One Email, Many Faces: A Deep Dive into Identity Confusion in Email Aliases
Mengying Wu
Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Messaging Security
This research exposes a fundamental inconsistency in how the internet handles email identity: **email providers** treat alias addresses as the same identity (delivering them to one inbox), while **online platforms** treat them as distinct users. This mismatch enables two classes of attacks: **alias multiplicity abuse** (creating unlimited accounts from a single email) and **alias misidentification attacks** (tricking users into trusting emails from unfamiliar alias addresses).
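A platform-side check for the alias multiplicity abuse described above, as an added example that is not code from the paper or the talk: it maps each signup address to the inbox the provider would deliver it to and groups accounts that share one inbox. The rule table is an assumption covering only widely documented Gmail and Outlook.com behaviour; the 11 provider-specific rules the research reports are not listed on this page and are not reproduced here.

```python
from collections import defaultdict

# Assumed rule table (illustrative, not the paper's list): widely documented
# alias behaviour only. "plus" = "+tag" suffix ignored, "dots" = dots ignored.
RULES = {
    "gmail.com": {"plus": True, "dots": True},
    "googlemail.com": {"plus": True, "dots": True, "alias_of": "gmail.com"},
    "outlook.com": {"plus": True, "dots": False},
}

def canonical_mailbox(address: str) -> str:
    """Map an address to the inbox the provider would deliver it to."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    rule = RULES.get(domain)
    if rule is None:
        return f"{local}@{domain}"  # unknown provider: assume no alias rules
    stripped = local.lower()
    if rule["plus"]:
        stripped = stripped.split("+", 1)[0]
    if rule["dots"]:
        stripped = stripped.replace(".", "")
    # If stripping leaves nothing (e.g. "+x@gmail.com"), keep the original local part.
    return f"{stripped or local.lower()}@{rule.get('alias_of', domain)}"

def find_alias_clusters(signups, threshold=2):
    """Return {canonical inbox: [account ids]} for inboxes with >= threshold accounts."""
    clusters = defaultdict(list)
    for account_id, address in signups:
        try:
            clusters[canonical_mailbox(address)].append(account_id)
        except ValueError:
            continue  # malformed address: leave to input validation
    return {box: ids for box, ids in clusters.items() if len(ids) >= threshold}

# Constructed sample signups (hypothetical account ids and addresses).
SAMPLE_SIGNUPS = [
    ("u1", "jane.doe@gmail.com"),
    ("u2", "JaneDoe+npm1@gmail.com"),
    ("u3", "j.a.n.e.d.o.e+x@googlemail.com"),
    ("u4", "jane.doe@outlook.com"),
    ("u5", "jane.doe+shop@outlook.com"),
    ("u6", "janedoe@outlook.com"),
    ("u7", "jane.doe+tag@example.org"),
]

if __name__ == "__main__":
    for inbox, ids in find_alias_clusters(SAMPLE_SIGNUPS).items():
        print(inbox, ids)
```

Addresses at providers missing from the rule table are compared as written, so a cluster found this way is a lower bound on accounts sharing an inbox.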
AI review
A thorough systematization of the email alias identity confusion problem that discovers 11 previously undocumented provider-specific alias rules and demonstrates real-world abuse at scale (139 npm accounts from one email). The user study finding that technical self-confidence increases vulnerability to alias misidentification is genuinely interesting. Not deeply technical, but the measurement and human factors work is well-executed.