How to stop email aliasing?

Email address aliasing is a technique where users create multiple email addresses by adding characters or strings to the base email address (e.g., john.doe+1@example.com, john.doe+2@example.com). While aliasing can help users organize their inbox for different service subscriptions, it doesn’t benefit merchant websites. This is because it can be easily exploited by malicious actors to bypass sign-up restrictions, abuse referral programs, create multiple free trial services, and evade detection mechanisms. This article will discuss how online merchants can mitigate the risks associated with email address aliasing.

Understanding Email Address Aliasing

Email aliasing is a technique that often employs the “+” symbol. This is a strategy that’s supported by a wide range of email service providers, including Gmail. This method is commonly known as Plus Email Addressing. What happens in this method is that emails sent to an address like john.doe+alias@example.com get delivered to john.doe@example.com. This technique allows users to establish a list of variations of their base email address, effectively creating an infinite number of aliases.

Dot email addressing is another technique that shares similarities with Plus Email Addressing. In this method, the user can incorporate dots into their email address in varying positions to create unique variations. For instance, john.doe@example.com and johnd.oe@example.com are different addresses, but in reality, they route incoming emails to a single inbox, johndoe@example.com. This technique is a unique feature supported by the Gmail service provider. However, it’s important to note that this method is not universally supported. For instance, Outlook and Yahoo do not support Dot Email Addressing as of my current knowledge.

Besides the free email provider mentioned earlier, plus addressing can also be conveniently set up on a self-purchased domain. Users simply need to configure the settings to support it.

What are the potential abuses?

Attackers can bypass one-account-per-email policies by creating multiple accounts using different aliases from the same base email address. This is a significant loophole in the system that poses a threat to the integrity of user data. Most services have email verification, which sends a link to the provided email address for verification. With email aliasing, all verification emails are sent to the base email address, allowing the malicious user to easily confirm the email’s existence, thus undermining the verification process.

In addition to creating multiple accounts, multiple email aliases can also be used to inundate a service or website with spam. This could potentially overwhelm the server, affecting its performance and usability. Even though some websites use an email verification service, they cannot stop the spam because the alias email is a valid account. This means that spam filters will not be effective in this case.

Another issue is that by creating numerous aliases, attackers can artificially inflate referral statistics to gain benefits, which is a form of fraud. This manipulation of data can skew analytics and misrepresent user engagement. Such practices can potentially cause losses for merchants who pay for referral commissions or benefits, thereby affecting their profit margins and overall business performance.

Strategies to Mitigate Email Address Aliasing

To address this issue, we should standardize email addresses into a base form, subsequently using this format for verification. For instance, we can change john+alias@example.com into john@example.com when storing the email address. This approach not only simplifies the process but also eliminates the potential for confusion caused by aliasing.

In addition to email verification, implementing an SMS verification to authenticate users’ phone numbers could be beneficial. While bad actors can create an email alias, they cannot do the same for a phone number. This extra layer of security can significantly reduce the risk of fraud and abuse.

Though no single strategy can entirely eliminate the risks associated with email aliasing, a combination of various approaches can significantly enhance protection. It’s worth considering the use of other validation tools to perform checks against IP addresses and device validation, alongside email validation. With a fraud validation tool, you’re not only monitoring and analyzing the behavior of bad actors but also proactively putting measures in place to mitigate abuse.

Conclusion

Email address aliasing presents a significant challenge for online merchants trying to preserve the integrity of their user base and prevent misuse. By applying a layered defense strategies, such as email addresses canonicalization, extra validation steps, and ongoing monitoring, your platform can be safeguarded from harmful activities, providing a safer environment for your users.