Ask HN: People who use different emails everywhere, who sold you to spammers?

290 points by dyingkneepad ↗ HN
I've heard a lot about people who have catch-all email accounts and subscribe a different address to each service. So, these people may have a nice idea of who sold or leaked their email addresses based on the spam they are getting. Are you one of these people? Can you name your spammers?

As a side note, I have a friend from not-US who by mistake used a special address only for this country's IRS equivalent (he had something like "unit 12A" instead of just "unit 12"), and he would occasionally get physical spam to that address. I remembered that, then decided to ask this.

437 comments

[ 3.3 ms ] story [ 378 ms ] thread
This was years ago, but I once contacted Barracuda to inquire about buying one of their Spam Firewalls. I used "myname-barracuda@mydomain". Before I even got a response from the salesperson, I got a spam e-mail to that address.

Then I got a response from the salesperson. I asked if he knew that I had started getting spam to the e-mail address that only they had, and he said there was no way that was possible.

I figured that his machine had some malware on it, and that harvested my address and sent it to the spammers. But the cynic in me wondered if they wanted to make money from selling the spammers my e-mail address AND from selling me a spam firewall.

Sounds more like they were trying to convince you of the need for a spam firewall :)
Nice inbox you have there... be a shame if it filled up with spam...
We are your friends.
we really care about your privacy
I use a different email for everything so I have been waiting very patiently for this and guess what… so far no one.

Absolutely no one.

And I've been using this system for over 5 years now

Same here. I’ve used a separate email for everything for the past 3 years, and so far no spam has been sent to any of the addresses.

…except for single email with a google docs link that got sent to cs@mydomain. I don’t know what I used cs@ for. I don’t have any other emails to that address. Very odd.

Same.

I very rarely receive spam on the email address I used to post on the Debian bugtracker, and on the generic address I give to individuals. Apart from that, none of the specific email addresses are spammed.

It's been almost 6 years now. I sometimes understand why I receive some infrequent broadcast mail thanks to the specific address I used to subscribe.

It actually happens extremely rarely, perhaps less than once a year. Though that may just be an artifact of my already heightened discretion in who I give an email address to at all.

The most recent offender was my kid's tee-ball league.

Most recently I got an email that was clearly spam (had a link to a website with a .zip file that was clearly malware) that was a reply from an order I placed with a supplier a few months ago ($8,800 worth of 105Ah rackmount SLA batteries) - the entire email I had previously sent was quoted. It's pretty sad when your legitimate suppliers are getting compromised and leaking data like a sieve.
Had this same thing, but then with a couple of my customers.

This is a phishing attack.

After a while I talked with one of those customers and they knew about it. It was "an email that got compromised".

Eg. one of their employees did fall for the phish and opened the email, clicked the link, opened the binary. Got infected and (a part of?) their inbox uploaded to the spammer. That is then used to send out new targeted phishing attacks where the name is spoofed, but send from another victim of theirs. Pretty effective phishing attack it seems. Took me a bit before I realized what I was looking at as the email seemed to come from that customer. It was only because it was a bit weird that I noticed things being off like that the email address itself was different.

Avery (the brand that makes those label stickers you get at Staples) spammed me even though I explicitly declined their marketing list.

Once a month or so I get unsolicited mail to my LinkedIn email address.

Other than that, I was surprised to find after a good 5 years of monitoring that I haven’t gotten spammed through unauthorized sharing of my email.

I actually do this for every service I put my email down for. It’s been about 2 years since I started.

Fortunately (unfortunately?) my email has only been sold once, and it wasn’t as egregious as you might think.

Amplitude, the user analytics company, sold my address to at least 3 companies who simply started emailing me as if I’ve always been a subscriber to their newsletter.

I do use their free plan though so I’m not mad about it.

