Reply address reveals all!

General discussion re sg.

Postby Naru » Fri Aug 20, 2004 4:49 am

I have recently set up a username with spamgourmet and I did the following test:

user name: user1
prefix: p1
reply masking enabled
forwarding address: m1@x.y

I sent an email from my yahoo account m2@yahoo.com to p1.s1.to.user1@xoxy.net
It arrived at x.y correctly. I then sent another email from the same yahoo account to s1.user1@xoxy.net. That also arrived at my x.y account. The from address showed m2.@yahoo.com and a string containing various things. The to-address was s1.user1 as expected.

I then replied to the second email. This arrived at the yahoo mailbox. However the from address was shown as p1.s1.to.user1, thereby revealing my prefix. I expected it to show s1.user1.

Is this how it is designed to work?

Thanks for any help!

Naru
Naru
 

Postby ebuleheb » Fri Aug 20, 2004 2:17 pm

Yes this is how it's designed to work. Spamgourmet saves your exact disposable address (not just the "word") when it is created, and from then on, the "reply-address masking" feature always shows this address in the messages you send through spamgourmet. The developers are considering making a feature available to change the stored address, but it has low priority.

I think it's more secure this way. You first created p1.s1.to.user1@xoxy.net. If a random spammer sent mail to s1.user1@xoxy.net later, your correct "from" address would be damaged when you reply to legitimate mails coming to the address you created (in this sentence I'm mentioning the threat of changing the stored address (exemplar) automatically by incoming messages).
ebuleheb
 
Posts: 40
Joined: Thu Aug 28, 2003 6:31 pm

Postby Naru » Sat Aug 21, 2004 1:40 am

jbs wrote: I started to write a couple of other options to allow for account security without having to end up with ugly addresses, but then I realized there is already the capability of doing exactly what you want to do.

It's called "prefix" and it's an SG feature in the advanced mode.

Watchwords are required to be PART of the address-word, and they will always be part of that word. Prefixes are different, in that they are ONLY required to ESTABLISH a new address. Once established, you don't need the prefix to send to an existing address.

Here's how this solves your problem. Set up a prefix, consider it to be a second SG password, something that you will never tell to anyone else. In James Bond fashion, I made mine "prefix". :D

Now, whenever you want to create a new email address, instead of the suggestion below of sending a starter message from the account's own forwarding address (which requires new programming from SG) all you do is send an address from ANYWHERE to the address:

PREFIX.DESIREDWORD.NUMBER.USERNAME@SPAMGOURMET.COM

SG receives the message, establishes the new address, and you then give just:
DESIREDWORD.NUMBER.USERNAME@SPAMGOURMET.COM

or even

DESIREDWORD.USERNAME@SPAMGOURMET.COM

to your new correspondent. Because they are now writing to an existing email SG address, they don't need the prefix. And since there is no way a Spammer would ever have access to your prefix word, there is no way for them to establish new addresses. If your prefix word ever leaked out (unlikely, but maybe sending from an unsafe internet cafe PC) you just change the prefix word. Again, changing the prefix has no effect on existing SG addresses.

I'm actually quite excited about this feature, and had forgotten about it for a long time . . . thanks for the discussion that brought it back to mind!

--Jason

P.S. One thing to keep in mind -- I usually just use word.username@xoxy.net for my addresses, I like the way they look better than the number format. That won't work with the FIRST email to an address, since:
PREFIX.DESIREDWORD.USERNAME@SPAMGOURMET.COM

will be interpreted as
PrefixString = none
Word = PREFIX
Number = 4 (Desired starts with D, the 4th alpha character)
Username = USERNAME

And since you've enabled prefixes, it will eat the mail (unless the word PREFIX happens to be an existing SG address already) but it will not set up a new address with that format. Once you've established it, though, you can go back to WORD.USERNAME@xoxy.net to give to your webform/correspondent/contest etc.


P.P.S. In case you're interested, here are the other suggestions I was working on before remembering prefixes . . .


1. Since the proposed "starter email" would require access to a computer anyhow, you could briefly disable the watchword any time you wanted to start a new address. Log in to SG, turn off the watchword, send your starter email (from ANY email account) to establish the address as an SG address, then turn watchword back on.

2. If you want to have addresses available "on the fly" you could create several in advance, maybe jot them in your Palm (or whatever) and then keep watchword enabled.

3. Pick just a letter or two for your watchword, like x or y or q, such that most spammers won't happen to send to a word that works, but you'll still have lots of aesthetically pleasing options to choose from. This is the most "spontaneous" solution, not requiring timely access to a PC.


The above is how prefix is described by jbs. If prefix is like a password I do not expect it to be shown in the from-address openly.

Also, the email address I have given to the sender is s1.user1@xoxy.net. When he sees a reply from p1.s1.to.user1@xoxy.com he is going to get confused.

I would say if this is how prefix works it is not useful at all.


Naru
Naru
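
As an added illustration (not part of any post in this thread and not spamgourmet's own code), here is a simplified Python model of the behaviour ebuleheb describes and of the field parsing in the quoted P.S. The names `Parsed`, `parse`, `Account`, `deliver` and `masked_from` are hypothetical, and leaving the number unset for a two-field address is an assumption.

```python
from collections import namedtuple

Parsed = namedtuple("Parsed", "prefix word number username")

def to_number(field):
    """Digits are used as-is; otherwise the first letter's alphabet position (d -> 4)."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    first = field[0].lower()
    return ord(first) - ord("a") + 1 if "a" <= first <= "z" else None

def parse(address):
    """Split the local part into the fields named in the thread."""
    parts = address.split("@", 1)[0].lower().split(".")
    if len(parts) == 4:                      # PREFIX.WORD.NUMBER.USERNAME
        return Parsed(parts[0], parts[1], to_number(parts[2]), parts[3])
    if len(parts) == 3:                      # WORD.NUMBER.USERNAME (no prefix)
        return Parsed(None, parts[0], to_number(parts[1]), parts[2])
    if len(parts) == 2:                      # WORD.USERNAME
        return Parsed(None, parts[0], None, parts[1])
    raise ValueError("unrecognised address shape: " + address)

class Account:
    """Toy single-user account with an optional prefix requirement."""
    def __init__(self, username, prefix=None):
        self.username, self.prefix = username, prefix
        self.exemplars = {}                  # word -> exact address stored at creation

    def deliver(self, address):
        p = parse(address)
        if p.word in self.exemplars:
            return "forwarded"               # existing word: no prefix needed, exemplar untouched
        if self.prefix and p.prefix != self.prefix:
            return "eaten"                   # prefix required to establish a new address
        self.exemplars[p.word] = address.lower()
        return "created"

    def masked_from(self, word):
        """Reply masking shows the stored exemplar, prefix included."""
        return self.exemplars[word]

if __name__ == "__main__":
    acct = Account("user1", prefix="p1")     # constructed values from the first post
    print(acct.deliver("p1.s1.to.user1@xoxy.net"), acct.deliver("s1.user1@xoxy.net"))
    print(acct.masked_from("s1"))
```

In this model the second message to `s1.user1@xoxy.net` is forwarded without touching the stored exemplar, so the masked reply still carries the address that was used to create it.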
 

Postby josh » Sun Aug 22, 2004 2:20 am

prefix is deprecated, really -- use watchwords instead
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby curious guest » Wed Aug 25, 2004 10:34 am

But will the watch word get revealed too? Or is that hidden?

Does it do as the original poster had in mind?

one of many guests
curious guest
 

Postby josh » Wed Aug 25, 2004 11:02 am

If you're *really* paranoid... :) -- you can use a single watchword like:

JFIEOJIWF324

or something, then, go to the website and go to the place where you send a message from one of your disposable addresses. If you only want to generate a new disposable, but not send from it immediately, it doesn't matter what you put in the recipient box (if you do want to send from it immediately, then, obviously, put the recipient in the recipient box). Then, instead of choosing one of your existing addresses, type a new word in the word box, choose a number or letter (or leave the number box blank), choose a domain, and go. The address will be created *without* comparing it to your watchword list (because we know *you're* creating it) -- the created address won't have the watchword in it (unless you put it there, but there's no reason to), and you can use the address without revealing your watchword. Effectively what you've done is to disable auto-create altogether, and force yourself to explicitly create each address using the web interface.


I don't do this, and I probably never will. I don't even use a prefix or watchwords, and haven't had a problem with it (and my account is nearly 4 years old). Some spamgourmet users (people who frequent usenet, for instance), get into situations where these features are needed -- but isn't it easier to just pop in every few months and change your watchwords around?
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

