Home / Blogs

Gmail as an Email Honeypot

You all remember cybersquatting, a popular sport in the late 90s, right? McDonalds.com, JenniferLopez.com, Hertz.com and Avon.com thankfully all point to the right web sites today, but thaiairline.com, mcdonald.com, luftansa.com, gugle.com, barnesandnobles.com and other misspellings are fake web sites intended to trap the casual surfer with a hand that’s a bit too much quicker than the eye.

These web site traps are successful because web sites are so easy to remember, people don’t bother bookmarking them. It used to be that if you wanted to know the weather in Minnesota you had to go to http://www.geocities.com/Athens/rubytuesday71/weatherinminnesota281007.html . Today you go to weather.com (or type “weather for Minnesota” in google) and get an immediate response.

If you want to go to the McDonalds web site, you don’t even spend the 10 seconds to look it up—you will type McDonalds.com and expect to see the latest dollar meal menu.

But the same is true for the other popular form of communication—email. If I know the person’s name and company (or free email system) I will generally just type it up rather than look it up on my address book.

Of course, back in the Hotmail days when John was [email protected] I couldn’t rely on my memory alone. But today, if your name isn’t John Smith, it’s probably not too difficult to get a decent first name/last name combination on Gmail, Yahoo or some other free mail system, and certainly on your corporate email system.

So will we start seeing cyber-squatting on email addresses? Maybe we already do. There is no real way to know who’s behind a certain email address and while it’s merely funny if a guy names Roo Taylor gets the email [email protected], it could actually be dangerous if some bad guy owns ‘[email protected]’, ‘[email protected]’, ‘[email protected]’, etc. Imagine how much legitimate mail is accidentally sent to those accounts by people who send the latest budget figures to their boss at work and also CC his personal address so he can watch it from his home machine too.

I have first-hand experience of this ‘attack’. Luckily for me I’ve got the login to [email protected] (piece of cake. All you need is to have a “google-in-law”. For me it was as simple as my office neighbor’s wife having a cousin that works for Google. Then they sign you up for a new experimental beta Google product called “google mail” and you get not only to pick your first name as login, but send invites to a bunch of envying friends). As Gmail becomes more popular I’m receiving invitation to birthday parties of people I don’t know, detailed minutes of brainstorming meetings I’ve never been to and last week a bunch of emails with the list of hospital equipment and inventory, all sent to some other ‘aviram’. I can’t imagine what would have happened if my first name was more common. I’m also pretty sure it’s still possible to register Gmail accounts with common misspellings and dig out some of the emails that come out.

At the very least, this would give the bad guys get a fresh harvest of active email addresses. But if they’re lucky, they may receive an email that carries a personal story that can be exploited further. Think about a young guy sending his parents pictures from an Internet cafe about his Africa safari trip. A simple typo sends the email to our bad guy who then forges a follow-up email to the parents telling them his wallet was stolen and that they need to wire money to help their stranded son.

Cybersquatting is easy to identify and is usually settled in court. With “email-squatting” I don’t see a clear and obvious solution; in the meanwhile, be sure to only use your address book…

By Aviram Jenik, Chief Executive Officer

Filed Under


John Berryhill  –  Oct 30, 2007 7:08 AM

be sure to only use your address book

Depending, of course, on how your address book works.  Many users of Outlook, for example, have auto-add-to-address-book, auto-lookup and auto-completion turned on.  This opens up an interesting type of spoof attack.

Let’s say you know that John Smith and Jane Doe exchange email among a group of folks, and you’d like to receive misdirected emails from that distribution.  If Jane is “Jane Doe”

, then you sign up with a free email service as “Jane Doe”

.  Next, you send an innocuous email to John Smith such as “testing my email account.  let me know if you got this. thanks.”  When John Smith hits ‘reply’, two things happen.  Your freeservice email account is added to his address book, AND the next time he quickly starts to writeJane Doe’s email address into a To: line, your free email address will be the one picked by Outlook to fill in for Jane Doe.

Again, the effectiveness of this strategy depends on several variables, but I’ve seen it happen.

Kerry Webb  –  Nov 2, 2007 6:27 AM

Ain’t it the truth.

My Gmail username is very similar to the abbreviation that people might guess for a certain Irish journalist, and I get lots of hot tips for stories in the Emerald Isle.  Nothing yet that I can turn into a profit, though.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API