The dots in Gmail addresses
-
The dots do matter: how to scam a Gmail user
Gmail's "dots don't matter" feature lets scammers create an account on, say, Netflix, with your email address but different dots. Results in convincing phishing emails.
Why was this feature originally implemented at all?
Should all websites with account functionality implement the Gmail dot-insensitive email identification?
no one wants this infinite set of email addresses. Gmail already provides this in the better form of “plus labelling”, so I also own jameshfisher+spam@gmail.com and jameshfisher+work@gmail.com.
Why is that better? The scam could still work.
-
Ah, yes. I remember that mis-feature...
-
Wait, so this guy finds a way a feature can be exploited...
Calls them out on it on his blog...
Explains why it can be exploited and can be considered bad practice...
Then provides a perfectly serviceable solution to this problem that isn't "stop allowing dot-insensitivity"?
Well done.
-
Don't you have to confirm your email address before you can actually use a Netflix account? If not, that seems like a major
.
-
@deadfast FTA looks like netflix doesn't require email confirmation. perhaps confirmation should be mandatory if you're registering for any site that involves paying for stuff
-
Wow, it totally works...
Well, unless you have multiple sequential full-stops in the address.
-
@tsaukpaetra said in The dots in Gmail addresses:
Well, unless you have multiple sequential full-stops in the address.
Standards require quoting in that case.
-
@deadfast said in The dots in Gmail addresses:
Don't you have to confirm your email address before you can actually use a Netflix account? If not, that seems like a major
.This. Also, it's a WTF that Netflix apparently doesn't require you to fucking log in!!! before adding a credit card to your Netflix account. Because apparently, logging in as a user whose email address he obviously wouldn't enter and whose password he naturally wouldn't know was never a step in the whole "get email, click link, add credit card" process.
-
@greybeard said in The dots in Gmail addresses:
@tsaukpaetra said in The dots in Gmail addresses:
Well, unless you have multiple sequential full-stops in the address.
Standards require quoting in that case.
It was the only thing different from the one that went through versus the one that didn't.
-
@bb36e @anotherusername this is done because requiring email confirmation is a
I shit you not.
-
@tsaukpaetra Heh. I did my own test with a properly quoted address. Google's server rejected it with a complaint the address "is not a valid RFC-5321".
It lies.
-
@marczellm said in The dots in Gmail addresses:
The dots do matter: how to scam a Gmail user
Gmail's "dots don't matter" feature lets scammers create an account on, say, Netflix, with your email address but different dots. Results in convincing phishing emails.
an obscure feature of Gmail
At the risk of invoking xkcd://TenThousand... Where has this guy been all his internet life?
And it seems Netflix is the one to blame here. Not only because of the aforementioned "not confirming email," but because they don't normalise email addresses where this sort of address merging happens (Yahoo does the tag thing too.)
Externally, jameshfisher@gmail.com and james.hfisher@gmail.com are different identities, and should have their own Netflix accounts
No, they shouldn't.
Some would say it’s Netflix’s fault; that Netflix should verify the email address on sign up.
Indeed.
But using someone else’s address on signup only cedes control of the account to that person.
Er, no. Not if the email address were verified.
Others would say that Netflix should disallow the registration of james.hfisher@gmail.com, but this would force Netflix and every other website to have insider knowledge of Gmail’s canonicalization algorithm.
Email registration would render this
.Those who really want infinite addresses already have the “plus labelling” feature: I also own jameshfisher+spam@gmail.com, jameshfisher+work@gmail.com et cetera.
Which is little different from the dots problem he's complaining about.
Not only do Gmail users not want these extra addresses
"I see no reason for them, therefore everyone should be denied access to their use."
-
@pjh said in The dots in Gmail addresses:
Externally, jameshfisher@gmail.com and james.hfisher@gmail.com are different identities, and should have their own Netflix accounts
No, they shouldn't.
I don't know much about email, but are you trying to say that ALL email servers treat addresses with periods like this, or that Netflix should treat Gmail addresses specially and normalize them?
-
@bb36e said in The dots in Gmail addresses:
@pjh said in The dots in Gmail addresses:
Externally, jameshfisher@gmail.com and james.hfisher@gmail.com are different identities, and should have their own Netflix accounts
No, they shouldn't.
I don't know much about email, but are you trying to say that ALL email servers treat addresses with periods like this, or that Netflix should treat Gmail addresses specially and normalize them?
I'm saying that verifying email addresses would negate this whole issue about whether or not the local part of the email address is an alias of another address or not.
Regarding assuming aliases in general, the exact opposite was true a few years ago where the local part of the email address was case sensitive for one provider, and nearly every other major ESP treated it as case insensitive, breaking the services by that provider (specifically it was Yahoo group moderation via email - replying to the
Reply To:address in the email they sent could perform whatever moderation duty was required without having to go to their website. Thing is Yahoo treated the local part as case sensitive (as they were allowed to,) but other ESP's tended to simply lower-case the whole email address, breaking it.)
-
@pjh said in The dots in Gmail addresses:
And it seems Netflix is the one to blame here. Not only because of the aforementioned "not confirming email," but because they don't normalise email addresses where this sort of address merging happens (Yahoo does the tag thing too.)
