How Plus Addressing Can Prevent Spam

I'm Kev and I'm a Cyber Security professional from the UK. I started this blog so that I could share my thoughts on the things that interest me. That's usually technology, Linux, open source, and motorbikes.


  1. Plus addressing seems very easy to circumvent. “kevquirk+spotify@fakemail.com” could be rather quickly checked for +spotify or any +string, so if a spammer wants to get your email they could. But in the millions in a database, you would be safe if the attackers don’t check the data for such things.

    I don’t know of a better solution other than using a lot of aliases against this, which also could be seen as overkill. Like “kevquirkspotify@fakemail.com” and would only really be feasible cheaply if you host your own mail server or find a service that gives out aliases like candy.

    1. Yeah, it would be simple to circumvent, but my rationale, as you alluded to in your comment, is that most threat actors are unlikely to go through a cred dump and check for, or add, things like this.

      Aliases are another way of doing it, yeah, but you would have to manually set one up every time, which would annoy me after a while.

  2. I have used the same technique for many years. I recommend using your own MTA and using – instead of +. Many times I find web forms refusing addresses with a + in them.

    1. Fastmail’s solution seems to be the best (see link in article). I use Fastmail and have not had anything flagged yet. I assume that’s because it’s using a subdomain for the “plus” address, not an actual plus symbol.

  3. I’ve been using “plus addressing” for a while now and, for the most part, it Just Works. However, there are those odd occasions where it doesn’t — usually the result of faulty input validation logic (the service won’t allow you to create an account using a “plus address” or the service allowed you to create an account using a “plus address” but won’t recognize it after the fact when logging in). I also had a weird issue with Heroku where they (initially) wouldn’t recognize me as the account owner because I couldn’t send them an email using the “plus” variant of my email address associated with my account.

    1. I think the solution that my host has is probably a little better, where you don’t actually use a plus address, but rather a sub-domain. If you look at the Fastmail link in the article, you will see what I mean. I’m yet to have that flagged by any web form.
