Windows Secrets Newsletter • Issue 72 • 2006-03-30 • Circulation: over 400,000

Every time you give out your e-mail address, you take a risk that your address will get on spammers’ lists and you’ll be bombarded with junk mail.

As a test (which I’ll describe in my Datamation column in a few weeks), I entered an e-mail address into a signup box at one of those “get a free laptop” promotional sites. In less than six weeks, the address I provided was hit with more than 1,000 junk messages — over 23 per day — and they show no sign of slowing down.

I was willing to risk my Inbox being overrun in this way because I used a "disposable" e-mail address. This is an address with a different keyword that you add for each Web site or personal correspondent. Such addresses make it easy for you to filter incoming mail into different folders, if desired. To prevent “dictionary attacks,” any mail sent to you without a valid keyword can be rejected. And, if an address you gave out is abused by spammers, as my test address was, you simply make all mail to that address bounce (as I eventually did to the promo site).

Disposable addresses let you register for free services on the Web without fear. At the same time, you get strong protection against spammers.

Protecting yourself against spammers and harvesters

My recently revised e-book, Spam-Proof Your E-Mail Address (see below), describes easy ways to encode any address you place on a Web site. This prevents your addresses from being collected by "harvester" programs. Harvesters are software bots that scour the Internet, copying e-mail addresses and adding them to spam databases. Studies show that harvesting is the most common way spammers build up their multi-million-name lists.

Keeping harvesters from getting your address is important, but you also need to protect any addresses you enter into forms at Web sites. In the e-book’s 2nd edition, I mentioned SpamGourmet.com, one of dozens of services offering disposable addresses. SpamGourmet allows you to insert an integer number up to 20 when inventing a new address. For example, I might register at Amazon using an address like the following:

amazon.20.secretspro@spamgourmet.com

In that case, SpamGourmet would accept no more than 20 messages from Amazon before deactivating the address. This number allows you to receive confirmation notices and the like, but your alias would automatically shut down if Amazon started sending you a lot of junk. If desired, you can configure certain addresses so SpamGourmet doesn’t stop at 20 messages but will forward to you an unlimited number from contacts you trust.

SpamGourmet is free but has drawbacks. Administering each address is an extra step. Also, there’s no way to log in to SpamGourmet to see your messages. You must provide a separate, valid address — one that you maintain at some other domain — in order to receive the messages forwarded to you from SpamGourmet.

After researching the market, I’ve decided that Yahoo.com’s AddressGuard is currently the best value in disposable addresses. The service isn’t free, requiring $19.99 per year. But this reasonable fee also gives you all the features of Yahoo Mail Plus. This premium account provides 2GB of storage, strong antispam filtering, no graphical ads in your Inbox, and the elimination of the promotional lines of text Yahoo tacks onto the end of its outgoing free messages.

Before I explain Yahoo’s disposable-address technique, let’s first look at an approach that doesn’t work — Google’s free Gmail.com service.

Gmail’s disposable addresses are the worst

Gmail provides a form of free disposable addresses, but it turns out to be fairly worthless. You first obtain an ordinary Gmail address, like so:

brilivings6789@gmail.com

You then build disposable addresses at Gmail by adding a plus sign (+) and a word that represents the contact you’ve given that address to. If you register an e-mail address at Amazon.com, for example, what you enter might look like this:

brilivings6789+amazon@gmail.com

Unfortunately, many Web apps reject or mishandle e-mail addresses that contain a plus sign. The plus sign is legal on the left side of e-mail addresses, according to Internet standards. But it’s an illegal character in Web addresses (URLs). Due to the confusion, many major Web sites mistakenly strip the symbol out before accepting an e-mail address. Other sites just choke, displaying nothing but an error message with an e-mail address containing a plus sign is entered.

Such well-established sites as Cingular, Bank of America, and eBay mishandle e-mail addresses containing plus signs, according to an experiment by blogger Wayne Burkett. 

(Note to Windows Secrets Newsletter subscribers: You may reliably use a plus sign anywhere to the left of the at sign in your delivery address. All of our signup forms on the Web accept such addresses. Also, we encode the plus sign to make it a valid character whenever the address must appear in a URL, such as in our change-your-address links.)

Adding insult to injury, if a Gmail address that contains a plus sign is ever harvested, it’s very easy for spammers’ computers to leave out the plus sign and the characters leading up to the at sign. This automatically lets them add your true Gmail address to their spam databases.

Yahoo makes custom addresses easy

In contrast to Gmail’s flawed design, my vote for the best provider of disposable e-mail addresses is Yahoo AddressGuard. This feature allows you to create up to 500 alias addresses, which is plenty. (I’ve created fewer than 300 aliases in over five years, and I’m super-active at signing up for lists.)

When someone responds using one of your alias addresses, Yahoo delivers the message to your Inbox or to a personal folder of your choice. Here’s how it works.

1. Realname. You start out with a Yahoo ID, which you give out to no one. For example:

brian.livingston.6789@yahoo.com

You then create disposable addresses using a different basename. This is followed by a hyphen and a different keyword for each contact you give your address to. The resulting addresses look as follows:

basename-keyword@yahoo.com

2. Basename. You choose a basename that’s different from your Yahoo ID. You give out the same basename in all of your disposable addresses but a unique keyword for each contact. For example, my basename might be secretspro.

3. Keyword. The keyword you make up for each disposable address reminds you which contact you gave it out to. You’ll probably insert the brand name of any Web site that requires a valid e-mail address. If I want to register with Amazon.com, for instance, I could choose amazon as the keyword. The disposable e-mail address I’d give Amazon, therefore, would be:

secretspro-amazon@yahoo.com

Spammers who gain access to one of your disposable Yahoo addresses can’t simply truncate the hyphen and the keyword and get your valid address. If spammers did send e-mail to a truncated address, such as

secretspro@yahoo.com

the messages would just bounce, since that isn’t a valid Yahoo address.

Yahoo makes it easy. You can create new addresses as you need them, using either the Mail Options page or the Yahoo Toolbar.

Create free disposable addresses on your server

If you maintain a domain name of your own, you may be able to create your own free disposable addresses, which would be the most convenient of all. Say your domain name is example.com. You could create your own realname, basename, and keyword system, just as Yahoo does. Your e-mail addresses might look like this:

brian.livingston.6789@example.com would be your realname, which you’d never give out;

secretspro@example.com would be your basename (mail sent to this address would bounce); and

secretspro-amazon@example.com is the style of disposable addresses you’d give to your contacts.

When you receive mail that was sent to a disposable address, and you reply, your system must insert the disposable address into the outbound message’s From and Reply-To fields. The best disposable e-mail services correctly format such replies automatically.

If you don’t run a mail server of your own, or all of the above sounds too complex, Yahoo is a low-cost alternative that’s easy to set up and manage. Although you can’t automatically forward mail from your Yahoo aliases to another e-mail address of your own, you can retrieve messages from Yahoo using any POP3-enabled mail client. You can also, of course, log in to Yahoo from anywhere in the world to check for messages.

In addition, Yahoo.com is a well-established domain name these days. It would arguably be more respectable-sounding when telling people your address than trying to explain a niche domain name like SpamGourmet.com.

Some Windows Secrets readers are already using the trick I describe above. As of yesterday, 12,000 or approximately 8% of the delivery addresses in our subscriber database end in @yahoo.com. Of those addresses, 143 include a hyphen somewhere to the left of the at sign. About 1 in 5 of the hyphenated addresses, in turn, use a familiar-sounding keyword such as -brian or -winsecrets. These readers obviously made up a special address just for us — which is exactly what disposable addresses are for.

To send us more information about disposable addresses, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.