There's a common design flaw on many, many websites that require an email address to register. Most recently I came across this bug on CNet's download.com site: for some reason they don't accept my registration when the email address contains a "+", and they send me back saying my address is invalid. It isn't!
"+" is a completely valid character in an email address, as defined by RFC 822 (pages 8 and 9), the internet messaging standard published in 1982(!). Any website claiming anything else is wrong by definition, and they are preventing me and many fellow anti-spam activists from tracking where inbound spam comes from:
I usually register at websites with an email address of the form username+sitename+yyyy-mm-dd@domain.com and if I ever receive unsolicited email to this address (see my previous rants on dialpad.com) it's easy not only to track where the spammer got my address from, but also to block this address for future emails.
More information:
Additional site that doesn't consider "+" a valid character in email addresses: Yahoo.com...
Posted by: andersja on August 24, 2002 08:15 PM
More problems with the "+": Microsoft NetMeeting :-(
Posted by: andersja on August 27, 2002 02:43 PM
I've used something similar without the pluses, but apparently the spam didn't come to those addresses, but rather to my default one which I later had to abandon completely.
Isn't this ironic?
As the owner of davidj.org, I do something similar when filling in forms at a domain. At mp3.com I signed up as mp3@davidj.org, knowing that since that mailbox isn't configured it would be sent to my main address davidj@davidj.org.
The concern I had on this one is that a bounce would still be sent for mp3@davidj.org. I guess I will have to look into what mail software powweb uses, though I think it is qmail. I would not want the bounce to be generated, just suck up the mail.
Using the domain@davidj.org will alert me in the future to anyone that sold my name against my wishes.
Posted by: davidj on October 4, 2002 05:33 PM
Hello,
can you explain where you see in the RFC that a + is allowed? I've searched the document for the "+" sign, but did not find any (except in the time notation part of the page)
Greetings,
Stig
You can mail me at blog@hell.be
RFC 822 has these definitions:
~~~~~~~~~~~~~~~~~
CTL =
specials = "(" / ")" / "<" / ">" / "@" / "," / ";" / ":" / "\" / <"> / "." / "[" / "]" ; where an unquoted "/" means "or"
atom = 1*<any CHAR except specials, SPACE and CTLs> ; where "1*" means "one or more"
word = atom / quoted-string ; where "/" again means "or"
address = mailbox / group ; ditto
mailbox = addr-spec / phrase route-addr ; ditto
addr-spec = local-part "@" domain ; global address
local-part = word *("." word) ; which means "one or more of 'word' separated by periods"
~~~~~~~~~~~~~~~~~
Note that I have edited the comments (following the semicolons in the above) heavily.
Hence an email address/mailbox/addr-spec is "local-part@domain"; "local-part" is composed of one or more of 'word' and periods; "word" can be an "atom" which can include anything except "specials", control characters or blank/space; and specials (the *only* printable ASCII characters [other than space, if you call space "printable"] *excluded* from being a valid "local-part") are:
()<>@,;:\".[]
Therefore by the official standard for email on the internet, the plus sign is as much a legal character in the local-part of an email address as "a" or "_" or "-" or most any other symbol you see on the main part of a standard keyboard.
Posted by: Jeff Woods on April 17, 2003 06:34 AM
Okay, so does that mean you can have apostrophes in the local-part of an e-mail address?
Would appreciate some comment on this as I can't exactly follow the text above.
Cheers,
Carl
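
The RFC 822 local-part grammar quoted in the comment above, turned into a checker and compared with an overly narrow pattern. This is an added example, not code from the original post or from any commenter; `NARROW` is a constructed stand-in for a site-side check, and the sample local-parts are constructed.

```python
import re

# RFC 822 "specials": the characters an unquoted atom may not contain.
SPECIALS = '()<>@,;:\\".[]'

# atom = 1 or more printable ASCII characters (33-126) that are not specials;
# this also excludes SPACE (32) and the control characters (0-31, 127).
ATOM_CHARS = "".join(chr(c) for c in range(33, 127) if chr(c) not in SPECIALS)
ATOM = "[" + re.escape(ATOM_CHARS) + "]+"

# quoted-string = '"', then any ASCII except '"', '\' and CR, or a
# backslash-escaped ASCII character, then '"'.
QUOTED = r'"(?:[^"\\\r]|\\[\x00-\x7f])*"'

# word = atom / quoted-string ; local-part = word *("." word)
WORD = f"(?:{ATOM}|{QUOTED})"
LOCAL_PART = re.compile(f"{WORD}(?:\\.{WORD})*")

# Constructed stand-in for an overly narrow site-side check (not any site's code).
NARROW = re.compile(r"[A-Za-z0-9._-]+")


def is_rfc822_local_part(text):
    """True if text matches the RFC 822 local-part grammar."""
    return text.isascii() and LOCAL_PART.fullmatch(text) is not None


def compare(text):
    """Return (accepted by NARROW, accepted by the RFC 822 grammar)."""
    return NARROW.fullmatch(text) is not None, is_rfc822_local_part(text)


# Constructed sample local-parts, several modelled on addresses in this thread.
SAMPLES = ["username+sitename+2002-08-24", "*david*", "o'brien", "first.last",
           '"john smith"', "john smith", "a..b", ".leading"]

if __name__ == "__main__":
    for sample in SAMPLES:
        narrow_ok, rfc_ok = compare(sample)
        print(f"{sample!r:34} narrow={narrow_ok!s:5} rfc822={rfc_ok}")
```

The narrow pattern is wrong in both directions: it rejects "+", "*" and "'" although the grammar allows them, and it accepts "a..b" and ".leading", which the grammar does not.
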
Need a bit of help on this one...
Is "*" valid in an e-mail address as well? Could this be a valid address:
*david*@domain.se
Thanks in advance!
/David Bergkvist
Posted by: David Bergkvist on May 15, 2003 10:48 AM
Yes, a '*' is valid in an email address.
Your address: *david*@domain.se is valid
i can't help but wonder why you don't just relax and change the pluses to hyphens or underscores.
cnet probably did not make a conscious effort to not allow plus signs on their website. probably what happened was whoever wrote the regular expression they're using to validate email addresses didn't specify in the reg ex that plus signs are allowed. i would go a step further and say the person who developed the cnet site took a regular expression they found somewhere at a code site and may not even know how it works (as regular expressions have a bit of a learning curve/take some effort to learn).
but anyway, if you weren't so stubborn you would just use a different character that's more common than trying to launch a crusade against the injustices of organizations not allowing plus signs in the email addresses of their members.
Posted by: scott on September 24, 2003 08:15 PM
That isn't the point Scott. They are not following widely accepted standards that were published LONG before they built the site. The value of following these standards lets us use built in functionality of programs like Qmail and Sendmail. Why should the majority of people "following the rules" be forced to change when the web designers aren't?
are you sure this is correct:
()<>@,;:\".[]
are + signs not allowed?
mail me at berry@vanthiel.nl or berry.van.thiel@recreatiemedia.nl
thanks
Posted by: on November 8, 2003 11:58 AM
While the RFC allows the use of the + character, is there an RFC that states how the + character should be treated as part of an email address? Who is to decide whether pete+mary@somesite.com should actually go to that address rather than just pete@somesite.com after it drops the + character and the characters following it? I know I have tried this format with a few mail servers who have given a mailbox not found error as they look for everything preceding the @ symbol.
Posted by: Shay Rickman on November 13, 2003 02:43 PM
Shay - the whole idea is that the whole address (username+something@host.com) is a valid address. By default, no chopping or "ignoring" occurs. How your mailserver parses it is up to how you configure it. Check out Qmail ( http://www.qmail.org/ ) for a great way of allowing each user to set up their own custom mail-aliases, enabling filtering as well as spam-prevention! :-)
Posted by: Anders on November 13, 2003 03:48 PM
Cracking website explaining what characters are valid:
http://www.remote.org/jochen/mail/info/chars.html
Do you have some clever way of wildcarding those addresses with qmail, or do you after each time you have registered at some new site have to create a new alias for that site?
Basically what I'm asking is do you have only one
~/.andersja+somethingclever+yyyy-mm-dd
file in your home directory, or is it full of forwards like this
~/.andersja+jacobsendotno+2004-02-24
~/.andersja+slashdot+2000-01-01
~/.andersja+nytimes+2001-11-13
~/.andersja+somesite+2003-09-06
~/.andersja+someothersite+2004-01-29
etc..
oh, and prepend .qmail to andersja there, obviously. :)
Posted by: Steff on February 24, 2004 11:39 AM
Steff,
I use a .qmail-default which routes all unknown addresses through a spam filter and then on to my mailbox:
$ cat ~/.qmail-default
|preline procmail -Yf- .procmailrc-spam
./Mailbox
If an address goes bad (stolen, abused, spammed to), I'll set up a .qmail-{something-specific} to bounce email to that address. As an example, my entry for dialpad looks like this:
$ cat .qmail-dialpad
|bouncesaying 'This address no longer accepts mail. Anders can be reached at www.jacobsen.no'
See also:
http://www.jacobsen.no/anders/blog/archives/2004/02/24/using_qmail_for_spamtracking.html
Does anyone know of a RegEx capable of filtering EXACTLY according to RFC822? I don't seem to find any such thing in the net... been searching all day actually. Would appreciate it greatly if someone could give me a link with that RegEx that lets in EVERYTHING that RFC822 suggests. :-(
TIA
Posted by: Ruman on April 19, 2004 01:14 PM
Good afternoon, I'm not sure I'm in the right place. I have some very old email addresses and I don't know if they are still valid. Is there a site I can go to - for free - to find out ? ? ?
Thanking you in advance for a rapid response.
It took me a while to figure out that you need to add a line in /var/qmail/assign like the following
+andersja+:andersja:$(UID):$(GID):/home/andersja:+::
Where $(UID) and $(GID) are your uid and gid.
After you add it, you need to run 'qmail-newu' to rebuild the cdb.
See 'man qmail-users' for more info.
What about the "'" signs.
The "'" character is very troublesome when you process SQL inserts. This is especially true for Irish names like Mc'Gregor.
On my site http://www.myTrashMail.com I just cut it out when any Irish dude input his name into the forms.
When writing an application many people are not aware of it. From now on I am always using Parameterized Queries for my DB Inserts. You even can store double byte email addresses.
Posted by: Mr. Fake Email on September 24, 2004 01:21 PM
You can put antislashes before a ' or a "
it works well
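
The apostrophe problem and the three ways of handling it mentioned in the comments above (cutting the character out, backslash escaping, parameterized queries), run side by side. This is an added example, not code from the original post or from any commenter; the name and address are constructed, and an in-memory SQLite database is an assumption standing in for whatever database a site uses.

```python
import sqlite3

# Constructed sample input: both values contain an apostrophe.
NAME = "Mc'Gregor"
EMAIL = "mc'gregor+mytrashmail@example.com"


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    return db


def insert_concatenated(db, name, email):
    # Vulnerable pattern: the values become part of the SQL text, so an
    # apostrophe in the data ends the string literal early.
    db.execute("INSERT INTO users VALUES ('" + name + "', '" + email + "')")


def insert_parameterized(db, name, email):
    # The statement text is fixed; the driver passes the values separately.
    db.execute("INSERT INTO users VALUES (?, ?)", (name, email))


def try_insert(insert, name, email):
    """Run one insert strategy on a fresh database; return rows or the error type."""
    db = new_db()
    try:
        insert(db, name, email)
    except sqlite3.Error as exc:
        return type(exc).__name__
    return db.execute("SELECT name, email FROM users").fetchall()


def run_all():
    strip = lambda s: s.replace("'", "")      # cut the character out of the data
    slash = lambda s: s.replace("'", "\\'")   # backslash escaping (dialect-dependent)
    return {
        "concatenated": try_insert(insert_concatenated, NAME, EMAIL),
        "stripped": try_insert(insert_concatenated, strip(NAME), strip(EMAIL)),
        "backslash": try_insert(insert_concatenated, slash(NAME), slash(EMAIL)),
        "parameterized": try_insert(insert_parameterized, NAME, EMAIL),
    }


if __name__ == "__main__":
    for strategy, outcome in run_all().items():
        print(f"{strategy:14} {outcome}")
```

SQLite does not treat a backslash as an escape character, so here the backslash variant fails the same way as plain concatenation, and the stripped variant stores a different address from the one the user typed. Only the parameterized insert stores both values unchanged.
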
According to RFC822, the period "." is a special character, and yet is used in local-parts everywhere. How can you explain this direct violation of the RFC by so many people?
Posted by: on May 25, 2005 03:58 PM
>> According to RFC822, the period "." is a special character...
Yes it is, but look at the following RFC 822 definition (posted by Jeff):
local-part = word *("." word) ; which means "one or more of 'word' separated by periods"
So, even if 'word' cannot contain the period because it is a special character, the actual email address can.
Posted by: mms on June 8, 2005 06:24 PM
I'm not sure if I understand the '+' issue in email addresses completely, however, RFC-1642 is an EXPERIMENTAL PROTOCOL (not yet a standard) that uses UTF-7 to encode Unicode characters using 7-bit ASCII characters.
That way, people in Japan could use Japanese characters in their email address (for example). Using RFC-1642, good old 7-bit ASCII addresses would look the same as they always did.
But here's the kicker... RFC-1642 uses the + symbol as a shift character to help encode the Unicode characters.
So maybe sites and/or programs that have issues with + signs in email addresses are following RFC-1642 rules even though it's not a full standard yet? Microsoft and Yahoo cater to a more 'global' market so maybe they are experimenting with RFC-1642? Just a thought.
Posted by: Robert Walsh on September 29, 2005 09:09 PM
So I can see the + addressing thing could be useful for some tasks, but wouldn't email harvesters just drop the + and everything after it to capture your real address? Sure it violates the RFC, but if they're collecting addresses to spam, they probably don't care.
Posted by: Terry on November 9, 2005 11:40 PM
Appending my previous comment, when I say "it violates the RFC" I mean the act of dropping the + and everything after it violates the RFC (violates the directive that only the receiving site may interpret the bit before the @), I don't mean to say that the + violates the RFC.
Posted by: Terry on November 9, 2005 11:43 PM
© Anders Jacobsen