By Steve Bass | Friday, April 8, 2011 at 3:54 pm
Another hack attack: The bad guys gained access to the database that stores customers’ names and e-mail addresses for Capital One, JPMorgan, Brookstone, BestBuy, TiVo, Walgreens, Kroger, and a long list of others.
The breach occurred through Epsilon, the firm each of the companies used to manage their e-mail communication with customers.
Chances are good that if you’ve corresponded with any of the companies, you’ll see phishing e-mails in your inbox. They’ll likely be messages for you to confirm a recent order, or reconfirm or update a credit card.
By this time in your computing career, I feel safe saying you’re sophisticated enough not to be suckered in by phishing e-mails. But I’ll play it safe: If the e-mail looks authentic and asks you to click a link to go to the company’s site, don’t do it. Instead, type the company’s URL into your browser’s navigation field to go to the site.
There’s nothing you can do to prevent a third party from exposing your e-mail address. But there’s a handy trick to monitor if a company you’ve given an e-mail address to is using it to spam you. And then block it so you’ll never see it again.
Start using e-mail addresses that are specially — and easily — coded. Create a new one for everything you sign up for, things like newsletters, banking, coupon sites — whatever. If you receive an e-mail from that address with anything other than what you asked for, you’ll know the company’s been breached — or is selling your e-mail address to spammers.
The technique is called plus addressing: you insert an extra character, followed by a label of your choosing, between your user name and the @ sign and domain. Don’t fret, it’s easy to understand.
Many ISPs let you do plus addressing, but I’ll use Gmail to describe how it works.
Let’s say your Gmail address is computeruser@gmail.com (and for the reasons I’ll explain in a minute, you ought to use Gmail). When you sign up for a newsletter, say, SuperUser, use computeruser+superuser@gmail.com. Banking with Chase? computeruser+chase@gmail.com. Got the idea?
Gmail understands what you’re doing and the e-mail still lands in your inbox.
However, if you get something other than the newsletter at that address, you can stop it in its tracks. Just create a filter in Gmail (yep, I’ll get to that, too) that automatically deletes anything addressed to computeruser+superuser@gmail.com and you’ll never see it again.
Of course, once you filter that specific address into the trash, you won’t see either the spam or the newsletter. If you still want the newsletter delivered, create a new plus address and resubscribe.
Besides Gmail, I’ve tested plus addressing with EarthLink and Yahoo (they use a hyphen — computeruser-superuser@yahoo.com instead of the plus sign). Neither MSN nor AOL is smart enough to use it; experiment with your ISP to see if it works.
Why You Need a Free Gmail Account
I use Gmail to sign up for newsletters and other sites using plus addressing because I don’t want to use my real, permanent EarthLink or TechBite address. In my tests, Gmail does a remarkable job capturing and eliminating spam, with few false positives.
I have Gmail forward the mail to my EarthLink account (From Mail Settings, Forwarding and POP/IMAP). I think of it as washing my e-mail through Gmail. (Yes, I know, there’s MailWasher and dozens of other apps; my focus is to reduce spam without cluttering up the system tray.)
I encourage you to open a Gmail account and play around with it, if for nothing more than having one spot to manage all your newsletter and non-critical e-mail subscriptions.
If you’re using Gmail — or thinking about it — you’ll need to know the bare minimum about filtering.
The first time spam arrives at one of your plus addresses in Gmail, open it and click on the down arrow next to Reply and then click Filter messages like this. (One annoyance: Gmail doesn’t show the entire coded e-mail address unless you open the e-mail and click on show details.)
When the Filter settings appear, enter the plus address into the To: field (make sure all the other fields are empty) and click Test Search to try it out. Click Next Step and check the Delete it box.
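To make the two pieces above concrete (handing out a tagged address per company, then tracing unexpected mail back to the tag and deleting it), here is a small Python script I’ve added for this post; it is not Gmail’s code or anything from the original newsletter. It assumes the separator rules described above (plus sign for Gmail and EarthLink, hyphen for Yahoo), a constructed registry mapping each tag to the sender domain you gave it to (using reserved example domains), and a handful of constructed message headers. A message whose tag is registered but whose From: domain doesn’t match is reported as "leaked", which is the "breached or selling your address" case; a message with no tag at all is reported separately, since a sender who strips the tag before mailing leaves nothing to trace.

```python
import re
from email.utils import parseaddr

# Sub-addressing separator per provider, as described in the post:
# Gmail (and EarthLink, per the author's tests) accept "+", Yahoo uses "-".
# Assumption: the base local part itself never contains the separator.
SEPARATORS = {
    "gmail.com": "+",
    "earthlink.net": "+",
    "yahoo.com": "-",
}

def tagged_address(base, tag):
    """Build the tagged address you hand to one company, e.g.
    computeruser@gmail.com + "superuser" -> computeruser+superuser@gmail.com."""
    local, domain = base.strip().lower().split("@", 1)
    sep = SEPARATORS.get(domain)
    if sep is None:
        raise ValueError(f"no sub-addressing rule known for {domain}")
    if not re.fullmatch(r"[a-z0-9]+", tag):
        raise ValueError("use a plain alphanumeric tag so it survives web forms")
    return f"{local}{sep}{tag}@{domain}"

def split_tag(addr):
    """Inverse of tagged_address: (base address, tag) or (address, None)."""
    local, domain = addr.strip().lower().split("@", 1)
    sep = SEPARATORS.get(domain)
    if sep and sep in local:
        base_local, tag = local.split(sep, 1)
        return f"{base_local}@{domain}", tag
    return f"{local}@{domain}", None

# Which sender domain each tag was given to. Constructed registry using
# reserved example domains; a real one would list the actual companies.
REGISTRY = {
    "superuser": "newsletter.example.com",
    "chase": "bank.example.org",
}

def sender_domain(header_value):
    """Domain part of the address in a From:/To: header value."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify(headers, base):
    """Verdict for one message, keyed on the tag in its To: header:
    'expected'    - tag known and sender domain matches the registry
    'leaked'      - tag known but the mail came from somewhere else
    'unknown-tag' - tag present but never registered
    'untagged'    - no tag (including the case where the sender stripped it)"""
    _, to_addr = parseaddr(headers.get("To", ""))
    to_base, tag = split_tag(to_addr) if "@" in to_addr else (to_addr, None)
    if tag is None or to_base != base.lower():
        return "untagged"
    expected = REGISTRY.get(tag)
    if expected is None:
        return "unknown-tag"
    frm = sender_domain(headers.get("From", ""))
    if frm == expected or frm.endswith("." + expected):
        return "expected"
    return "leaked"

def should_delete(headers, blocked):
    """Local equivalent of the Gmail filter in the post: To: matches one of
    the tagged addresses you have given up on -> delete it."""
    _, to_addr = parseaddr(headers.get("To", ""))
    return to_addr.lower() in {b.lower() for b in blocked}

# Constructed sample headers (not real mail).
SAMPLE_MESSAGES = [
    {"From": "SuperUser <news@newsletter.example.com>",
     "To": "computeruser+superuser@gmail.com", "Subject": "Weekly digest"},
    {"From": "Promotions <promo@deals.example.net>",
     "To": "computeruser+superuser@gmail.com", "Subject": "Confirm your order"},
    {"From": "alerts@bank.example.org",
     "To": "computeruser+chase@gmail.com", "Subject": "Statement ready"},
    {"From": "someone@deals.example.net",
     "To": "computeruser@gmail.com", "Subject": "Hello"},
]

def audit(messages, base):
    """Return [(tag, verdict)] for every message, in order."""
    out = []
    for m in messages:
        _, to_addr = parseaddr(m.get("To", ""))
        tag = split_tag(to_addr)[1] if "@" in to_addr else None
        out.append((tag, classify(m, base)))
    return out

if __name__ == "__main__":
    for tag, verdict in audit(SAMPLE_MESSAGES, "computeruser@gmail.com"):
        print(f"{tag!s:>10}  {verdict}")
```

Run it as-is and the second sample message (a "confirm your order" note to the SuperUser tag from an unrelated domain) comes back as "leaked"; passing that tagged address to should_delete is the same decision the Gmail filter makes once you put the address in the To: field and tick Delete it.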
We’re never going to get rid of spam, that’s clear. But this is a clever way of tracking — and removing it.
[This post is excerpted from Steve’s TechBite newsletter. If you liked it, head here to sign up; it’s delivered on Wednesdays to your inbox, and it’s free.]
April 8th, 2011 at 4:06 pm
Can you do the same with Hotmail? Yahoo Mail?
If so, why didn't you mention them?
April 8th, 2011 at 4:46 pm
If I were a spammer who just got a giant list of e-mail addresses, the first thing I would do is take all of the gmail accounts and remove anything between the "plus sign" and "at sign". You're better off using a service like spamgourmet.com that really protects your email address.
April 9th, 2011 at 6:27 am
I've seen a couple that do that. Most don't, but it is just a matter of time.
November 25th, 2011 at 11:39 am
I do not disagree with this blog post.