[Cryptography] what application creates single-use coded email addresses?

Ray Dillinger bear at sonic.net
Sun Aug 5 12:46:55 EDT 2018


I've encountered some email addresses that are apparently base64 encoded
usernames prefixed with a four-character nonce.

For an example with a fictitious username, email addresses AX2bY2xhcmti,
gg68Y2xhcmti, cUn4Y2xhcmti, etc, all have the form

{four alphanumeric characters}{'clarkb' encoded in base64}

I was going to write 'encrypted' email addresses in the subject line,
but prefixing a 24-bit 'magic cookie' to base64 of the plaintext is not
encryption. These are encoded, not encrypted.

I am interested to know what application creates these addresses.  They
look to me like a good idea, but I can't find any information about it.

I can think of a dozen uses for such email mangling, first on the list
being the ability to selectively reject mail sent to versions of the
address that have made their way into the hands of spammers without
rejecting versions of the address that are still in the hands of actual
people you give a crap about communicating with.

I was thinking about how it would be done...

It's easy to imagine a filter in a firewall that discards four
characters and then base64 decodes the local part of the 'to' field in
email coming from outside the organization, then reverts the operation
if that results in an invalid email address containing a backspace or
something, and then appends the "as received" form of the address as a
username string.

Somebody can do that in one afternoon, leaving local email service
working normally.  So according to that theory, clarkb would get his
email at some local address like

clarkb at domain.org <'gg68Y2xhcmti at domain.org'>

if somebody mailed him using an 'encoded' email address, or at some
local address like

clarkb at domain.org <'clarkb at domain.org'>

if somebody mailed him using his unencoded address.

Though I haven't seen any evidence for the second form in these log files,
I assume it must exist... people worship at the altar of backward
compatibility, which leaves all email everywhere permanently backward.

The local mail user agents would be correspondingly configured to use
the username string form of the message they're replying to in the
'from' address, and the outgoing firewall configured to strip the local
email address and then the quoting brackets and apostrophes, leaving the
mangle as the 'from' address.  So now we're up to three days or so of IT
effort to set this all up.

But it's hard to imagine asking clarkb to actually manage the nonces or
create new mangles to use for new outside correspondents, unless his MUA
is aware of this mangle and does it automatically. And that gets into
the same issues as key management, which is non-trivial.

That last part is also necessary for a complete working system, so on
consideration of that, I don't think this is some local config hack done
by a local IT department anymore.

Somebody somewhere has created an MUA that manages these mangles for
people.  And I'm interested to know what it is.

Does anybody know what MUA creates these addresses?


				Bear
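
The filter sketched in the message above, written out as an added example.
This is not the poster's code and not the code of whatever product creates
these addresses; it simply implements the scheme as described: a four
alphanumeric character nonce followed by base64 of the local part, an inbound
step that strips the nonce, decodes, and reverts to the as-received address
when the result is not a plausible local part, and an outbound step that
strips the quoting and uses the mangle as the From address. The domain
"domain.org" and the username "clarkb" come from the message; the local-part
character policy, the per-user list of burned nonces, and the known-user
directory are constructed here for illustration.

```python
import base64
import binascii
import re
import secrets
import string
from typing import Optional, Tuple

# Scheme as described in the post: {4 alphanumerics}{base64(local part)}.
NONCE_LEN = 4
NONCE_ALPHABET = string.ascii_letters + string.digits
# Assumed policy for what a *decoded* local part may look like. This is the
# "invalid email address containing a backspace or something" check. Real
# MTAs accept a wider RFC 5321 dot-atom; this is deliberately conservative.
LOCAL_PART_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
DOMAIN = "domain.org"  # placeholder domain taken from the post


def mangle(local_part: str, nonce: Optional[str] = None) -> str:
    """Produce a tagged address for local_part.

    The nonce is random but carries no secret: anyone can strip it and
    base64-decode the rest, which is why this is encoding, not encryption.
    """
    if nonce is None:
        nonce = "".join(secrets.choice(NONCE_ALPHABET) for _ in range(NONCE_LEN))
    if len(nonce) != NONCE_LEN or any(c not in NONCE_ALPHABET for c in nonce):
        raise ValueError("nonce must be exactly 4 alphanumeric characters")
    return nonce + base64.b64encode(local_part.encode("ascii")).decode("ascii")


def demangle(received_local: str) -> Tuple[str, Optional[str]]:
    """Undo mangle() if received_local looks like a tagged address.

    Returns (delivery_local_part, nonce). When the tail is not valid base64,
    or decodes to something that is not a plausible local part, the operation
    is reverted and the address is treated as plain (nonce is None).
    """
    if len(received_local) <= NONCE_LEN:
        return received_local, None
    nonce, body = received_local[:NONCE_LEN], received_local[NONCE_LEN:]
    if any(c not in NONCE_ALPHABET for c in nonce):
        return received_local, None
    try:
        decoded = base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return received_local, None
    if not LOCAL_PART_RE.fullmatch(decoded):
        return received_local, None
    return decoded, nonce


class InboundFilter:
    """The inbound 'filter in a firewall' from the post, plus a per-user set
    of burned nonces so that versions of an address that leaked to spammers
    can be rejected without touching the versions real people still hold."""

    def __init__(self, known_users):
        self.known_users = set(known_users)   # constructed user directory
        self.burned = {}                      # user -> nonces known to be leaked

    def burn(self, user: str, nonce: str) -> None:
        self.burned.setdefault(user, set()).add(nonce)

    def route(self, received_local: str) -> Optional[str]:
        """Return the local delivery address in the post's
        "user@domain <'as-received@domain'>" form, or None to reject."""
        user, nonce = demangle(received_local)
        if user not in self.known_users:
            # A plain address whose tail happens to be valid base64 of some
            # other name would be mis-decoded; retry as-received before rejecting.
            user, nonce = received_local, None
            if user not in self.known_users:
                return None
        if nonce is not None and nonce in self.burned.get(user, ()):
            return None  # this version of the address is in spammers' hands
        return f"{user}@{DOMAIN} <'{received_local}@{DOMAIN}'>"


def outbound_from(labelled: str) -> str:
    """Outgoing side: drop the local address and the quoting brackets and
    apostrophes, leaving the mangle (or plain address) as the From address."""
    start = labelled.index("<'") + 2
    end = labelled.index("'>", start)
    return labelled[start:end]


if __name__ == "__main__":
    fw = InboundFilter({"clarkb"})
    for addr in ("gg68Y2xhcmti", "AX2bY2xhcmti", "clarkb", "nobody"):
        print(addr, "->", fw.route(addr))
    fw.burn("clarkb", "gg68")                  # gg68... leaked to spammers
    print("after burn:", fw.route("gg68Y2xhcmti"), fw.route("AX2bY2xhcmti"))
```

Two points the code makes concrete. First, demangle() recovers "clarkb" from any
of the example addresses with no key at all, which is the poster's "encoded, not
encrypted" observation. Second, because a plain local part can in principle end
in something that base64-decodes to another valid name, the inbound side should
check the decoded user against the real directory and fall back to the
as-received form before accepting the decode; without that, the ambiguity the
scheme inherits from backward compatibility becomes a misrouting bug.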
