Two address resolving additions

1. Sub-domain addressing for users with _ (underscore) in their name by using - (hyphen) instead

Sub-domain addressing is a feature where if you have the username, then email sent to will be transformed to and delivered to your account (it’s only available for Member level users and above).

This can be a very useful way of keeping track of the email addresses that you hand out to different companies. For instance, when signing up to a new web service, rather than giving out your regular email address, you give out If you start getting spam at, you can just use the Define Rules screen to block that address.

One problem with this is that technically _’s (underscores) aren’t valid in hostnames/domains (the part to the right of the @ symbol). So if your account was, then is not technically a valid email address. In many cases it will work, but strict systems might reject the email.

There’s now a workaround for this. Simply replace the _ (underscore) with a - (hyphen). Eg use You should only do this for sub-domain addresses where your username/alias has an _ in it. If you’re using the regular address, do not replace the _ (underscore) with a - (hyphen).

2. Suppressing + address propagation on alias target addresses by adding +#noplus# on the target

If you have the account and then create an alias such as that targets, then if you send to, we propagate the +anything part to the target of the alias, so the final destination address is

This is useful when the target is a fastmail account, because the +anything is used to do fuzz folder matching to automatically file the message into a folder.

However if the target address is an external non-fastmail account, then this propagation may actually be annoying since it may result in an invalid email address that you didn’t actually want to send to.

There’s now a way to stop the propagation of the + component of an address to the target side of an alias: pre-add the special +#noplus# component to the target of the alias. For instance, taking the case above, if the target of the alias was, then sending to would send the email to, rather than


Bots probing for XSS vulnerabilities

I’ve just noticed a large bunch of interesting requests in our logs. Basically they look like this:

Our URL structure is a bit weird, and I’ve sanitized all the URLs to remove the malicious domains, but what’s happening is pretty clear. A bot goes to our home page and finds all the URLs on that page. Then it picks a URL and requests it. Then, for each parameter in the URL query string, it replaces the value with a URI-encoded domain and path and retries the URL. Obviously it then looks in the generated HTML to see if that domain appears in the output.

Clearly this is some bot scraping through websites looking for any possible XSS attacks on that site.

These requests are coming from many different IPs, so it looks like it’s one of the botnets out there doing this.
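A small log scanner that flags the pattern described above (a query parameter whose value decodes to a URL or an HTML tag), as an added example that is not part of the original post; the log lines, the log format and the regular expressions are all my own constructed assumptions, not Fastmail's.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (common log format, simplified paths); not real traffic.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jan/2010:12:00:00 +0000] "GET /search?q=mail&page=2 HTTP/1.1" 200 512
10.0.0.2 - - [01/Jan/2010:12:00:01 +0000] "GET /search?q=http%3A%2F%2Fevil.example%2Fx.js&page=2 HTTP/1.1" 200 512
10.0.0.3 - - [01/Jan/2010:12:00:02 +0000] "GET /search?q=mail&page=%2F%2Fevil.example%2Fprobe HTTP/1.1" 200 512
10.0.0.4 - - [01/Jan/2010:12:00:03 +0000] "GET /help?topic=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512
"""

# Assumed log layout: client IP, two dashes, bracketed timestamp, quoted request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# A value that decodes to an absolute or protocol-relative URL, or that contains an HTML tag,
# is what the probing bot injects into every query parameter.
INJECTED_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*:)?//[^/\s]+\.[a-z]{2,}|<[a-z]', re.I)


def suspicious_params(url):
    """Return (name, decoded_value) for query parameters whose value looks injected."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl already decoded once; a second unquote also catches double-encoded values.
        decoded = unquote(value)
        if INJECTED_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return (ip, path, param, value) for every request carrying a suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        for name, value in suspicious_params(m.group("url")):
            findings.append((m.group("ip"), urlsplit(m.group("url")).path, name, value))
    return findings


if __name__ == "__main__":
    for ip, path, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} param={name!r} value={value!r}")
```

Counting distinct source IPs in the findings is the quickest way to see whether the probes come from one scanner or from a botnet, as the post observes.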

