
Rob Sears


Rocket scientist. Computer hacker. Geek before it was cool.

BTC Donations:
1AU9qGkSubhR24r8Y4WEoV8bccZjeT2dKg

A while back, while playing ‘RegEx Golf’ for email extraction, I found out that the ‘+’ sign is a valid character in the local part of an email address. Not only that, but many mail systems (including Gmail) treat everything after it as a tag and deliver the message to the base mailbox: mail sent to <username>+<tag>@gmail.com lands in <username>@gmail.com. Once I learned that, I had a brainstorm.

I’ve had my email address for so long that I get tons of spam and phishing attempts. It’s ended up on HaveIBeenPwned.com a few times, and I’m sure that some random services have sold my data to a broker.

Attackers have long had tools that automate trying a breached email address and password against many other services (credential stuffing). I use a password manager and MFA, so it’s not a huge security risk, and mostly what I deal with is a deluge of spam with the occasional failed-login report or password reset attempt.

It’s annoying, and I don’t really have any recourse other than to migrate mailboxes. Even then I wouldn’t really be solving the problem, because the same shit would eventually happen to the new mailbox.

When I read that the + sign in an email address allows for automatically applying filters or other actions based on some tag, I started thinking about other ways I could use it.

I started updating contact information and using a new format whenever I needed to sign up for something online:

<username>+<service>-<salt>@gmail.com

So for example, instead of using my Gmail account for my Twitter login, I would use something like this:

I’ve been doing this for a while now, and it’s cut down on the junk dramatically. Sometimes I have to tell someone my email address though, and they get confused as hell. Like, the cable company will ask me where they should email a work order, and I’ll say:

Just send it to rob plus time warner dash six one echo beta four delta at gmail dot com

There will be a long pause, and then something like:

Uh… no, I need your email address. What is your email address?

So there’s kind of a disconnect when telling a person about it (and the occasional sign-up form rejects the ‘+’ character outright). It works fine from a technical standpoint though, and it turns out to be really useful for leak detection and bulkheading.

Leak detection?

The more places you sign up with your email, the more likely that email address is to be leaked or stolen or sold off to spammers. When someone starts spamming your email address, you don’t know how the spammer got it. This is one reason why temporary inboxes are a thing, although they’re not practical for every situation.

But let’s say you had to sign up somewhere with your personal email address. If you sign up with an email address tagged with the name of the place, and then later spam starts arriving at that address, then you know exactly where the leak is. You can then:

  • Alert the place where the email address leaked from
  • Update your email address with a new tag
  • Update your inbox filters to automatically delete any messages sent to the old tag

Boom! Automatic inbox organization and easy spam filtering! Once someone starts spamming a tagged email address, you just need a filter to send all mail with said tag to the trash. Lovely!

Bulkheading?

Bulkheading is the principle of limiting the damage from a failure by partitioning. In shipbuilding, for example, bulkheads divide the hull into compartments so that if it is breached, water only floods the damaged compartment instead of sinking the whole boat.

The same principle applies here: you don’t want one compromised login to threaten any others.

A really common thing that happens when a site is breached is that attackers get a copy of the database tables containing usernames, email addresses and passwords (hopefully hashed and salted).

They can throw a ton of tools at cracking the password hashes offline. But even without a password, they can figure out where else your email address is registered: social media, financial institutions, your work, whatever. The results can be used for phishing or even spearphishing against you.

In short: if you reuse the same email address across many services, then a breach at any one of them puts all the others at risk. Multiple breaches involving your email give attackers more vectors with which to target you.

But if you consistently register with a tagged email, and that tag is unique to the site, you’ve created a bulkhead. The compromised address is only used on one site, so credential-stuffing tools that try your leaked address and password elsewhere won’t find a matching account. One caveat: the tag is visible to whoever holds the dump, and anyone who recognizes the convention can strip it and try the bare address instead, so the bulkhead only holds if the bare address isn’t itself a login anywhere.

What Did You Say About Salting?

Tags alone are a small hurdle against automated attacks, but if your pattern is easily guessed and reproducible by an attacker, then your bulkhead is weak.

Suppose a hacker is looking through a database dump of user records (or the logs of her automated account takeover tools) and sees your email: [email protected].

This hacker is clever, and she realizes that you’re using tags to bulkhead your emails, and assumes those tags follow a predictable format. So she launches attacks against all kinds of variations: [email protected], [email protected], etc, to try and recon those services. Most will fail, but some will probably succeed.

This is where salting comes in. The “salt” in this case is really a short keyed hash: the tag and a secret phrase are run through a hash function together and the result is truncated to a sane length. You keep a simple pattern that you can easily remember, but without the secret an adversary can’t reproduce it. Bulkheading with a salt means that knowing one of your login emails doesn’t let an adversary derive the one you use for any other service.

Example

It’s not really that difficult. I use a really simple Ruby script to generate the email address I should use when signing up for a service I want to bulkhead:

#!/usr/bin/env ruby

require 'digest'

# Base address the tags hang off, e.g. you@gmail.com.
puts 'Enter your email:'
email = $stdin.gets.chomp

# Short, memorable name for the service; this becomes the visible tag.
puts 'What label do you want for this site?'
label = $stdin.gets.chomp

# The secret is the only thing that has to stay private. Reuse the same one
# everywhere so that every address can be regenerated later.
puts 'Enter a secret key:'
secret = $stdin.gets.chomp

# Salt = hash of label + secret, of which the first six hex characters are kept.
salt = Digest::MD5.hexdigest("#{label}#{secret}")

# Split on the first '@' only, in case the local part itself contains one.
mailbox, domain = email.split('@', 2)

puts "Use this for your email: #{mailbox}+#{label}-#{salt[0..5]}@#{domain}"

So from a terminal, it might look like this:

Enter your email:
[email protected]
What label do you want for this site?
facebook
Enter a secret key:
something i remember
Use this for your email: [email protected]

Now an adversary who discovers that my facebook login is [email protected] can’t infer anything else useful. If he tries [email protected] it will fail because the salt is wrong.

The only path forward is brute force. Against any other service, that means guessing BOTH the tag for the service and the salt. The weak point is the secret itself: one known tag/salt pair is enough to test candidate secrets offline against the truncated hash, so the secret needs to be a proper passphrase rather than a single word, and a keyed hash such as HMAC-SHA256 is a better fit for this than bare MD5. Even if he somehow found an active address, he wouldn’t necessarily have the right password, and he would have to repeat the process for every other service he wanted to attack.

So it doesn’t make hacking or reconnaissance impossible, but it makes the process orders of magnitude more difficult, to the point that it’s just not worth it.
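The pieces above (the salted-tag derivation, the inbox-side check that tells a genuine tagged address from a guessed one for leak detection, and the offline attack a weak secret has to survive) put together as an added Ruby example. This is not the post’s script: it keeps the same <mailbox>+<label>-<salt>@<domain> shape but derives the salt with HMAC-SHA256 keyed by the secret, which is a swapped-in choice, and the original MD5 derivation is kept only to show the attack against it. The function names, the address alice@example.com, and the sample secrets and recipient addresses are all constructed for the example.

```ruby
#!/usr/bin/env ruby
# Added example, not the post's script. Function names and sample data are
# this example's own; the HMAC derivation is a swapped-in hardening.
require 'digest'
require 'openssl'

SALT_LEN = 6 # hex chars kept from the hash, matching the post's salt[0..5]

# The post's derivation: MD5(label + secret), truncated.
def md5_salt(label, secret)
  Digest::MD5.hexdigest("#{label}#{secret}")[0, SALT_LEN]
end

# Hardened variant: the secret is an HMAC key rather than bytes appended to
# the label. Same address shape and same usability as the original.
def hmac_salt(label, secret)
  OpenSSL::HMAC.hexdigest('SHA256', secret, label)[0, SALT_LEN]
end

# <mailbox>+<label>-<salt>@<domain>, the format used throughout the post.
def tagged_address(email, label, secret)
  mailbox, domain = email.split('@', 2)
  "#{mailbox}+#{label}-#{hmac_salt(label, secret)}@#{domain}"
end

# Splits a tagged address back into its parts; nil if it is not in the format.
# The salt is the last '-'-separated run of SALT_LEN hex chars before the '@',
# so labels themselves may contain hyphens.
ADDR_RE = /\A([^+@]+)\+([^@]+)-([0-9a-f]{#{SALT_LEN}})@([^@]+)\z/

def parse_tagged(address)
  m = ADDR_RE.match(address.strip)
  return nil unless m
  { mailbox: m[1], label: m[2], salt: m[3], domain: m[4] }
end

# Leak detection for an inbox filter: given the recipient address of an
# incoming message, report whether it is a genuine tagged address (its label
# names the service that leaked it), a variant with a wrong salt (someone
# guessing the pattern), or not tagged at all.
def classify_recipient(address, secret)
  parts = parse_tagged(address)
  return :untagged if parts.nil?
  parts[:salt] == hmac_salt(parts[:label], secret) ? :genuine : :forged
end

# The offline attack the salt has to survive: an attacker who saw one real
# (label, salt) pair in a breach dump can test candidate secrets locally and
# never touches a login form. With a guessable secret this succeeds, and the
# attacker can then derive the address used on every other site.
def recover_secret(label, salt, candidates)
  candidates.find { |c| md5_salt(label, c) == salt }
end

if __FILE__ == $0
  secret = 'correct horse battery staple' # constructed; use a long passphrase
  addr = tagged_address('alice@example.com', 'facebook', secret) # constructed
  puts "Sign up with: #{addr}"

  # Constructed recipient addresses as they might appear in incoming mail.
  [addr, addr.sub(/-[0-9a-f]{6}@/, '-000000@'), 'alice@example.com'].each do |to|
    puts "#{to.ljust(40)} -> #{classify_recipient(to, secret)}"
  end

  # Weak secret under the post's MD5 scheme, attacked from one leaked pair.
  leaked_salt = md5_salt('facebook', 'password1')
  found = recover_secret('facebook', leaked_salt, %w[letmein password1 hunter2])
  puts "Recovered secret: #{found.inspect}"
end
```

Run it with ruby to see a generated address, the classification of three constructed recipients, and the secret ‘password1’ recovered from a single leaked MD5-style tag/salt pair. Twenty-four bits of truncated hash are plenty for the mail filter to reject a guessed address, but they are also a cheap oracle for the attacker, which is why the strength of the secret, not the length of the salt, is what the scheme rests on.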

Does That Mean You Have Hundreds of Email Addresses to Memorize??

No, of course not. I use a password manager like a normal person.

But even if I didn’t, or lost access to it, there’s no problem. I don’t need to remember lots of addresses. Just one pattern: my actual email address and a secret key. If I lost all of my logins, I could just regenerate them all with my little Ruby script.

In fact, as long as I have access to my email, I can just look up a message I received from the service and get the login email from the To: header.

So… Great Idea, or Greatest Idea?

It sounds a little cumbersome at first, but it’s honestly not that much effort. And the benefits are measurable, if for no other reason than the productivity of having everything automatically sorted, labeled and processed when it arrives in the inbox. There’s peace of mind in knowing that a breach on one site won’t let an adversary discover any other sites I’m registered on.

But I don’t know anyone else who does this. So maybe I’m just a weirdo.