I actually wrote about that guy not long ago. His name is Mike O'Connor, and he owns bar.com, grill.com, place.com, and television.com, among others.
Probably his most famous domain was corp.com, which was recently bought by Microsoft because it turns out that older versions of Windows and other Microsoft products actually invited people to use corp.com for their internal Active Directory names. Problem is, when those machines are outside the internal network, they're constantly trying to share passwords and other sensitive data with corp.com.
I am really glad that I do not have one of these email accounts. While I cannot speak firsthand of some of the shenanigans that are mentioned in the article, I have worked in the web hosting industry for 20 years. I have seen some of the horrible security practices in use by customers and, surprisingly, people in the industry.
I've seen many people locked out of their hosting accounts because they have their primary account email address as one of the hosted email addresses on their accounts, and suddenly they've lost access to their web hosting control panel because their domain expired or their email was otherwise taken offline.
I think what all of this boils down to is that people don't receive any actual training about how these things work. They pick up a phone and start using it and figure it out along the way, or they buy a computer and set it up the way Microsoft says and never think twice about anything else. The amount of training that people receive is dismal at best and most the time it's not even that.
There's also a contingent of the public that doesn't want any training and their main argument is "well this is how I've always done it!"
> I've seen many people locked out of their hosting accounts because they have their primary account email address as one of the hosted email addresses on their accounts, and suddenly they've lost access to their web hosting control panel because their domain expired or their email was otherwise taken offline.
This is a surprisingly difficult risk to effectively mitigate.
If you have a domain and tie your domain registration and hosting accounts to an email address hosted by the domain, you could get locked out if something goes wrong with the domain registration.
If you tie your registration and hosting accounts to a third-party email account, you could get locked out if the third-party decides to nuke your account for any arbitrary reason (cough, cough, Gmail).
If you tie your registration and hosting accounts to a cell phone number, you could get locked out if someone attacks your phone account (unauthorized porting, SIM swap, etc) or if the cell phone network goes down (think California fire protection blackouts, or hurricanes).
If you tie your registration and hosting accounts to TOTP or Webauthn 2FA, you could get locked out if you lose or damage your 2FA device.
There's no good way to authenticate domain registration and hosting accounts unless your registrar and host have the foresight to allow multiple authentication paths.
> If you tie your registration and hosting accounts to a third-party email account, you could get locked out if the third-party decides to nuke your account for any arbitrary reason (cough, cough, Gmail).
This is interesting. I usually point all my WHOIS info to <something>@<other-domain>, but <other-domain>'s WHOIS goes to one of my personal Gmail accounts.
I'm going to switch it to a domain where I control the DNS, so I can change the MX record if a provider decides to nuke my account.
Now I'm wondering how this works with any registrar's domain privacy feature — technically, they're the "owner" of the domain in the WHOIS record.
Just be careful that your DNS is sufficiently restricted; I've heard of DNS being the weak point for taking over accounts involving custom domains.
I'm surprised there aren't more in person or by mail verification options available. I guess partly due to the "who pays for it" aspect (and people moving, etc., plus no verificaion method is completely accurate), but the current state of authenticating online accounts is rather worrying in general and allows anyone anywhere in the world to try to take over your accounts.
I'd personally tie a domain to a paid email account hosted by a provider that is in a sound market position (not e.g. Yahoo), doesn't have a reputation for arbitrarily revoking accounts (not Google), and doesn't have overly aggressive spam controls (not Microsoft).
Years ago I considered setting up a hosting company. This is part of the reason why I didn't go through with it - dealing with idiots locking themselves out and/or letting their website get compromised & send spam/host inappropriate content wasn't worth it even though the technical side looked pretty straightforward and a fun challenge.
I don’t have an “OG” account but a common first, last and middle initial and I get about 1-2 new signups for stuff every week.
It’s amazing how many services will not confirm email addresses and just send sensitive info (and make it hard to unsub).
Many years ago I had a CEO who made us keep one of those “retype your password to confirm” that I thought was stupid, but we did it. I think of how right he was every time some Uber driver signs up with my email.
Due to a bug, for a few months I received email addressed to google@gmail.com. This was years ago, when Gmail was still newish.
I couldn't send mail from that address, but I sure did receive it. An endless torrent of weird junk, and a surprising amount of personal data, business secrets, and passwords. If I was maliciously minded I could have done a lot of damage.
I spent those months trying to find any way to get a message into Google to fix it, and only eventually succeeded when I learned a friend-of-a-friend actually worked there, and they helped un-scramble my account.
