[k3n]

I have a domain with a catch-all address, and so I just makeup addresses to use on the spot, but I know people like me and you are in the vast minority; none of my non-tech friends and family would ever do this. Also, sites like mailinator are often banned from sign-ups.

[Amadou]

I actually have a domain like that too. I just like mailinator because I know I'm never going to want their email so I don't even have to put in a rule to block out.

On a related note, some spammers have really done a number on me. First they impersonated thousands of addresses at my domain in the form of xxxxxx@mydomain.com where x is a hex digit. This is despite me having DomainKeys and SPF enabled. So not only did I get a lot of bounced spam to my catch-all, the spam that went through ended up in places that other spammers picked it up as a valid address so now I am getting spam sent to those randomized addresses.

At first I figured I could put together a rule to block all hexadecimal address of six digits but it turns out that at least another round of spammers started using the full alphabet and variable lengths.

I've come to the conclusion that I'm going to need to include a cookie in the addresses I use - so instead of dropdox@mydomain.com and amazon@mydomain.com it will be something like DOQ.dropdox@mydomain.com and DOQ.amazon@mydomain.com - addresses without the cookie get binned. But that's not going to help with all the addresses I've used over the last 15 years, and haven't kept track of.

[yebyen]

I know this will not work everywhere (not everyone implements correctly the RFC's regarding e-mail) but if you have an address, you can make up addresses on the spot by using the + notation

eg messages to myrealemail+mytag@gmail.com will always be received by myrealemail@gmail.com

I too have a domain with catch-all, and I do that rather than using the + notation, but it's something you can teach your friends who would never do that.

[k3n]

Security through obfuscation is not security.

I'd never want to depend on that for anything, it's really just a novelty; a simple regex will nullify any effect you'd gain for using that.

[yebyen]

Huh?

Yeah, I'm counting on e-mailers to send mail to the address I give them. No, I don't expect folks to send me spam unsolicited, or sell my address when I give it to them. I don't consider my name or e-mail address to be secret, and I'm also counting on anyone who sells my contact info to be doing it in bulk, not paying enough attention to strip out +tags, and by passing the address to spammers unaltered (or losing control of their database), give themselves away when I start receiving spam at that address.

Honestly I don't use the feature very often and I had not considered it to be a security measure before. Maybe novelty is the right word.

If I give myaddress+dropbox@mydomain.com to Dropbox, and they mail me from different addresses, I would be able to catch them all and put the "Dropbox" tag on them all, rather than having to make a filter for *@dropbox.com or some other extraordinary measure for classifying their mail.

It's part of the RFC, and supported by every mailer that I know. What part of this technique seems like obfuscation?

[k3n]

I guess that's the disconnect, because I do consider my email address secret -- since it is 1/2 of the information required to access my Google account, I take great measures to make sure that outside parties never see it (as best I can). If I can prevent any site from ever knowing that address, then my chances of being targeted (phishing, brute-force, whatever) are drastically reduced.

So, if you only use +tag for your own personal organizational purposes, then have at it! But if your goal is to conceal your account ID with Google in the interest of personal security, then you really need a better angle.

[yebyen]

That's very well reasoned, I hadn't thought of it that way. Upvotes!

[k3n]

Cheers! Thanks for the discussion, I enjoyed it.