Re: [Gmail-Users] The ultimate anti-spam solution (Google doesn't want)

[Zack (Doc)]

Um... GMail's had that since day 1.  It's called plus-addressing.

http://goo.gl/tgRi4

On Sat, Dec 1, 2012 at 5:41 AM, Chromwell <rax...@gmail.com> wrote:

I have found something called "disposable email address" (aka email sub-addressing). The idea is simple yet powerful: every time you give your email address, you add a tag to it that identifies the person or web that will use it. For example, suppose your email is jo...@gmail.com. You sign up for eBay, and you give them this email: ebay...@gmail.com If the web sells your email to spammers, you will always know who is to blame.

This service is currently available, but, surprisingly, it's not mainstream.

----------

Back in 2008, just two weeks after Chrome's initial release, I made some suggestions.

https://groups.google.com/d/msg/google-chrome-help-suggestions/Dnxl28ZLVvI/wQQbUs00xKwJ

First was, in order to increase market share, to add special features to Google Search available exclusively to Chrome users. Of course, nobody listened to me.

Years later, I found that Google started to add those exclusive features.

http://www.pcworld.com/article/230305/google_adds_voice_search_to_chrome_browser.html

Other suggestion was to speed up search result links by prefetching.

And Google did it again:

http://www.pcworld.com/article/230291/Google_Instant_Pages_Pre_Renders_Websites_Saving_Seconds.html

Last suggestion was a function to search in the current page, highlighting any of the words (i.e. a multi-word search, the way search engines work).

This year came out a new add-on called MultiHighlighter. The disappointment is that it's not created by Google, though it is exclusive for Chrome.

My new prediction for the next years it that some major email provider will start using email sub-addressing to tackle spam.

--
You received this message because you are subscribed to the Google Groups "Gmail-Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/gmail-users/-/mtFmdIpL8qUJ.
To post to this group, send email to gmail...@googlegroups.com.
To unsubscribe from this group, send email to gmail-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/gmail-users?hl=en.

[Kenneth Ayers]

Plus-addressing isn't quite the same as disposable email addresses.  For one thing, your real Gmail userid is revealed, i.e., the part before the plus, and there isn't a way to disable delivery of emails to a plus-address other than to filter them into the trash or spam.

Yahoo! is actually superior to Gmail in their implementation of this.  With Yahoo! you select a base name for the disposable email adresses that is different than your userid and then specifically allocate each disposable email address you want to use by pre-identifying it in your options.  So if my Yahoo! ID is yahooname but I don't want to have to reveal my real email address to everyone, I can create a basename such as aliasname and then identify a sender account such as ebay and that will create the disposable email address aliasna...@yahoo.com.  If I then give that address to Ebay and eventually start receiving spam there, not only do I know who to blame but I can also disable delivery of emails to that address by removing the sender ebay in my options.  Emails sent to that address will then be returned as undeliverable and the spammer will have no clue what other address to use to spam me.

Yahoo!'s disposable email address implementation isn't in the free version though.  It comes with a Yahoo! Mail Plus account which costs $19.99 a year.  That's a good deal though since that also includes elimination of ads from your Yahoo! Mail page.

Kenneth

[Nick Chirchirillo]

I think what Zack is saying is that Gmail has had the feature that Chromwell described since the start.

Chromwell suggested something like username...@gmail.com

While Gmail has always allowed for username...@gmail.com

--
Nick Chirchirillo
nickchich.com

[Don Fadden]

Brillent stuff!

Don

Sent from my iPhone

[Randy Harmelink]

One of the things I don't like about plus-addressing is that it still reveals your email address. They could easily strip off any "+" suffixes. Plus, I haven't found a way to reply to messages sent to them -- they go out with your normal GMail address (unless I'm missing something?).

I prefer the Yahoo method -- you create a prefix of your own choosing, then add suffixes as needed. But all the emails go to your main Yahoo address. So I might have:

xxx123...@yahoo.com
xxx123-...@yahoo.com
xxx12...@yahoo.com

The "xxx123" is the consistent prefix. But there's no way from those to know my Yahoo email address.

[Zack (Doc)]

ok... so they can still strip off with the Yahoo version, and you don't get it for free.  You could do the same in GMail by setting up another free account (aliasname) and using the plus addressing with it, and having it auto-forward to your "real" gmail account.  Then to turn off the sender, you go to the aliasname account and set a filter on that name to trash/spam.  You could set up sending for the other name in your real account because you'd get a copy of the confirmation e-mail used when turning on "send mail as".

