132

My question is based on this tweet after I commented about forbidding + symbols in email addresses. The tweet says, "This is a measure we've taken for security reasons."

This can be frustrating and inconvenient for people that have (or use) plus signs in their email address, and I'm sure web sites don't intend to do that. I'm unaware of the security vulnerabilities related to using the + character; is this something I should change to improve my own security? What is the security reason for a web site to disallow that character on an email field?

Update: Meetup Support responded positively. Turns out it's more of a UX issue than a security one. They clarified in this tweet that they disallow + to prevent spam (?) and they acknowledged a suggestion for improving the user experience. (My intent here was not to gripe about Meetup; let's be gentle! I wanted to make sure I was not missing something important in my own web sites that receive email addresses.)

Teun Zengerink
  • 111
  • 1
  • 4
Matt
  • 3,242
  • 2
  • 22
  • 27
  • 59
    I doubt they have any valid security reason, rather they are just lazy and don't want to fix it. – user2813274 Aug 12 '14 at 19:19
  • 2
    As an aside, it may be possible to bypass that validation if it is done client-side (IE by javascript). Also, @martialdidit, you should just mark the question as a favorite and not comment saying that it is something you will come back to. – Matthew Peters Aug 12 '14 at 19:53
  • 22
    related: "plus haters" – David Cary Aug 13 '14 at 02:47
  • 9
    I too use the + sign a lot in my Gmail address to filter out mails and to see who has sold my mail address. I believe most sites just use the same regex to check the validity of an entered mail address and that this regex doesn't allow a + sign. I've contacted many sites for this and most answer it's just the way the system works (i.e. they're to lazy to fix it) – BlueCacti Aug 13 '14 at 08:33
  • 1
    1 thing I can think has nothing to do with registering on a site. Some mail clients might show a mail coming from phisher+paypal@ItsLikeFishing.com as a mail from PayPal. Although this issue is already years old and has been 'fixed' by most mail providers – BlueCacti Aug 13 '14 at 08:36
  • 2
    I wonder who from MeetUp has seen this post... – Matthew Peters Aug 13 '14 at 14:00
  • 8
    This reminds me of another silly tweet from last year – Lightness Races in Orbit Aug 13 '14 at 16:00
  • 23
    One reason is that, at least with Gmail, anything after the + is ignored. That means that example+a@gmail.com, example+b@gmail.com, etc. are all delivered to example@gmail.com's email. This is useful in finding out who is selling your information. For example, if I sign up for Fabrikam Inc.'s newsletter with example+fabrikam@gmail.com, and I get an email from Contoso Ltd. directed to example+fabrikam@gmail.com, I'll know Fabrikam is selling my information. – Cole Tobin Aug 12 '14 at 22:54
  • 1
    Gmail allows unlimited numbers of addresses containing a plus to forward to the same address. I.e. bob+xxx@gmail.com forwards to bob@gmail.com. If the site allowed users to use emails addresses like these, spammers would have an easy way of creating an unlimited number of accounts from a single email address. – Brice M. Dempsey Aug 15 '14 at 08:36
  • 4
    @JamesT.Huggett At that point it's more of an engineering/UX problem than a real security issue. There's ways to strip out or ignore the "plus" portion of a Gmail address and check for duplicates. It can be inconvenient to implement, but it gives more security/control to the user. – Matt Aug 15 '14 at 14:40
  • 1
    The way I read their response is "we would like to be able to sell your email address with others without you being able to tell we've done this". – user541686 Aug 16 '14 at 08:11
  • 1
    @Cole another use for that is filtering emails: I can set mail sent to myname+banks@gmail.com to go in a specific folder. – Anonymous Penguin Aug 16 '14 at 17:05
  • That's why I just configured my mail server to use the underscore as the decoration character (in addition to + of course)... so now I can sign up with doktorj_shadysite@example.com and it actually goes to doktorj@example.com with all my other email, but is filterable and accountable, and underscores are common enough in email addresses that most places accept it :D – Doktor J Apr 09 '19 at 20:08
  • An additional problem with the + sign is that you must get URL-escaping right, otherwise it can be silently reinterpreted as a space character, since spaces were encoded as a + in URL parameters on the early web. I've seen many web forms accept a + character in an email address, but change it into a space on the next page. The solution is to edit the URL, changing the + into %2B, which is a URL-encoded + character. – gpvos Aug 07 '19 at 08:31
  • @gpvos Yes, I found this problem on a retailer website a few weeks ago and reported it. (They rewarded me with a voucher.) So plus addressing has still been profitable... – Matt Aug 07 '19 at 22:03
  • One possible security vulnerability is that a hacker can sign up for one valid email address that might require phone verification to prove that the person is real. After that one verification, the hacker now has an unlimited number of email addresses to use when registering accounts on various sites. This could be a problem for sites that require minimal identity verification, like a birthdate and matching some contract number. In those cases, a hacker can write a script to register for multiple accounts that aren't theirs, and they don't need to get another "real" email address to do this. – Toby Artisan Jan 14 '21 at 15:38

