BLOG

Typoed email addresses

By creating web domains that contained commonly mistyped names, the investigators received emails that would otherwise not be delivered.
Over six months they grabbed 20GB of data made up of 120,000 wrongly sent messages. BBC News

The focus of the article is on how companies are opening themselves up to security holes. While most marketing email doesn’t come with security risks, some of it does. For instance, some companies require a user type their email address in to reset a password. If the user typos the email address, the password can be sent to a completely unrelated third party. Depending on what information is stored in the account, some accounts have credit cards, for instance, this can be a problem for the customer.
All senders should think about the security implications and go through account processes with an eye for “how can a typo cause problems?”
 

10 comments

  1. Martijn Grooten says

    “If the user typos the email address, the password can be sent to a completely unrelated third party”
    Lets ignore the bit about storing unhashed passwords, if you have a system like this I think proper typos are the least thing you should worry about. I mean, if I tell the system a username (say, yours) and ‘accidentally’ make a huge typo in the corresponding email address (say, to the point where the address entered is mine), should it send me any kind of information about the account?

  2. steve says

    The interesting case is when the original user typos their email address at account creation time. Then the account activation code is sent to the typo domain owner, and they now own the original account.
    A smart typo domain owner would forward *@aol.co to the corresponding aol.com address, while keeping a copy…

  3. laura says

    Martijn: I was thinking about situations where I was trying to recover my password and the system requires me to enter in an email address to send the password reset to.
    Now that I have had my coffee, though, I’m not sure that it matters. If the email address I put in then is a typo, then it will not find a corresponding account and not send me info.
    Steve’s right, though, it’s definitely a problem that should be considered and planned for during account creation.
    As for passwords being stored and transmitted in plain text, think about mailman.

  4. Martijn Grooten says

    Yes, it did sound like a pre-coffee remark 🙂
    Mailman does store pws in plain-text but at least makes that clean when you choose it.
    And Steve has a very good point that this does matter — I know the importance of proper COI, but that someone else might ‘own’ the account is not something that had occured to me.

  5. laura says

    In my experience a small percentage of accounts are typoed accidentally during setup. There are 3 things that can happen: the mail bounces because the address is totally invalid, the mail is delivered to someone else who now thinks the sender is a spammer, the mail is delivered to a spamtrap.
    It’s one of the reasons I suggest special casing the first email (welcome message or confirmation) you send folks in terms of bounces or lack of engagement

  6. Martijn Grooten says

    I think your post (and Steve’s comment) suggest a 4th thing that can happen, even if it may be a rare case: the mail is delivered to someone (possibly the owner of the typosquatted domain) who then ‘owns’ the created account. It’s good to keep this scenario in mind when designing a login-system. In particular, it is important to make sure the email address is verified before any sensitive information is attached to the account.

  7. Craig Swerdloff says

    Hi Laura. We see mistyped email addresses 2-5% of the time. If the mistyped address is invalid, our clients will prompt the user to try again. if the mistyped address is valid, then the user is registered with the wrong email address. I wonder how often people mistype the domain vs. the username. I also wonder if we can identify mistyped domains, and suggest the correction. The examples would be Yaho.com, A0L, Gmal, and Hitmail. Interesting and thanks for starting this discussion.

    1. laura says

      2 – 5% is about what I was guessing.
      It’s an interesting question about local part vs. domain part. I find myself typoing (usually by typing too fast and getting letters out of order) both the local part and domain part pretty evenly. We’re also assuming people know what their addresses are. I’ve seen more than a few address lists that have things like http://www.username@domain.com and other sorts of oddities.
      I’m leery of suggesting corrections, though. How do you *know* the domain part is wrong? Or that your suggestion is a better choice?

  8. Craig Swerdloff says

    We do not know for sure that the domain is wrong. But we could come up with a list of the 20 most popular mistyped domains. When we see them, we could prompt the user on the registration form by saying something like, “We are wondering if Yaho.com is supposed to be Yahoo.com?”.

  9. Martijn Grooten says

    @Craig there’s a Firefox plugin that fixes typos in URLs based on a number of regular expressions. That may be a good point to start.
    I’d be very careful with simply disallowing addresses that you think are misspelled in case you got it wrong. A warning — using JavaScript perhaps — as you suggest may be a better idea.

Comment:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.