On 05/21/2013 03:19 PM, Tom Metro wrote:
> I used sender-specific addresses back in the 1990s, but migrated to the
> equivalent using address extensions in the 2000s. It works great, as you
> describe, and is a great way to spot when a vendor has had a breach and
> their customer database downloaded by hackers/spammers. (Also makes it
> trivial to spot phish emails, that get directed at publicly exposed
> address, and not the vendor-specific ones.)

I've done this as well, but in my opinion the most common cause of such "leakage" is that the site/vendor has "monetized" your information by selling profiles and addresses to third parties...

> The big problem with the [email protected] format is that it
> appears some newb who didn't understand RFCs wrote an email validation
> library in the early 2000s which incorrectly believes the "+" character
> is invalid, and about 50% of web sites use it or a derivative. (I'm
> guessing a PHP library.)

Hallelujah! I've filed dozens of complaints with different websites and vendors on this very point. So far as I'm aware none of them corrected the situation; worse, many companies who are happily sending me email via "+" detail addresses have changed their websites or validation routines subsequently and reject such addresses.

This points up another advantage of running your own mail server - unlimited aliasing. In fact I have one domain that will rewrite vast categories of addresses to my actual address in another domain, so that I can use almost anything on the fly when I'm interacting with an application or website. (So far there's been no problem with spam to random addresses being accepted.)

> (A secondary bug that is also common is when an address gets embedded in
> a URL, such as with an unsubscribe link, and the code generating the
> email fails to URL encode the address, resulting in the "+" character
> turning into a space. But if you spot this, it's easy to work around by
> manually inserting the escape code.)

This reminds me of another problem -- websites that require you to use your email address to login, but reject a "+" during validation prior to looking anything up. This caused me to abandon my 8-year-old Ofoto/Kodak Gallery account when it was purchased by Shutterfly...

--Steve.
_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
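The two bugs discussed in this thread, as an added example that is not part of the original messages: a validator that rejects "+" beside one built from the RFC 5322 atext set, and an unsubscribe link built with and without URL encoding. The sample address, the host name and the strict pattern are constructed for illustration and do not come from any named library or site.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample address; example.org is a reserved documentation domain.
ADDRESS = "steve+shopname@example.org"

# Hypothetical over-strict pattern of the kind the thread complains about:
# the local part allows letters, digits, ".", "_" and "-" but not "+".
STRICT = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# RFC 5322 "atext": every character allowed in an unquoted local part.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
RFC_DOT_ATOM = re.compile(
    "^[" + ATEXT + r"]+(\.[" + ATEXT + r"]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
)


def strict_accepts(addr: str) -> bool:
    """Validator with the bug: treats '+' as invalid."""
    return bool(STRICT.match(addr))


def rfc_accepts(addr: str) -> bool:
    """Validator that accepts dot-atom local parts, including '+' extensions."""
    return bool(RFC_DOT_ATOM.match(addr))


def unsubscribe_link(addr: str, encode: bool) -> str:
    """Build the link; encode=False reproduces the missing URL-encoding bug."""
    value = quote(addr, safe="") if encode else addr
    # Hypothetical endpoint, used only to have a query string to parse.
    return "https://lists.example.org/unsubscribe?email=" + value


def address_seen_by_server(url: str) -> str:
    """Decode the query string the way a form/query parser does ('+' -> space)."""
    return parse_qs(urlsplit(url).query)["email"][0]


if __name__ == "__main__":
    print("strict validator:", strict_accepts(ADDRESS))
    print("RFC validator:   ", rfc_accepts(ADDRESS))
    for encode in (False, True):
        link = unsubscribe_link(ADDRESS, encode)
        print(link, "->", repr(address_seen_by_server(link)))
```

The manual workaround mentioned in the quoted text corresponds to the encoded form: replacing "+" with %2B in the link makes the server decode the original address.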
