Skip to content

Using Tagged Email Addresses for Fun and Profit

Pascal van Hecke recently caught some spam that was sent to a unique email address he gave to Read the details. One problem is he used a very simple tagged address that could be easily guessed. For example, I would guess that his MyBlogLog email address is[at] So what’s to stop the spammers out there from bruteforcing popular domains at other domains? For example,

That’s why I use a bash script to create unique email addresses when I register at a new site. The script uses the MD5 function to create a unique 32 character email address. Then it adds the address to my mail server’s virtusertable file. Here’s the script:

echo $ts
echo $password
echo $1
echo $password $1 | md5sum –
echo $password $1 $ts >> listing.txt
echo `echo $password $1 | md5sum – | cut -c 1-32`@$domain
echo `echo $password $1 | md5sum – | cut -c 1-32`@$domain >> listing.txt
echo >> listing.txt
echo `echo $password $1 | md5sum – | cut -c 1-32`@$domain pm-list >> virtusertable-list.txt

This is much safer than simply using “their domain name”@”your domain name.” See Bruce Schneie’s Crypto-Gram Newsletter for May 15, 2003 Unique E-mail Addresses and Spam for similar thoughts.


  1. David Leadbeater says:

    I’ve implemented the same thing in a bookmarklet, this has the advantage of being one click in my browser (it fills in the currently selected form field on the page). Unfortunately it doesn’t use a decent one-way hash (although I think it should be possible to fit MD5 in there, if a little tricky) – hence I don’t want to share the code 😉

    Also I notice your script doesn’t actually make use of the date, is this deliberate? – I don’t use it as this means the address is repeatable per site, I can simply click the same button and not have to remember if I’ve previously used an address on that site.

  2. Whoops! I do echo the date out into the logfile. And it would be trivial to add it into the hash. But then you’re right, you can’t recreate the hash if you forget the date. I’ve fixed my script above. Thanks David, for pointing that out to me.

  3. Tim Fabian says:

    how do you implement that because I’m unsure how to, and it would be useful to know how to seeing as when I unsubscribed at one website a few years ago I started getting about 100 spam mails a day in the email account. Admittedly I only use it to sign up for things, but before that it had gotten about 5 spam mails and I had it for about 6 months by then but the sites privacy policy claims that they will never sell or pass on in any way a persons email.

  4. Seth says:

    Btw. if you left the time component out, you’d better pick a damn strong password indeed.

    Otherwise, any of your generated email-addresses would be very vulnerable to dictionary attacks (given the algorithm is published). Also, guessing that people will reuse their favorite password for different boxes, this implies that i can repeat the generator for different sites and probably get a working combination of email&password without any effot.

    Now I know (1). that *you* are smart enough to pickle the script with something undeterministic and preferably unpublished (2) as well as to use unique, strong passwords all the time, but

    your visitors will probably just copy the script as is and stick to their not-so-safe favorite password. Worth a warning, i think

  5. Well, the “password” above is actually more of a salt, to make the hash more difficult for an attacker to recreate. You could easily use your name as the salt (what I called the password), and the domain name alone to feed into the script.

  6. […] I know, it hasn’t ever happened to me (why would anyone do that?) but if you’re careful as Michael Boyd Clark is, you might use a instead […]