Am a Googler who doesn't write Javascript, opinions are my own etc etc...
I don't know how many there are, but are you saying that 3 would be a lot? There's probably hundreds of internal libraries for other languages like Java, C++, Go, etc. 3 really doesn't seem excessive.
I've got one of these. I've been invited to golf tournaments, received medical records, been included in family reunions for many years running. I've had power bills sent my way. I've seen tons of SS#'s and bank account routing numbers. Countless password reset attempts. A long time ago I decided I'd never interact, reply or respond to any mail I received apart from opening.
Tangentially related -- catch-all email accounts also get a ton of mail when the domain name they're tied to is close to something that many people send messages to. If you own a domain one keystroke away from a high volume domain - you'll get access to all sorts of things you shouldn't be seeing.
I have one of these accounts (it's a dictionary word), and I can confirm everything the author has said is true. I receive constant onboarding emails I can't opt out of, "so and so thinks you're cute" dating profile notifications, weekly account recovery notifications, all kinds of random crap that was meant for someone else but due to slight misspellings come to me, such as important contracts from lawyers, endless spam and newsletters I will never be able to escape. I've long given up trying to help others deal with mistakenly using my email. It sucks massively and has made my email unusable. Had I known this when I registered my email, I probably would have thought twice about being cute and registering it. These days, I mostly use my own domain for email and carry on.
Sorry to hear that. As a fellow 'OG' gmail user, I feel your pain, but between the constant 2-3 daily unsubscribe hits and many many Gmail filters it is actually manageable and usable.
Google's "targeted-journalist-level" Advanced Protection Program means I don't have to worry about password resets or account recovery stuff on the account.
Though I have lost track of the number of services I didn't have immediate access to since someone signed up using my email address, and reclaiming it can be a battle sometimes. The Apple ID was interesting - but luckily everyone's "first pet's name" was "Fido"... (Seriously... Please validate your emails everyone!!!)
Often, whenever a real mailing address is included I print out the email and send it in a real letter with a friendly (if just a tad passive-aggressive) note inside. But overall I try to do the right thing for important documents and correspondence.
I do shudder to think how many random accounts are just an email-password-reset away from having access though...
I don't have the same degree of problems with first initial + family name @ gmail (with an uncommon family name), but I've had someone use it for something related to car insurance (which has resulted in a _ton_ of spam), to enter a university run, and had company internal documents forwarded to me (turns out the CEO shares my name).
I have name.wifename@gmail.com and I have not gotten many subscriptions but I got quite a few random emails meant for other people.
I did get a subscription for a Diners credit card, and I am torn about contacting the guy; I don't look at the emails but I probably could find the owner relatively easily. I contacted Diners and they didn't believe me. (Who the heck is using Diners these days?)
I got on Google's APP a while ago. Google is great for this specific purpose - if there's one thing you can count on Google for, it's never ever listening to their customers, no matter what.
OMG some guy has signed me up for EVERYTHING from Home Depot to every dating site, to porn sites to cheating sites. It's absurd. I get daily emails from these services still even with unsubscribes and blocks. They're insessant.
I had to set up a filter to automatically reject anything from any of their domains, they're an absolute plague that Moses would be proud of.
I don't really like email alerts for social media as a concept anyway, if I want to hear what LinkedIn has to say I'll look at LinkedIn itself, it has no business injecting itself into the rest of my life via out-of-band methods like email.
My wife and I have "OG" name based gmail addresses. We only get about 5 emails a week not to us nowadays, but we have also given up trying to route the stuff to people. Somehow we've made it onto government distro lists, business travel itinerary lists and the normal distros.
The worst was when my wife began receiving outage alerts from a Fortune 100 company's NOC. Not just simple Nagios alerts, but detailed technical information accompanying the alert. When we attempted to notify their security team they threatened us for having "hacked" their system. Turns out they realized a former employee added their personal address to the distro when they left so they could help with the transition.
Same. People signing up for various services, apparently not understanding that they will never be able to read anything sent to this email address.
I get emails from middle schools, online shopping of course, but also emails for at least a couple Trump supporters (not trying to profile; simply getting Trump campaign's constant barrage of emails demanding more money; nothing from Joe's side yet)
What I find particularly annoying is when parents use this account to register for a kid's school alerts. All sort of important stuff like "Do not send your kid to school this week!" or "Where did your kid go?" and because the school itself is also not super savvy, there is nowhere for me to send a reply saying "You need to fix this!"
