Question
It's pretty common among security-minded folks to fill in addresses using e.g. foo+company@gmail.com when disclosing their email address to company so that they can tell if company has sold their address if they start getting spam.
But is it just me, or is this pointless? It literally takes only one regex substitution to strip out the +company portion, and once that's done, the email address is bare. And from the point of view of a spammer, I don't see why this wouldn't be done.
Am I missing something? Is this actually effective? Why/why not?
Explanation / Answer
You're correct, the 'protection' is pointless against an adversary who's motivated enough to clean up their lists of email addresses. As pointed out by the OP, getting rid of +'s is trivial.
I've seen some security researchers (and others) create actual addresses instead, e.g. name.topic@... and set up aliases to their main address. The advantage is that you can use another primary address (not just name@...) and so you don't risk your actual address being found out and it's easier to revoke a spammy address.
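The contrast drawn in the answer, as an added example that is not part of the original question or answer: a plus tag can be normalized away to the deliverable bare address, while a dedicated alias reveals nothing about the primary mailbox and can be revoked on its own. The `AliasTable` helper, the domains and the addresses other than `foo+company@gmail.com` are constructed for illustration.

```python
import re

PRIMARY = "realname@example.org"  # constructed: the mailbox that is never disclosed


def strip_plus_tag(address: str) -> str:
    """The single substitution the question describes: drop '+tag' before '@'."""
    return re.sub(r"\+[^@]*(?=@)", "", address)


class AliasTable:
    """Hypothetical per-recipient alias table forwarding to one primary mailbox."""

    def __init__(self, primary: str, domain: str):
        self.primary = primary
        self.domain = domain
        self.active = {}  # alias address -> party the alias was disclosed to

    def issue(self, name: str, topic: str) -> str:
        alias = f"{name}.{topic}@{self.domain}".lower()
        self.active[alias] = topic
        return alias

    def revoke(self, alias: str) -> None:
        # Removing one alias leaves every other alias and the primary untouched.
        self.active.pop(alias.lower(), None)

    def route(self, rcpt: str):
        """Return (deliver_to, disclosed_to); (None, None) means reject the mail."""
        rcpt = rcpt.lower()
        if rcpt in self.active:
            return self.primary, self.active[rcpt]
        return None, None


def demo():
    table = AliasTable(PRIMARY, "example.net")  # constructed alias domain
    shop = table.issue("jo", "shop")
    news = table.issue("jo", "news")
    results = {
        # Plus addressing: the tag disappears and the real mailbox remains.
        "plus_stripped": strip_plus_tag("foo+company@gmail.com"),
        # Alias: nothing to strip, and the primary address is not derivable.
        "alias_stripped": strip_plus_tag(shop),
        "before_revoke": table.route(shop),
    }
    table.revoke(shop)  # the alias started receiving spam
    results["after_revoke"] = table.route(shop)
    results["other_alias"] = table.route(news)
    return results
```

The `disclosed_to` value returned by `route` is what identifies which recipient's copy of the address ended up on a spam list.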