Sunday, July 15, 2007

how NOT to fight spam with gmail

there's a rather misguided piece of gmail-related anti-spam advice that crops up from time to time and has been seen most recently here, here, and here... i try to debunk this whenever i see it but gosh darn it the blog comments just don't seem to be getting through to people so . . .

the basic idea is to transform your gmail address (using the well known transformations of adding extraneous dots or the '+keyword' trick) when you give it out to sites so that when (not if) the address gets misused by spammers you can easily make a filter to delete mail sent to that address...

here's an example: the.president@gmail.com

here's another example: thepresident+nopoliticalmessagehere@gmail.com

now, these tricks are well known, they're easy to apply, but most importantly they're easy to reverse because all the information needed to determine what the true gmail address is must remain present for the tricks to work... if you know that google ignores any dots before the @ sign can you guess what address email to the.president@gmail.com gets delivered to? yeah, thepresident@gmail.com... further, if you know that everything between the + and @ gets ignored (+ inclusive) can you guess where email to thepresident+nopoliticalmessagehere@gmail.com gets delivered to? once again, thepresident@gmail.com...

doesn't seem like rocket science, in fact, it's so easy you can write a program to do it for you - and not to put too fine a point on it but it's almost a certainty that someone already has and put the functionality into an email address management program used by email harvesters and spammers...

that means this trick has next to no value in actually combating spam... i've written before about handing out special email addresses to web sites to help stop spam but the key aspect to that, the thing that makes it actually work, is that your true email address remains secret... not only does the gmail id aliasing trick not keep your true gmail address secret, it gives the spammers the opportunity to create arbitrarily many other aliases so that you can never filter by alias - if you filter out mail to the.president and thepresident, mail to t.h.e.p.r.e.s.i.d.e.n.t will still get through as will mail to thepresident+wants.v1agr4...
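to make the point concrete, here is an added example (not part of the original post) that applies the two rules above to the addresses used in this post: a filter keyed on the literal aliases you handed out misses every fresh variant, while a filter keyed on the canonical mailbox catches them all, which is exactly why the alias itself carries no secret... it assumes googlemail.com behaves like gmail.com and that other domains keep dots and tags as-is.

```python
from typing import Iterable

# Domains where "dots before the @ are ignored" applies.
# Assumption: googlemail.com is treated the same as gmail.com.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Reduce an address to the mailbox Gmail actually delivers to.

    Rules described in the post: everything from '+' up to '@' is ignored,
    and dots in the local part are ignored. Both applied only for Gmail
    domains; other domains are just lower-cased.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain not in DOT_INSENSITIVE_DOMAINS:
        return f"{local}@{domain}"
    local = local.split("+", 1)[0]      # drop the '+keyword' tag
    local = local.replace(".", "")      # drop extraneous dots
    return f"{local}@{domain}"


def alias_filter_blocks(handed_out: Iterable[str], recipient: str) -> bool:
    """Filter keyed on the literal aliases you gave out (what the post criticises)."""
    return recipient.strip().lower() in {a.strip().lower() for a in handed_out}


def canonical_filter_blocks(base: str, recipient: str) -> bool:
    """Filter keyed on the canonical mailbox: matches every re-dotted or
    re-tagged variant a spammer can mint from the same base address."""
    return canonical_gmail(recipient) == canonical_gmail(base)


if __name__ == "__main__":
    # Constructed sample recipients, taken from the examples in the post.
    handed_out = ["the.president@gmail.com",
                  "thepresident+nopoliticalmessagehere@gmail.com"]
    fresh = ["t.h.e.p.r.e.s.i.d.e.n.t@gmail.com",
             "thepresident+wants.v1agr4@gmail.com"]
    for rcpt in handed_out + fresh:
        print(f"{rcpt:46} alias-filter={alias_filter_blocks(handed_out, rcpt)!s:5} "
              f"canonical-filter={canonical_filter_blocks('thepresident@gmail.com', rcpt)}")
```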

these tricks can be useful for organizing incoming mail, but if you want to combat spam by handing out special email addresses you have to use addresses that keep your true address secret...

4 comments:

cdman83 said...

I agree that this is very easy to detect and to circumvent. However, security is a game of probabilities / percentages. If this method can stop a significant percentage of the incoming spam, it is still useful.

I never used this technique (in fact I never really used my GMail account), however I think that the feature is (still) restricted to geek circles mostly, so that it doesn't present interest / challenge to the spammers yet.

In conclusion (IMHO):

Hack? yes.

Perfect? far from it.

Effective? temporarily.

kurt wismer said...

if each and every spammer were cleaning their mailing list by hand then maybe this method would have a chance of having a significant impact, however i very much doubt spammers go to that kind of effort as opposed to just using tools that someone else has built...

for those that do use such tools, the ones that give them the best reach (which they can measure) are going to be the ones that they prefer to use... and ones that automatically strip the extraneous data out of gmail addresses are going to give them better reach than those that don't...

zenjunkie said...

What if you start a new gmail account and give out the address with the "." in it only to those that you want to contact you, and without it to anyone who might pass it onto spammers...

kurt wismer said...

@zenjunkie:

that's actually a good point... if the base address is one that you don't accept any mail at then using the "." trick won't expose an address that you actually use...

or will it? a spammer could insert dots of their own, how exactly would you handle that? sure you can filter out all the mail to the base address but what about mail to y.o.u.r.n.a.m.e@gmail.com or y.our.name@gmail.com or you.rn.ame@gmail.com, etc... you might be able to manage all the filters but at the end of the day is it really easier than just using disposable email addresses?