Indeed. Mine is firstnamelastname, and I've gotten many emails I shouldn't. The worst was an excel spreadsheet with login details for several dozen midlevel managers at a small banking chain.
Yeah, I have the same type of email, and I received legal and medical documents, letters from schools about students, tons of personal notes, and daily signups for services.
I've got [first initial][last initial]@[my email provider] and have come to find much of the mail I receive seems to be addressed to people with the same initials as myself. It's incredibly frustrating to find the same culprits over and over again. Do they not know their own email address? Or do they just not care? (I suspect the latter)
For three years in a row I received an amazon gift card on father's day. Always intended for as far as I can tell the same person who has the same first initial and last name as me.
I contacted Amazon about it the first time and they wouldn't cancel it or issue a refund because I was the recipient, not the purchaser. I worry that someone has been written out of their Dad's will because he thinks they have forgotten father's day 3 years running.
I have lastname[initial]@gmail.com and it’s not a terribly common name, but I’ve gotten Interac payments (Canada) sent to me for little league practice (emailed back and they apologized).
Most recently I’ve been getting a cell phone bill for a South African person. It had their address so I looked it up on gMaps and it was a small home in a shantytown. I just received an email telling me the service was being cut off for non-payment. No email for me to reply to.
I had another person with the same name as me put my email address in his resume. I started getting a heap of emails to come in for interviews, in a small town in Northern Ireland that my family emigrated to Australia from 150 years ago.
Fortunately his phone number was in the emails, so I called him and had a great chat, he got his Nan on the phone and we spent ages walking through our family tree finding connections.
Technically there is, I think SMTP has 'VRFY' or similar to check if an email address exists. However I recall reading (like, over a decade ago) that it's often not supported as it makes it easier for spammers to validate real email addresses.
We're actually moving in the opposite direction now. A lot of services nowadays became less strict in what they require to open an account (for the sake of growth and engagement) compared to a decade ago.
Didn't realise this was a common problem. My gmail address has about 9 filters with ~100 terms each. Would be nice if Google automatically had an allow list with countries where I will accept account recoveries requests from.
Worst though is that PayPal created an account for another person with my email address. Apparently they don't send out the initial prove-your-ownership email. Still unresolved because PayPal refuses to believe me that I own the address, even though they don't even want to send a test email.
I get multiple account recovery requests per day. Google should have a good idea that they are not coming from me based on where I'm declining them from and where I log in correctly from, but they still spam me with those requests. I don't know if Advanced Protection blocks those requests, but I'm not willing to give up access to F-Droid just because Google can't be bothered to fix its account recovery process.
Similarly, on Office Snapshots, we regularly receive contact form messages from people who search stuff like ‘NFL headquarters’.
A lot of them are people releasing some political steam and we can usually tell if a company has been in the news based on the type of messages that come in.
I still don’t really understand how people make the mistake given the nature of our site, but it is what it is.
I was so happy when I was able to get my (exceedingly common) full name as my gmail address.
1.x decades later, I regret it. I get people's medical information, legal documentation, all of it. It is stunning to me the quantity of PII that flows into my inbox daily. Back when it was a trickle, I used to try and contact the people involved to let them know of the issue. It almost never worked out, and I got tired of getting yelled at.
At this point, I keep my account simply because if I were to close it, I don't trust whomever might have it next. It is what it is.
My email address most recently was used for some online courses at a .mil address. They took me off their list when I asked, the amount of notifications was pretty incredible. It’s been used for dental records in Oklahoma and to buy heavy machinery in Germany. It’s still obscure enough not to be a real problem, so it’s mostly amusing.
I share a name with a famous person and my first and last name are also my email address (@ a certain mail service) and I often get receipts for things he’s purchased as well as personal correspondence. When it’s a person I always respond and say that unfortunately I’m not the person they’re looking for just so they know.
Yep, I secured a firstnamelastname.gmail (both common) for my wife early in gmail's life- and its very useful for ease in sharing.
I have a similar .mac/.me/.icloud email.
Unfortunately the innumerable 1,2,3 ended users of the same email get wearying to deal with for both of us. We both have persistent UK versions of ourselves, lots of offers for free tickets to football games in the UK that I have to regretfully pass up; as well as a variety of other people that we've managed to classify by geography.
The PII stuff is really the hard part- real estate documents, job offers, legal communications, x-rays, etc. You want to help but often it just generates a lot of heat without helping.
I feel like you could simply stop using it, set up a vacation auto-responder, and log in once in a while to keep it from expiring and reverting to someone unseemly.
