23 02 | 2012

Who gave my address to spammers?

Written by Tanguy

Classified in : Homepage, Debian

For hurried readers: do not give your main email address to Moneybookers or to deviantART, since they may give it (unintentionally, I hope) to spammers.

Dedicated addresses

Since I have set up my own email server, when a company or an unknown individual asks for an address I give it a dedicated one. For instance, to make a payment I had to give an address to Moneybookers: instead of giving them my main address <tanguy@>, I used <tanguy+moneybookers@>.

Thanks to Postfix's address extension feature (look for “recipient_delimiter” in postconf(5) manpage), these <tanguy+whatever@> are all implicit aliases to my main address. This practice has several benefits, since it allows me to:

  • easily sort messages to dedicated mailboxes;
  • identify who sold or gave away my address to spammers when I start receiving tons of spam to <tanguy+moneybookers@>;
  • easily block that kind of spammers.

Working around lamers

Some systems are coded by lamers that think the “+” sign is forbidden for email addresses, so I have to work around that. My current solution it to use a static alias <tanguy-2012@>, which I simply drop after a year to replace it by a new one.

Two years report

After two years collecting spam, the first noticeable thing is that, among 5.5k spams I received, only 78 are the result of an information leak from an organization. I excluded from that count the addresses I use in public mailing-lists, for instance <tanguy+debian@>. So, after some fine exclusion and checking of messages, these are the only two organizations that somehow gave my address to spammers:

  1. Moneybookers: 43 spam messages received;
  2. deviantArt: 35 spam messages received.


friday 24 february 2012 à 08:20 claudex said : #1

You forgot to count the spammers who know the trick (which works with Gmail, so it is well known) and have remove the part between the + and the @.

I don't say it is easy to count those.

friday 24 february 2012 à 08:41 Tanguy said : #2

@claudex : I cannot count them indeed, but I do not think there are many, in fact I do not think that any spammer is applying this technique, since it requires processing for almost no benefit: only very few people do that, and these plussed addresses are usable for spammers, so why would they bother?

friday 24 february 2012 à 09:50 claudex said : #3

@Tanguy : I don't think the spammers do that but the web sites that give the addresses to them.

friday 24 february 2012 à 12:07 fifou said : #4

This is the reason why web form should use better regex to check email validity...

A lot of them declare that my fifou+tag@ adress is wrong after testing it with a bad JS 0_o If you must create a mask to check an email, please read RFC 3696 and http://en.wikipedia.org/wiki/Email_address#Local_part before to create the mask :)

saturday 25 february 2012 à 11:12 Jon said : #5

I use exim, and set the delimiter to be either + or ., the latter of which works more often. But + is rarely picked up by harvesters.

It's no substitute for a good spam filter, though (crm114)

Write a comment

What is the second letter of the word widgkm? :