313 comments

[ 4.6 ms ] story [ 275 ms ] thread
90% of the spam I get when I occasionally review it has dropped the dot in some silly effort to canonicalize my address, so yeah, the dot matters, as I filter the non-dotted address.
Same here. The "no dot goes to trash" rule catches an awful lot of spam.
My email is firstlast I use first.last for subscriptions I am unsure I want to keep. I can then filter out based on to address and also use diff combinations when I already know I don’t want them contacting me (firs.tlast) for example
If you use the + character (e.g. `firstlast+subscriptions`) it'll still arrive to your `firstlast` inbox, but will allow you to filter it more meaningfully.
I've been using this trick for a while (usually 'firstlast+per_service_identifier') and I've encountered more than a few systems which erroneously claim that any email address containing a '+' is invalid.
That's why I now own my domain, and added the first([\.-]suffix)?@last.tld -> first@last.tld mapping at my provider.

For selfhosting, there's `recipient_delimiter = +-.` in postfix' config. [0]

The most infuriating ones are those where you can subscribe with the '+', but the unsubscribe function errors on it.

[0] https://try.popho.be/email.html

Also in many cases I am allowed to proceed with the +, but never receive confirmation emails because the sending system chokes.
You could encode the service_identifier in a pattern of dots around the letters of firstlast for cases where the '+' is not allowed. But that's probably hard to do in a way that's easy to encode on the fly, unless you already know morse or something similar.
Also doesn't work if I'm not using Gmail :)
I have used it all the time over a dozen years, both for site-specific email addresses and also for having lots of handy test email addresses in my personal app development. Often I just wish I had been more disciplined about using it even more for site-specific addresses, but fortunately more websites about friendly about unsubscribing these days.
I have a fun story about this.

I had an account on some site and didn't use it for years. When I go back and try to login they demand I reset my password and verify my email. Sure, no problem. Thing is I used a foo+bar@ email and they had a little sanitizing script running that removed it when submitting the form. Rewriting their spaghetti and getting the form to submit successfully was fun. I was very surprised it worked. Guess they weren't sanitizing on the backend.

Some services recognize this and do not allow email "aliases." One reason is that it essentially would allow you to sign up for an endless number of trials with the same email account.
The level-up for this trick is if you have your own domain, and a provider that lets you use a wildcard alias (Fastmail, for one), you can use anything@yourdomain.com. On the fly. No way to block that!
I like that idea. I use Fastmail, in fact. So I could use hn@yourdomain.com or any address specific to a service.

I guess the risk would be potentially not remembering that was done or exactly what was used. Also, could keep you locked into Fastmail or limited to providers who have this same feature.

Luckily, there's a lot of providers that offer this :)
I did that for a while, and then my provider decided that people using catch-all e-mail addresses were causing their systems to store too much spam and stopped letting people use them.

That left me in a slight bind as I had used well over 50 different e-mail addresses. I had switched to Gmail as my primary e-mail address, but hadn't bothered changing my accounts. Luckily, they allowed a very easy way to create forwarding addresses and basically set it up to forward 50+ addresses to one.

So “firstlast+@gmail.com”?
What about + signs? That's the trick I use.
They also don't matter, but you already know this
In theory, providers/servers should ignore everything from the + to the @ so that should work just about everywhere else. And since most forms don't filter that out, you can make numerous "unique" addresses connected to a single one.

Now odds are, someone is going to respond with the one service where the + becomes significant..

> providers/servers should ignore everything from the + to the @

Why? I'm not sure it has ever been a standard and it's certainly not a default implementation for most providers?

Been using this for a while -

https://github.com/johno/normalize-email

That is a shamefully bad library. There's a million ways this is broken but the worst by far is that it lowercases the local part. Case MUST be preserved in the local part.
It is fine if you want to try to block duplicate emails, but you should always continue to use the original. But yes, it has false positives and false negatives. I don't think I would call it "broken".

But at the end of the day doing this kind of comparison probably raises more questions than it solves.

It's not even fine for that. If you assume that JayNesmith@ and JayneSmith@ are duplicates, you're eventually going to annoy someone.
Does MS Exchange or any other relatively big email server allow multiple emails with mixed case? As far as i'm aware all of the big consumer providers (Google, Yahoo, Outlook) don't allow it.
That isn't the theory. There are almost no rules for the local part of an email address and you must not attempt to "validate" them. Whether a '+' terminates the user name or means nothing is entirely up to the domain operator.
The exception being when you know that the domain operator supports RFC5233 then you're allowed to be aware of subaddresses.
That does this RFC even say? I read it twice and it seems to say "Some mail servers may use the part of an email after any character as a subaddress which doesn't affect which inbox a message is delivered to."

It seems to only talk about the receiving server and gives no way for the sending server to do anything useful as it doesn't specify the character to use if the receiver implements it at all.

I think this is good, I would like to not have senders try to guess anything about the structure of my email, but it makes me wonder what the point of having the RFC at all is.

That's part of the RFC email address spec. Ignoring .'s isn't, AFAIR.
Nope, the + trick is not standardized. The RFCs only specify that everything before the @ character is specific to the recipient system and Should Not Be Messed With; even case-folding that part of an e-mail address is a no-no, since the recipient system might distinguish case, and the sender has no way of knowing.

The + trick arose later, as a feature of certain mail recipient programs like Sendmail and Postfix, and most of these programs allow you to change from + to any character you like.

Subaddressing or "plus addressing" is a standard defined in RFC5223.
Note that RFC5233 doesn't actually standardize the delimiter. It uses "+" "#" and "--" in examples.

All RFC5233 does is specify how sieve (a protocol for specifying server-side email filters) can describe filtering on subaddresses. It does not confer any actual interpretation on email addresses, especially since many email providers don't actually use sieve for their email filters.

This is indeed the case. I have checked it myself. The link below shows how this can be used maliciously.

https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-t...

I do not know if this has been mitigated.

OP of that post has an ad at the bottom for their product that I actually found compelling.