This whole thread is the reason I started requiring extra email verification when members signed up at our hackerspace/makerspace. A surprising number of otherwise-bright people don't know their own email address.
Honestly, I'm not far from doing exactly that. It's just frustrating to be forced from one's own name by nothing more than legions of derppelgängers, you know?
I have my not-so-common name as my gmail address and I still get a ton of crap. The most frustrating is from a power company in Ohio that sends me billing statements every month. I contacted them to ask them to stop emailing me because I'm not the intended recipient. They said they can't stop emailing me because only the account holder is allowed to change the email preferences. Apparently my only recourse is to reset the password on the account and claim it as my own... for the last few years I've just been deleting the monthly emails.
I also get fun things like family photos from people I've never met before
I have the same issue. I never waste time trying to find a way to forwards these emails to the right people, because I am extremely suspicious, so I often assume there is a phishing attempt behind these emails. I mean, often, money is mentioned in the email (like booking a hotel, a bill, a car insurance, Internet subscription, etc.). It might be legit, but it is not worth the hassle for me, and it is none of my business anyway.
...for now, yes. I just don't trust them to keep that policy, you know? Microsoft & Yahoo already recycle, and I am willing to bet that Google will eventually, too.
I have at least three people that have used my address for things as random as harbor freight and Redbox. Every month or so I’ll get an email receipt and it is always interesting to see what these other people are buying at harbor freight or renting from redbox. My wife has another woman who apparently doesn’t know her email address because she gets notifications about this woman’s spa appointments (it’s interesting how often this other woman gets Botox and lip injections), ballet lesson invoices for her two daughters, etc.
The crazy thing is that we don’t really have any way to contact these people. None of the invoices include identifying information other than what state the businesses are located in.
I get Harbor Freight as well. I’ve been getting someone’s AT&T bill for years. No amount of trying to convince AT&T to fix this has been successful. I agree that it’s maddening that there’s often no way to tell these companies that they have the wrong person.
For a while, any time I got signed up for something where they provided a cell phone, I’d use my Google Talk number to text the cell phone and inform them. I don’t really bother any more, as generally people are just confused and it ends up being a lot of back and forth.
A sampling of the other emails I’ve received over the years:
- Nude photos from a woman who, when I informed her that I wasn’t the person she meant to send them to, got quite offended that I didn’t want her pictures. After a little back and forth she realized her mistake (and I deleted the email and the pictures).
- Pictures and video of a baby, along with emails criticizing me for not wanting to see my baby, and not supporting her.
- There’s a man in Texas and a man in Florida who have both used my email address to sign up for what could only charitably be described as dating sites. These sites all seem to use the same base software, and have no way to remove your account. With these I’ve taken to resetting the password and deleting the account. Sometimes I’ll have a little fun and change the bio to something like “I hope you like STDs, because that’s all I’m bringing to the table”.
- Receipts for web purchases. Mostly these are boring, clothes, home goods and the like. However one person used my email address when purchasing several hundred dollars in sex toys. The email included his name (same as mine) and his address, along with a detailed accounting of his purchase. I was tempted to print that and mail it to the address with a nice note advising him to use his own email address next time.
- Job search emails. Sometimes it’s scheduling interviews, sometimes it’s notification of a start date and some paperwork. I’ve also gotten an email with the results of a background check that wasn’t favorable.
- The absolute craziest one was an email exchange that lasted over a year. This man in California would send texts from his phone to a bunch of different email addresses complaining to his wife, who had left him (and was included on the emails). He would rant about her new boyfriend, complain that she had stolen money from him and wouldn’t visit with his kid. It was a bit sad but I tried repeatedly to convince him that I wasn’t the person he thought I was, even going so far as to send him a selfie and asking him if I looked anything like the person he thought he was emailing (his response: yes, but you’ve gained a few pounds! Jackass.). I never did convince him, and he refused to stop sending emails. He told me I should just block him. I suspect he was having some mental health issues and perhaps wasn’t all there. The emails finally stopped. I kind of wonder if he passed away or ended up in a facility without access to his phone.
Tip: Don't use generic names like johnsmith@whatever. It might be your name but a lot of John Smiths are going to use that account on a variety of services they use, for some reason. If you do that prepare to receive a bunch of registration and password reset emails. I even got linked with some guy in another country who did a very expensive Uber ride, which was kindof scary.
If someone signs up for Uber with your Gmail address, you can log into their account without changing their password using Google login. This is a very old Uber vulnerability that I know at least a few people have taken advantage of.
