want to offset it with some pros then be my guest.
If you want you may
also put some pros and/or cons forward to the implementation as I put
forward in my third post (to David) in this thread.
As I said, an e-mail address with a +<tag> is not any more - or
less - dangerous than one without such a tag.
Both can and will be abused.
Besides the problem that you do not actually wish to /discuss/ anything
that is.
Sorry, doesn't compute. Probably some word(s) is/are missing.
I've explained things (I do not have to explain myself, because this
is not about me) over and over again, and you keep silently snipping
and ignoring it over and over again. See for example the above lawn
mowing analogy. That's the *third* time.
And oh yeah, your example where you first have to set up a receiving
email box before you can use the "+<tag>" (as you were referring to
it)?
No that's *not* what *I* said. That's what *you* *assumed*. And I
countered.
You've not made the cons "of that "fastmail" implementation" clear,
because Fastmail is doing what it's supposed to do for plus-addressing.
The pros are clear: Filtering of incoming e-mail tags. Again, yes
there are other ways to do similar things, but that doesn't mean
it's not useful functionality.
(BTW. Don't keep harping about Fastmail.
Fastmail is just *an example*.
An example I found when you asked for more information about the
use of '+' in e-mail addresses.)
We're running around in circles
- after just a single out-of-character response - you're back
to your usual silent-snipping, confrontational, abusive and
insulting MO.
You also seem to think that you can ignore and silently snip any comment/argument you want, and that when that pathetic/dishonest
behaviour is pointed out to you, it's your correspondent's duty to
repost the snipped material, so that you can snip it again.
So in closing, I'm repeating, for the umpteenth time, the very essence
which you've been ignoring and silently snipping from the get go:
[Rewind/Repeat:]
Moral: Use it or don't use it. Don't misuse/abuse it.
[End Rewind/Repeat.]
EOD.
As I said, an e-mail address with a +<tag> is not any more -
or less - dangerous than one without such a tag.
And I countered that with explaining how the implementation of it
makes quite a difference.
So, just "lie down and think of England"? It's already there so even
talking about how it perhaps could be done better is useless ? Really ?
You're trying to make some (big) thing over that I didn't respond to your
"It also sucks at mowing your lawn" statement? That's it?
[snipped for brevity]And you say you countered it ? You are aware that I can read
previous messages ?
Which of that do you consider being the countering ?
No that's *not* what *I* said. That's what *you* *assumed*. And I
countered.
The problem is that you *said* next to nothing, forcing me, for the sake
of a possible discussion, to fill in the blanks
EOD.
I've done my best to show and explain to you my side of the story, and all you can do is shoot stuff down. No, that is not even a conversation, let alone a discussion.
I've done my best to show and explain to you my side of the story, and all
you can do is shoot stuff down. No, that is not even a conversation, let
alone a discussion.
Don't rewrite what happened.
You asked a question. I responded with some information and a
reference.
That's it. No discussion, just your question and my answer/
response.
Now even silently snipping mid-paragraph, are we!? :-()
[Again,] Until then, it's EOD.
Frank,
I've done my best to show and explain to you my side of the story, and all
you can do is shoot stuff down. No, that is not even a conversation, let alone a discussion.
Don't rewrite what happened.
You asked a question. I responded with some information and a
reference.
No Frank, that isn't what happened. I responded to that example of yours
and you responded back - with your "it is what it is" shooting down.
Frank,
Now even silently snipping mid-paragraph, are we!? :-()
Nope, I'm not "silently" snipping, I'm dropping.
And what is it with that "silently snipping" of yours ? Some kind of fetish ? Or just some accusation you can repeat every time you feel like it ?
Of course, not explained why the "silently snipped" parts are important, and refusing, because of "reasons", to provide any when asked.
Frank, I've just gone thru a multi-week exchange with nospam. IOW, you're not my first rodeo.
[Again,] Until then, it's EOD.
Yeah, that's your third time now. :-)
Regards,
Nope, I'm not "silently" snipping, I'm dropping.
Yes, you're "dropping" your correspondent's comments/arguments,