Alternately, you can do what I do, which is to set up a free account on something like SpamGourmet, which did the "dot" addressing like Yahoo does, but started it years ago.  They have like 20+ domains you can use, and all you have to set up the aliasname and tell them where to forward it.  I have it forwarded to a plus address on my gmail, so I'm combining the best options of both, and doing it for free vs paying for Yahoo which does other things that I don't like anyway.

--
You received this message because you are subscribed to the Google Groups "Gmail-Users" group.

[Randy Harmelink]

No, they can't still strip off with the Yahoo version, because with these yahoo email addresses:

xxx123...@yahoo.com
xxx123-...@yahoo.com
xxx12...@yahoo.com

...there is no xxx...@yahoo.com email address. But, yes, it does cost.

But I like your idea of setting up a second GMail account for the same purpose. To tell the truth, I didn't know there was a "Send mail as" option on GMail.

[Randy Harmelink]

You shouldn't need to set up 10 accounts. Just one new one, and then use plus addressing on it. You can delete anything that doesn't go to a plus addressing on it.

On Sat, Dec 1, 2012 at 2:49 PM, Chromwell <rax...@gmail.com> wrote:

Zack's method is acceptable. Who doesn't have two emails, one for friends and other for web forms? But the concept we are talking is more complex. Using tags you can track lots of sources (that is the question, to track spam). I think nobody will take the effort to set up 10 accounts, each one for each web he signs up.

[Zack (Doc)]

As Randy said, don't set up 10, just one.  I offered a way to send, as does SpamGourmet.

To your point, "what's Google waiting for."  I say nothing.  I think they have a service that's as good or better than what Yahoo is offering, and for free.  There's no point in them duplicating a service that someone else already offers for free, especially when you can just combine it with your GMail account, as I have.

And to your point... in the hundreds of times I've seen it used, I've never really seen someone "figuring out the real address" and using it to create a significant increase in spam.  Anyone interested in selling your address just sells it outright.  Since plus signs, dots and hyphens are valid characters, there's no guarantee that the plus would be a clear sign that it could be removed.  The person would have to be specifically familiar with GMail's system, and then they're still going to get caught by the Bayesian Spam filter, so no great benefit to the work it would take them to get to you.  And if they do know your "system" and want to generate the messages, it's too easy...

alias...@yahoo.com

alias...@yahoo.com

alias...@yahoo.com

I could easily flood your box and you'd have NO protection against it.  As a security professional I understand the paranoia about abusing your e-mail; but there are times when you take the paranoia too far, and it's ridiculous.

On Sat, Dec 1, 2012 at 4:49 PM, Chromwell <rax...@gmail.com> wrote:

Ok, guys, thank you for sharing your opinions and wisdom, especially Kenneth.

First of all, the notation is just a question of taste, whether you use plus, hyphen, dot or whatever. You can check that email address standard supports most ASCII characters. http://en.wikipedia.org/wiki/Email_address#Valid_email_addresses

As Kenneth has correctly pointed out, Gmail's plus-addressing is useless: not only the real email can be obtained subtracting the tag, but plus-addressing is just for receiving, not replying.

I got to admit my ignorance about Yahoo's service (I can't know everything).

The pity is that it's a paid service, so I don't know what's Google waiting for.

Zack's method is acceptable. Who doesn't have two emails, one for friends and other for web forms? But the concept we are talking is more complex. Using tags you can track lots of sources (that is the question, to track spam). I think nobody will take the effort to set up 10 accounts, each one for each web he signs up.

There are companies like SpamGourmet offering the service, but in some cases they are just forwarders, not a full email provider.

http://email.about.com/od/disposableemailservices/tp/disposable.htm

What is for sure is that these technics are unknown to the majority of email users like me.

Chromwell.

--
You received this message because you are subscribed to the Google Groups "Gmail-Users" group.

To view this discussion on the web visit https://groups.google.com/d/msg/gmail-users/-/4eytpvEdWZcJ.

[Kenneth Ayers]

On Sat, Dec 1, 2012 at 1:49 PM, Chromwell <rax...@gmail.com> wrote:

Ok, guys, thank you for sharing your opinions and wisdom, especially Kenneth.

First of all, the notation is just a question of taste, whether you use plus, hyphen, dot or whatever. You can check that email address standard supports most ASCII characters. http://en.wikipedia.org/wiki/Email_address#Valid_email_addresses

As Kenneth has correctly pointed out, Gmail's plus-addressing is useless: not only the real email can be obtained subtracting the tag, but plus-addressing is just for receiving, not replying.

