Tagged Email Addresses

A tagged email address is any email address that provides some additional information to the recipient when they receive email sent to that address – typically something about who they originally gave that email address to or what the email address was intended to be used for.

As a very simple example, someone may have a “real” email address provided by their ISP and a gmail address. If they only ever sign up for bulk email using their gmail account then they know that any bulk email they receive at their ISP email address is not mail they signed up for, and hence that it’s spam.

A more flexible way of having multiple email addresses is what’s known as “boxing” or “tagging” – being able to make up new variants of your email address on the fly. How that’s done varies depending on the mail system you use, but typically you’ll be able to add a string to the end of your email address, separated by a “+” or a “-“. For example, if my main email address is I can create a tagged address like They’ll both be delivered to my inbox by default, or I can use the tag to route the mail to another mailbox (either using the filtering rules in my mail client, or something like procmail or sieve running on the mailserver).

Because I’ve never sent mail from the email address, nor given it to anyone, nor even mentioned it anywhere other than this blog post I know that any email I get to it was sent by a spammer who harvested it from this page or the blog rss feed. On the other end of the spectrum I have tagged email addresses that I’ve created specifically to give to one of our vendors, and so I know that if I see email sent to that tagged address it’s almost certainly mail from that vendor, and I should have it skip my spam filters and send it directly to my inbox or a mailbox specifically for mail from vendors.

I’ve talked previously about some of the implications of address tagging for ESPs, both for signup and list hygiene, and Laura has talked about tagged, disposable and temporary addresses from a recipient perspective. Today I’m going to touch on another aspect of them – they mean that if you harvest addresses, or purchase addresses, sooner or later you’re going to get caught.

Last month I got a mail from a senior account executive (aka “salesweasel”) at Cisco/WebEx:

Hello Steve,
I am the Cisco WebEx Solutions Specialist responsible for supporting your region.
Are you available this week or next for a brief discussion of your current business objectives?
I would like to share some creative ideas about how you can reduce expenses and increase productivity throughout your organization.
Please reply with the best time to reach you.
Best regards,

I don’t recall ever having any relationship with WebEx, and we swapped out all our Cisco networking gear quite some years ago. It could be that I gave them a business card at a trade show or somesuch, as I was vaguely looking at web conferencing providers a couple of years back – but it’s a bit odd that it doesn’t have my full name, nor does the salesweasel seem to know who my employer is. Sure enough, the mail wasn’t sent to either my personal or work addresses – it was sent to a tagged address. If that tagged address had been steve-webex or steve-cisco that would have told me that I probably had given it to them at some point in the distant past.

It wasn’t, though. Instead it was a tagged address that had only ever been used for one thing – it was used to register a domain that’s used primarily to host the CBL blacklist’s website. So WebEx or, more likely, the salesweasel is harvesting email addresses from whois in order to send spam to them, or is buying lists of addresses from someone who did. Given that they’d have to violate their agreement with the .org domain registry to do that, it’s clearly unethical business behaviour (and possibly even punishable by a fine or imprisonment of no more than one year).

I just caught a potential vendor playing fast and loose with privacy. At the very least, that makes it unlikely I’d use them unless I got a really good explanation as to how this happened, and how they’d prevent it happening in the future.

It’s bad marketing, and the more technically literate your target demographic is the more likely they are to catch this sort of behaviour, and the more they’ll hold it against you. If your company doesn’t have a policy against this sort of address acquisition, it’s a good time to think about one (“Don’t do that.”). And if you do have one, check that your salesweasels are aware of it, and that it applies to email addresses bought from jigsaw or appendleads or zoominfo or emailappenders just as much as it does to that CD of fifty million email addresses they bought from a guy in a bar.

Edit 1/6/2015: We do not run or have any connection with Tagged. We cannot help you. We cannot disconnect your account. We cannot fix your address problems.


  1. Tim Linden says

    Ah I’ve been getting the same emails. I couldn’t remember if I had asked for more info..

  2. Targeted attacks via email – phishing for WoW gold – Word to the Wise says

    […] was compromised and their email addresses stolen. I can track this because I gave Curse a tagged email address. Since then that tagged address has received a steady trickle of plausible looking emails claiming […]

  3. Real. Or. Phish? – Word to the Wise says

    […] morning. Plausible looking mail with Marriott branding, nothing specific to me other than name and (tagged) email […]

  4. Epsilon – Keep Calm and Carry On – Word to the Wise says

    […] it happens all the time. I use tagged email addresses when I give them to a company, and I’ve done so fairly consistently for the better part of […]

  5. Analysing a data breach – CheetahMail – Word to the Wise says

    […] morning I received Ukrainian bride spam to a tagged address that I’d only given to one vendor, RedEnvelope, so that address has leaked to criminal […]

  6. Who leaked my address, and when? – Word to the Wise says

    […] tagged email addresses to vendors is fascinating, and at the same time disturbing. It lets me track what a particular […]

  7. valdo castillo says

    please delete my account now i do not like it .not the website for me

  8. Ophelia Cunningham says

    I can’t access my tagg account its telling me its not active, please reactivate it for me… Thank you

  9. Virginia AVETTA says


  10. Virginia Avetta says


  11. eva anyionu says

    Please delete my Account.
    Bitte löschen Sie meinen Account sofort

  12. Daniel Arzrouni says

    dear Tagged,

    I lost my password so could you be so kind to send it to me.thanks in advance


Your email address will not be published. Required fields are marked *

  • OTA joins the ISOC

    The Online Trust Alliance (OTA) announced today they were joining forces with the Internet Society (ISOC). Starting in May, they will operate as an initiative under the ISOC umbrella. “The Internet Society and OTA share the belief that trust is the key issue in defining the future value of the Internet,” said Internet Society President and CEO, Kathryn Brown. “Now is the right time for these two organizations to come together to help build user trust in the Internet. At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users,” added Brown.No Comments

  • Friday blogging... or lack of it

    It seems the last few Friday's I've been lax on posting. Some of that is just by Friday I'm frantically trying to complete all my client deliverables before the weekend. The rest of it is by Friday I'm just tired. Today had the added complication of watching the Trumpcare debate and following how (and how soon) it would affect my company if it passed. That's been a bit distracting, along with the other stuff I posted about yesterday. I wish everyone a great weekend.1 Comment

  • Indictments in Yahoo data breach

    Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo's servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals. Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.No Comments