Semi-Wildcarded Mail Addressing
From time to time I think about tricks for managing e-mail, and the other day I came up with an idea I hadn’t seen in practice before. I doubt it’s an original idea, but it seemed interesting to try and implement.
Most people end up using the same e-mail address everywhere, like chip@2bithacker.net. This is easy, it works, and it’s how e-mail was intended to be used in the first place. But you give it to some bad eggs and they sell it to some spammers and now you start getting junk to that address. So what do you do?
In the past, I’ve tried to use local-part extensions to identify who I gave the address to. These are usually things like chip+facebook@2bithacker.net, which many mail servers will treat just like mail sent to chip@2bithacker.net, but you can then filter on the +facebook part. Unfortunately, this is well understood by the spammers as well, so they can easily strip off the +facebook part and go about their business as usual. Also, there are websites out there that don’t think a + can be in an e-mail address, so they won’t accept it. There are various ways around this, of course. One could reconfigure their mail server to use a different characters, such as a dash or period, or even some letter if you wanted to be weird.
I’ve also seen people use virtual domain wildcarding to send any local-part at their domain to a default mailbox. In this case, you could just tell Facebook that your e-mail is facebook@2bithacker.net and it would still wind up in your inbox, and you’d know if Facebook gave your e-mail out to others if you start seeing non-Facebook e-mail coming in to facebook@2bithacker.net. This isn’t great though, as spammers regularly probe addresses trying to find common names to spam at, and with wildcarding, anything @2bithacker.net becomes a valid e-mail address to you.
So I had an idea, mostly building on the second use-case, but with some smarts added in. When signing up for a site, say Facebook, give them an e-mail address of facebook@2bithacker.net as above, but with your mail server configured such that mail to facebook@2bithacker.net is only accepted if facebook appears in the sender’s domain name. So mail to facebook@2bithacker.net is allowed from update@facebookmail.com, but mail from spammer@buystuffnow.com isn’t. In the latter case, the server will send back a 5xx error code just as if the address isn’t valid.
I’ve been trying to come up with a catchy name for this technique, something better than “semi-whitelisting” and I think Sender Domain Local-Part, or SDLP for short, might make sense.
It should be pretty trivial to implement as a Postfix policy server, and I’m working on a reference implementation there to try it out. I suspect it’d be pretty easy to do in Exim as well. I’ll try to remember to post again once I get it working.
