[Cryptography] what application creates single-use coded email addresses?

Alfie John alfie at alfie.wtf
Tue Aug 7 19:40:18 EDT 2018


On Mon, Aug 06, 2018 at 12:36:42PM -0700, Tom Mitchell wrote:
> On Sun, Aug 5, 2018 at 9:46 AM, Ray Dillinger <bear at sonic.net> wrote:
> > I've encountered some email addresses that are apparently base64 encoded
> > usernames prefixed with a four-character nonce.
> >
> > For an example with a fictitious username, email addresses AX2bY2xhcmti,
> > gg68Y2xhcmti, cUn4Y2xhcmti, etc, all have the form
> >
> > {four alphanumeric characters}{'clarkb' encoded in base64}
> 
> ....
> 
> >
> > I was thinking about how it would be done...
> >
> If you own the domain much is almost easy even with a Gmail served domain.
> Gmail already allows a slightly less obfuscated version using +
>        me+bear at some.gmail.served.domain
> IMAP and POP allow the messages to be pulled and processed.

People keep bringing "+" up as a spam preventative... to be honest, if I was a
spammer the first thing I would do is parse the address and drop "+[^@]+".

...

I've been doing the following for a number of years and it works great:

  - generate thousands of random base64 email addresses
  - stuff them into virtual_alias.maps
  - have them all forward to real accounts defined in virtual_mailbox.maps

Each time I sign up to a service online, I'll burn one from the list and record
where it was used. If spam comes my way, it's then known who either sold my address
or got their database leaked, and to simply drop it from virtual_alias.maps.

Alfie

-- 
Alfie John
https://www.alfie.wtf
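
The scheme described in the message above, sketched as an added example (not code from the original post): it generates random aliases, renders them as alias/destination pairs for `virtual_alias.maps`, records where each one is burned, and revokes one on abuse. The domain, mailbox, service name and all function names are assumptions made for illustration.

```python
import secrets

DOMAIN = "example.org"       # assumption: placeholder domain
MAILBOX = "me@example.org"   # assumption: a real account in virtual_mailbox.maps

def generate_aliases(count, domain=DOMAIN, nbytes=9):
    """Return `count` random addresses; 9 random bytes give 12 base64 characters."""
    seen, out = set(), []
    while len(out) < count:
        local = secrets.token_urlsafe(nbytes)
        # Skip '-' and '_' (either may be configured as a recipient delimiter)
        # and anything that collides once lowercased, since many mail systems
        # compare local parts case-insensitively.
        if not local.isalnum() or local.lower() in seen:
            continue
        seen.add(local.lower())
        out.append(f"{local}@{domain}")
    return out

def render_map(aliases, mailbox=MAILBOX):
    """One 'alias destination' pair per line, as in a virtual alias table."""
    return "".join(f"{a}\t{mailbox}\n" for a in aliases)

def burn(pool, ledger, service):
    """Take an unused alias from the pool and record where it was handed out."""
    alias = pool.pop()
    ledger[alias.lower()] = service
    return alias

def source_of(ledger, recipient):
    """Which signup does this recipient address trace back to (None if unknown)?"""
    return ledger.get(recipient.lower())

def revoke(map_text, alias):
    """Drop the alias from the map text so mail to it is no longer forwarded."""
    keep = [line for line in map_text.splitlines()
            if line.split() and line.split()[0].lower() != alias.lower()]
    return "\n".join(keep) + "\n"

if __name__ == "__main__":
    pool = generate_aliases(1000)
    table = render_map(pool)            # every alias forwards until revoked
    ledger = {}
    addr = burn(pool, ledger, "shop.example")   # constructed service name
    print(addr, "->", source_of(ledger, addr.upper()))
    table = revoke(table, addr)
    print(len(table.splitlines()), "aliases still forwarding")
```

If the map is an indexed table such as `hash:`, it has to be rebuilt with `postmap` after each change.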

