reactive-emails
TypeScript icon, indicating that this package has built-in type declarations

2.0.0 • Public • Published

Reactive Emails

Reactive emails are a solution to the long-lived problem of spam emails. Spam emails take advantage of one critical flaw of most email addresses: they can't be easily changed.

Reactive emails provide a system for generating unguessable yet recoverable emails that can be changed at any time. The idea is to use a separate reactive email for each service, so that if an email for one service ever gets leaked, you can easily generate a new email address and only need to update it for that one service. In other words, your email addresses are "reactive": they can be easily changed whenever they get leaked.

Algorithm

Reactive emails are generated via the following algorithm:

[Purpose][Email Version Number][Reactive Hash]@[Domain]

Purpose: A word representing the purpose the email is used for. Most of the time, this would be the name of the service you're using the email to register for (e.g. github).

Email Version Number: The version number of the email. This is needed when an email needs to be regenerated because it got leaked.

Reactive Hash: Each email contains an unguessable hash based on the Purpose, the Email Version Number, and a Reactive Hash Secret.

Reactive Hash

The reactive hash is the core of what makes reactive emails work. The reactive hash is an unguessable 4-letter string that is deterministically generated from every reactive email.

To generate the reactive hash, the SHA256 hash function is used on the combination of the email's purpose, version number, and your reactive hash secret:

SHA256(Purpose + Email Version Number + Reactive Hash Secret)

In addition to this hash, we also need a character set which includes the full set of characters that our final reactive hash contains. The character set is important because it needs to ensure that we don't accidentally generate a reactive hash that contains words or letter combinations resembling words (especially offensive words).

A character set for English that I've found is the set of the following 8 characters: bdhmnqvz.

Once we know the length n of our reactive hash character set, we can then convert the bits generated by the SHA256 function into a base-n number and then take the last 5 digits of the number (or in other words, finding the result of our base-n number modulus n^n padded with 0s to the left such that our final number contains 5 characters). For example, with the 8-letters character set bdhmnqnz, we would convert the output of our SHA256 function into base 8, and take the last 5 digits of the base 8 number and map it using the following table:

Character in Raw Reactive Hash Character in Final Reactive Hash
0 b
1 d
2 h
3 m
4 n
5 q
6 v
7 z

So, if the last 5 digits of our base 8 number was 65247, then our final reactive hash would be vqhnz.

Example

If we're generating a reactive email for a new account on GitHub, our purpose string would be github, our version number would be 1, and our reactive hash secret can be any secret (which should be the same for all reactive emails):

Purpose: github

Version Number: 1

Reactive Hash Secret: mysecret

Using the character set bdhmnqvz, our raw reactive hash would then look as follows:

Raw Reactive Hash = Last 5 digits of base8(SHA256(github1mysecret))
Raw Reactive Hash = Last 5 digits of base8(3159390368171057825165797341632474171120321070660410313251193864284542513063)
Raw Reactive Hash = 27647 (base 8)

Using the raw reactive hash character map, our final reactive hash would look like:

Raw Reactive Hash   = 27647 (base 8)
Final Reactive Hash = hzvnz

And thus, if our email domain is example.com, our reactive email address for GitHub would be:

Reactive Email Formula = [Purpose][Email Version Number][Reactive Hash]@[Domain]
Final Reactive Email   = github1hznvz@example.com

Note that the email domain must be a custom domain and not a domain like @gmail.com since you need to be able to link all these reactive emails to one email account.

Now, let's say this email accidentally got leaked publicly (maybe you accidentally associated one of your public GitHub commits with this reactive email). Now, spammers are unapologetically sending this email tons of spam. Luckily, reactive emails allow you to easily refresh your email by simply bumping the version number and generating a new unguessable reactive hash:

New Raw Reactive Hash = Last 5 characters of base8(SHA256(github2mysecret))
New Raw Reactive Hash = 54244 (base 8)
Final Reactive Hash   = qnhnn

Thus, our new reactive email for GitHub would be github2qnhnn@example.com.

Explanation

So, why are we using such an involved algorithm to generate reactive emails? Can't we just generate a random unguessable string and have the same effect?

The reason why reactive emails are designed this way is to provide a last-resort in case you lose access to your list of reactive emails. Since reactive emails are not meant to be memorized but rather stored on an email manager, such as a password manager like Bitwarden, it's possible that you may end up losing access to your list of reactive emails (e.g. if you forget your Bitwarden password).

The problem is, many sites depend on your email address for identifying your account. If you lose access to your email, you will end up losing access to many of your accounts with no way to recover them. However, since reactive emails are generated deterministically, you can easily recover the email you used for a certain account as long as you remember the Purpose string you used (which should be the service's name) and your reactive hash secret.

Application (TODO)

  • Easily generate a new reactive email + password combination for a new service. Because I don't want to manage passwords, I'll definitely be integrating with a password manager like Bitwarden.

  • How the integration is likely to work is probably just a simple Dock app where you can enter a service name, version number, and your reactive hash secret to generate a new email. The reactive hash secret should be hashed so that you don't accidentally mistype it.

  • The application should automate the process of whitelisting the email over at Google Workspace (since that's what makes this whole system work). I'll need to experiment with integrating Puppeteer with Electron.

Readme

Keywords

none

Package Sidebar

Install

npm i reactive-emails

Weekly Downloads

10

Version

2.0.0

License

MIT

Unpacked Size

15.8 kB

Total Files

11

Last publish

Collaborators

  • leondreamed