What if you simply changed all your accounts to use a + variant (e.g. johnsmith+official@gmail.com) and filter out everything sent to you without a + in the address?
I’ve learned that there are a lot of places that auto remove the +official (or whatever you have after the + sign). I assume there is a common email library out there that auto strips this information.
Perhaps adding dots then? They shouldn't normally be stripped, but are also ignored by gmail. john.smith would obviously still get a ton of spam, but something like j.ohn.smith might not. (If we were literally talking about the name John Smith I expect it still would, but for other names that should work...)
I have one of these, and sometimes I wonder if the stuff I get is really from someone who registered somewhere with my account, or just some highly elaborate phish/spammers' "live account detection" (register for a service using the target's email, then watch for signs of that service being touched, such as the target attempting to unregister itself from the service.)
I don't know where else to tell this story, but I got the most amazing piece of spam the other day. According to the sender, an unnamed person had told them to contact me. They allege that over the past 50 years the CIA has been investigating life itself and the sender wanted me to see some bombshell revelation that world governments and large corporations had known about for the last 17 years. I was given a shortened link where I could find out the truth and learn how I play a role in fighting the nebulous yet nefarious powers. In the final part of the call to action I was informed that I better hurry up because unnamed powerful people are going to censor this information from the internet soon.
Yeah I've got a 6 digit semi-common name Gmail account (from the invite-only days) and the amount of junk I get to it is mind blowing. Not "spam", that gets filtered pretty well by Google these days, but emails specifically sent to me but not for "me" personally like TFA talks about.
100+ emails a week in my primary inbox that are from people signing up to random stuff in my name, basically any/every service you can imagine where I don't already have my own account (large social networks and sites in countries other than me own, online shopping sites, etc).
The other interesting thing is I seem to get a LOT of email for addresses that "almost" match mine, as though Gmail is doing fuzzy-search for addresses? Eg lets say my email is "david@gmail.com", I get dozens of emails a week for "david.17@gmail.com" and "davidab@gmail.com" and stuff like that. I can't explain this one, and everyone I bring it up with says it shouldn't be possible.
It's gotten to the point where I've created a more normal fullname@gmail.com and then do some filters/forwarding on the old one for the more important emails, then just check the old one every couple weeks to see if I missed anything, because it's just not usable anymore with notifications on.
Same here. My GF at the time received a couple of the earliest GMail invites from someone she worked with, and I remember thinking, "Wow, this'll be great, nobody will ever forget my email address."
Almost none of that is actually spam. Mostly list/membership subscriptions, reminders that my $(VEHICLE) is due for service at $(DEALERSHIP), and misdirected personal emails ranging from amusing to upsetting.
Story time: I never considered my email to be OG as it contains at least two digits after firstLast but I've experienced the same thing. A man very well off man from Texas has assumed my email as his own, shared it with his entire extended family and booked hotels and flights using it.
At some point both his wife has asked me what I thought about a forwarded message from their mortgage broker and his brother in-law asked me my input on buying a 30ft yacht and what to name it.
I always ignore the serious ones for obvious ethical reasons but can't help myself with the more innocent cases. I've found I quite enjoy giving non-commital responses to these emails that won't give up the gig but also don't help them either, things like: "that seems pricey" or "cool! What are you going to name her?", and "she's a beaut!".
So I own a domain that is very similar to a ballet company for children in Florida and once, a mid-sized CEO emailed me PDF images with credit card details!
I tried reaching out, but my email was probably ignored because they thought it was a scam.
I'm sure that sending that info insecurely at least... violates mastercard agreements? I dunno. I just hope people checked and double-checked what emails they send.
I own a domain name that is a generic word but is also an one-off of a medical company (and a very "likely" typo).
My catch-all mailbox has received an insane amount of highly sensitive medical records over the years. Most of these mails were coming from employees of the company itself, not external correspondents.
I have since modified the catch-all mailbox to reject mails from the medical company, so they get a bounce message. This has not reduced the number of messages, but at least they will know something went wrong...
People are not very careful, even with highly sensitive data...
I have an uncommon last name OG email address. One time, I got someone's rental car reservation. A few months later, I got something from the agency about the car being in a crash. A few months after that, I got an email from a collection agency.
Luckily, I didn't have any issues. I just wrong a short, blunt email saying this is the wrong email address, I have no relationship with this company, and they realized the mistake and left me alone. That said, this was a European rental car company (and a European collector, I assume). The American ones might have been more aggressive.
