Email dots, pluses, and burners

If you find your personal email account bombarded with unwanted marketing emails, there’s a good chance your account was compromised in a breach. That said, email these days is a minefield we all need to learn how to traverse safely. 

Your email address could present the greatest liability when it comes to cybersecurity and privacy. A recent report found that email was the delivery method for 94% of malware attacks in 2019; a more recent study in 2020 indicated that email-based phishing may be hitting a new high.

Email poses this security risk because it is so widely used; anyone with internet access can send an email to any other email address, and email addresses are often listed online, or easily guessable. 

Compounding the problem, lists of email addresses often linked to other personally identifiable information can be purchased legally and also on dark web where they are often bundled with breached passwords and other sensitive data, all of which can be used in the commission of data-related crime. 

The end result is an inbox stuffed with promotional emails, political campaign ads, pleas for money–some of it sent with your permission, and some of it spam. Much of it, even the spam, is addressed directly to you by name and may include other personal details. It’s increasingly difficult to distinguish between a legitimate message, a phishing scam designed to spread viruses and other computer malware, or your basic, everyday piece of unsolicited email.

Google’s Gmail service can help filter out or help identify unwanted email and suspect mail that may contain dangerous files. That said, there is a cost: namely privacy. 

To identify and categorize incoming email, services like Gmail (there are many) need access to your incoming and outgoing email–both the content of them and any associated data. Privacy-centric options exist, including Protonmail which features end-to-end encryption. The trade-off for more control is more work. The user has to personally filter the contents of their email–a time-consuming and often aggravating experience since the good sometimes gets thrown out with the bad when a user inevitably starts banning senders with reckless abandon. 

Convenience and privacy are always in a tug-of-war for market share, with the former usually winning by a considerable margin. There is no one-size-fits-all solution.

While it is not possible to take complete control over what shows up in your inbox, there are three relatively simple tricks that can help you protect your privacy, identify unwanted emails, and find out if your email address has been compromised in a data breach.  

#1 – Create a Burner Account

You can create a separate email account for websites or services that request yours in exchange for activation, etc. Maintaining at least two accounts, one for more sensitive information such as personal correspondence and the management of your finances, and one for online purchases, apps, and subscriptions helps create a cleaner divide between your personal life and what’s accessible to both hackers and marketers like.

Taking this method one step further, you may want to consider using a different name, or set of names, for your online activity. This will allow you to figure out who is selling your email address. If your favorite fitness app knows you as “John Fitnessapp,” and you get a bunch of email at your John Fitnessapp email, that service is sharing your information. When the information sold is limited to a burner account, the potential loss of privacy is minimized.

This also makes it easier to filter mail coming to your personal account. Though remember before you limit your inbox to messages from personal contacts that some first emails from new people in your life may get lost in the process. 

While maintaining a burner account is a simple solution and adds an effective buffer between your personal information and the world wide web, there are drawbacks. Maintaining and checking two separate email addresses is the main one, but it’s also important to bear in mind that you’re still at risk–the danger is simply quarantined in a less trusted silo. 

A Killer App?

If using a burner account seems cumbersome, there are ways to simplify the process. One is offered by a company called Nullafi. The service creates burner email accounts that point to your personal email for every account you have online. 

By creating aliases for your existing email account, you get the privacy and security protections of a separate email account without the hassle and administration headaches of adding another set of credentials to your personal and work devices. 

#2 Connect the Dots

Gmail users  represent 44% of email users worldwide, which alone makes it worthy of consideration as an email solution. That said, it offers a good trick to increase email security.  

When Google developed Gmail, they adopted a policy for email addresses called “dots don’t matter,” where the emails addressed to johnsmith@gmail.com, john.smith@gmail.com, j.o.h.n.s.m.i.t.h@gmail.com all go to the same address. This was actually created with security in mind since scammers commonly exploit predictable user error–namely typos–to trick and redirect their targets, and it would be relatively easy for someone with ill intent to register johns.mith@gmail.com if they know that john.smith@gmail.com was in active use. By disregarding dots in an email address, Google mitigated a potential risk for a client list that has ballooned to 1.8 billion users.

It also provides an effective means of knowing the source of an email. Rather than maintaining separate email accounts, a Gmail user can provide their email address as a dotted version for their various online accounts and activities. If you registered your banking account with the email j.ohnsmith@gmail.com and received one addressed to anything other than that specific variation, it could be a red flag indicating that it’s time to proceed with extreme caution.

Dotting your Gmail address can also help determine who’s sharing your data. If you sign up for a service online as jo.hn.sm.ith@gmail.com and start receiving unwanted emails to that address, it can indicate three things: 1.) that a specific service is selling your data  and 2.) a company with your email address has suffered data loss, or 3.) a company has violated their privacy policy or terms of service. 

The drawback is simple: It’s a lot to keep track of. The average American maintains 130 separate accounts per email address; if you were to really try to maintain a separate variant for each and every online service, app, and account you would need to either have an exceptional memory, or the time and inclination to consult a cheat sheet for each incoming email.

Using dots within an Gmail address isn’t a panacea for email protection, and it’s actually been exploited in scams in the past, but it can be useful for at least some aspects of email hygiene. 

#3:  Use Pluses in Your Emails

There’s another trick that email server administrators have been using for years, one that isn’t common knowledge. 

In much the same way that Gmail will disregard dots from email addresses, most email providers will disregard anything in an email address after a plus. To visualize this, johnsmith+something@gmail.com will go to johnsmith@gmail.com

This is called plus addressing, and presents a simple and user-friendly option for exercising greater control over how your email address is shared and managed.

When signing up for a service online, e.g. “John Doe’s Meal Deliveries,” provide your email address as youremail+johndoe@example.com. If you receive an email from the service that doesn’t include the “+johndoe,” delete it. It could very well contain something you don’t want on your computer. 

Additionally, if you start receiving unsolicited mail at youremail+johndoe@example.com, you know the service is sharing your email address with other companies and services and can ask them to stop. 

If your security software starts flagging emails your youremail+johndoe@example.com, it’s possible the service was hacked or their app or website contains malware, in which case you need to immediately change your password, delete any associated apps, and keep an eye out for suspicious activity.

Another benefit of plus addressing is that you can configure your email program or app to filter out incoming messages. If the aforementioned “+johndoe” email address starts to result in a deluge of spam, malware, etc., it’s possible in most modern email clients to create an inbox rule where anything addressed to “+johndoe” gets automatically deleted or moved into a spam folder. 

Most major email providers such as Gmail, Outlook, Hotmail, and Protonmail support plus addressing. 

A quick way to check to see if it works on your current email account is to simply send yourself an email with “+test” added to it. If it comes through to your inbox intact, you can use it. 

The fact that most people don’t use plus addressing means that it’s less likely to be filtered out by hackers and spammers, but it’s still an easy trick to maneuver around. 

While any of these email tricks will be effective to a point, they should be used in concert with updated anti-virus software and proper data hygiene. Continue to monitor all your accounts for suspicious activity, and assume that any email, regardless of how protected you are, has the potential to be a scam.