Mostly cryptocurrency stuff in my case. Over the past 5 years, almost all of my spam (a measurable but manageable amount) has come via my old btc-e address. I've probably been getting this shit for more like 7 or 8 years in total, long since before they got shut down, and I mailed their support when it first started. They said there was definitely no hack and definitely no breach. Not sure whether that makes this worse or better ;)

I get the odd one from the address I used when buying my ledger hardware wallet in 2017. Their address list was famously leaked a while ago, and this email address was on it - luckily not my address or phone number though.

Then occasionally I get one to my amazon-specific address. I figure via one of the vendors I've ordered from via Amazon? But who knows. Bezos didn't get his billions by not trying everything.

The worse spam I've seen in when a crypto hardware device company got hacked and my email got leaked.

The worse constant spam I've ever seen, some of it use legit expensive mail services, and a lot of it doesn't land in my spam folder.

I have another email that's put publicly in a website and it gets crawled, and I get no spam from it, just legit emails that are probably automated from people that wanna do business.

I used to. Stopped doing it as it was too much hassle to keep track of, but the biggest spammers were tech recruiters. I think some of them post fake jobs just so they can harvest your email address when you apply. Then that email address gets passed around on various lists for years.
There's a recruiting firm in Dallas, TX that requires you to come into their office in order to apply for a position at one of their customers. What does this meeting consist of? A literal list of PII-based questions - nothing pertaining to the role. When I called them out on this they insisted that this is how, "their process and culture" works.

Also not to say this is how all recruiters work. I've spent enough time in the industry to know in 2 minutes or less if I'm talking to a decent recruiter.

I've experienced similar. It's so they can tell their clients they've met with each candidate in person. Decidedly less of a selling point these days.
"I used to. Stopped doing it as it was too much hassle to keep track of ..."

Can you describe what it is you need to keep track of ?

I imagine giving out servicename@domain.com and if you get spam on that pseudonym you just block it in procmail or smtpd.conf or (whatever you do in gmail).

Right ?

I always laugh to myself about the "too much hassle" lines. My password manager has 0 issues managing the unique usernames and strong passwords for each account, therefore, it is not a hassle for me. If they want to be a glutton for punishment and an easy target for being pwnd, then so be it.
Hasn't LinkedIn pretty much replaced this? I get recruiters on LinkedIn all the time, but very few if any on my personal email.
Allow me to introduce you to the world of recruiter email lookup services:

- https://recruitin.net/

- https://www.gitrecruit.co/

- https://amazinghiring.com/amazinghiring-chrome-extension/

Recruiters feel that email/phone have better response rates, so many of them try to bypass linkedin by looking up your details in such a service. The third of these in particular found my details from the gravatar leak, as best as I can tell, so I wouldn't expect high ethics from these companies.

It happens about once a year for the 15 years I've had my emails set up that way, and as far as I can tell, 90% of it has been hacked systems rather than sales.

The worst was when spammers got ahold of my email from a hotel chain and would add random letters to the username. So, for instance, the email address I provided to the hotel chain was something like hotelchain-jawns@example.com, and the spammers would send to aaahotelchain-jawnsaaa@example.com, bbbhotelchain-jawnsbbb@example.com, etc.

That forced me to stop using a catch-all and only accept usernames that conformed to a certain format.

Sounds like pattern based blocking would have been a nice feature in that case.
That's interesting, I wonder why they decided adding random letters? It reminds me that I used to get a bunch of spam to completely bogus addresses for example:

     E1iusbp-00017V-NM@steve.org.uk
It took me a while, but I realized that these were Message-ID headers that were being used as email-addresses, I just assumed there were some badly written scrapers out there, treating "blah@blah" as an email address and harvesting all such matches.
I started getting satellite radio spam to the address I used at the car dealership/service.
The most common thing I see is companies emailing me after I've asked them not to. In that case I just disable that site specific email and move on.
After doing this for years most of my catchall email spam is from breaches.
Dropbox and gravatar breaches.