4 Answers4

101

There is no security vulnerability per se with having a '+' in your email address. It's permitted as per RFC 2822, and not particularly useful for SQL or other common forms of injection.

However, many systems (let's call Meetup a system for this purpose) enforce security through whitelisting, not blacklisting. Someone defined a limited list of characters they expected to see in email addresses (probably upper, lower, numeric, ., _, and -) and wrote a filter to block anything outside that list. And they didn't think anyone would use +, so you're out of luck.

This article describes how to set up Postfix to tag, and to use '-' instead of '+' because:

However, during a recent discussion on the Postfix user list, it was mentioned that some websites (particularly banks) use JavaScript to try and validate email addresses when they are entered into online forms, and that many don’t allow the plus symbol as a valid character in an email address.

I switched from '+' to '-' over a decade ago, for similar reasons.

Community
  • 1
gowenfawr
  • 72,893
  • 17
  • 165
  • 200
  • 3
    Can you use a combination of + and -? I know gmail will attempt to filter your + tags into separate labels where possible, ie, my.email+spam@gmail.com will send any emails from that particular service to the spam tag. I've never tried my.email-spam@gmail.com though. – Seiyria Aug 13 '14 at 00:51
  • In short, both + and - are legal characters and you can use both, in any combination, in your email address. However, it's up to your mail server how that's handled. Courier and Postfix both support tagging with simple configuration settings, but I don't think either will support two tag markers without extra work. YMSMV (Your Mail Server May Vary). – gowenfawr Aug 13 '14 at 12:07
  • 3
    If you're not running your own mail server, you can't control how they will process a hyphen. In most cases, "doktor-spam@example.com" is a completely different email address/account from "doktor@example.com". OTOH, most providers treat "doktor+spam@example.com" the same as "doktor@example.com", allowing you to use it for client-side filtering purposes. – Doktor J Aug 13 '14 at 17:54
  • It's important to note that according to RFC 822 the only characters explicitly not allowed are: ( ) < > @ , ; : \ " [ ] (technically . belongs here too, but it's handled a little differently, and is permitted in a fashion) – Doktor J Aug 13 '14 at 18:04
  • @DoktorJ isn't anything permitted inside a quoted local-part? Or does RFC 822 not allow quoted local-parts? (RFC 821 does, so that seems like a problematic inconsistency) – user253751 Aug 13 '14 at 21:24
  • @Seiyria I just tested that, and it does not work, at least not with custom labels. – Zombo Aug 17 '14 at 18:30
  • 1
    @immibis Yes, you are correct: RFC 822 allows the local part to be a sequence of dot-separated words, and a word can be a quoted string, which can contain any character (some of which may need to be backslash-escaped). RFC 2822 also allows this, but specifies that it "SHOULD NOT" be used. – Jules Aug 17 '14 at 20:26
  • 5
    Is there any reason to not support all valid email addresses (besides perhaps the simplicity of validating the address)? – Kat Aug 22 '14 at 17:18
  • @Kat I've done some client-side validators, and I've found that I always want to enforce a .domain at the end of an e-mail, even though something like me@localhostis technically a valid address. – Brendan Apr 20 '16 at 12:04
  • When you are a developer anyway (having the ability to configure your own mail server) you can as well edit the filter for the input field. – Hacky Sep 15 '22 at 07:22
85

They are likely incompetent and may not even know they are lying to you.

From a input-validation standpoint, they have no leg to stand on; there are a specific set of RFCs that robustly describe the format of a valid email address. Even if an email address is technically invalid according to the RFC, it may still be possible to deliver mail to it anyway. You can check an email address is deliverable by sending mail to it with a unique link for the owner to click on.

As the linked site says:

Sadly, many websites won't let you register an address with a plus sign in it. Not because they are trying to defeat your tracking strategy but just because they are crap. They've copied a broken regular expression from a dodgy website and they are using it to validate email addresses. And losing customers as a result.

Even if we assume they have completely broken code and they are using a crap validator because they literally paste the validated email address into a UNIX shell, that still doesn't give a valid reason why joe.bloggs+meetup.com.better.not.sell.this.to.spammers@example.com should be considered invalid.

There is no valid security reason to ban the use of + in email addresses. Even if spammers use it as a low-rent way of making multiple accounts, websites can easily see if someone signed up both as joe.bloggs+1@example.com and joe.bloggs+2@example.com; if Joe Bloggs is abusing their service, they can easily ban both accounts. Anyone with their own mail server can generate valid email addresses like joe.bloggs1@example.com, joe.bloggs2@example.com. They gain no additional security by prohibiting the use of +.

Stuart Caie
  • 1,517
  • 1
  • 9
  • 7
  • 1
    That was my thinking too but I wasn't quite sure. Thanks for the explanation. I assume that most of these sites aren't really incompetent, but it's probably likely that there is misinformation and wild assumptions that go on. So I guess the real issue at hand is more of a UX thing, not security. – Matt Aug 12 '14 at 20:09
  • 4
    So maybe the "security reason" is that they're selling your email address to spammers, and trying to secure themselves against users identifying them as the vendor ;-) Of course they'll fail for the reason you say, that someone with their own domain will figure out what they're doing. – Steve Jessop Aug 13 '14 at 12:28
  • "Anyone with their own mail server can generate valid email addresses" there are also some existing mail services which permit all usernames as valid (eg, mailinator.com and its aliases) – Brian S Aug 14 '14 at 22:50
  • 1
    Well, they might be accepting the email address as GET parameter somewhere and post it onto a Unix shell without validation (turning the plus into a space). Of course, in that case, the whole approach of not allowing a character rather than doing a proper validation is so stupid that the "solution" is kind of ill... – Damon Aug 15 '14 at 08:15
19

As others have pointed out, there are no real security reasons to disallow a plus sign in email address.

Being a web developer, the main reason I can think of is to prevent users from making multiple registrations using different aliases, especially on an E-commerce website where you have a one-time free offer that you want to limit to each individual.

From the point of view of a database administrator, an extra query on the database has to be made if you want to accept the plus symbol and at the same time limit the registration of email to one alias per email address. Otherwise setting UNIQUE key on the email address would be sufficient to prevent an INSERT if the email address is a duplicate.

The above reasons are a combination of technical and commercial decisions which would not be easily explained in a line of words. If you are using an alias in your email address, an easy solution is to drop that part off in order to register.

Question Overflow
  • 5,300
  • 6
  • 28
  • 48
  • The DBA perspective is refreshing, thanks! I would suppose, though, that a little pre-processing of the email address to strip out the plus-portion could save that extra query. This steps into UX bounds, but is interesting since, as you suggest, I should be able to change my email address to have a plus-sign later without negative consequence. (I agree; but I doubt most sites implement it that way.) – Matt Aug 13 '14 at 13:55
  • 2
    Yup. It's a bunch of extra work. I personally use + to understand who's selling my data. But to handle it properly in websites I've worked on, I'd need an extra field in the DB, to enforce "one free account per email address" - I'd need to record a field with the users' chosen email address, and then a field parsed to remove the decoration - and check the undecorated field for uniqueness, alone, never using it for any other purpose. That's a lot of effort for little benefit to the website. Easier to say "Nah. No plusses in email addies, innit. Security, mate, security - no telling you, eh?". – JezC Aug 13 '14 at 18:21
  • 2
    @Matt, as the RFC standard did not restrict the usage of + symbol to aliases, there is no way for website owners to have their cake and eat it too. Users with uncommon email address are going to be left once a decision is made to exclude aliases for registration. And I am not suggesting that you are able to add back your alias subsequently after registration as I believe the same validation rules would apply for email change. – Question Overflow Aug 14 '14 at 02:53
  • 5
    "to prevent users from making multiple registrations using different aliases" - I would imagine that if people really wanted to get multiple free offers they would just create a multiple accounts. I'd imagine more people know about free email accounts then aliases in gmail. – Maja Piechotka Aug 14 '14 at 17:23
  • @MaciejPiechotka, yes, you are right. That's why if business rule dictates, those free disposable email domains would be blocked as well. Although it is impossible to block all, a list of top 100 email domains would be good enough to deter most people from abusing the system. – Question Overflow Aug 16 '14 at 02:23
  • 1
    @QuestionOverflow So the business rules dictate that users using gmail, yahoo, hotmail and other similar accounts are blocked by default? Given that those 3 domains have over 96% of US market share (sorry I could not find worldwide data) it sounds like loss from deterred clients would by magnitudes larger then any possible loss from a few free riders - unless it's very specific bushiness and can afford to, say, accept only addresses from universities. – Maja Piechotka Aug 16 '14 at 09:19
  • @MaciejPiechotka, when talking about disposable email address, I am referring to one that is temporary and needs no registration, such as mailinator or guerrilla mail. Obviously, nobody in the right mind is going to block gmail, yahoo and hotmail. No system is perfect. – Question Overflow Aug 17 '14 at 09:39
  • @MaciejPiechotka the difference is, for the average user trying to game a promotion, creating new accounts has a much higher barrier to entry (several minutes creating the account) versus using + based aliases (simply submit form with random garbage after + sign over and over). Also, many of those disposable services (such as gmail) still require you to "authenticate" with a phone number or the like, further increasing the barrier to entry – Doktor J Apr 09 '19 at 20:01
-1

The only security reason I can think of is that they are using regular expressions to process emails and their software is crap, does not escape addresses properly and they hit errors. Maybe a far guess but I've seen issues related to email addresses with + and regular expressions. In any case, conclusion is that these sites are crap.

akostadinov
  • 644
  • 6
  • 9
  • 1
    Oh, I dunno about that. Their site works really well for arranging meetups and I've enjoyed the ones I've attended. Though the problem may reflect a poor UX decision, if all it takes is to change some regular expression, that really has little to do with the effectiveness of the service as a whole. – Matt Aug 13 '14 at 17:59
  • If you want a + in Regex, you just use \+. It's basic Regex. – Cole Tobin Aug 13 '14 at 19:00
  • 2
    If that were the case, they would probably not support periods either (which they do). – Fuzzy76 Aug 14 '14 at 08:29
  • @ColeJohnson No, in a basic regular expression, if you want +, you use \+. Beware of accidental uses of technical terms! – Gilles 'SO- stop being evil' Aug 14 '14 at 12:41
  • @Fuzzy76, I've seen most of the times dots used in regular expressions without escaping. Many programmers just don't think that much. But dot's do not break matching of valid use cases and often are not noticed for a long time or forever. I've also seen dots escaped in character classes, which is another issue. You guys are confusing "what they can do" with "what they do". Escaping a user supplied string requires some thought to do properly. Blocking spam with disallowing + is equally lame. If it was so easy to prevent spam, there would have been no spam already. – akostadinov Aug 18 '14 at 06:26