Friday, September 22, 2023

If you use a period in your email address, be warned...

 

... it may be a security risk.  By that, I mean an email address like "Firstname.Lastname@ISP.com", with a period in the prefix before the @ sign.  Friend and fellow author John Van Stry reports:


I have the gmail address for my last name. Just me. I have it.

Now there aren't a lot of people with my last name in the world (less than a hundred) and SOME OF THEM use: FirstName.LastName for their gmail address.

Guess who ALL of their emails go to? 

NOT JUST THEM.

I have access to ALL of their toll pass accounts, their APARTMENT COMPLEX CODES, their MEDICAL INFORMATION, you ****ing name it and sooner or later I end up with it. Because they put a ****ing dot in their name and MOST mail software is bought at the cut rate version of buymart and guess what? It can't handle that DOT.

So if YOU have a dot in YOUR email name, understand that there is someone else out there who has the email that caused you to get the dot, and who is getting ALL OF YOUR PRIVATE ****.


There's more at the link.

This affects me, because I have several email accounts with a split prefix, that I use for different purposes.  I'm going to have to look into that, and probably change them - which is a lot of work, and a massive time sink, but I guess will have to be done for security reasons.

Technology.  Grrrrr!!!  (Also known as "Why won't the computer do what I want it to do, instead of what I tell it to do?")




Peter


22 comments:

  1. Even worse, a split second later you realize that it DID do what you told it to do, but you misspoke.

  2. If it's only gmail addresses that are affected, how about that domain for your backup blog? Could you get email accounts using that domain name added to the web hosting?

    (BTW, it might still be prudent to get somebody to finish getting that backup blog set up. One never knows when Google might decide you might be an unperson for linking to 2A blogs and such.)

  3. What controls which emails anyone receives is the server that appears after the "@".

    The server software at GMail has a bug that they turned into a feature. Before you get busy changing an email address, check if *that* domain's server has the bug^H^H^H feature.

    GMail's server won't even see first.last@myISP.net stuff because myISP.net traffic goes to myISP.net hardware, not GMail's.

    PS: Who uses a GMail addy anyway since they apparently analyze your text for ad leads?

  4. I’d spend some time looking into this a little more deeply before you make any changes. First off – it’s never a good idea to make a kneejerk response because “someone” (unless their day job is cyber security and you KNOW that they’re very good at their job) claimed some kind of security risk. The internet has been littered with far more wrong information (which is very different from “mis-information”!) than good, accurate advice over the years. And it keeps getting worse rather than better.

    Consider that the domain name (the part of the email address following the “@” symbol) plays into the issue as well. Per Google – their Gmail servers do not differentiate between bobsmith@gmail.com and bob.smith@gmail.com but they claim that they will not allow the creation of either email address if the other one already exists. Trust but Verify.

    If you do have an email address with a “dot” in the RecipientName (the portion before the “@” symbol) have a chat with your email provider to find out how they handle account creation if you're truly concerned about this.

    Something definitely got Mr. Van Stry riled up, and I’m sure that he’s a very intelligent and knowledgeable individual, but there’s a marked lack of actual technical information in his complaint. I’d certainly want some more information about the actual problem (including the full email header data to see exactly what’s going on) before I put any effort into the arduous process of changing email addresses.

  5. What steps are you using to remedy this? I have that same thing, only 2 dots are in mine.

    I found that there is a dotless version of my email address on the site I use. Hmmmmm......

  6. You simply need to get a keyboard with a DWIM key. Do what I mean. Old dad joke, sorry.

  7. This is a gmail specific thing and not a common problem with other providers. Google will allow the creation of email accounts with the dot even if they say they don't.

    On the flip side this is a great tool to fight spam crap and still use your regular gmail account. Sign up for things with the dot in different places in your address and then you can see which a-holes spam you and block accordingly.

  8. One more thought:
    Never mind the "dot issue": unless you're managing to use encrypted email, consider your emails like postcards with the entire text visible en route ... because it is.

    PII, credit card numbers, etc. simply don't belong in email.

  9. This is the old MatchGECOS thing again, isn't it?

    That was thought a beneficial feature way back when, and was even on by default in some cases when you bought and installed a new server... as in, 30 years ago or so...


    Then again a whole bunch of client-side applications also don't understand email addresses at all and try to conform them to some silly restriction that has no relation whatsoever with actual technical limitations. I wouldn't be at all surprised if one of those does something silly when given an unquoted . left of the @ ...

  10. Sigh... This is why gmail is NOT a primary, and yes, anything I put in email I figure multiple people are reading...

  11. It is an expense but consider owning your own domain and using that for e-mail. All your mail would then go to and come from your domain.

    That adds the opportunity to add SPF authentication, and possibly more, to prevent bad actors from spoofing e-mails that look like you sent them.

    What I particularly like is the "catch all" account in addition to several with dedicated names. All mail not sent to a named account ends up there. Once you have that happening you can have your mail program sort and file based on the incoming account name. I have a few dozen different ones, used for each company I deal with.

  12. As others have noted this is a gmail thing - https://support.google.com/mail/answer/7436150?hl=en. Other providers don't do this.

    Avoiding gmail is a good thing for many, many reasons, including the fact that google reads all your emails and regularly sends stuff to spam that isn't. Also google is very bad at receiving mail from sources they don't get lots of mail from (i.e. anyone that isn't also a major email provider (like microsoft or apple) or spammer or similar).

    Pay some $$$ and get a paid account with someone - I like proton mail but there are plenty of other choices. Adding my custom domain (dns by cloudflare) to a paid proton mail plan was pretty simple and not that costly. If you like, cloudflare can also do some email tricks too, but I haven't checked them, and people like Van Stry have semi-legitimate grievances with cloudflare over the way they protect ebook pirates.

    1. It is not a Gmail thing.

      Read the article at the link that was posted in the comment. You have it backwards. Gmail has many issues but this is not one of them.

  13. GMAIL HAS NOTHING TO DO WITH THIS!!!!! WHY DOES EVERYONE KEEP BRINGING UP GMAIL?

    I'm not talking about gmail at all, other than to say that the email account that gets these mails is a gmail account because so many people USE GMAIL.

    It's the SENDER'S EMAIL SYSTEM WHICH IS NOT GMAIL!!!!

    If everyone was using YAHOO or some other email provider the SAME EXACT THING would be happening!

    *sigh*

  14. Curious, I manage an Exchange environment and I know it does not ignore the "." in the e-mail addresses in the same manner as Gmail does, so it does not seem to be an issue in that environment. Google took a bug and made it seem a feature so my gmail account could be expressed with or without the "." and I'd still get the mail. Known issue, and not sure what the issue is? Are you claiming that someone with a portion of my e-mail address would somehow have access to my mail?

  15. Francis lists the Google support article in reference above. However, it is the opposite. It is a non-issue. Read the article.

    It is not a Gmail thing. It is potentially an issue on other platforms. Google is not ideal for a primary email account.

    Google developed an independent email server system in the early 2000s that acts differently in many ways from the standard email server systems.

  16. So what you're saying is that, much like transgendered people, e-mail addresses cannot have periods.

  17. @Aesop: Consider it menstrual mail. ;-)

  18. For proper email servers, a ".", "-" or "_" is just another character and has no special treatment ("+" does have a special meaning, but few email servers honor it).

    If the sender types the wrong address, the wrong person will get the email; it doesn't matter what the characters involved are. If that is a security problem for you, then you need to think about your security again. You are never going to be able to prevent other people from mis-typing an address.

    If google is treating "." as a special character that is optional and has no meaning, they are not following the specs of email, and therefore it would be up to them to address the problems it causes.

    I've run my own mail server for decades and run mail servers for pretty good sized businesses, they have all treated a . as just another character (like any letter or number) and it has caused no problems.

    I have a gmail address that has . in it, but my primary address is david @ lang . hm and I have a hard time convincing people that the address is really that simple, that there is no .com at the end of it (and some people's systems are stupid enough to not accept it because it doesn't have .com/.net/.org on it, which is why I maintain the gmail account to forward to my real email)

    David Lang

  19. I think many here are misinterpreting the problem as described.

    My email-address is local.part@provider.com

    J Van Stry is saying that there are some email systems (notably not Gmail, Outlook, Yahoo, but maybe the system used by your bank or doctor) where the sender's email system is going to interpret email addresses such as "local.part@provider.com" to mean "part@provider.com", stripping that period and all that comes before it from the distribution as it makes its way to my email service "provider.com", who will make it show up in the inbox of the fellow holding the "part@" address rather than mine.

    J Van Stry is seeing misdirected email showing up to his "surname@gmail.com" account that is addressed to email addresses such as a.surname@; Andrea.surname@; etc.; by all standards these should be distinct addresses, yet the message gets directed to him. And he says that this is not something that gmail is doing or controls.

    I'm kind of surprised that such a delivery-system bug could be common without seeing other evidence of it being mentioned in security forums, so I'm not 100% sure that this isn't just user error at a lower level. I had a poor fellow whose email address was the same as mine but at Yahoo instead of Gmail, and he could not, in the midst of a trip, convince his airline to change their records so that he got all of the many delay and change notices himself. I'm convinced it was a telephone sales agent at the airline that entered it wrong in the first place, but I do have about half a dozen people with my first initial and last name who inexplicably routinely give my email address to any business that asks them for their email address.

  20. Relying solely on regular expressions always breaks the system. Years ago, while working in Oregun, I got an email from Dominoes in Floriduh informing me my pizza will be there within 30 minutes. I replied, of course. Challenge accepted!

  21. @local.part

    If a sending mail server is changing the email address it's sending to, that is a VERY broken mail system.

    Gmail does not change david.eugene.lang@gmail.com to lang@gmail.com; it makes it effectively davideugenelang@gmail.com, which still violates the standards, but does it transparently (as long as they prevent all other permutations like they claim they are).

    (and before people fuss at me for posting my email address, it's already out in the spammers hands and has been for a couple of decades, that's the price of using public mailing lists)

    the only thing that the mail spec specifies should be changed in email as it's handled is that if you send a message to david+foo@lang.hm the receiving system can deliver it to the folder foo in the david@lang.hm account. Most mail servers don't implement this, so it becomes a bad address instead.

    (servers can re-write or forward messages, but that's a different topic from what is being claimed here)

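A small model of the three behaviours argued over in comments 19 and 21 (the RFC rule that a dot is just a character, Gmail's dot-and-plus-insensitive canonical form, and the hypothesised sender that strips everything up to the dot), as an added example that is not part of the post or any comment; the domain list and the rewrite rule are assumptions, useful for checking which other mailboxes a dotted address could collide with:

```python
# Added example (not from the post or comments). Models how the local part of
# an address is treated by different systems so a user can check collisions.

# Providers that collapse dots and drop "+tags" in the local part, per the
# Google help page linked in the comments. Constructed list; extend as needed.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def split_addr(addr: str) -> tuple[str, str]:
    """Split on the last '@'. RFC 5321: the domain is case-insensitive."""
    local, _, domain = addr.strip().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    return local, domain.lower()


def canonical(addr: str) -> str:
    """Form under which the *receiving* provider files the message.
    Standard servers treat the local part as opaque (dot is a character);
    dot-insensitive providers remove dots, drop '+tag' and ignore case."""
    local, domain = split_addr(addr)
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True if a and b land in the same inbox at the receiving provider."""
    return canonical(a) == canonical(b)


def broken_sender_rewrite(addr: str) -> str:
    """Constructed model of the sender bug described in comment 19: the last
    dot and everything before it are dropped, so 'first.last@x' -> 'last@x'.
    A standards-following sender never rewrites the address at all."""
    local, domain = split_addr(addr)
    return f"{local.rsplit('.', 1)[-1]}@{domain}"


def collision_report(addr: str) -> dict:
    """Summarise who else might receive mail addressed to addr."""
    return {
        "canonical": canonical(addr),
        "dot_insensitive_provider": split_addr(addr)[1] in DOT_INSENSITIVE_DOMAINS,
        "delivered_to_if_sender_strips_dot": broken_sender_rewrite(addr),
    }
```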
