This is a most excellent place for technology news and articles.
The myaddress+shop@gmail.com should be trivial to defeat by a spammer. Its a very simple string remove/replace to get back to a stock email address, or change it to impersonate another service, eg. myaddress+netflix@gmail.com.
It's only useful for the actual service, after that, you can't rely on it.
Correct. Everyone knows this trick so everyone filters out the everything from the + to the @.
Even when email lists are “legitimately” sold it’s removed.
This guy’s using 1990s techniques in 2025.
“We can prosecute using IP address!”
Ah, it's more about the receiver than the sender. If they cut it off, their letter gets deleted or moves to spam directory. Provided someone configures that.
With centralized mail services of today 1990s' techniques don't work so well, but that's a problem of adoption, not allowing mail without a correct token is still pretty modern.
The use of a "+" convention is just a convention popularized by Gmail and the other major providers. If you have your own domain, you should be able to do this with any arbitrary text schema, and encode some information in the address itself, especially if you don't care about sending email from those aliases: set up your email service to have a catchall inbox that can further be filtered/forwarded based on other rules.
It can be cumbersome but I could see it working at getting the information you're looking for.
Yeah, I love my catch-all email domain. If I start getting spam addressed to “Target@{my domain}” then I know Target sold my data; I can burn the account by auto-spamming everything addressed to it, and move on.
Also most adversaries are using VPN's
Some email services like iCloud offer scrambled permanent emails to use on different services though, that's pretty cool.
I started getting spam in German to an email address I gave to the town hall of my town. They use multiple domains to send it, but they all have the same link format that redirects to a fake AI-generated dating site. I've tried reporting some to the police, as well as the hosting providers, but haven't heard back at all. I'd like to delete the address, but it's the one town hall uses to reach me...
Ask the town hall to update the record of your email address to a different one that doesn't get those amounts of spam. When you're sure you're not losing access to any other services you used that address for, go ahead and delete it. To me, that seems like the most effective solution to get rid of it.
How annoying!
The idea of having them send an e-mail to an address containing their IP is clever, however you need to authenticate that the person who sent the e-mail is either somebody who queried your site, or somebody that got the address from somebody who queried your site or else you could just figure out how to generate that base64 yourself and impersonate somebody else’s IP address which could have catastrophic results if you then fed these IPs into something like a block list and suddenly you’ve blocked Microsoft/Office 365. To be fair, I doubt anybody is going to try and reverse engineer one person’s code to then figure out how to impersonate who sent spam, but if this became a widely distributed program you could just pull off Github then it would be more concerning.
A couple ways to solve this:
All this said, I think your time is better spent with the using unique e-mail aliases as the author suggested but with 2 changes: 1) use aliases which are not guessable to prevent somebody from making it look like somebody else was hacked (e.g. me+googlecom@ gets compromised, but the spammer catches on and sends from me+microsoftcom@ instead to throw off the scent) and 2) don’t use me+chickenjockey@, use chickenjockey@ or else the spammer can just strip “+chickenjockey” from the address to get the real e-mail address.
Spit out a random e-mail address and record which e-mail address was given to each IP.
The author mentions it's a violation of GDPR to record visitors' IP addresses. I'm not sure that's correct, but even so, it could be possible to make a custom encoding of literally every ipv4 address through some kind of lookup table with 256 entries, and just string together 4 of those random words to represent the entire 32-bit address space, such that "correct horse battery staple" corresponds to 192.168.1.100 or whatever.
Ah you’re right about the GDPR part in the article! My bad. Signing might be the best bet in that case since it avoids storage IF you were to try and implement this kind of system.
What you've described is often referred to as a rainbow table and is generally not considered to be GDPR compliant:
https://skymonitor.com/why-hash-dont-anonimize-an-ip-address-and-what-this-affects-gdpr/
As much as I like this approach, I want to hear if the author has at any time successfully sued anyone with it because I seriously doubt it.
Base64 encoding of a text representation of an IP address and date seems inefficient.
There are 4 octets in a ipv4 address, where each octet is one of 2^8 possible integers. The entire 32-bit ipv4 address space should therefore be possible to encode in 6 characters in base64.
Similarly, a timestamp with a precision/resolution in seconds can generally be represented by a 32-bit integer, at least up through 2038. So that can be represented by another 6 characters.
Or, if you know you're always going to be encoding these two numbers together, you can put together a 64-bit number and encode that in base64, in just 11 characters. Maybe even use some kind of custom timestamp format that uses fewer bits and counts from a more recent epoch, as an unsigned integer (since you're not going to have site visitors from the past), and get that down to even fewer characters.
That seems to run less risk of the email address getting cut off at some arbitrary length as it gets passed around.
That base64 is so long, and doesn't need to be. An IP address is 4 bytes so it could be represented as simply 8 hex digits (base64 also expands to 8 due to padding).
An IP address is 4 bytes
IPv6 exists you know?
Yes but OP took the string representation of the IPv4 and base64'd it, I was addressing that part specifically.
And I'm addressing your statement that "an IP address is 4 bytes" in specific. I understand their example is IPv4, but you just blatantly said that "An IP address is 4 bytes" when that's not the case for IPv6 which a good chunk of the world is using now (still not a majority though...).
His code takes the base64 of anything that's returned in both (together) ip and timestamp. So the long string is both values concat'd then encoded. Most of that string is going to be the timestamp...
Specifically MTEuMjIuMzMuNDQ is 11.22.33.44
Where ---KIApTdW5kYXksIDI3LUFwci0yMDI1IDE1OjA0OjM5IENFU1QK is the date string Sunday, 27-Apr-2025 15:04:39 CEST.
While it's still a "bigger" value than it needs to be, it's not like it's the end of the world for an email address. I mean, if we really want to get "fancy" most people don't know that you can just go to an IP address in it's decimal form...
1.1.1.1 -> 16843009 (http://16843009) No need to encode anything special at all in that case. But that's neither here nor there... Can always make your own with blackjack and hookers of course.
How the turntables have turned π radians. Maybe. We’ll see.
