
A simple tool to track and control spammers

April 21st, 2006 Posted by D Webber

You’ve probably experienced the scenario: you want to access a web page or download a file on a site that requires “free registration”. The site promises to never use the e-mail address you provide for spam, or to sell it to spammers.

You trustingly sign up using your valuable main e-mail address, get what you need then forget about it.

Weeks later, spam starts arriving with details you provided in that registration. The web site lied! They did sell your registration info to some scumbag or are spamming you themselves.

With the damage done, your main e-mail address that once got very little spam is suddenly inundated with wonderful opportunities for mortgage refinancing, genital enhancement and vacation specials. Once your personal e-mail address starts circulating, it’s impossible to put the genie back in the bottle.

Some people in this situation abandon their once private e-mail address for a new one, then a year later ditch that one when it winds up on spam lists. Others never reveal their “real” e-mail address in favor of using throw-away addresses such as free web mail accounts like Yahoo or disposable mail services like Mailinator.

It’s impossible to tell which web sites can be trusted to keep your information private. Some will never abuse your e-mail address, but for many the demands from the marketing division or temptation to make a quick buck selling the data to “opt-in marketers” is overwhelming.

Further, in some jurisdictions including the U.S., customer lists including e-mail addresses are considered corporate assets. Shareholders can demand selling the lists if a profit can be made. Insolvent companies have also been forced to sell their lists despite privacy policies and their own wishes to protect customers, such as during the infamous eToys debacle of 2001.

Also, it’s often impossible to conclusively prove a specific organization has violated your trust. Anyone you’ve given your one e-mail address to could be guilty.

There is a feature supported by almost all mail servers that lets you give out a unique e-mail address to anyone who asks, yet have messages all wind up in your regular e-mail box. No more checking web mail accounts! Further, if your mail administrator allows blocking and an address is abused, you can permanently reject mail to that address before it gets in.

The feature is called “address extensions” and has been available in Sendmail, Postfix and almost every other mail server for years.

A typical address extension looks like this:

username+extension@example.com

A symbol, usually a plus sign, separates your regular e-mail name from a throwaway portion. The throwaway portion is ignored by the mailer when delivering the message… all mail is delivered as if the extension was not there. However, with most mailers the full address with extension still shows up in your mail client, and can be rejected at the mail server.

You can test your own mail server now to see if it accepts this form of addressing. Using a web mail service or other external mail system, send a message to an extended form of your own address and see if it shows up in your inbox.

We’ve been using mail extensions for years to provide unique e-mail addresses to questionable organizations, web site registration forms and the like. For example, when registering on the New York Times to be able to read an article, we might provide the address “jsmith+nytimes@advosys.ca”. If that venerable institution starts spamming the address, we can block it at the mail server. We also have proof of who abused our trust and can take action.

Blocking at the mail server is best. If the mail server rejects the message during the SMTP “envelope” phase (i.e. the “RCPT TO:” command), the spam is rejected before the message body is even sent. The sender gets a delivery failure error, even if they’ve forged the sender address (like almost all spammers do).

If you can’t block at the mail server, most mail clients allow creation of rules to automatically delete messages containing specific headers. This prevents you from seeing the spam, but your mail server and network resources are still abused. Also, the spammer will not see a rejection message and will keep sending.

Note that hardcore spam operations get paid per message accepted by the destination, so deleting spam in your mail client may result in rewarding the spammer with money. Blocking at the mail server is preferable.

Spammers are unethical scum, but they are very devoted to circumventing spam blocks. Some spammers are aware of the “plus sign” form of address extension and strip that portion from addresses they collect.

You can reduce the chance of that by using a less common character. For example, many organizations use periods, dashes or underscores in e-mail addresses (“john.smith@example.com”, “smith_j@example.org”). If possible, change your mail server to use one of those characters for address extensions instead of the plus sign. Since so many legitimate e-mail addresses use those characters, spammers are far less likely to filter them from their spam lists.

In the Postfix MTA, the extension character can be specified using the recipient_delimiter setting in the main.cf file. Similar settings are available in Qmail and other popular SMTP servers, though apparently in Sendmail the plus character is hard coded.

Downside

One potential downside to address extensions is that they could open your mailer to certain forms of abuse. If a spammer determines you are using extensions, they may abuse the feature to send you huge volumes of mail. Some spam reduction filters block senders automatically when they exceed a threshold of messages to the same address. Unless such a filter is also aware of the extensions, it may allow the spammer to use random extension addresses to flood recipients.

However, most mail filters block senders that exceed a threshold regardless of recipient address. Also, spammers rarely craft exploits targeted at specific organizations, except for obvious huge targets such as Hotmail and AOL. Unless your organization has millions of e-mail users or a spammer has a vendetta specifically against you, a targeted attack is unlikely.

Regardless, it’s wise to test the behaviour of your specific mailer’s filtering functions before implementing address extensions, just in case.
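The gap described in this section, as an added example that is not part of the original article: a per-sender, per-address threshold is run over the same constructed flood twice, once counting raw recipient addresses and once counting the address with its extension stripped. The class and function names, the addresses and the limit of 5 are assumptions made for illustration.

```python
from collections import Counter


def base_address(recipient, delimiter="+"):
    """Strip the extension: jsmith+nytimes@example.com -> jsmith@example.com."""
    # Assumption: addresses are compared case-insensitively, as most mailers do.
    local, _, domain = recipient.lower().rpartition("@")
    return local.split(delimiter, 1)[0] + "@" + domain


class ThresholdFilter:
    """Hypothetical filter: blocks a sender that exceeds `limit` messages
    to the same address. delimiter=None models a filter that is unaware of
    address extensions and counts every user+ext@domain separately."""

    def __init__(self, limit, delimiter=None):
        self.limit = limit
        self.delimiter = delimiter
        self.counts = Counter()

    def accept(self, sender, recipient):
        if self.delimiter is None:
            key = (sender, recipient.lower())
        else:
            key = (sender, base_address(recipient, self.delimiter))
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def constructed_flood(n):
    """Constructed sample: one sender, n different extensions, one mailbox."""
    return [("bulk@sender.example", f"jsmith+x{i:04d}@example.com")
            for i in range(n)]


def delivered(filt, messages):
    """Count how many (sender, recipient) pairs the filter lets through."""
    return sum(filt.accept(sender, rcpt) for sender, rcpt in messages)


if __name__ == "__main__":
    flood = constructed_flood(200)
    print("extension-unaware:", delivered(ThresholdFilter(5), flood))
    print("extension-aware:  ", delivered(ThresholdFilter(5, "+"), flood))
```

Pass the same delimiter your mail server uses; with a period as the delimiter, `john.smith@example.com` is counted against the mailbox `john@example.com`.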

Summary

Using address extensions to provide unique e-mail addresses can help identify who abused the address provided and block the address once it starts to be spammed.

Almost all mailers support address extensions, usually using the form “username+extension@domain.com”.

Blocking an abused address is best done at the server by rejecting the message during the SMTP conversation. If that’s not possible, most e-mail client software has filters that can delete mail containing specific headers on arrival.

Since spammers know about address extensions using the plus sign, your mailer should be configured to use something common in other organizations’ e-mail addresses, such as a dash, underscore or period.

Conclusion

This technique is a simple and widely available way to give out unique aliases for your regular e-mail address that you can track and block if abused. It’s more convenient than setting up disposable web mail accounts, and more permanent than using disposable e-mail services such as Mailinator.

Used in conjunction with other spam reduction techniques, address extensions can significantly reduce the spam you receive. They give you, the recipient, more control over your inbox and the ability to determine for certain who has abused your private information.
