Social referral hacking - pfista
http://michaelpfister.com/2015/05/10/social-referral-hacking.html

======
privong
> That way, if you make an account on somesellout.com with
> youremail+somesellout@mail.com, when you start getting loads of unwanted
> messages at that address you know who sold your information to spammers.

I have seen this claim in multiple places, but it seems like it really isn't a
robust argument. It is an obvious enough tactic that I have to imagine anyone
selling or buying email lists does a simple regex to remove everything between
'+' and '@'. Maybe the buyers don't care, but if the sellers are trying to
also operate a legitimate business, they'll probably sanitize the subaddresses
from their lists before passing the list along.

So it seems like an easy way to guard against this type of referral hacking is
to strip the subaddress from an email and compare that email with existing
emails. Store the email with subaddress for actual communication but have the
subaddress-stripped email be a 'unique' database column as a comparison.

Edit: grammar

~~~
phowat
You just gave me a good idea. I have my own domain and my main email address
is mail@mydomain.com . Whenever I register to any websites now I'll start
using registration+websitename@mydomain.com and I'll configure my mail server
to forward me anything that arrives to registration+anystring@mydomain.com and
drop all mail to registration@mydomain.com .

~~~
dannyperson
Many sign-up forms disallow the use of '+' in email addresses, either to
prevent this, or more likely because the programmer wasn't aware it was a
valid character for an email address in the first place.

~~~
thaumasiotes
If you're not going to verify that the email address they're giving you is
real, why restrict them to your idea of what goes in an address? I often fill
in my email address as fake@fake.fake . It's pretty easy to see that that's
invalid -- to the best of my knowledge, there is no .fake TLD, and there
certainly wasn't when I started doing it. But, I've never seen a form reject
it.

You validate email addresses by sending confirmation emails. What's the
thinking behind pretending you're doing it in the form?