I didn't say it was useless.  I actually prefer Gmail to Yahoo! Mail for many reasons.  But since you brought up disposable email addresses, which is the exact phrase that Yahoo! uses to describe their Mail Plus alias system, I thought I'd point out the advantages that Yahoo!'s service has over Gmail in that one area.  Plus-addressing can certainly be useful though I haven't used it much. 

Kenneth

[Kenneth Ayers]

On Sat, Dec 1, 2012 at 4:50 PM, Zack (Doc) <za...@tnan.net> wrote:

 

alias...@yahoo.com

alias...@yahoo.com

alias...@yahoo.com

I could easily flood your box and you'd have NO protection against it.  As a security professional I understand the paranoia about abusing your e-mail; but there are times when you take the paranoia too far, and it's ridiculous.

To be fair to Yahoo!, that's not how the DEA addressing works.  You wouldn't be able to flood my inbox and I do have protection against it.  The aliasnam...@yahoo.com disposable address only exists if I have selected suffix1 in my options.  If I were to suddenly get lots of spam at that address, I can "dispose" of it and use some other suffix instead.  Emails that continue to be sent to suffix1 would be returned as undeliverable.  

When I was using Yahoo! Mail more actively, I'd create a different DEA for each company I dealt with, e.g., aliasname-jcpenney, aliasname-latimes, etc.  If I were to suddenly begin getting spam at one of those addresses, I at least knew the source that had perhaps carelessly shared my email address.  If it were JC Penney, I could just delete the aliasname-jcpenney DEA and create an aliasname-jcpenneykeepthisoneprivateplease DEA and change my JC Penney account info to the new address.  Spam being directed to the old address would no longer get delivered because the DEA was deleted.

I guess you could just try guessing what other suffixes I might be using with my aliasname, which isn't the same as my userid, but you'd have to guess right for it to be delivered.  That's a bit different than plus addressing where they all get delivered thus requiring me to filter the spam.

Kenneth

[Randy Harmelink]

Actually, you can set the plus-addressing up for the "Send Mail As" option on your main GMail account.

I just set up an alias for my plus-addressing, to prevent my main address from being found. You can then set up a filter to auto forward to the main address. And you can set up the alias plus address as a "Send Mail As" option so that you can reply using it from your main address.

As far as I'm concerned, that more than covers all the abilities of Yahoo's disposable addresses. It just calls for a little setup work for each new alias plus address.

[Randy Harmelink]

I've run into at least one site that wouldn't accept the plus sign in the email name, but they were years ago when I was just starting to try out the plus addressing.

And, BTW, I found out you can log in to both accounts (main and alias), and easily switch between them.

[Zack (Doc)]

So you have to set up the suffixes in advance?  That's an awful lot of work for a disposable address.

--

You received this message because you are subscribed to the Google Groups "Gmail-Users" group.

[Andy]

As Kenneth has correctly pointed out, Gmail's plus-addressing is useless: not only the real email can be obtained subtracting the tag, but plus-addressing is just for receiving, not replying.

I beg to differ.  I use Gmail plus-addressing, and I can send with it as well as receive.  Go to Settings > Accounts and tell it you want to "Add another email address you own."  Enter the plus-address, go through the process, enable it, and voila, you can send emails with that plus-address.

As for spammers getting your real base address, yes that's possible, but remember they don't have humans looking at our addresses and figuring that out.  They just take the address and sell it around to other spammers.  Yes, it's only a matter of time until they program their computers to look for Gmail plus-address, though.

The big problem I have with plus-addressing, is that about 50% of the time I go to use it, the service (where I am trying to use a plus-address) rejects it because it thinks a plus-sign is not a valid character in an email address.  Arrgh!  So then I am left using just my base address.  Or opening a new Gmail account just for that one use.

Andy

[Andy]

Why do you say "Google doesn't want"?

I'm wondering how you came to that conclusion.

[Randy Harmelink]

Not that much. It's just an extra step or two when subscribing to a new website that wants an email address.

But it also means if I delete the disposable address, no more emails will be received.

With GMail, I still have a front-end step to take -- creating a filter to forward the plus addressed aliases to go to my main email address. And then change the filter on the back end to delete the same emails if I want to deactivate it.