Does the email address spec say that email addresses can be normalized according to some set of rules guaranteed to result in an address that goes to the correct mailbox? No? Then you fucking don't. Leave the fucking email address as the user entered it.
Externally, jameshfisher@gmail.com and james.hfisher@gmail.com are different identities, and should have their own Netflix accounts
No, they shouldn't.
Yes they should. To literally anyone except Gmail, they are different addresses. More importantly, to anyone who's following spec, they're different addresses. Nobody external to a specific mail server should make assumptions as to how that mail server maps aliases to mailboxes, and they certainly shouldn't try to cleverly (or stupidly) "normalize" addresses on outgoing messages.
Some would say it’s Netflix’s fault; that Netflix should verify the email address on sign up.
Indeed.
Yes. Requiring email verification would totally solve this problem. Yes, @julianlam, at the cost of creating other problems, but those can be handled adequately well... just treat an unverified email address as that, unverified and untrusted. And for godssake send a "you're receiving this message because you, or someone, signed up for a new Netflix account with this email address" email to it with a "didn't create a new Netflix account? click here to permanently unlink your email address from this account" link.
Those who really want infinite addresses already have the “plus labelling” feature: I also own jameshfisher+spam@gmail.com, jameshfisher+work@gmail.com et cetera.
Which is little different from the dots problem he's complaining about.
No, 'tisn't. You have a Netflix account under "johndoe@gmail.com". Someone registers on Netflix and sees that "johndoe@gmail.com" is taken, so registers "john.doe@gmail.com" or "johndoe+netflix@gmail.com". Then their credit card doesn't work so Netflix sends you the email asking you to add a working credit card to it.
Email isn't even secure by default (it's sent across the public web unencrypted in most cases) so sending a link that gives someone an automatic login to some account elsewhere is really a huge
.
-
@pjh ok, this I agree with. Nobody should ever try to modify the email address that a user enters (except perhaps by nulling it out and asking them for a different one). Just verify it. And I'm not saying you have to accept every valid email address, either. If you want to require email addresses to match some regex, as long as you are okay with potentially telling some users that they can't register using the email address they prefer, that's fine. That's between you and those users. Just don't fucking change the email address they enter and expect it to still work, and don't trust the owner of that address until they verify it.
-
@anotherusername said in The dots in Gmail addresses:
Does the email address spec say that email addresses can be normalized according to some set of rules guaranteed to result in an address that goes to the correct mailbox? No?
In fact, it does. And that rule is - essentially "the receiving host is permitted to treat the local part in any way it sees fit."
Including ignoring periods in it. Your point is probably "no-one outside the receiver can make generalised assumptions about the local part" which I agree with, but in this instance this isn't a generalised assumption. It's a documented feature of one ESP.
Then you fucking don't. Leave the fucking email address as the user entered it.
False dilemma. If you know an ESP treats the local part in a specific way (ignores case, ignores periods, ignores anything after a plus or a minus) then you can attempt to mitigate against it, but I agree, you don't simply throw away what the user has given you...
CREATE TABLE IF NOT EXISTS `addresses` ( `address_id` BIGINT(20) NOT NULL AUTO_INCREMENT, `address` VARCHAR(1024) NOT NULL COMMENT 'The email address as entered by the user, without display name', `canonical` VARCHAR(255) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'Maximum email address length /should/ be 254.', ...But we're getting back to email address verification (or the lack thereof on Netflix's part,) which is the root cause of this particular gripe.
-
@pjh said in The dots in Gmail addresses:
In fact, it does. And that rule is - essentially "the receiving host is permitted to treat the local part in any way it sees fit."
I was speaking from the sender's perspective. And there, it says the opposite. The sender can't assume that the receiving host treats two different local parts as aliases of the same mailbox, because the receiving host isn't following any set of rules from the spec as to how it treats them. It can handle them any way it likes.
in this instance this isn't a generalised assumption. It's a documented feature of one ESP.
Sending hosts should not be required to keep an exhaustive list of every receiving host which has documented features allowing multiple addresses to match predictably to the same mailbox. Nor should sending hosts be using such a list. They should not be changing the email address the user enters, at all (including by changing its case).
-
I disagree with the blog's conclusion, this is mostly Netflix's fault, not gmail's.
Personally, I like the feature. And allowing to sign up for john.doe@gmail when johndoe is already taken might mitigate this particular scam, but I wouldn't be surprised if it helped some other one.
-
@anotherusername said in The dots in Gmail addresses:
They should not be changing the email address the user enters, at all (including by changing its case).
You appear to have missed the second part of my post, where I say much the same thing.
-
@marczellm said in The dots in Gmail addresses:
Why was this feature originally implemented at all?
Because it's one of the most common typos done when writing emails down over the phone. I'm absolutely sure many more people have been saved by this feature than abused by scammers because of it.
-
@pjh I think we're in violent disagreement. But I'm right of course.
We're ending up at the same conclusion, but I think the argument you were using to get there was flawed.
-
Some Gmail power users might claim: “The dots-don’t-matter feature is great. I get ownership of an infinite set of email addresses!” But firstly, no one wants this infinite set of email addresses. Those who really want infinite addresses already have the “plus labelling” feature:
