Krebs asking about plus addressing

TenFour · 5 Aug 2022, 10:39 PM

I wonder if anyone here would have information on this question from the security blogger Brian Krebs?

Quote:

Has anyone ever done research that looks at past breached databases to see what % in the data set included a "+" in the address followed by the name or shorthand for the breached entity? Seems like presence of even only a few 100 of these in a large data set is highly suggestive

https://twitter.com/briankrebs/statu...43056778252291

jarland · 6 Aug 2022, 05:55 AM

I only have memories of reviewing excessive amounts of data from compromised databases. I don't even recall ever coming across a plus alias in any. I'm sure they were there but I feel pretty confident they'd be so few you could ignore them and exceed 99% effectiveness whatever your goal was for the data.

SideshowBob · 6 Aug 2022, 11:30 PM

I don't see what he's getting at, "highly suggestive" of what?

If enough addresses of the form "someuser+amazon@..." appear in spam then that suggests that amazon has been breached. Alternately if a stolen database of unknown origin contained many such addresses it would suggest it came from amazon.

What he seems to be referring to is the the case where a known organization has been breached and the stolen database contains plus addresses referring to that organization. All that suggests is that the addresses belong to external users/customers.

TenFour · 6 Aug 2022, 11:42 PM

My guess is he is looking at large databases on the dark web and if you see a few addresses like username+website, then he would be suspicious that "website" had been hacked. Of course some of the emails in those databases might be from email service providers, so the presence of +website wouldn't tell you anything.

TenFour · 11 Aug 2022, 01:02 AM

Krebs put up a new article on the pluses and minuses of using plus addressing. https://krebsonsecurity.com/2022/08/...email-aliases/

6 Aug 2022, 05:55 AM	#2
jarland Essential Contributor Join Date: Apr 2014 Posts: 399 Representative of: MXRoute.com	I only have memories of reviewing excessive amounts of data from compromised databases. I don't even recall ever coming across a plus alias in any. I'm sure they were there but I feel pretty confident they'd be so few you could ignore them and exceed 99% effectiveness whatever your goal was for the data.

6 Aug 2022, 11:30 PM	#3
SideshowBob Essential Contributor Join Date: Jan 2017 Posts: 278	I don't see what he's getting at, "highly suggestive" of what? If enough addresses of the form "someuser+amazon@..." appear in spam then that suggests that amazon has been breached. Alternately if a stolen database of unknown origin contained many such addresses it would suggest it came from amazon. What he seems to be referring to is the the case where a known organization has been breached and the stolen database contains plus addresses referring to that organization. All that suggests is that the addresses belong to external users/customers.

6 Aug 2022, 11:42 PM	#4
TenFour Master of the @ Join Date: Feb 2017 Location: USA Posts: 1,742	My guess is he is looking at large databases on the dark web and if you see a few addresses like username+website, then he would be suspicious that "website" had been hacked. Of course some of the emails in those databases might be from email service providers, so the presence of +website wouldn't tell you anything.

11 Aug 2022, 01:02 AM	#5
TenFour Master of the @ Join Date: Feb 2017 Location: USA Posts: 1,742	Krebs put up a new article on the pluses and minuses of using plus addressing. https://krebsonsecurity.com/2022/08/...email-aliases/