It's a screencast tool- but instead of putting a video of your face in the corner, it overlays/ghosts your face on top of the full screen you're sharing.

Now sure how well it would work in practice. Maybe it's too distracting.

But it looks like a neat thing to try.

James is wrong, this is Netflix's fault. The same "scam" would work under a variety of circumstances because Netflix relies on something it has no reason to believe is true. Maybe you signed up to Netflix but your house mate thinks she did, she gets an email because of Eve, now you're both paying for Netflix, but actually she's paying for Eve's account.

Netflix could make this mistake with postal addresses even, if for some reason they used postal addresses. You get a letter from Netflix, you don't notice it's addressed to Eve, who had stupidly written your address instead of hers, you pay for her Netflix.

This is a data protection violation, data processors have a duty to take reasonable care that the personal information they have about data subjects is correct. If you need it, make sure it's accurate. If you don't need it, don't collect it.

This is actually Google's fault. Because Google is large enough Netflix could be nice and have special handling for Gmail addresses but this would be going against the email RFC that says $inbox1+$subaddr@domain == $inbox2+$subaddr@domain iff $inbox1 and $inbox2 are identical.

Netflix has zero idea how any particular email operator mangles or maps inboxes to actual users. Apple's private email service maps all sorts of inboxes to the same actual person. Mailinator maps every address to everyone.

This is Netflix's fault for not verifying email addresses before taking payment details for a recurring subscription.
True, Netflix should have verified that the person signing up could actually receive an email at the address they gave.

But in addition Netflix is right to allow the creation of two accounts where the difference is only dots.

There is no RFC specifying the interpretation of address formats. Every domain can use whatever scheme they wish. The RFC only declares that senders can't impose additional formatting rules on receivers.
Wouldn't the real James be notified that someone used his email to sign up for another Netflix account? When 'Eve' signed up for Netflix with james.hfisher@gmail.comm the signup confirmation would go to jameshfisher@ inbox?
I have been getting financial emails from several people for many years at my GMail ID. They apparently have given my address but without the dot.

But what mystifies me is how these people keep going for years without ever realising they aren't getting account transaction emails (from their banks), notifications of stock trades, even OTP emails etc. How is it possible for people to use these services for years without ever wondering why they aren't getting the routine emails they're supposed to get or even why they aren't getting the OTP email they had generated?

Also none of the institutions I contacted to ask their clients to update their correct email bothered to do so. On the contrary they sent me back what looked like automated replies asking if their customer service was satisfactory.

At this point I'm sorely tempted to delete my email and start over with another service provider. The nuisance of having to delete almost a dozen emails not meant for you every single day is annoying to say the least. At least with spam you get it sent to spam folder and there it stays. Confidential emails not meant for you is awkward and uncomfortable to have to put up with.

Set up a filter? Did you ever try to contact the institution where the emails come from?
Yes, I do have it filtered. And yes, contacted all the institutions. They don't bother at all in updating their records. And these are banks and other financial institutions. One would think they'd take the integrity of their data more seriously.
Yeah, this is a tough one. You can't just have random people saying "please change this email for another person" without permission, on one hand, but you violate other codes if it's clear you send med or financial info to the wrong people. That's why you get so little actual info in emails from bank and medicals these days.

But without a confirmation process to verify correct emails, this will continue as a fact of life, just like wrong phone numbers in the last generation, and wrong postal addresses in the gen before that.

Set it up to forward to their support e-mail addresses...
"they aren't getting account transaction emails (from their banks)"

I had a bank account I thought I had closed, but hadn't. Finally noticed and closed it 10+ years later. We moved around a lot.

> At this point I'm sorely tempted to delete my email and start over with another service provider.

Why not? Or you could start over without deleting your current email and go into Gmail settings > Forwarding and POP/IMAP > Add a forwarding address, and make it forward all of your emails to your new provider, where it should be easy to sort all emails from your old address to a certain folder or tag that you only check and clean, say, once a week (for any senders that don’t have your new email).

> But what mystifies me is how these people keep going for years without ever realising they aren't getting account transaction emails (from their banks), notifications of stock trades, even OTP emails etc. How is it possible for people to use these services for years without ever wondering why they aren't getting the routine emails they're supposed to get or even why they aren't getting the OTP email they had generated?

Perhaps they also get paper statements in the mail and text message notifications, and don't even know that they also are being sent redundant emails?

(It can go the other way, too. I think I've got some of my financial institutions configured to only send me email and text. If one was also still sending paper statements and those were going to the wrong address, I'd never notice).

You can filter your gmail based on the TO field (so anything without the dot goes to spam) if you like. I've done the same thing myself intentionally: I give the dot-less version to sites/companies where I need to receive an email or two (account confirmation etc). Then I manually grab them from spam and then forget the whole thing knowing I'll never see the other crap they send me.

Hope that helps, as someone with a common name I sympathize enormously.

I've done this — I have a filter to move any email I receive without a dot into a "Not For Me" folder, which I periodically go through and usually send a canned response back about how they probably have the wrong person.

You can also automate this part, perhaps to reply with "You probably have the wrong person, but if it is actually for me I'll get back to you shortly".

You can also append “+whatever” to the username part of your gmail address and filter it that way.

E.g. johndoe+mailinglist@gmail.com

Unfortunately some services won’t accept that as a valid address.

And most email scrapers / aggregators these days also ignore the + and whatever comes after.
I use this all the time, everywhere I can.

The worst example of "we know what are valid email addresses better than anyone" case was when adidas.com decided that they'd redesign their registration flow and in the process disabled logins with "invalid" email addresses when they previously had accepted registrations and logins with email addresses tagged with + for years. That was genius.

I've encountered the same problem. One day I'm going to stop being polite and cancel the Hotel Reservations, Conference Invites, and other shit that this guy keeps signing up for using my email address. Maybe that will get him to finally pay attention.
I imagine then you've probably gotten receipts/confirmations with the person's phone number. Have you tried calling him and letting him know?
You'd think so, but nope! In addition to the fact that about half the emails are in Spanish (my doppelganger appears to be a Central American doctor?), all of them seem to contain the bare minimum of info that would allow me to actually contact the person in question. And, ya know, you'd think a hotel or a financial institution that is notified they have someone other than the actual customer's email on file would be quick to correct that, yet so far I have never received so much as an acknowledgement from anyone that they will correct their records and try to seek out the account holder by other means.

