by VanguardLH » Thu Jun 14, 2018 4:25 am
My concern was if the someword token would get reduced in maximum length based on how long the prefix token is. If they are treated independently then I don't have to be concerned with reduction of someword's max length. To know to whom I doled out an alias, I add an identifier in the someword token. I also add a datestamp of when I doled out the alias. This lets me know who was given the alias and when. There are times, for example, I want to contact a company and do so again later but don't want to bother reviewing aliases to see what I used before or to make sure they get a new alias next time to avoid losing their replies now by using an old alias that has expired (usecount = 0). By adding a date, I could contact a company now and a year, or more, later contact them again without concern about possibly reusing an old alias that is dead. For example, I might add a review of software at download.com. A year later, I might want to review another software product at download.com. I don't want the alias to survive for years. I don't want to have to log in to Spamgourmet to make sure what I might use now hasn't been used before. So today I would use download-com061318 as someword and months later I would use download-com011419 as someword. Same place an alias is getting used but I don't have to log in to check what I've used before.
I wanted to make sure that the someword token didn't get shortened because I'm already using pretty long ones, and any shortening means impacting the datestamp that I want to add. Doesn't matter to me that the username token (prefix+someword+usecount+acctname) gets really long since no real person is getting those aliases, anyway. Computers are very good at keeping accurate the content of long strings.
The only reason why I got spurred into looking at using the prefix in an alias is that I have encountered spams that do not originate from whoever was given the alias and the sender seems totally unaffiliated with the sender. Doesn't happen often but it does happen. The algorithm at Spamgourmet is highly simple for any hacker to obviate: once you get any SG alias, just add any random string as the someword token. Spammers harvest e-mail addresses but they also use string generators. Some even use the SMTP session to update their mailing list to find which recipients result in an error status from the SMTP server (no such account). That way, they can remove invalid addresses, so they can add others since there are time restrictions in sending out millions of turds. Spammers don't just rely on random string generators, and with SG aliases they can focus on random strings for the acctname token and then add anything they want as the someword token. As I said, I don't get many of these workaround spams but it has happened, and usually in a tight bunch (many showing up over a few days). Adding a prefix just ups how many tokens they would have to generate. Because aliases are doled out to untrusted senders, your acctname token is the vulnerability in SG: anyone getting the acctname from harvesting or sharing or selling can then add ANY string as someword to get their turds delivered to you. A prefix (or watchword) ups the difficulty.
I just didn't want the someword token getting squeezed if I started using a prefix (which mandates the usecount token be specified).