In particular recruiters (including from 1 faang) have picked up the gravatar breach, and after some gdpr digging I've found a few of the unscrupulous vendors that laundered the breach data into the recruiter spam industry

The list is long and I'm on my phone. Several were from breaches like Adobe.com and Park mobile. MyFitnessPal. Cadillac (used email for a free brochure).

I think the real worst offender is LinkedIn. I put one email on my resume and a different one for logging in to LinkedIn that should not be public. And yet I get direct recruiter spam there all the time.

Linkedin in forwards a recruiter messages to your email. Are you really getting emails without a message in your linkedin inbox? I get quite some recruiter spam, but always via a LinkedIn message.
Not the person you responded to, but I've had the same problem. Recruiters will email me directly with shallow compliments on my LinkedIn profile.

It might not be directly through LinkedIn- about once a year, random recruiters will call my personal cell phone, even though I have no how they possibly got it. By now it's on a list that gets sold, I'm sure, but where it started, I'm clueless.

The most infuriating are recruiters who cold-email me at my work email. There's something about contacting me via my official capacity as an employee to take a different job that really gets under my skin. Might just be that I am very, very much not a "bring your whole self to work" kind of guy and more of a "keep a hard divide between my work and personal life" one.

I mostly use one single address, but I can tell you exactly where all the spam comes from: idiots whose name is the same as mine.

They give my address as if it belonged to them. Probably they created addresses like narag33@server and they believe that it's narag@server instead.

So not only I receive all the spam from dubious sites that they suscribed to, but also their legitimate mail from lists and friends.

My namesakes are idiots. But some of the companies responsible of the subscriptions, like Paypal, are assholes. They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.

Same here. I thought I was lucky when I snagged one of the first GMail invites and was able to pick a 5-letter user name. Oops: https://i.imgur.com/Y5c1iIt.png
I thought Gmail didn't allow usernames shorter than 6 characters.
Ah, you're right, it's 6 (first initial + 5 character last name.) I can't count...
Same. I even paid about $10 on eBay to snag an early invitation.
I have the exact same issue. My name is quite common and I registered my email address more than 15 years ago, so it looks something like <firstname>@<server>.

Now I get phone bills, internet bills, promo emails, subscription emails, two factor emails, and sometimes even bank related emails addressed to someone who shares their first name with me.

It's been years now. I've reported the emails, but neither the intended recipients, not the sending organizations seem to care.

I agree, my namesakes are idiots too and so are the companies who don't have a simple email verification system. :(

What I do is log into the billing account and change the email to support@billingcompanyinsertedhere.com

Never heard from them again.

This is one hundred percent the problem. I got my address back when gmail was invite-only (so its super simple), so I get tons of emails meant for other people.
Any time I can I login to their accounts and update the email to null@void.com .
You’re probably joking, but in case you aren’t, don’t put in an address for a registered domain like void.com, as you’ll just be redirecting the spam to them.

Instead use the reserved domain example.com.

I just use the domain of the site the account belongs to. If I'm getting really naughty, I will put sales@<server>
Oooh, I hadn’t thought of sales. I always use support@server whenever a site asks if I want to join their newsletter.
I deal with the same problem with fullname@gmail. My name is very common, surprisingly so if you're not Italian. I get emails for:

* A Joe who runs a lego engineering team at his high school

* A Joe who goes to bible study in Utah

* A Joe who is building a house in Victoria Australia (I'm so familiar with him/others screwing up his email that I can forward it to him and his wife easily.

In my personal metaverse, I'm really into falconry (I've ordered several leather falcon hoods), I have a commercial truckers license, I'm part of a pushy childrens' soccer league, and am eagerly planning a trip to the holy land. I did get an invite from one of them to play golf together in Wales.
> In my personal metaverse, I'm really into falconry (I've ordered several leather falcon hoods), I have a commercial truckers license, I'm part of a pushy childrens' soccer league, and am eagerly planning a trip to the holy land. I did get an invite from one of them to play golf together in Wales.

