Spam: How to find out who leaked your personal information

Philipp Schmiedel
Published in The Startup
4 min read · Jun 16, 2019

Spam e-mails are a huge time killer. Between Q4 2018 and Q1 2019, more than 50% of all mail traffic was spam. Even if those e-mails are filtered by your spam protection system, you still need to look into your spam folder from time to time and check whether an important mail was flagged as spam.

But have you ever wondered how all those spammers got your e-mail address, or even enough personal information about you to get their e-mails past your spam filter more easily? Did that small online shop you registered with last month have a security vulnerability, so your information was stolen from there? Or was it that chat website you visited last week? What about that newsletter you subscribed to: did they sell your personal information to some other shady company?

If you used a different e-mail address for every online service that forces you to register, you could tell for sure which company leaked your information. Sounds complicated? It’s not…

Gmail plus addressing

Most people are not aware that their Gmail address includes an endless number of e-mail addresses. Let’s say your e-mail address is xyz@gmail.com: you can attach a + sign followed by any text in front of the @ sign and the mail still gets delivered to your Gmail inbox. So if I registered at a website called “Fancy Online Shop”, I would use, instead of my normal Gmail address, the alias xyz+fancyonlineshop@gmail.com.

Disclaimer: The name “Fancy Online Shop” is used in a fictitious manner. Any resemblance to actual websites or businesses is purely coincidental.

Example e-mail using plus addressing

If I now received spam e-mails at xyz+fancyonlineshop@gmail.com, I would instantly know that this shop leaked my personal information. Why does this matter?

  • As I used this e-mail alias for this one online service only, I can attribute the leak to this website, whether it gave my personal information away willingly or had it stolen.
  • As this alias is now compromised, I can create an inbox rule that moves all e-mails addressed to xyz+fancyonlineshop@gmail.com into the spam folder. I don’t need to rely on the automatic spam filter.
  • My main e-mail address was not leaked and stays spam free.

Limits of plus addressing and other e-mail providers

A limit of “plus addressing” is that some online services might not accept an e-mail address containing a + sign. A second limit is that the tag is visible in the address itself: anyone who strips everything from the + to the @ recovers your base address, so plus addressing lets you attribute a leak, but it does not hide your real mailbox. The good news is that there are other e-mail providers out there that offer a similar approach without the need for special characters, called subdomain addressing.

The e-mail provider FastMail, for example, allows you, in addition to the plus addressing format username+whateveryoulike@domain.tld shown above, to use whateveryoulike@username.domain.tld as a valid e-mail alias. On top of that, if you create a folder with the same name as the alias, FastMail will deliver such mail automatically to that folder. A useful feature for your VIPs, such as family members, who could send you e-mails at family@username.domain.tld. You can find the full manual here.

Example e-mail using subdomain addressing

Check the FAQ of your e-mail provider; they may already offer plus or subdomain addressing. It will not help with the spam you already receive on your main address, but you will have more control over the spam you receive in the future.
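The two alias schemes above (Gmail’s plus addressing and FastMail’s subdomain addressing) plus the inbox rule for a compromised alias, as an added example that is not part of the original article: a small Python script that classifies recipient addresses, maps them back to the service each alias was handed to, and counts which services show up in a spam-folder export. The mailbox xyz@example.com, the alias registry and the sample messages are all constructed for this example; “Fancy Online Shop” is the article’s fictitious name.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Hypothetical base identity (not from the article): mailbox "xyz" at
# example.com. Gmail offers only the plus form; FastMail offers both.
BASE_LOCAL = "xyz"
BASE_DOMAIN = "example.com"

# Constructed registry of which alias tag was handed to which service.
ALIAS_REGISTRY = {
    "fancyonlineshop": "Fancy Online Shop",
    "chatsite": "Chat website",
    "family": "trusted: family members",
}

# Aliases already known to be leaked; mail to them gets quarantined
# (the article's "inbox rule", expressed in code).
COMPROMISED_TAGS = {"fancyonlineshop"}


def parse_alias(address, base_local=BASE_LOCAL, base_domain=BASE_DOMAIN):
    """Classify one address. Returns (tag, scheme) or None.

    scheme is "plus"      for base_local+tag@base_domain
              "subdomain" for tag@base_local.base_domain
              "plain"     for base_local@base_domain (tag is "")
    Any other mailbox or domain returns None. Domains are case-insensitive
    by definition, and Gmail and FastMail ignore case in the local part
    too, so everything is lower-cased first.
    """
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep:
        return None
    base_local, base_domain = base_local.lower(), base_domain.lower()
    if domain == base_domain:
        if local == base_local:
            return ("", "plain")
        if local.startswith(base_local + "+"):
            return (local[len(base_local) + 1:], "plus")
        return None
    if domain == base_local + "." + base_domain:
        return (local, "subdomain")
    return None


def strip_plus_tag(address):
    """What a spammer can do in one line: drop '+tag' to recover the base
    address. Plus addressing attributes a leak; it does not hide the mailbox."""
    return re.sub(r"\+[^@]*@", "@", address)


def recipient_aliases(raw_message):
    """Return the sorted set of (tag, scheme) pairs for every recipient
    header of one RFC 5322 message that resolves to one of our aliases."""
    msg = message_from_string(raw_message)
    headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
               + msg.get_all("Delivered-To", []))
    found = set()
    for _name, addr in getaddresses(headers):
        parsed = parse_alias(addr)
        if parsed is not None:
            found.add(parsed)
    return sorted(found)


def should_quarantine(raw_message, compromised=COMPROMISED_TAGS):
    """Inbox rule: True if the message was addressed to a leaked alias."""
    return any(tag in compromised for tag, _ in recipient_aliases(raw_message))


def leaked_services(raw_messages, registry=ALIAS_REGISTRY):
    """Count, per service, how many messages of a spam export were sent to
    the alias handed out to that service. Mail to the plain address or to
    a tag that was never registered is reported under its own key."""
    counts = {}
    for raw in raw_messages:
        for tag, scheme in recipient_aliases(raw):
            if scheme == "plain":
                key = "main address (no alias)"
            else:
                key = registry.get(tag, "unregistered alias '%s' (%s)" % (tag, scheme))
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample messages standing in for a spam-folder export.
SAMPLE_SPAM = [
    "From: promo@spammer.invalid\nTo: xyz+fancyonlineshop@example.com\nSubject: WIN NOW\n\n...",
    "From: deals@other.invalid\nTo: Someone <XYZ+FancyOnlineShop@Example.com>\nSubject: cheap\n\n...",
    "From: news@chat.invalid\nTo: chatsite@xyz.example.com\nSubject: hi\n\n...",
    "From: mum@home.invalid\nTo: family@xyz.example.com\nSubject: dinner\n\n...",
    "From: unknown@x.invalid\nTo: xyz@example.com\nSubject: generic\n\n...",
    "From: unknown@x.invalid\nTo: xyz+neverused@example.com\nSubject: odd\n\n...",
]

if __name__ == "__main__":
    for service, n in sorted(leaked_services(SAMPLE_SPAM).items()):
        print("%-40s %d" % (service, n))
    print("quarantine first message:", should_quarantine(SAMPLE_SPAM[0]))
```

Run over a real export (for example the `.mbox` of your spam folder), the counts tell you which alias, and therefore which service, the spammers are writing to; an alias you never handed out is worth a second look, since it suggests someone is guessing tags rather than working from a leaked list.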

Your personal data matters

Disclaimer: The following information should not be seen as legal advice. You should consult with an attorney before you rely on this information.

It’s a sad fact that too many websites and companies still do not handle your personal data in a secure and responsible way. New regulations help you protect your sensitive data online and ensure you know whom to contact if something goes wrong. The EU General Data Protection Regulation (GDPR), for example, requires a company to provide you with its contact information whenever personal data is collected from a website visitor inside the European Union:

Art. 13 GDPR: Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
b) the contact details of the data protection officer, where applicable;
[…]

As a company MUST provide this information to every visitor from inside the EU, it will probably provide it to all of its visitors worldwide. So even if you’re not visiting the website from inside the EU, you still benefit from this information.

However, even though new regulations help you protect your personal information, you should still try to minimise the consequences of a data leak. Using a different e-mail alias on each website is one such precautionary measure.