I've marked most of them as Spam at this point, so hopefully Gmail's filters are simply learning to automatically send anything in Spanish to my Spam folder.

Have you tried emailing them? You have their email address apparently ;)
I have a common name, also a name used by a huge construction firm. I own firstnamelastname@gmail.com and firstnamelastname.com . There is no hope for these people. I have tried everything under the sun to get them to give out the correct email address.

What I HAVE noticed is that it's usually transcription error. These people that share my name are writing down their email with a pen and paper and a secretary or transcription service is inputting it incorrectly. Lately I reply back to hotel confirmations asking for a complimentary hotel upgrade with lots of extra soap in the room.

Yeah that's not going to help. I've got a guy using my email address for close to a decade. When it started, he was a high school student ordering lacrosse equipment. More recently he was buying a house -- I received the contract.

If my email is foobar@gmail.com, his is foobar7@gmail.com.

You'd think 10 years would be enough time to learn the difference, but nope.

That's when you start embarassing the person.

A group of students included my email address in their project discussion. They ignored my emails asking to remove my address. So I started replying as if I was a part of their project, but requested/suggested slightly stupid things. They figured it out real fast after that.

If you have the person's actual email, CC him on all that. If not, include a note saying your a different John Doe and to please remind the John Doe they want to reach, to use his own email address.

Reset their account passwords.
I’d rather not commit a federal computer crime thanks
They provided false credentials. The account is yours.

I did this once when someone created a Facebook account using my address. I let it go for a year and then did a password reset and deletion. At the time there was no requirement for email verification so the account was fully functional. Again, this is Facebook's responsibility to verify new accounts. A confirmation email link is last century's technology.

Moreover, what happens if this doppelganger is committing crimes via said account and investigators track you down from the email. It is in your best interest to eliminate these accounts. Kindly explaining the situation to non-existent customer support will get you nowhere.

They provided false credentials. The account is yours.

IANAL but I don't think it works like that. Ownership is not the same as control.

Ownership was never established in the first place.
Sure it was. I create an account, accept the terms and condition and put in your email address, your phone number and your street address. It's still my account, I am the one that accepted the conditions (you would cry foul if you were bound by the conditions you didn't accept).
If you want to be legalistic then the person who used the wrong email is in violation of CAN-SPAM[0], though my guess is courts don't have the time for petty matters like this.

[0]https://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003

Only if it was willful. We've kind lost the point of the OP but the example was accidental miss-typing and in my hypothetical above I meant accidentally
You have no legal business relationship with a service you've signed up for with no exchange of funds. An EULA is not a contract and they fully indemnify the service provider anyway. All you've done is initiate the creation of some database entries on someone else's property.
You have no legal business relationship with a service you've signed up for with no exchange of funds.

Yeah, no. Peace out dude, I'm done here.

I don't think this analysis is legally or ethically correct and I certainly would not want to have to test it against the CFAA in court.
There's an xkcd for everything. Sure, that's probably my email address.

https://xkcd.com/1279/

Annoyingly that is different, everything after the + is _ignored_ so only one person can have <first>+<any lastname>@gmail.com. Other people I am guessing use first.lastname and that is where the confusion is. =)
The XKCD cartoon isn't talking about a literal plus symbol.

If you took it literally that would imply the actual email address is a single letter @gmail.com and although some ex-SRE people and others at Google have said there were ways to get short addresses for employees, nobody has suggested a single letter would be available even for them. For normal users the minimum was six characters.

I created and removed several single letter emails as part of a test once, and I made several short names (mine, spam@, etc). The biggest problem was that too short would take the backend down because it received more mail than could be indexes at the time so too short or too common would get deleted to protect the system. As far as I know Randal still has his though. :-)

But yea your right about the plus I guess Ii didn't read it detailed enough.

The plus sign in the comic might just be meant to denote string concatenation (in other words, jsmith@gmail.com, not j+smith@gmail.com).
Same. The ones that surprise me are the credit card information or cell phone plans. I was able to contact the phone company and tell them to remove my address, but the credit card was an exercise in frustration. You can't get through without account or personal info. I just mark most of them as spam these days.
Forward the email with the explanation you've given to abuse@<sender>. Most companies should have someone monitoring such an inbox. If that doesn't work I'd call the desk of the cto or shame them on Twitter.
Same exact issue. Especially with people from Africa for some reason. I get a lot of stuff from 3 people from Kenya, Zimbabwe, and South Africa. Most everything there is managed by phone, and they just use my email as a throw-away address. The guy in South Africa has a collections agency after him. The guy in Kenya likes to order food delivery quite a bit. I occasionally change his order to extra spicy. The guy in Zimbabwe works for a college of some sort. I make sure he's signed up for all the educational trips to Europe.

Also some senior woman in Oregon, who is a frequenter of "silver singles".

Some industrial supply company in Canada is very confused by the fake Groupon I sent them for the free stuff they are trying to bill me for.

Some guy in Australia has his security deposit box setup with my address, and is way overdue on some payments.

(I've tried multiple times to correct the wrong email address of the people I mess with, and have been ignored)

Lots of US political junk mail, from many localities, both parties. LOTS AND LOTS OF KINKY PORN SITES.

Fortunately none of them have the dot in the address and I have a filter to send them all directly to trash.

I don't receive any junk mails anymore after switching to my custom domain.
It’s weird, but that’s been my experience too. I switched off Gmail (where I got tons of spam, although most properly caught by the spam filter) several years ago, and have received fewer than 200 spam emails in total since switching. I know this because my new host won’t allow the personalized spam filter to be enabled until you’ve received 200 spam.

I’m not at all careful to keep my email address hidden on the internet either.