Your targetted ads must be really interesting :-)

The silver lining is, of course, that no one has yet built an accurate profile of you ...

For me, it's a Shawn in Colorado who goes to bible study, renovates houses, and signs (me!) up for every Republican newsletter he can find.

Also: When I use Facebook's feature "show data that others have uploaded about you" (or similar), it is full of this guy's stuff that was provided to facebook (and attributed to me) by businesses this guy has relationships with.

Nothing I can do to remove it.

LOL. So, my name is a pretty standard Indian name and many a lot do not confirm their email addresses (Banks, Insurances, etc). India's default email provider is, of course, GMAIL (even government officials use it). I was one of the early distributor of Gmail invites (I invited a lot) and I own brajeshwar@gmail.com

Now, I get Bank Statements, Credit Card, Health, Insurance and whatnot for over 5+ "Brajeshwar"s in India. I just ignore them as I use my GMAIL ID just for newsletter subscriptions and ramnants of the old Internet but I do check once a week during my weekly digital chores.

> I do check once a week during my weekly digital chores.

OT, but I’m going to start using “digital chores”. When my partner asks what I’m doing and I answer “paperwork” it doesn’t sound quite right.

I have the same problem and at least once a week someone tries to recover the password to “their” email address. I’ve gotten unlimited spam which my provider usually deals with well but sometimes there are periods of days where 5+ per hour get through. I’ve gotten dick pics and all kinds of receipts. I have hotel logins with the wrong name assigned because I could only make accounts by recovering one someone else made (so my hotel receipts have the wrong name on them).

I used to reply to misaddressed mail when it amused me. I used to string along a whole family of people that included me in group emails with racist Obama memes and pictures bragging of poaching.

I stopped replying to these when in another case I was asked to tell estranged and family member that their sister had cancer since I was the only one still in contact with her. I did inform them they had the wrong address at that point.

I’m still on a mailing list for senior members of a local police department and even was sent logon/passwords to some of their systems but I’ve learned not to try to correct these things, it’s just too much of a hassle. In the case of Venmo and Verizon I couldn’t get it fixed even with phone calls.

Maybe this is why I’ve received upwards of 500 requests to reset my Instagram password over the last year?
I had an entire Comcast account registered to someone with the same name in another part of the state that took me years to get rid of. Could even login with my email address because he registered it to my account and somehow the email side stepped verification.

Imagine dealing with Comcast customer support. Then imagine not even being a customer anymore trying to get this resolved. Now imagine explaining how you're not the person on the account yet have the same name and how this is a huge privacy/security violation.

Took years to get rid of. One day I'm waiting for a silly collections bill or something to show up in "my" name for the other person.

I've had this with credit card accounts. It usually gets settled pretty quickly when I escalate it to fraud or security.
There's a <starwind> in Australia so occasionally I get stuff for <starwind>@gmail.com. I got his golf club membership info sent to my email address. I've gotten his dinner reservation info sent to my email address. For like 2 months I got his paystub sent to my email address.

I really wish I could get his phone bill sent to my email address so I could call and tell him he could have gotten a larger raise

> But some of the companies responsible of the subscriptions, like Paypal, are assholes. They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.

+1. My OG name email has been mistakenly registered for a PayPal account, but there's no way I can go about disavowing the account, or removing my email address from it.

I’ve had a few folks use my email. This is going to prove wildly unpopular but I just reset the password using the email, go in and delete the account (or submit a ticket with support to do so).

They can make a new one with their own email if it’s important.

Not wildly unpopular with me. I’ve canceled multiple Netflix accounts using my $firstInitial$lastName@gmail account. My excuse if they ever challenged me would be to say I thought it was fraudulent because I didn’t set it up and I didn’t want my email to be the only contact method.