[Zack (Doc)]

Not necessarily.  With Plus addressing (and the way spamgourmet works), I don't have to pre-create anything.  I can make one up on the fly and it will work.  Using the two account forwarding method I mentioned, I would set the aliasname account to auto-forward all.  Then I don't have to pre-create the filter.  Spam is never forwarded, and if I find one I gave out is used only for spam, I then create the filter for it at that account.  With Spamgourmet, I login to their site and expire the autocreated address.  It also has options to format the address I give out to make it exclusive to a single sender, and set a specific number of valid messages before it is auto-expired.  All without visiting the site in advance.

[Zack (Doc)]

Agreed Andy that this was a problem, but I see the number of sites incorrectly calling it invalid are decreasing.  However, that's one of the reasons I went to SpamGourmet cause they use the dot notation.  GMail painted themselves into a corner out of the gate by ignoring dots in addressing, but allowing them in usernames.  This confuses a bunch of people who think they can delete a.n.other account and recreate an.other account, or that they are getting someone else's e-mail.  But this also makes it difficult (if not impossible) for them to use the dots for the disposables.

[Zack (Doc)]

Actually... for your pre-authorized statement... I tell them it's ebay.*.jo...@spamgourmet.com and whomever sends to it first is the only authorized sender.  From their interface I can specify a domain as the authorized sender, so I can get ab...@ebay.com and sa...@ebay.com all allowed to use it.

And trust me, it's not worth it to them to get that complicated.  There are already MILLIONS of GMail (and yahoo, hotmail, aol, etc) users that they have a treasure trove for their generating addresses with just a...@gmail.com b...@gmail.com c...@gmail.com... more than enough to keep their generators busy, and even THAT isn't worth it to them.  They are far better served by buying addresses (they know they're getting a real person) scamming sites, bot surfing, etc.  It's not really that big of a game for them.  $100 for 1 million verified addresses is a HIGH cost right now, so randomly generated, or figured out addresses are worth even less to them.

BTW, when you think about the volume of spam, remember this simple "fact" I got from a spam fighting organization a few years back... 80% of all Internet spam is generated by 4 people, 3 of them Russian....

Their business is far too lucrative as it is for them to seek innovation in determining a valid address.  Right now, they just keep fighting with how to get it past our spam filters.

On Sun, Dec 2, 2012 at 6:53 AM, Chromwell <rax...@gmail.com> wrote:

First, I stand corrected, we can send email using Gmail plus-addressing.

I see that Zack's method of using two layers is convenient (you use a first email as firewall for the real one). Ok, but things could be easier, and with less user intervention creating crafty filters, labels, forwarders, and so on. Besides that method only works by preauthorizing. That way, your "firewall email" only will forward to your real email the authorized senders. Otherwise, you'll receive messages to zack...@gmail.com.

Yes, I can tell you the only way to efficiently go is by setting up the authorized senders in advance. But, this could be as easy as typing a little in the address bar:

server.com/userid:PIN:someword   For example: ma.il/jondoe:1234:ebay

The server will receive the data and create automatically a new email: jondo...@server.com

The PIN could be a 4-digit number the user knows (not his email password) for this purpose.

(Maybe someone is listening to this suggestion).

During this time, I've tried SpamGourmet and I've found a flaw in their concept. The disposable addresses are created on the fly, not in advance. That means that you need to receive first an email and then authorize it. That is, someone could flood your inbox with asdf1...@spamgourmet.com, asdf2.user@... asdf3 ... etc. They propose the use of "watchwords", when creating tags, but I find it tricky and not foolproof. All of you say "spammers don't get complicated" but someone could give you a couple of simple lines of code to search specific domains and patterns. I assure you that if something is worth, they will go for it. What happens is that all these technics are not mainstream (only 10% of email users?, maybe just 1%? I don't know), so spammers even don't bother. The paradox with their system is that you don't authorize your disposable address, but the sender's email. For instance, I tell eBay my email is ebay...@spamgourmet.com. I need to wait for their first email, and then create a "trusted sender" with a concrete email address. WTF? What a pain to create at the end a simple email whitelist!

I've never used plus-addressing, but if you guys are saying that it's been rejected, webs should know that an email address supports a big deal of ASCII characters.

I said "Google doesn't want" before I knew they have plus-addressing (though it is a labeling service, not actually a DEA).

Thank you for your ideas.

Chromwell.

--
You received this message because you are subscribed to the Google Groups "Gmail-Users" group.

To view this discussion on the web visit https://groups.google.com/d/msg/gmail-users/-/9AufbpmiDlAJ.