The dots do matter: how to scam a Gmail user

        Where is the security flaw here? Some would say it's Netflix's
        fault; that Netflix should verify the email address on sign
        up. But using someone else's address on signup only cedes
        control of the account to that person. Others would say that
        Netflix should disallow the registration of, but this would force Netflix and
        every other website to have insider knowledge of Gmail's
        canonicalization algorithm.  Actually, the blame lies with
        Gmail, and specifically Gmail's "dots don't matter" feature.
        The scam fundamentally relies on the Gmail user responding to
        an email with the assumption that it was sent to their
        canonical address, and not to some other address from their
        infinite address set.

 - - -

This has been a problem with Gmail for ages. Even if you are not
scammed by crooks exploiting this, it can be a vector for yet more
spam, not all of which Gmail will detect. Gmail users have long needed
a way to control this feature, and to specify precisely which dotted
forms should be considered as their valid Gmail addresses.
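The canonicalization the quoted passage refers to, as an added example that is not part of the original post or blog: a small check a site or mail filter could use to tell whether two addresses land in the same Gmail inbox, and to flag mail delivered to a dotted variant of the address a user actually registered. The domain list and the sample addresses are constructed assumptions.

```python
"""Canonicalise Gmail addresses so that every member of a user's
"infinite address set" (any placement of dots in the local part)
maps to one inbox key. Added example; not from the original post."""

# Domains Gmail delivers for (assumption: googlemail.com is an alias of gmail.com).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical(address: str) -> str:
    """Return the canonical form of an address.

    Only Gmail's dot rule is applied, and only for Gmail domains: other
    providers treat dots in the local part as significant, so their
    addresses are returned unchanged apart from case-folding the domain.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        return local.replace(".", "").lower() + "@gmail.com"
    return local + "@" + domain


def same_inbox(a: str, b: str) -> bool:
    """True when both addresses deliver to the same mailbox."""
    return canonical(a) == canonical(b)


def delivered_to_variant(rcpt: str, my_address: str) -> bool:
    """Defender-side check for a mail client or filter: the message was
    addressed to a dotted variant of my address rather than the exact
    form I registered with. Mail like this is what the scam relies on,
    so it is worth surfacing to the reader before they act on it."""
    return (same_inbox(rcpt, my_address)
            and rcpt.strip().lower() != my_address.strip().lower())
```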

Lauren Weinstein
Lauren's Blog; Google Issues Mailing List
Founder: Network Neutrality Squad; PRIVACY Forum
Co-Founder: People For Internet Responsibility
Member: ACM Committee on Computers and Public Policy
Tel: +1 (818) 225-2800