Is there any list of email addresses reserved because of security concerns for any Public Email Service like Gmail / Yahoo?


Solution 1

Here is a list of addresses that you may want to treat as reserved:

  • abuse [1, 4]
  • admin [2, 3, 4]
  • administrator [2, 3, 4]
  • hostmaster [1, 2, 3, 4]
  • info [1, 3]
  • is [3]
  • it [3]
  • list [1]
  • list-request [1]
  • majordomo [4]
  • marketing [1]
  • mis [3]
  • news [1]
  • postmaster [1, 2, 3, 4, 5]
  • root [3, 4]
  • sales [1]
  • security [1]
  • ssl-admin [4]
  • ssladmin [3]
  • ssladministrator [3]
  • sslwebmaster [3]
  • support [1]
  • sysadmin [3]
  • trouble [1]
  • usenet [1]
  • uucp [1]
  • webmaster [1, 2, 3, 4]

  1. Listed in RFC 2142 as a mailbox name for a common purpose
  2. Used by Comodo to issue SSL certificates
  3. Incorrectly used by RapidSSL to issue SSL certificates
  4. Treated as a reserved group name by Google Groups
  5. Listed in RFC 822 -- Standard for ARPA Internet Text Messages as a reserved address

This article suggests that you reserve all mailboxes that start with "admin", "administrator", "webmaster", "hostmaster", or "postmaster". If I were doing that, I would also add "ssl" to my "starts with" rule. Based on what RapidSSL did, it would make sense to implement an "ends with" rule as well.

RFC 822 also has the reminder that mailboxes are generally case insensitive. You should reserve lower-case, upper-case, and mixed-case versions:

Note: This reserved local-part must be matched without sensitivity to alphabetic case, so that "POSTMASTER", "postmaster", and even "poStmASteR" is to be accepted.
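As an added example (not code from any of the answers or from the reserved-email-addresses-list project), here is a dependency-free check that applies the rules described in this answer: strict equality against the table above, the "starts with" rule with "ssl" added, and an "ends with" rule, all matched without regard to case as RFC 822 requires for postmaster. The word lists are constructed from this answer's table, and the quoted-local-part handling is an assumption about how much of the address syntax a reservation check needs to understand.

```javascript
// Added example: reserved local-part check per the rules in Solution 1.
// Word lists are constructed from the answer's table (not the full
// reserved-email-addresses-list package).
const EXACT_RESERVED = new Set([
  'abuse', 'admin', 'administrator', 'hostmaster', 'info', 'is', 'it',
  'list', 'list-request', 'majordomo', 'marketing', 'mis', 'news',
  'postmaster', 'root', 'sales', 'security', 'ssl-admin', 'ssladmin',
  'ssladministrator', 'sslwebmaster', 'support', 'sysadmin', 'trouble',
  'usenet', 'uucp', 'webmaster',
]);
// "starts with" rule from the answer, with "ssl" added as suggested.
const PREFIX_RESERVED = ['admin', 'administrator', 'webmaster',
  'hostmaster', 'postmaster', 'ssl'];
// "ends with" rule motivated by the RapidSSL names (ssladministrator, sslwebmaster).
const SUFFIX_RESERVED = ['admin', 'administrator', 'webmaster',
  'hostmaster', 'postmaster'];

// Extract the local part. A quoted-string local part such as "a@b"@example.com
// may itself contain '@', so a plain split on '@' is not enough.
function localPart(address) {
  const s = address.trim();
  if (s.startsWith('"')) {
    let i = 1;
    while (i < s.length && s[i] !== '"') {
      if (s[i] === '\\') i++;            // skip the character after a backslash
      i++;
    }
    if (i >= s.length || s[i + 1] !== '@') return null;
    return s.slice(1, i).replace(/\\(.)/g, '$1'); // unescape quoted pairs
  }
  const at = s.indexOf('@');
  // An unquoted local part must be non-empty and may not contain '@'.
  if (at <= 0 || at !== s.lastIndexOf('@')) return null;
  return s.slice(0, at);
}

// Returns which rule reserves the address ('exact:', 'prefix:', 'suffix:'),
// 'invalid' for unparseable input, or null when the name is free to hand out.
function reservedReason(address) {
  const local = localPart(address);
  if (local === null) return 'invalid';
  const name = local.toLowerCase();      // RFC 822: "poStmASteR" must still match
  if (EXACT_RESERVED.has(name)) return `exact:${name}`;
  const p = PREFIX_RESERVED.find(w => name.startsWith(w));
  if (p) return `prefix:${p}`;
  const q = SUFFIX_RESERVED.find(w => name.endsWith(w));
  if (q) return `suffix:${q}`;
  return null;
}
```

The prefix and suffix rules are deliberately broad (they also catch names like "admin1" or "site-webmaster"), so a rejected name should be reported to the user with the matching rule rather than silently refused.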

Solution 2

This might be a slightly related list, although it's not for Gmail but for Google Groups for G Suite:

https://support.google.com/a/answer/6093413?hl=en

Reserved group names:
We reserve certain names that cannot be used if you are creating a group using Google Groups or Google Groups for Business. However, you can use these names if you are creating a group using the Groups control in the Admin console.

  • abuse
  • admin
  • administrator
  • hostmaster
  • majordomo
  • postmaster
  • root
  • ssl-admin
  • webmaster

The names abuse and postmaster are reserved. You can, however, subscribe to them and receive all mail sent to these addresses.

Solution 3

Based on previous answers and my research elsewhere, I have compiled this GitHub repository, which has an updated JSON file as well as a JavaScript/Node.js code example for implementation.

https://github.com/forwardemail/reserved-email-addresses-list

List of 1250+ email addresses reserved for security concerns

npm install reserved-email-addresses-list email-addresses

The string you are comparing with must be converted to lowercase and trimmed of whitespace. The reason we are converting to lowercase is that the dictionary of words we are comparing with is all lowercase, and in order to compare for strict equality, we must have matching case.

It is also highly recommended that you check for strict equality, and for a list of admin-related usernames, you should check for strict equality, starts with, or ends with comparisons as well.

const reservedEmailAddressesList = require('reserved-email-addresses-list');
const reservedAdminList = require('reserved-email-addresses-list/admin-list.json');
const emailAddresses = require('email-addresses');

const email = '"Admin***!!!"@example.com';

// Parse with an RFC 5322 parser instead of splitting on '@', so that a
// quoted local part (which may itself contain '@') is handled correctly.
const parsed = emailAddresses.parseOneAddress(email);

if (parsed === null)
  throw new Error('Email was not a valid address');

// Normalize the local part (trimmed, lowercase) to match the lowercase word lists.
const str = parsed.local.trim().toLowerCase();

// First pass: strict equality against the full reserved list.
let reservedMatch = reservedEmailAddressesList.find(addr => addr === str);

// Second pass: admin-related names also match as a prefix or suffix
// (e.g. "admin1" or "admin_").
if (!reservedMatch)
  reservedMatch = reservedAdminList.find(
    addr => addr === str || str.startsWith(addr) || str.endsWith(addr)
  );

if (reservedMatch)
  throw new Error(
    'User must be a domain admin to create an alias with a reserved word (see https://forwardemail.net/reserved-email-addresses).'
  );



Author: Maharshi Raval

Updated on September 18, 2022

Comments

  • Maharshi Raval
    Maharshi Raval almost 2 years

    I am in the process of conceiving this idea of a webApp which can be termed as a completely new take on providing an Email Service to consumers on Domains that I own. The idea is similar to what Yahoo does by providing me a [email protected] email address, or the same with gmail etc. Apart from the whole infrastructure, the main concern I have is how to have a list of critical / important and security related email addresses that are not given out to the consumer.

    For Example:

    Is there any kind of exhaustive list of this kind available?

  • Maharshi Raval
    Maharshi Raval over 7 years
    Thanks a lot mate, just the answer I needed. Just wondering what majordomo stands for. Apart from the system names, I would also add the generic ones like sales, info, ceo, manager etc. But it is a long process.
  • DavChana
    DavChana over 7 years
    You are welcome :).. Just a long thought, do users have email addresses from single common English words also at Gmail? Like lion@, or aeroplane, or car. I'm sure many of these can be instantly stopped if you enforce a minimum 7 letter username policy. Also, what about foul words? 7 letters will stop dick@, but will not stop dickhead@
  • Steve
    Steve over 7 years
    @MaharshiRaval majordomo = en.wikipedia.org/wiki/Majordomo_(software)
  • Maharshi Raval
    Maharshi Raval about 7 years
    @DavChana yupp.. that makes a lot of sense. Would look into it , thanks a lot for bringing it up. Appreciate your time.
  • Sandeep Bhaskar
    Sandeep Bhaskar over 4 years
    "The string you are comparing with must be converted to lowercase, trimmed of whitespace, and strictly converted to alphanumeric characters only." Technically the left hand side of an email address is under control of the receiving MTA and can be case sensitive, if that MTA so decides, so lowercasing email addresses by default can be a problem. Also now email addresses are internationalized, so not only ASCII. The regex in your code example would even disallow - or . in the email address!
  • niftylettuce
    niftylettuce over 4 years
    I have fixed the example so it uses punycode toASCII.
  • Sandeep Bhaskar
    Sandeep Bhaskar over 4 years
    "I have fixed the example so it uses punycode toASCII." That handles only the RHS (that is the domain part), so it has no impact to the LHS, which is governed by EAI rules.
  • niftylettuce
    niftylettuce over 4 years
    If you note in the example I have removed the conversion to A-Z,0-9 only. And the localpart is obvious in const str declaration.
  • niftylettuce
    niftylettuce over 4 years
    Also @PatrickMevzek - this is for comparison only to find the most accurate/likely match given people may try to abuse systems, such as writing admin1 or admin_.
  • Sandeep Bhaskar
    Sandeep Bhaskar over 4 years
    No matter what, toLowerCase is wrong here. You CAN NOT take any assumption on the LHS that is under control of the remote MTA.
  • niftylettuce
    niftylettuce over 4 years
    No Patrick, you are incorrect. It is not wrong. The comparison is against a list of lowercased words. You cannot compare the two for strict equality or starts/ends with unless you either check for case insensitivity or convert it to lowercase.
  • Sandeep Bhaskar
    Sandeep Bhaskar over 4 years
    "The comparison is against a list of lowercased words." Which is wrong. Or cite a reference saying that the LHS is case insensitive (which it isn't). Until you find such reference, there is nothing else to debate.
  • niftylettuce
    niftylettuce over 4 years
    See github.com/forwardemail/reserved-email-addresses-list/blob/…. This list is of lowercase words.
  • Sandeep Bhaskar
    Sandeep Bhaskar over 4 years
    Also, "[email protected]"@example.com is a valid email address, and your split will not handle it properly.
  • niftylettuce
    niftylettuce over 4 years
    This was just a basic example. I did not put in full validation or anything. I will go ahead and add a validator in the example now to handle your issue.
  • Sandeep Bhaskar
    Sandeep Bhaskar over 4 years
    "This was just a basic example." The problem is that people copy and paste code without understanding the constraints and limits. So I am pointing out what is wrong, so that people know in which cases this can work or not. A good example can either explicitly state what its limits/edge cases are, or just be improved to handle really all cases. Handling email addresses, like domains, nowadays is not a simple task covered by one regular expression; things are more complicated, which is the only point I want to raise.
  • niftylettuce
    niftylettuce over 4 years
    I am updating the example so that it has a full blown example that has complete edge case handling. One moment, thanks @PatrickMevzek!
  • Stephen Ostermiller
    Stephen Ostermiller over 4 years
    @PatrickMevzek This code appears to implement the other answers for a local MTA. It isn't lower casing an email address and then sending an email to the all lower case version. It is lower casing the email address to check if a local email account can be created for it or not, based on a list of reserved keywords. toLowerCase looks very appropriate to me in this situation, especially since RFC 822 says that the "postmaster" mailbox must be case insensitive.
  • Sandeep Bhaskar
    Sandeep Bhaskar over 4 years
    @StephenOstermiller "especially since RFC 822 says that the "postmaster" mailbox must be case insensitive." while not saying anything about case insensitivity for other cases... My point is just that, contrary to many people's belief, [email protected] and [email protected] are two separate email addresses and the owner of example.com may wish, or not, to treat them separately, or not. Any code that blindly does regex matches (see first version of the post), splits on @ (which can appear multiple times), does lowercasing, forgets about IDNA and EAI, is bound to have problems. That is all.
  • niftylettuce
    niftylettuce over 4 years
    @PatrickMevzek I have updated my answer/code snippet above - can you please review it?