Not an og public account but my first name starts with the first letter of the English alphabet twice. By quiencidence so does the first letter of my last name. That puts me dead top of any and every AD corporate email list. I get CCed on so many things. I think the worst, not the worst but it was the first time and I was brand new in my tech career and didn’t say anything until waaaaay after I should have. The CEO of a small NASDAQ was using his work account, my employer, to discuss the building of his mega house with his contractors. Specifics like cost, the address, window choices.
I get emails occasionally for I think 3 people in America all of whom have the same name as me. One is always to do with tires (tyres) he's bought, another is for a guy who buys a lot of expensive consumer goods in Costco and the third is for a guy who's involved in a charity. I don't get any for the latter for any more but I do for the first two, despite emailing all three repeatedly about it. The last email I got about the charity was a disrespectful one about a wealthy couple who they were expecting to receive a large donation from. He took action after he realized that one had escaped into the wild.
284 comments
[ 3.5 ms ] story [ 269 ms ] threadhttps://www.bar.com/
Probably his most famous domain was corp.com, which was recently bought by Microsoft because it turns out that older versions of Windows and other Microsoft products actually invited people to use corp.com for their internal Active Directory names. Problem is, when those machines are outside the internal network, they're constantly trying to share passwords and other sensitive data with corp.com.
More here:
https://krebsonsecurity.com/2020/02/dangerous-domain-corp-co...
https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-...
I've seen many people locked out of their hosting accounts because they have their primary account email address as one of the hosted email addresses on their accounts, and suddenly they've lost access to their web hosting control panel because their domain expired or their email was otherwise taken offline.
I think what all of this boils down to is that people don't receive any actual training about how these things work. They pick up a phone and start using it and figure it out along the way, or they buy a computer and set it up the way Microsoft says and never think twice about anything else. The amount of training that people receive is dismal at best and most the time it's not even that.
There's also a contingent of the public that doesn't want any training and their main argument is "well this is how I've always done it!"
This is a surprisingly difficult risk to effectively mitigate.
If you have a domain and tie your domain registration and hosting accounts to an email address hosted by the domain, you could get locked out if something goes wrong with the domain registration.
If you tie your registration and hosting accounts to a third-party email account, you could get locked out if the third-party decides to nuke your account for any arbitrary reason (cough, cough, Gmail).
If you tie your registration and hosting accounts to a cell phone number, you could get locked out if someone attacks your phone account (unauthorized porting, SIM swap, etc) or if the cell phone network goes down (think California fire protection blackouts, or hurricanes).
If you tie your registration and hosting accounts to TOTP or Webauthn 2FA, you could get locked out if you lose or damage your 2FA device.
There's no good way to authenticate domain registration and hosting accounts unless your registrar and host have the foresight to allow multiple authentication paths.
This is interesting. I usually point all my WHOIS info to <something>@<other-domain>, but <other-domain>'s WHOIS goes to one of my personal Gmail accounts.
I'm going to switch it to a domain where I control the DNS, so I can change the MX record if a provider decides to nuke my account.
Now I'm wondering how this works with any registrar's domain privacy feature — technically, they're the "owner" of the domain in the WHOIS record.
I'm surprised there aren't more in person or by mail verification options available. I guess partly due to the "who pays for it" aspect (and people moving, etc., plus no verificaion method is completely accurate), but the current state of authenticating online accounts is rather worrying in general and allows anyone anywhere in the world to try to take over your accounts.
That doesn't leave many options.
It’s amazing how many services will not confirm email addresses and just send sensitive info (and make it hard to unsub).
Many years ago I had a CEO who made us keep one of those “retype your password to confirm” that I thought was stupid, but we did it. I think of how right he was every time some Uber driver signs up with my email.
I couldn't send mail from that address, but I sure did receive it. An endless torrent of weird junk, and a surprising amount of personal data, business secrets, and passwords. If I was maliciously minded I could have done a lot of damage.
I spent those months trying to find any way to get a message into Google to fix it, and only eventually succeeded when I learned a friend-of-a-friend actually worked there, and they helped un-scramble my account.
I don't know how many there are, but are you saying that 3 would be a lot? There's probably hundreds of internal libraries for other languages like Java, C++, Go, etc. 3 really doesn't seem excessive.
Tangentially related -- catch-all email accounts also get a ton of mail when the domain name they're tied to is close to something that many people send messages to. If you own a domain one keystroke away from a high volume domain - you'll get access to all sorts of things you shouldn't be seeing.
Google's "targeted-journalist-level" Advanced Protection Program means I don't have to worry about password resets or account recovery stuff on the account.
