TechBite: A Nifty Spam Tracking Trick


By Steve Bass

Major Companies Hacked

Another hack attack: The bad guys gained access to the
database that stores customers’ names and e-mail addresses
for Capital One, JPMorgan, Brookstone, BestBuy, TiVo,
Walgreens, Kroger, and a long list of others

The breach occurred through Epsilon
, the firm each of the companies used to
manage their e-mail communication with customers.

Chances are good that if you’ve corresponded with any of
the companies, you’ll see phishing e-mails in your inbox.
They’ll likely be messages for you to confirm a recent
order, or reconfirm or update a credit card.

By this time in your computing career, I feel safe saying
you’re sophisticated enough not to be suckered in by
phishing e-mails. But I’ll play it safe: If the e-mail
looks authentic and asks you to click a link to go to the
company’s site, don’t do it. Instead, type the company’s
URL into your browser’s navigation field to go to the

There’s nothing you can do to prevent a third party from
exposing your e-mail address. But there’s a handy trick to
monitor if a company you’ve given an e-mail address to is
using it to spam you. And then block it so you’ll never
see it again.

A Nifty Spam Tracking Trick

Start using e-mail addresses that are specially — and
easily — coded. Create a new one for everything you sign
up for, things like newsletters, banking, coupon sites —
whatever. If you receive an e-mail from that address with
anything other than what you asked for, you’ll know the
company’s been breached — or is selling your e-mail
address to spammers.

The technique is called plus addressing and the trick is
to create an e-mail with an extra character between the
real e-mail address and the @ sign and domain. Don’t fret,
it’s easy to understand.

Many ISPs let you do plus addressing, but I’ll use Gmail
to describe how it works.

Let’s say your Gmail address is
(and for the reasons I’ll explain in a minute, you ought
to use Gmail). When you sign up for a newsletter, say,
SuperUser, use Banking
with Chase? Got the idea?

Use a throwaway e-mail
to track spammers

Gmail understands what you’re doing and the e-mail still
lands in your inbox.

However, if you get something other than the newsletter at
that address, you can stop it in its tracks. Just create a
filter in Gmail (yep, I’ll get to that, too) that
automatically deletes anything from and you’ll never see it

Of course, once you filter that specific address into the
trash, you won’t see either the spam or the newsletter. If
you still want the newsletter delivered, create a new plus
address and resubscribe.

Besides Gmail, I’ve tested plus addressing with EarthLink
and Yahoo
.html] (they use a hyphen — instead of the plus
sign). Neither MSN nor AOL is smart enough to use it;
experiment with your ISP to see if it works.

Sign Up for more great TechBite content here

 1,308 total views,  1 views today

(Visited 1 times, 1 visits today)

16 thoughts on “TechBite: A Nifty Spam Tracking Trick”

  1. Simply obviating the possibility of more spam isn’t enough. Be proactive. Resolve IP’s to domains the bombard the abuse department of the host with emails and phone calls about the offender. Eventually the few bucks they get for hosting will cease to be worth the trouble.

  2. You can use character blacklisting in yahoo mail and it works. Throw away addys work but they can become primary addys if you’re not careful. I blacklist words in subject and body like “beneficiary, lotto, euros, usd, etc. etc. and send them to a scam folder. If you want to make things hard for con artists, phishers, and such, join a site like, or at least support our efforts. It’s helpful and downright funny at times.

  3. I have used yahoo mail plus for several years. It comes in handy for those sites which require that I give an email address so that they can email me a message with which I can use it to click on a link therein to confirm that I’m actually a person rather than a bot.

    I pay $20 a year. Once set up I select a base name which is then followed by the word mailbox and a hyphen. This is my permanent base name.

    When responding to this site I would add it to Yahoo’s redirect process in the following manner.

    After creating a permanent base name of say.. newguymailbox- I would add newguymailbox-pitstop to the yahoo database. When supplying an email to the website I would give that address as my address. The site sends an email to newguymailbox-pitstop which Yahoo redirects to my real email address which neither looks like nor has any other connection to my real address.

    If I start receiving spam I can simply delete newguymailbox-pitstop from Yahoo as an active address leaving all my other newguymailbox- addresses intact. It is not a filter. The pitstop address simply ceases to exist.

    I have used drop dead addresses in this manner for years. I happily give these type of addresses anywhere with no concern as they can’t possibly connect to my real email address.

    Some may be wondering what would happen if Yahoo itself got compromised so that someone got my real Yahoo email address. Well, I would simply deactivate my original Yahoo account and open a up a brand new one and start all over again. Of course, I would comb through my Yahoo account to get the addresses of all those sites that I wanted to continue communicating with and send them my new basename suffix combo.

    As I mentioned previously I give my Yahoo plus email addresses everywhere and spam has never been a problem. If I get some I just kill it. It can’t possibly come back once that particular suffix has been killed.

  4. One of the best non-patronising and non-dumbed down – not to mention useful – articles that I have seen written by a PC Pitstop writer for some time.

  5. The advantage of Yahoo’s Plus account method for creating your ‘disposable’ address is 1) it does not use your real address as the ‘base’ address to which you add on the customization so you a) never reveal your real address and b) it yahoo knows to send it to your real address, and 2) it uses a minus character, not a plus character and I have never had but one site in 5 years reject this.

  6. I own a domain through go daddy. I use a catchall box which delivers everything addredded to When dealing with any company online i use “companyname” as my adddress. their email comes through my catchall box. I have received little spam ik the years I’ve been going that.

  7. According to the Yahoo page referenced in the article, this works for “plus” accounts. (Get a whole year for $19.99—that’s less than $2/month!)

  8. @jose. You keep using your original email. You just use the plus addressing email for companies or websites that are likely to sell your email to spammers. If you block a plus addressed email, you still get your regular email from your friends and business associates.

  9. Seems clear enough to me. Use your regular email address for regular email – i.e., to the family, friends, and companies you know and trust. Use the anti-spam address ONLY when supplying your email address to a company that will not process an order or request without it. Mind you, I think twice about dealing with companies who won’t let me order without signing up for their ‘important’ newsletters. You could, of course just manufacture a spoof address that means nothing, but some companies also want to send you a confirming email or one with a confirmation URL, so pick your targets carefully.
    It’s simple; so simple I can’t see why anyone *can’t* understand it…

    And I’m sorry but I can’t see why it’s so essential to use web-based systems like Gmail. My ISP runs a nice secure IMAP server that I can access from anywhere; why run the risk of webmail?

  10. can’t the spammer just create a simple program that looks for any “+” character and then have the program remove any characters between the “+” character and the “@” character? Then run the program on the email lists.

  11. My comment to the yahoo tutorial went as follows, and I paraphrase:
    Too complicated to actually (remember to) use. I know, I followed all the instructions, and I have used it once, maybe twice…

  12. i love this feature of gmail, but most sites out there won’t let you sign up with a + sign in your email address, you get an error that the email address is invalid.

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.