It never occurred to me that it might be due to being on a custom domain. I figured either I was just lucky, or that there’s less spam these days.

I think you are lucky, I get around 5-10 spam mails on my custom domain daily. Granted, my address has been in a few data dumps.
Eventually you start getting a bunch of spam. I feel most of mine originated from GitHub and data-leaks.

Tip: configure a catch-all to your email address, and use custom email addresses for every website. I love having e.g. news.ycombinator.com@gilani.me and being able to filter out bad email addresses whenever they become tiresome.

I've also configured Mailgun on the domain (not what it was intended for but ¯\_(ツ)_/¯ ) so whenever I need to send an outgoing email from one of my custom addresses, I use their SMTP credentials.

At this point, I've been me@ amin@ heyamin@ and even notamin@gilani.me.

Setting up catch-all email addresses is a recipe to get absolutely inundated with spam.
Possibly, but I pipe my email through Gmail so I haven't noticed.
I'm the only email address on my domain, and I haven't set up a catch-all. I use my actual email address to sign up for anything that requires a signup. I don't have a junk account, and I don't use +-aliases. I don't hide my address; it's listed on my website, in my HN profile, and likely in a bunch of random places on the web, unobfuscated. In general, I just don't worry about it.

My GMail spam folder has around 10-15 messages in it per day. My inbox is nearly always fine. The nice thing that GMail does is sort promotional emails that it doesn't judge to be outright spam under the "Promotions" category, which I don't see unless I seek it out. That one still isn't that bad, on the order for 10 per day, but it is genuinely stuff I don't care to see.

If I were to move away from GMail (which is on my todo list), I'd have to figure out what to do about those. Likely they mostly have unsubscribe links; after a quick scroll down the list, I think it's nearly all from companies that I do have or had an existing relationship with.

I wish GMail had an "unsubscribe" button so I don't have to hunt through emails for their often-hidden unsubscribe link. Yes, I could click Spam and then "Unsubscribe + Mark Spam", but I really want just "Unsubscribe", but that's not an option.

I do have a fairly uncommon last name, so it's not something that spammers might accidentally put in a word list to use as an email domain, but overall I've just mostly not cared about "protecting" my email address, and it's mostly not been a problem. Is this entirely atypical? If so, I wonder why...

> Likely they mostly have unsubscribe links; after a quick scroll down the list, I think it's nearly all from companies that I do have or had an existing relationship with.

At one point I decided to actually hit the unsubscribe links rather than just archiving these emails. Turns out I was subscribed to nearly 200 different mailing lists. But there were only 1 or 2 that wouldn't let me unsubscribe.

There doesn't seem to be a lot of undirected spam. No one seems to be harvesting git repos, for example.

I keep dedicated email addresses for most purposes, and the two that are getting any are a random mailing list, and the kickstarter address. That one has been caught in a vortex of spam, clearly meaning that kickstarter can't keep their mouths shut about customer emails.

I'm pretty sure the campaigns get your email address, I often get emails directly from them.
I've got a catch all email redirect for my address. I do get a decent volume of spam these days.

Most of it goes to:

* admin@<mydomain>.com - listed in whois publicly for a few years, understandable

* <dropbox's address>@<mydomain.com> - started coming in 2014, the fact they were breached only became properly known in 2016.

* <my first name>@<mydomain.com> - This is the actual email address I give to in person contacts. Not quite sure how it ended up on spam lists, my best guesses are from a recruiter sharing it, git commits (though the fact the address I use way more commonly for git isn't there indicates probably not) or someone just figured it out.

with all the data breaches spammers have millions of verified email addresses no need to scan the web for more.
I get a couple emails a day, which is about how much I was getting when I was on Gmail. However, I have been much less careful with my address too–I think spammers might just be less likely to mail custom domains because those addresses might be more likely to be invalid.
I, too, am 95% better after switching away from first.last@gmail.com to something@firstlast.com and using g-suite on that domain for the last decade or so.

I gave up on Gmail for all the same reasons as the stories in this thread.

Fortunately I have a rather unusual last name so I have first@last.dev. It comes with the bonus of having it work for my future children as well :p
> The guy in Kenya likes to order food delivery quite a bit. I occasionally change his order to extra spicy.

> The guy in Zimbabwe works for a college of some sort. I make sure he's signed up for all the educational trips to Europe.

Both made me laugh, you are a wild man!

Same exact situation here. I have {commonFirstName}.{commonLastName}@gmail.com and get so much legit email without the dot for other people with my name. There’s at least a few of them - a retired vet, a substitute teacher in Ireland, a middle school student in Montana. And just this week I got some from a bail bond place for a kid in Texas that included his picture. I don’t understand how these people aren’t constantly confused about not getting emails they expect
I get the same thing all the time. I think it's relatively common for people who signed up for Gmail early, and thus we able to get a bare named email (i.e., no numbers afterwards like john.doe420).

The weird thing for me is that it seems to be more than just a single person writing down the wrong email or using it for junk mail. I have gotten emails from places all over the US, a couple places in the UK, and in the past year or so from someone in France. And while some of it is junk mail, I've gotten emails about rental agreements, company emails, insurance policies...

I used to try to be nice and email people back and tell them they had the wrong person. Now I just delete them. It's not worth the time and effort. Unless it's a kind old lady sending an email to her grandson, it's getting deleted. Hopefully their insurance company or whoever will call them after not hearing a response. Unlike regular mail, there's no consistent "return to sender" function, so...deleted.

I have a fairly common first name and last name and I thought I was a genius when I jumped onto an early gmail invitation in (I think) early 2005 to bag my "firstname.lastname@gmail.com".

Now I realise I was a chump and should probably have just stuck with sexxiboi69@hotmail.com

> sexxiboi69@hotmail.com

If you put that on your resume and they hire you, it's probably a good place to work.

My gmail address is simply my lastname @ gmail.com

So I get a lot of emails meant for other people whose email is firstname.mylastname@gmail.com where some sender drops the firstname and the dot for some reason.