Though I have lost track of the number of services I didn't have immediate access to since someone signed up using my email address, and reclaiming it can be a battle sometimes. The Apple ID was interesting - but luckily everyone's "first pet's name" was "Fido"... (Seriously... Please validate your emails everyone!!!)
Often, whenever a real mailing address is included I print out the email and send it in a real letter with a friendly (if just a tad passive-aggressive) note inside. But overall I try to do the right thing for important documents and correspondence.
I do shudder to think how many random accounts are just an email-password-reset away from having access though...
I did get a subscription for a Diners credit card, and I am torn about contacting the guy; I don't look at the emails but I probably could find the owner relatively easily. I contacted Diners and they didn't believe me. (Who the heck is using Diners these days?)
Thanks, I never heard of that before. https://landing.google.com/advancedprotection/
Linkedin is criminal in this department.
I don't really like email alerts for social media as a concept anyway, if I want to hear what LinkedIn has to say I'll look at LinkedIn itself, it has no business injecting itself into the rest of my life via out-of-band methods like email.
The worst was when my wife began receiving outage alerts from a Fortune 100 company's NOC. Not just simple Nagios alerts, but detailed technical information accompanying the alert. When we attempted to notify their security team they threatened us for having "hacked" their system. Turns out they realized a former employee added their personal address to the distro when they left so they could help with the transition.
Then there was the mother who signed me up to get email when her kids didn't show up at school ....
Then again I used to have a fax phone number one off from a pharmacy, other people's prescriptions every week
I get emails from middle schools, online shopping of course, but also emails for at least a couple Trump supporters (not trying to profile; simply getting Trump campaign's constant barrage of emails demanding more money; nothing from Joe's side yet)
What I find particularly annoying is when parents use this account to register for a kid's school alerts. All sort of important stuff like "Do not send your kid to school this week!" or "Where did your kid go?" and because the school itself is also not super savvy, there is nowhere for me to send a reply saying "You need to fix this!"
Its crazy.
I contacted Amazon about it the first time and they wouldn't cancel it or issue a refund because I was the recipient, not the purchaser. I worry that someone has been written out of their Dad's will because he thinks they have forgotten father's day 3 years running.
Most recently I’ve been getting a cell phone bill for a South African person. It had their address so I looked it up on gMaps and it was a small home in a shantytown. I just received an email telling me the service was being cut off for non-payment. No email for me to reply to.
Fortunately his phone number was in the emails, so I called him and had a great chat, he got his Nan on the phone and we spent ages walking through our family tree finding connections.
There should be a standardised protocol and flow which makes the experience much better for both users and developers.
Perhaps the author collected those accounts 12 years ago when it hasn't been the case? Or does he click on the verification links?
We're actually moving in the opposite direction now. A lot of services nowadays became less strict in what they require to open an account (for the sake of growth and engagement) compared to a decade ago.
Worst though is that PayPal created an account for another person with my email address. Apparently they don't send out the initial prove-your-ownership email. Still unresolved because PayPal refuses to believe me that I own the address, even though they don't even want to send a test email.
I've been talking to their support people on-and-off for months now and they seem utterly incapable of resolving an issue like this.
A lot of them are people releasing some political steam and we can usually tell if a company has been in the news based on the type of messages that come in.
I still don’t really understand how people make the mistake given the nature of our site, but it is what it is.
1.x decades later, I regret it. I get people's medical information, legal documentation, all of it. It is stunning to me the quantity of PII that flows into my inbox daily. Back when it was a trickle, I used to try and contact the people involved to let them know of the issue. It almost never worked out, and I got tired of getting yelled at.
At this point, I keep my account simply because if I were to close it, I don't trust whomever might have it next. It is what it is.
https://www.zdnet.com/article/rupert-goodwins-diary-30391728...
I have a similar .mac/.me/.icloud email.
Unfortunately the innumerable 1,2,3 ended users of the same email get wearying to deal with for both of us. We both have persistent UK versions of ourselves, lots of offers for free tickets to football games in the UK that I have to regretfully pass up; as well as a variety of other people that we've managed to classify by geography.
The PII stuff is really the hard part- real estate documents, job offers, legal communications, x-rays, etc. You want to help but often it just generates a lot of heat without helping.
This whole thread is the reason I started requiring extra email verification when members signed up at our hackerspace/makerspace. A surprising number of otherwise-bright people don't know their own email address.
I also get fun things like family photos from people I've never met before
The crazy thing is that we don’t really have any way to contact these people. None of the invoices include identifying information other than what state the businesses are located in.
