Closed ScottPeterJohnson closed 2 years ago
Comment by Scott on May 3, 2019: We don't have any ways to enumerate users that I'm aware of, and that's something I've been watching out for on everything I've developed. Additionally, I haven't seen any spam on domains I've personally transitioned to Purelymail, even the obvious ones like the support email that's on my website.
A search through the logs of authentication attempts (we do, like every mailserver exposed to the internet, get a constant stream of low effort malicious login attempts) doesn't reveal any attempts on domains you own. (I double-checked and we may have a logging hole on SMTP for ~2 weeks, I'll fix that and tell you if anyone's even trying. They'd have to actually succeed at breaching your account to know it exists, though.)
I'd say it's unlikely we leaked your email, and offer a different explanation for what you're seeing: Your email address was always known to spammers, and our systems don't currently flat out reject even the most obvious spam emails. (They could, but I'd like to be really confident they'd do so correctly first.) Some systems do that. Others have different means to slow down the rate of spam receipt, e.g. Fastmail has greylisting, which we haven't implemented yet.
I'd encourage you to empirically test by creating some random users and doing nothing with them. If those leaked, we'd definitely have an issue on our hands.
Comment by Scott on May 3, 2019: One other idea: You have an email listed on the contact WHOIS for your domain. It's for a different domain, but if I were a spammer, it'd take me all of ten seconds to think of "try the local part of the contact email at this domain". I'd recommend changing that to a completely random address that still redirects to your domain at the least, or just opting for WHOIS protection. WHOIS is basically a well known spam registry.
Comment by Tor on May 3, 2019: My whois uses a different email address, so it's not exposed there.
If you're certain about no possible leaks through purelymail then I'll have to go with your suggestion that someone picked the address years ago (that would be a decade..) and one of them somehow figured out that it was time to start pumping. I'll try some random extra email addresses as you suggested, and let them sit for a while.
By the way - does the server support '+' for email addresses the way e.g. gmail does? E.g. JoeRandom+variant1@example.com, where +variant1 is ignored - the idea is that you sign up somewhere with your email with a '+'-tag to identify where emails you get back are coming from (JoeRandom+amaz@example.com, JoeRandom+netshop@example.com, and so on) - so, if you get spam to JoeRandom+amaz@example.com then you know that the one you gave the +amaz address to is the one who leaked your email.
Comment by Scott on May 3, 2019:
> My whois uses a different email address, so it's not exposed there.
Basically I was postulating that your WHOIS for "test.com" contains your name and a "foo@example.com" email address. So a spammer can probably try "foo@test.com". Anything in WHOIS merits extra caution because it's very public, very easy to look up, and is probably a valuable address.
> By the way - does the server support '+' for email addresses the way e.g. gmail does?
See here under "Aliases": https://news.purelymail.com/posts/2019-04-08-sieve.html
For a custom domain you'd basically just need a simple routing rule. (E.g. redirect everything starting with "foo+" to "foo"). This will probably be added as a sane default for custom domains when I get around to tidying up the routing system.
I'd actually recommend using an _ or other symbol, or even just whole-cloth prefixes since it's a custom domain and you can do whatever you want. Spammers can figure out how to strip the +, but they probably won't bother implementing things not specific to Gmail.
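The two things discussed above, the "foo+anything delivers to foo" routing rule and Tor's idea of handing out a different tag to each service so that spam on a tagged address points at whoever leaked it, can be put together in a few lines. The following is an added example, not Purelymail's routing code, Sieve, or anything either participant posted. It assumes a configurable separator (so the "_" suggestion works too, with the caveat that "_" may also appear inside mailbox names, which is why a known-mailbox list is used to pick the longest matching mailbox), and the service names, tags and spam recipient addresses are constructed sample data.

```python
"""Subaddress routing and leak attribution for a custom mail domain.

Added example (not Purelymail's code). Rule: "<mailbox><sep><tag>@domain"
is delivered to "<mailbox>@domain"; the tag is kept so spam arriving on a
tagged address can be traced to the service that address was given to.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Subaddress:
    mailbox: str          # canonical local part, lower-cased
    tag: Optional[str]    # text after the separator, or None if untagged
    domain: str           # lower-cased domain


def parse_subaddress(addr: str, separator: str = "+",
                     mailboxes: Optional[Set[str]] = None) -> Subaddress:
    """Split "Joe+shop@Example.com" into mailbox "joe", tag "shop", domain.

    Without a mailbox list, the split is at the first separator ("joe+a+b"
    gives tag "a+b"). With one, the longest known mailbox that is either the
    whole local part or a prefix followed by the separator wins; this is what
    makes "_" usable as a separator even when mailbox names contain "_".
    An empty tag ("joe+@...") counts as no tag.
    """
    local, at, domain = addr.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    local = local.lower()
    if mailboxes is None:
        mailbox, sep, tag = local.partition(separator)
    else:
        candidates = [m for m in mailboxes
                      if local == m or local.startswith(m + separator)]
        if not candidates:
            raise ValueError(f"no mailbox matches {addr!r}")
        mailbox = max(candidates, key=len)
        rest = local[len(mailbox):]
        sep, tag = rest[:len(separator)], rest[len(separator):]
    if not mailbox:
        raise ValueError(f"empty mailbox before separator: {addr!r}")
    return Subaddress(mailbox, tag if sep and tag else None, domain.lower())


def route(addr: str, mailboxes: Set[str], separator: str = "+") -> Optional[str]:
    """The routing rule from the thread: deliver "foo+anything" to "foo".

    Returns the canonical delivery address, or None when no such mailbox
    exists so the MTA can reject at RCPT TO instead of bouncing later
    (which would just generate backscatter).
    """
    try:
        parsed = parse_subaddress(addr, separator, mailboxes)
    except ValueError:
        return None
    return f"{parsed.mailbox}@{parsed.domain}"


def attribute_leaks(spam_recipients: Iterable[str], handed_out: Dict[str, str],
                    separator: str = "+",
                    mailboxes: Optional[Set[str]] = None) -> Counter:
    """Count spam per service using the tag each address was handed out with.

    handed_out maps tag -> service the tagged address was given to. Untagged
    spam and tags never handed out are counted under "<untagged>" and
    "<unknown-tag>"; the latter usually means a spammer is guessing tags.
    """
    hits: Counter = Counter()
    for rcpt in spam_recipients:
        try:
            parsed = parse_subaddress(rcpt, separator, mailboxes)
        except ValueError:
            continue                      # malformed or unknown mailbox: skip
        if parsed.tag is None:
            hits["<untagged>"] += 1
        else:
            hits[handed_out.get(parsed.tag, "<unknown-tag>")] += 1
    return hits


# Constructed sample data (hypothetical services, not real log lines).
HANDED_OUT = {"amaz": "big-shop", "netshop": "netshop.example"}
SPAM_RCPTS = [
    "JoeRandom+amaz@example.com",
    "joerandom+amaz@EXAMPLE.COM",
    "joerandom+netshop@example.com",
    "joerandom@example.com",
    "joerandom+forum@example.com",
    "not-an-address",
]

if __name__ == "__main__":
    print(route("JoeRandom+amaz@example.com", {"joerandom"}))
    print(attribute_leaks(SPAM_RCPTS, HANDED_OUT))
```

With a whole-cloth prefix scheme instead of a separator, `attribute_leaks` works the same way if `handed_out` is keyed by the full local part and `parse_subaddress` is skipped; the point of keeping the tag rather than discarding it at delivery is that the receiving side keeps the evidence of which address was leaked.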
Comment by Scott on May 13, 2019: I've finished reviewing all logs and points of enumeration. As far as I can tell, Purelymail doesn't leak anything about your email addresses.
I highly recommend you check the email address in question here: https://haveibeenpwned.com/
A lot of web services are really bad at leaking email addresses, which is where aliases should help a lot.
I'm going to close this issue, but feel free to reopen it if you have any other concerns.
(This issue was imported from Gitea) Tor on May 3, 2019: So after adding a dormant email address (my personal domain) which has never been used publicly, and which I never got any spam from when I used it last (over many years, until a few years ago when it was made dormant), now I get hundreds of spam messages in the inbox I created at purelymail. Is purelymail somehow exposing email addresses stored here? It's hard to see how this situation could come up otherwise.