I received airline reservations (where I can click and change seat assignments!), cancer diagnoses(!), wedding invitations, bank statements, real estate documents to verisign, all sorts of things.

I've been tempted to do things like switch the person's seat to a middle in the back by the bathroom, but while I've clicked through to see if I _could_ do it, I never actually completed it. I did once send my regrets to a wedding invitation.

Probably best you didn't. Unauthorized use of a computer system, even if you have the credentials, is considered hacking, at least in the US.
I've sent a physical letter, when I got an electricity bill with a home address.

A week later I got an apology email, and the incorrect emails stopped.

What's strange to me is why they thought that email address would work -- after all it's not their address. I've got years of emails from France for the same reason.

You can set up a filter for the incorrect version of your email address (any email to namenodot@gmail.com) and get those out of your inbox.

Lots of people don't understand how the Internet really works, or realize that there might be another person with the name of the person they're trying to contact.
Been there. I posted about this before but I own a 5 character common first and last name @gmail.com address. I get misdirected emails _constantly_.

Usually I am polite about it and let people know, but sometimes I make a game of it. I was invited to participate in a drum circle with an offer to pay for my flight to which I replied that I would love to join, but they would also have to pay for drum lessons. I got a mother insisting that I come home for the weekend to which I replied that I am home, perhaps she hadn't knocked hard enough.. etc.

At one point I got like 15 emails deriding me and my choice to "not support firefighters". Turns out that a member of a city council had listed his email as councilman.<me>@gmail.com and most people just ignored everything before that period. I took it as a challenge to see what the most outlandish thing I could say was that would be believed. Some of the better attempts: "My wife had an affair with a firefighter once!" and "My house has never burned down, why do we even need these guys?".. etc.

With most of the financial emails you can unsubscribe at least. =/

Likewise -- I fall firmly into this XKCD https://xkcd.com/1279/

My e-doppelgängers have priced cars across the state of Ohio, been active in the PTA, pursued higher education in Germany, and seems to always be interested in commercial real estate in the outer boroughs of NYC.

Though once -- I received an email asking me to please just apologize to my sister already.

I replied, "I think you have the wrong email address; I don't have a sister."

I saw a response -- "HOW COULD YOU SAY THAT? Your mother is crying." I thought it best to just walk away at that point.

Never thought it'd happen to me, having come across this topic before, but I'm happy to say I can join this club.

It's the same guy, who works in a Eastern European country, where I emigrated from.

The first instance, he was asking his supervisor to use his vacation time so he and family could make a trip to Mecca for Hajj. I chuckled and ignored it.

Second time random picture of some massive metal parts from what looked like some factory he works at.

Third time was this year, very recently and I received a pretty unnecessarily detailed email about how he had to turn back home because he had soiled himself while driving to work... That one made me worry he had gotten Covid.

I guess I'm this guy's boss now.

almost positive 6 is the minimum character length for gmail addresses.
almost positive 5 + 5 > 6
nono.. its a single word that is common as a first and last name. There are a BUNCH of cases where its applicable! =)

But yea, 5 characters. I was an early gmail SRE so I was able to circumvent the restrictions. =)

Was it <gecka@gmail.com> ?
No.. but iirc I made that one at one point before abandoning it.
See my comment above.. It is, I was a Gmail SRE that could circumvent the restrictions on that. =)
> I own a 5 character common first and last name @gmail.com address

Were you a Google employee? Or did you mean something other than how I read this, that your first and last name combined are 5 characters? Because I believe 5-character usernames are not permitted for gmail addresses.

I tried to confirm this and provide a link, but all of support.google.com appears to be non-responsive right now. When it stars working again, this may support my assertion: https://support.google.com/mail/answer/9211434?hl=en

I was an early Gmail SRE so I was able to circumvent the restrictions. It was a bad idea it turns out. For a project I also created "spam@gmail.com" and caused a production outage due to the volume of mail it got forwarded. =)

But yes your right, 6 characters is the minimum of "open" gmail accounts. I know of at least a dozen 2 character accounts created by insiders though.

I am 'pwinnski' nearly everywhere now, because on April 1, 2005, I was not allowed to create a gmail account of only the first five characters. Goodbye to 15 years of the old 5-character username, and hello to what is now 15 years of the new 8-character username!

At the time, I thought about pestering my Google-employee friends, but decided to just suck it up.

Synchronicity: You joined HN June 28, 2016 I joined May 8, 2016
Weird. I wonder if you told me about it back then, or it was a coincidence.
That is such an interesting question; it could be either one IMHO, with equal likelihood
I got a friend that also snatched a 5-letter Gmail account back in the day. He was kind enough to facilitate that I get one to but I got my own domain since forever so didn't get to get one.
> I was an ... SRE ...... I ... caused a production outage

I have nothing to add, except that you made me smile on a Friday afternoon.

Nearly all SRE's have caused an outage of some kind... The trick is to design your systems well enough that even when there is an outage few/no people notice...
Google war story: we used to get digital badges on our employee profiles to indicate useful things like ability to write c++ or python, or having worked on a specific project, etc. I got "porn cookie" for working on the safe search stuff.

Anyway, I designed a badge called "I broke Gmail" that would get applied to anybody that did exactly that. I intended a hint of shame but I got a wall of emails asking to get it with explanations of how each had broken the service at some point.

Unsubscribe, man, I'm jealous.

Some dude 2,000 miles away from me has bought a Lexus and now I get regular emails about the status of his vehicle, receipts for all work done to it, and reminders of all maintenance not done to it. For a year and counting.

Each email helpfully includes instructions for unsubscribing: First, you log into the Lexus app...

I finally got fed up with it and reported them to abuse@.

Well, since you have the email, you can log in to the Lexus app. Then you could turn off the notifications.
I'm not sure about this but wouldn't that be a felony?
Yes.

99.9% chance no one would care. But people do freak out over this stuff.

Knew one guy that saw that a Bank got hacked on the news. Did an nslookup or similar to check the banks site.

He was arrested the next day and expelled from college for hacking the bank.

Eventually all got cleared up, but screwed up a year of his life

He got expelled for running a DNS query?

Do you mean nmap?

Can you claim you thought it was your account? Then, to demonstrate you knew it wasn’t yours, they’d have to collect various proof, and this demonstration being erratic and risky, they’d probably not attempt a trial.
I can probably claim whatever I want, but given I've never even looked at a Lexus dealership in my life, I doubt I could pull it off.
I'm not sure either, but couldn't you argue that it _is_ your Lexus account? It has _your_ email on it after all. That is the single important identifier attached to the account. The other stuff doesn't matter.
Just create a filter to auto delete them
Perfectly reasonable solution but somehow just unsatisfying.

In the old days, when I ran my own mail server, I used to enjoy rejecting them with custom SMTP 550 messages.

Now I can't do that so I hard to resort to bothering the poor folks at abuse@.

In my defense, they have emailed me from 3 or so different domains/services, so I've had to set up a filter more than once.

As the lucky early adopter of gmail I got my last name only @gmail.com. It has been a blessing and a curse.

I have a boilerplate "you have the wrong address" email in multiple languages that I use to reply to the first email from real people. If they persist they then get added to my auto-reply "you have the wrong address" and delete rule.

For automated emails, I don't even bother trying to unsubscribe. They all get added to the delete blacklist rule.

Some of the more fun mistakes I have gotten have been multiple years worth of tax documents from New South Wales, Wine Tastings in South Africa, Church Choir concerts in Germany, and resumes for a receptionist in Colorado at a Gym.

I have a similar address and get a lot of similar email.

My personal favorite was a contract offer to play for a minor league baseball team in the Midwest a few summers back.

I also once got hired by the National Park Service for what sounded like a nice gig as a park ranger.

Ohh yea I forgot that I got mailed a bunch of movie pass financial details while they were still a hot property! That was.. erm.. eye opening.
Try having a 3 char username (@gmail), it never ends.
I have the same but it seems to be one specific person in Canada (I'm in the UK). I started getting emails about college prospectuses and applications, then I started getting them about library fines. I tried to email the library and inform them that they had the wrong email address and got nothing back. The latest has been emails from a car dealership trying to confirm some options for a new car.

I can't believe this person is missing so many emails that are presumably quite important to them. I can only assume they have the same first name as me but spelt differently and that other people are typing their address in wrong to various systems.

These days I just ignore every email like that, mostly for fear that one day I'll end up stuck with someone trying to hold me responsible for something.

Or, contact the legitimate recipient, and tell them to sue the bank.
It’s very rare to have any other contact information for these people. It’s not like you can email them. :)
I've purchased a truck in Florida, been going to college in (I forget which state) for a few years now, opened an LLC AND filed for divorce with Legal zoom, was part of a venture partnership with multiple personal invite and discussion emails about investment meetings, and more! I've responded many times to these and the only replies are from the last one, and Legal zoom (who told me sorry, disregard it??)
I had someone open a bank account with my email and I called the bank thinking someone was stealing my ID or something. How do people not know their own email address?
I have someone using my email, who best guess doesn't understand Gmail and Twitter are two different things - they have the matching @name on Twitter.
Same, but my concern is that some day one of these people will convince Google support that they own my account and then I will really be hosed.
> But what mystifies me is how these people keep going for years without ever realising they aren't getting account transaction emails

I put the blame squarely on those vendors. "well, we made them type it twice, what more do you want?" Please, please, just pretend it's a communications channel and close the loop!

Notes from BankCorp Ticket BUG-14333: "CIO saw some post on HN so we need to change the email validation. Make them type it three times."

(comment deleted)
> But what mystifies me is how these people keep going for years without ever realising they aren't getting account transaction emails (from their banks), notifications of stock trades, even OTP emails etc.

Because they never received the first one, so it's not abnormal to miss the n emails after that.

I think this is the real answer. For those people there is no disruption in communication, because it never begins in the first place.
Why not filter? If you know you always use the dot, filter without the dot. It works for me when I tried to set it up. Can even blacklist certain senders specifically so that if there are a few out there you made without the dot you will still get them.
I get a guy's bank info from the east coast of the US. Recently, he started using Zelle. His Zelle activity was being emailed to me. One of his Zelle recipients used a phone number. I was able to call her, get his phone number and tell him about this issue. He still hasn't updated his email address. I don't get it...
Yep, I live with this too... I thought it luck that I got <my_last_name>@gmail.com early on, turns out it was a curse. It's not a _common_ last name, but people with the last name seem to assume it is theirs, or maybe people miss the other letters in addresses they are given and just use the last name?

I used to get periodic emails from an elderly German couple giving me their train itinerary for their upcoming visit. I politely reply that I'm not their cousin, and consequently their cousin probably won't be there at the train station when they arrive. And then six months later it all starts again.

I have what I assume is a distant cousin on the east coast and I get an email with an invoice every time the pest control folks come out to his house to spray. No option to unsubscribe, and I've given up calling the company to let them know they have the wrong address.

There is a fellow in Quebec whose <first_inital><last_name> == <my_last_name>, and for a while I got monthly emails because someone was trying to wire him money. Again, no option to unsubscribe.

Lately I've started getting emails from universities interested in admitting another distant cousin in Oregon. I'm guessing some college lead-generation service crossed her name with my email (her/our last name). I haven't figured how to handle that one yet, I'm contemplating printing a few out and (snail) mailing them along with a note.

But I've had the address long enough that I don't want to let it go, so I guess this is all a necessary burden......

> But what mystifies me is how these people keep going for years without ever realising they aren't getting account transaction emails

The inverse happens too! Sallie Mae regularly snail mails me to tell me that the (snail mail) address they have on file for me — the same one they send this notice to — is undeliverable! I get all the normal mail (like account statements), too…

I get physical mail for a previous owner, even though I've lived here for five years. Usually I notice, I write "Not at this address" and cross through the address in Sharpie then shove it into a mailbox, per regulations.

More recently I forgot to check the front before opening. I realised when the contents were about a mortgage account, I don't like debt so I certainly wouldn't have a mortgage.

Apparently the previous owner still has a mortgage on this place, which would worry me if not for the fact I have monitoring set up so I know the Land Registry says it's mine, which means even if the idiot bank thinks they've got security for a loan they are wrong and the government will cheerfully tell a court of law that if asked. Hopefully they just didn't update the name of the mortgage and actually security is now in the form of some other property bought with the proceeds of the sale to me, but who knows, these idiots didn't understand "Not at this address" for five years.

I decided to call the bank about this mistakenly opened letter, but because of COVID they weren't usefully taking calls. I could remain in a queue for fifteen minutes and then get automatically dumped out with "We're sorry" if I wanted. So I just chucked the letter in the recycling.

If you need a recommendation for a Bank never to do business with in the UK (certainly not to trust with regards to where their customers live) it would be Halifax.

My gmail doppleganger signs me up for mostly animal charities and religious stuff. I keep unsubscribing and marking as spam. Sometimes I wonder if she does this on purpose, giving a "fake email" to people she doesn't want to deal with. If so, Diane, there's a real person with that email, and quit throwing all your spam at me.
And that's why email senders need to do double opt-in.
I'm confused. Do people just assume they can think of an email address and Google somehow knows and assigns it to them automatically?

Like they're signing up for something and put in "santosh83@gmail.com" and think "My name is Santosh and I was born in '83. Google obviously knows this and will send me this email!" ????????

I can't see that being the case (except exceedingly rarely) but perhaps if they had "santosh83@live.com" on an MS device and then got a device with Google mail they think their address is now "santosh83@gmail.com"? Or they're just nuts ...
If you ever figure out why people do this or what their thinking is, let me know, but yeah this actually happens. I have a common name but a long and uncommon surname, and I have name.surname@gmail.com.

This GP from New Zealand signs up for EVERYTHING under my gmail account. A handful of it spam, but mostly important stuff - notifications for financial transactions make up most of the mails I receive.

I have called his offices repeatedly to try to discuss it with him, and even have a reasonable rapport with his secretary, but he never wants to take my calls.

I really cannot figure out why he does it.

Is he in Auckland? If it's my GP I'll take it up with him for ya :P
Could be something like this:

Had first.last@comcast.net, but migrated to gmail and had to use something else. Then they misremember and hand out first.last@gmail.com.

You can set up filters in gmail to either automatically go to a different folder ("label" they call it), or to just delete them. It's not hard at all once you get used to the interface, and there's a wide variety of rule options.
You get financial emails, I got about $1,200 through quickpay / zelle via my email address.

Still waiting for them to contact me at the email _they_ used, to ask for their money back. I have no way of contacting them as the sender info is hidden.

I share a name with a builder from Queensland and have been getting his email for years - loan applications, hardware receipts, updates about his rental properties, apprenticeship schemes - you name it. What's insane about it is how many people insisted they had the correct address when I used to follow up.
Except for when it does matter! GSuite accounts do care.

first.name@company.com is a different address than firstname@company.com.

I learned that one the hard way.

Yes the article mentions as an admin you could remove the dots but they always matter.
I still get occasional emails for `firstnamelastname@gmail.com` while I registered `firstname.lastname@gmail.com`

Which seems to contradict what the article says, since the article suggests anyone who registered my `firstnamelastname@gmail.com` would own mine.

Or is the article suggesting actually nobody ever registered `firstnamelastname@gmail.com` and some idiots just think "oh i need to write to firstname lastname" (one of many who share my firstname/lastname in French) and they just compose that email address? I don't get it.

edit: but moral of the story I think it's really a bad idea to register based on a real firstname/lastname -- I'm tired of getting junk ... and worse, getting invoices for other people for a service I also use. I got confused once and actually made a payment which was not meant for me >_>

Yes, "nobody ever registered `firstnamelastname@gmail.com". You own it.

I keep getting email without dots because I too have common name someone mistakenly sends to.

> Which seems to contradict what the article says, since the article suggests anyone who registered my `firstnamelastname@gmail.com` would own mine.

It doesn't. firstnamelastname@gmail.com is also your address. Nobody could have registred it.

> Or is the article suggesting actually nobody ever registered `firstnamelastname@gmail.com` and some idiots just think "oh i need to write to firstname lastname" (one of many who share my firstname/lastname in French) and they just compose that email address? I don't get it.

Yes, that's what is happening. If you get unintended emails, their intended destination is yet another address.

Then why did they allow someone else to create an email like mine without the dot and I even get the occasional mail addressed to them. This is really shady, specially for an important service like email.
They didn't. You get email because somebody either typo's their similar address or they simply think that's their address when it isn't.
Not sure, I contacted this person, since I got their phone number from one of their emails (e.g. they registered for a hotel). I specifically asked them if they made a typo, according to them they have been using this email for years (maybe they lied but why would they).
This is inconclusive test, and if you ask people whether they made a mistake in the signup, they will likely answer no. Try to send a mail to that account, and if you receive a reply that is a real test.
Either that email address sends mail to your inbox or theirs - there's no way it could be some mix of the two.
They might have just been using it in terms of giving it out as theirs for years. Doesn't mean they've ever had access. Or they could have typoed it a long time ago and now actually think that that they've logged in with it when they never have.
They aren't lying, just confused. They probably made a hotmail.com account and assumed it would work with gmail.com.
I think you are assuming someone else should have created that email address without the dot because you are getting emails addressed to someone else. The reality is it is more likely that someone who hasn't created that email is using it as their address because they don't really understand how email and email addresses work
not 100% true, gmail won't allow you to send to john....smith@gmail for example
That's got more to do with gmail's composer than with their mailer. "foo + bar@baz"@domain.net is a valid email address but gmail won't permit you to type it in.
john.....smith@gmail.com is not a legal email address: the local-part is a dot-atom (or quoted-string) production, so successive dots are not legal outside of a quoted string.
I think that for Enterprise customers (G-Suite) dots might matter as I tried to create a new (bot) account in Github with my email sans dots and I never received the email (email was not @gmail.com)
This is mentioned in the article, yes. It is likely to preserve backwards compatibility with pre-existing email addresses from before the switch to Gmail.
Good. So I can re-subscribe to the same tryout service again and again adding dots to my address without the need of use disposable mailbox (banned for sure) or create a new one time address.
I spent far too much of my time trying to explain this to Humanity.com’s support after someone created an account using a dotless variant of my email. I didn’t want to freeze the guy out of his account as I imagine he was using it for shift work notifications but in the end they just told me to change the password. Their support repeatedly insisted that gmail was broken and I should contact Google.
I don't understand your problem. So Humanity.com made two accounts which both sent mail to the same gmail account, right? In that case it is easy to ignore or mark as spam or go to forget password and close the second account.
Because this is really Google's problem. If someone gives you an email address you're not supposed to touch anything before the '@' and assume that if the inboxes aren't exactly identical then they are separate addresses. Because on some (most) mail servers they will be separate.

Humanity is guilty of not actually verifying ownership/control of the inbox before letting the person attach it to their account but they were absolutely right to treat it as a separate address.

Obviously. My issues is the difficulty in explaining this to tech support even when confronted with evidence.
That’s not always true. I’ve sent an email from not Gmail service, it returned the non-exists error
You can add memos as well: jdoe+ExampleMemo@gmail.com
Dots do matter in G Suite email addresses, and that can be quite confusing for people that know this trick.
I'm surprised that the "+" operator isn't commonly known either in gmail (eg. I can type "johnsmith+345@gmail.com", and mail sent to that address will redirect to "johnsmith@gmail.com"
I have about 3 people sharing my Gmail Address to their banks, credit card, insurances, etc.
I got an email from Australia with the appointment for my spousal visa application, I'm also apparently looking for a new BMW in Cape Town and I also have a partner I visit in Paris and we order Chicken McNuggets on Uber Eats.
If someone emails you without a dot and you reply from your dotted address, it will look strange in the receiver's email client.
Depends on the client–the ones I use understand that people can reply back with a different address than the one I sent an email to. (I frequently see @cs.university.edu → @university.edu, or @gmail.com → @companyname.com.)
There is also the alias of googlemail.com on the domain level... Always a cause of big headaches.

  johnsmith@gmail.com
  john.smith@gmail.com
  johnsm.ith+foobar@gmail.com
  j.oh.nsmith@googlemail.com

all are pointing to the same logical email address.
I love the way most services treat dotted addresses as separate addresses. So for example if you wanted multiple accounts on $service you could register the following:

    john.doe@gmail.com
    j.ohndoe@gmail.com
    jo.hndoe@gmail.com
    joh.ndoe@gmail.com
    johnd.oe@gmail.com
    johndo.e@gmail.com
And now you have six accounts, with the bonus of receiving mail in the same inbox for each account!
You can also add multiple dots :)
Yes but I imagine most services would spot that as an invalid address? Although it's worth trying something like

    john...doe@googlemail.com
To see if it passes as a valid address. Don't use this for evil, okay?
No, not multiple dots in a row. They still have to be between two non-dot characters.

Two dots in the email instead of one:

    j.o.hndoe@gmail.com
    j.oh.ndoe@gmail.com
    j.ohn.doe@gmail.com
    j.ohnd.oe@gmail.com
    j.ohndo.e@gmail.com
    jo.h.ndoe@gmail.com
    ...
    johnd.o.e@gmail.com
And if you somehow didn't know there is the possibility of adding +anything to your email, so that you can do john.doe+servicename@gmail.com and know which service leaked your email to spammers/advertisers
you can do that with gmail with the + character.

john.doe+beta@gmail.com john.doe+delta@gmail.com

they all go to the same address

You can also use @googlemail.com domain name instead of @gmail.com to double the number of email addresses.
Yes, you could do even more shenanigans registering with the following:

    john.doe+uniquestring@gmail.com
    j.ohndoe+uniquestring@gmail.com
    jo.hndoe+uniquestring@gmail.com
    joh.ndoe+uniquestring@gmail.com
    johnd.oe+uniquestring@gmail.com
    johndo.e+uniquestring@gmail.com

    john.doe+uniquestring@@googlemail.com
    j.ohndoe+uniquestring@@googlemail.com
    jo.hndoe+uniquestring@@googlemail.com
    joh.ndoe+uniquestring@@googlemail.com
    johnd.oe+uniquestring@@googlemail.com
    johndo.e+uniquestring@@googlemail.com
Oops there's a mistake there; there's supposed to be just one `@` symbol!
It is worth noting that these are different addresses. They all go to the same inbox but that isn't part of the "email API".

Of course some services don't like this so they special case gmail.com addresses to try to block this but it is perfectly legal for a mail server to route these to different mailboxes (such as GSuite accounts do).

well, using the dot between any two letters or not, you have 2^6 = 64 combinations (without even using double or triple dots...)
Dots does matter in GSuite's email addresses (those are the email addresses for enterprise via work or school.)

Also in the email name part of the email address, anything after + (plug sign) and before the @ (at sign) don't matter either. [1] This is the same behavior for personal Gmail and GSuite email (Gmail for enterprises)

[1]: https://gizmodo.com/how-to-use-the-infinite-number-of-email-...

It definitely is. For example I get a lot of emails sent to me+ni@mydomian for "Not Important" which I use kind of like an RSS reader. They never appear in my inbox and I catch up on them every once and a while.

You can do this for a wide variety of things and combine it with filters to get a lot of extra value from your email.

You'd be surprised how many legacy registration systems break because of the + 'trick'.

Ever since I got a basic Gsuite plan and set up a catch-all email address, I can just use websitename@mydomain and then use filters which is oh so practical!

I used this to get cheap dreamhost service back in the day by signing up once with my email with the dot and once without the dot. I now use the account without the dot permanently and it always throws me off. Worth it for the 1 year of savings :)