For a while, any time I got signed up for something where they provided a cell phone, I’d use my Google Talk number to text the cell phone and inform them. I don’t really bother any more, as generally people are just confused and it ends up being a lot of back and forth.
A sampling of the other emails I’ve received over the years:
- Nude photos from a woman who, when I informed her that I wasn’t the person she meant to send them to, got quite offended that I didn’t want her pictures. After a little back and forth she realized her mistake (and I deleted the email and the pictures).
- Pictures and video of a baby, along with emails criticizing me for not wanting to see my baby, and not supporting her.
- There’s a man in Texas and a man in Florida who have both used my email address to sign up for what could only charitably be described as dating sites. These sites all seem to use the same base software, and have no way to remove your account. With these I’ve taken to resetting the password and deleting the account. Sometimes I’ll have a little fun and change the bio to something like “I hope you like STDs, because that’s all I’m bringing to the table”.
- Receipts for web purchases. Mostly these are boring, clothes, home goods and the like. However one person used my email address when purchasing several hundred dollars in sex toys. The email included his name (same as mine) and his address, along with a detailed accounting of his purchase. I was tempted to print that and mail it to the address with a nice note advising him to use his own email address next time.
- Job search emails. Sometimes it’s scheduling interviews, sometimes it’s notification of a start date and some paperwork. I’ve also gotten an email with the results of a background check that wasn’t favorable.
- The absolute craziest one was an email exchange that lasted over a year. This man in California would send texts from his phone to a bunch of different email addresses complaining to his wife, who had left him (and was included on the emails). He would rant about her new boyfriend, complain that she had stolen money from him and wouldn’t visit with his kid. It was a bit sad but I tried repeatedly to convince him that I wasn’t the person he thought I was, even going so far as to send him a selfie and asking him if I looked anything like the person he thought he was emailing (his response: yes, but you’ve gained a few pounds! Jackass.). I never did convince him, and he refused to stop sending emails. He told me I should just block him. I suspect he was having some mental health issues and perhaps wasn’t all there. The emails finally stopped. I kind of wonder if he passed away or ended up in a facility without access to his phone.
100+ emails a week in my primary inbox that are from people signing up to random stuff in my name, basically any/every service you can imagine where I don't already have my own account (large social networks and sites in countries other than me own, online shopping sites, etc).
The other interesting thing is I seem to get a LOT of email for addresses that "almost" match mine, as though Gmail is doing fuzzy-search for addresses? Eg lets say my email is "david@gmail.com", I get dozens of emails a week for "david.17@gmail.com" and "davidab@gmail.com" and stuff like that. I can't explain this one, and everyone I bring it up with says it shouldn't be possible.
It's gotten to the point where I've created a more normal fullname@gmail.com and then do some filters/forwarding on the old one for the more important emails, then just check the old one every couple weeks to see if I missed anything, because it's just not usable anymore with notifications on.
15 years later: https://i.imgur.com/FlCi3xT.png
Almost none of that is actually spam. Mostly list/membership subscriptions, reminders that my $(VEHICLE) is due for service at $(DEALERSHIP), and misdirected personal emails ranging from amusing to upsetting.
At some point both his wife has asked me what I thought about a forwarded message from their mortgage broker and his brother in-law asked me my input on buying a 30ft yacht and what to name it.
I always ignore the serious ones for obvious ethical reasons but can't help myself with the more innocent cases. I've found I quite enjoy giving non-commital responses to these emails that won't give up the gig but also don't help them either, things like: "that seems pricey" or "cool! What are you going to name her?", and "she's a beaut!".
I suspect it will go on for a while.
I tried reaching out, but my email was probably ignored because they thought it was a scam.
I'm sure that sending that info insecurely at least... violates mastercard agreements? I dunno. I just hope people checked and double-checked what emails they send.
My catch-all mailbox has received an insane amount of highly sensitive medical records over the years. Most of these mails were coming from employees of the company itself, not external correspondents.
I have since modified the catch-all mailbox to reject mails from the medical company, so they get a bounce message. This has not reduced the number of messages, but at least they will know something went wrong...
People are not very careful, even with highly sensitive data...
Luckily, I didn't have any issues. I just wrong a short, blunt email saying this is the wrong email address, I have no relationship with this company, and they realized the mistake and left me alone. That said, this was a European rental car company (and a European collector, I assume). The American ones might have been more aggressive.
I used to get an insane amount of mistweets around the start of every year.