I just found an undocumented feature in ProtonMail… which I thought you might find useful to know.
I use ProtonMail as my primary email hosting provider nowadays, as it gives me convenient PGP encryption across my devices, and all incoming emails that are not already PGP encrypted will be encrypted with my public key, meaning emails are encrypted at rest.
I never had an issue with spam, until yesterday… Yesterday, I suddenly started receiving spam, and they’re all the same kind: “Invest X amount and get Y in return”, but from a different sender (address) in each email, but I do believe it might be the same person (or people) behind this.
All these spam emails target the same email address of mine… or so I thought. At first, I was worried there might have been a breach somewhere and my email address leaked, but I think I have a different explanation:
Without revealing too much, the email address they targeted is a very generic one, of the first name and last name kind, no dots, hyphens or underscores in between…
…but the spam emails I’m getting target firstname.lastname, firstname-lastname and firstname_lastname… all with a dot, hyphen or underscore.
So, clearly it could not have been a breach since I don’t use that ProtonMail address with dots, hyphens or underscores anywhere.
That’s when it hit me: Someone must have started brute forcing ProtonMail addresses, using a list of possible names (and patterns) just hoping the email address exists, and clearly it works.
The reason I believe it must be the same person (or people) sending these, is because the spam all started coming in the same day, it’s all the same type (different content but same type) and they all seem to be guessing email addresses.
The ProtonMail feature
So, as it turns out, ProtonMail “ignores” the hyphens, dots and underscores. While sadly, I did not find anything about that in the official documentation, I did find ProtonMail confirming this in several places of their Subreddit (by /u/ProtonMail, which is the official ProtonMail account). I also did test it by sending myself emails with lots of random dots, hyphens and underscores, which all arrived.
Why is this feature useful? Well, other than to receive spam, it’s actually useful when someone isn’t sure whether there was a dot, hyphen or underscore between your names and sends it to the “wrong” address, and you will still receive it.
But that’s not the intended use-case, actually: According to /u/ProtonMail it’s so that when you’re talking to someone, say a journalist, with the email address journalistname at protonmail dot com, an attacker can’t just create an account as journalist.name at protonmail dot com and email you, which might be just a small enough detail that you don’t notice and respond thinking it’s someone else than it actually is.
The Gmail feature
If you’ve used Gmail, you might know that Gmail has this same feature, but limited to just the dot.
The Email semi-alias feature
On another note, you might know that the + (“plus sign”) separator is a standard email feature (not necessarily supported by all providers), where you can create virtually unlimited email addresses by adding a plus sign at the end before the @ (“at”) symbol, followed by anything you like. For example, firstnamelastname+something at domain dot com.
Both Gmail and ProtonMail do support this. It’s handy if you want to sign up to a website, where you can give them email+website at example dot com, and if you ever start receiving spam on that address you will know that “website” leaked it, and you can block all emails going to that address.
Please note that my email address is not exactly first name and last name, but a similarly common pattern, so if you happen to know me in person, please don’t try emailing to some guessed address. I’d also like to apologize for the weird formatting of email addresses (spelled out) and would like to explain that this is because crawlers on the web would otherwise pick up on them and start spamming there. I’m sure someone thought it would be funny to create an email address with literally “firstnamelastname”, and I wouldn’t want them to start receiving spam…
Update August 7th – 06:55
I can now confirm with high certainty that it’s the same person/people behind these spam emails that I’ve been receiving because I took a closer look at the links in those emails, and they all point to the same location, with an ID as a parameter that is also always the same.