Is there any list of email addresses reserved because of security concerns for any Public Email Service like Gmail / Yahoo?
Here is a list of addresses that you may want to treat as reserved:
- abuse 1,4
- admin 2,3,4
- administrator 2,3,4
- hostmaster 1,2,3,4
- info 1,3
- is 3
- it 3
- list 1
- list-request 1
- majordomo 4
- marketing 1
- mis 3
- news 1
- postmaster 1,2,3,4,5
- root 3,4
- sales 1
- security 1
- ssl-admin 4
- ssladmin 3
- ssladministrator 3
- sslwebmaster 3
- support 1
- sysadmin 3
- trouble 1
- usenet 1
- uucp 1
- webmaster 1,2,3,4
- Listed in RFC 2142 as a mailbox name for a common purpose
- Used by Comodo to issue SSL certificates
- Incorrectly used by RapidSSL to issue SSL certificates
- Treated as a reserved group name by Google Groups
- Listed in RFC 822 -- Standard for ARPA Internet Text Messages as a reserved address
This article suggests that you reserve all mailboxes that start with "admin", "administrator", "webmaster", "hostmaster", or "postmaster". If I were doing that, I would also add "ssl" to my starts with rule. Based on what RapidSSL did, it would make sense to implement an "ends with" rule as well.
RFC 822 also has the reminder that mailboxes are generally case insensitive. You should reserve lower-case, upper-case, and mixed-case versions:
Note: This reserved local-part must be matched without sensitivity to alphabetic case, so that "POSTMASTER", "postmaster", and even "poStmASteR" is to be accepted.
This might be slightly related list, although its not for Gmail, but for Google Groups for G Suite:
https://support.google.com/a/answer/6093413?hl=en
Reserved group names:
We reserve certain names that cannot be used if you are creating a group using Google Groups or Google Groups for Business. However, you can use these names if you are creating a group using the Groups control in the Admin console.abuse
admin
administrator
hostmaster
majordomo
postmaster
root
ssl-admin
webmasterThe names abuse and postmaster are reserved. You can, however, subscribe to them and receive all mail sent to these addresses.
Based off previous answers and my research elsewhere, I have compiled this GitHub repository which has an updated JSON file, as well as JavaScript/Node.js based code example for implementation.
https://github.com/forwardemail/reserved-email-addresses-list
List of 1250+ email addresses reserved for security concerns
npm install reserved-email-addresses-list email-addresses
The string you are comparing with must be converted to lowercase and trimmed of whitespace. The reason we are converting to lowercase is because the dictionary of words we are comparing with are all lowercase, and in order to compare for strict equality, we must have matching case.
It is also highly recommended that you check for strict equality, and for a list of admin-related usernames, you should check for strict equality, starts with, or ends with comparisons as well.
const reservedEmailAddressesList = require('reserved-email-addresses-list');
const reservedAdminList = require('reserved-email-addresses-list/admin-list.json');
const emailAddresses = require('email-addresses');
const email = '"Admin***!!!"@example.com';
const parsed = emailAddresses.parseOneAddress(email);
if (parsed === null)
throw new Error('Email was not a valid address');
const str = parsed.local.toLowerCase();
let reservedMatch = reservedEmailAddressesList.find(addr => addr === str);
if (!reservedMatch)
reservedMatch = reservedAdminList.find(
addr => addr === str || str.startsWith(addr) || str.endsWith(addr)
);
if (reservedMatch)
throw new Error(
'User must be a domain admin to create an alias with a reserved word (see https://forwardemail.net/reserved-email-addresses).'
);
References:
- Is there any list of email addresses reserved because of security concerns for any Public Email Service like Gmail / Yahoo?
- https://support.google.com/a/answer/6093413?hl=en
- https://docs.google.com/spreadsheets/d/1Gj1LidTJgA1TgOjhxTaoQKaZTvV2-xZlvo9XEsBnZ5I/edit#gid=0
- https://gist.github.com/riaf/9067235
- https://gist.github.com/citrusui/d755cf6bf8374d413fe8f453fa40f0c6
- https://www.npmjs.com/package/reserved-usernames
- https://help.salesforce.com/articleView?id=pardot_admin_role_based_email_address.htm&type=5
- https://www.entrustdatacard.com/blog/2015/march/what-happened-with-livefi