Edit: there is one boost mobile customer who has done this to me and I can’t figure out the exact address they used (the thing where you can add periods gives a lot of possibilities), and I really wish I could password reset and close this account because approximately every other month for years I get late payment notices, then impending cutoff notices, then cutoff notices, then “thank you for your payment your service has been restored” notices. It’s both sad and annoying and I finally just black-holed everything from boost mobile and hope I never decide to be their customer in the future because troubleshooting mail delivery problems when I’ve forgotten about this will drive me insane.

I have had this happen to me as well. It was pretty annoying. Somebody used my name for a Twitch account. I wanted to do things the 'right way' so I didn't verify the email, didn't log in and change their password -- I contacted customer support instead (mostly just to see how it would work -- I have a very unusual name, so this is a kind of rare event for me). It took them, I think, years to delete the thing.

I've never really been 100% sure if changing the password and logging in to delete the account would violate the CFAA. I mean nobody would have gone after me for a Twitch account anyway, and I'd definitely have felt moral deleting the thing, but the letter of the law...

If the only identifier on the account is your email address then:

- The account effectively belongs to you anyway.

- The person who created it isn't going to be able to recover it if they lose their password, better they know about this sooner than later by you locking them out.

I don't think the first one is actually obvious. An account was set up. It is on Twitch's computers, and it has a password designed to keep me out. Twitch thinks they have allowed in some other person (who's agreed to their licensing agreements, etc). It seems to me that I'd be circumventing their account system using the fact that I happen to control the password recovery mechanism.

I mean this is essentially silly, because almost certainly what has happened (given my weird name that nobody would normally stumble across) is that my email address has become listed in some database and somebody has decided to use it to sign up for services for shady reasons. So I'm not arguing that I couldn't have gotten away with it. Definitely I could have. But I think it is an interesting reflection on these signup systems and how they might interact with the CFAA, that this weird situation can occur.

My thinking on this is that if twitch don’t verify your email before creating the account then that’s on them.
If you still get emails from them you can open the email source on GMail and see where the email was originally sent to (the full address) with all dots and +x addition in it.
Have tried that. The address in the smtp headers only has the raw address (no dots), and yet boost still claims no such account exists.

Obviously, inquiries to boost mobile support haven’t been helpful either. It’s a mystery.

> This is going to prove wildly unpopular but I just reset the password using the email

As someone who has done this too, I wouldn't be surprised if it violates some misuse of computers act - but I'd rather that than be responsible for the security of someone else's finances

(comment deleted)
Yeah, I have firstlast@gmail.com with an extremely common German name. I’m on some investor list for a biotech company, I’ve received patent applications and internal discussions, holiday pictures, quotes for everything from building houses to repairing things.

I don’t even use gmail anymore, but I keep looking into what kind of fun emails I get (and I report every opt-out-only newsletter, which includes Google Fiber and some US Democratic Party thing, as spam).

I get random invoices in languages I don't even speak due to something similar.
I was getting some dude's email for about 7 years. Started with newsletters and discussion threads for a journalism guild and a teacher's union. I found that amusing and left it, but one day emailed whoever was in charge and let them know I'm not the intended recipient. Stopped for a while and then it started again and I ignored it.

But in the last few years I started getting hotel reservations, golf course membership, bills, orders for liver supplements. I tracked down who it is ages ago and sent them an email (I was cordial - "Hey we have such similar names but I'm on the other side of the world, crazy huh?") and got no response. Eventually I replied to the liver pill people and said "Hey this isn't me and if you could let the actual person know that'd be great" and the emails stopped. Way to go liver pill people.

I have my own domain that I used to use for hosting random stuff and my email (nowadays it's just for the email). The email is a catch-all box.

I once got someone and their family's Disney World booking details sent to <theirname>@<mydomain>. It was a real thing, I could click the link and go view their booking at the official website. I have no idea what made that person to type out <mydomain> as their email, the domain is not even close to any publicly hosted email services or any company names. I kept getting more notifications of the upcoming Disney World trip so I ended up disabling that particular address so that those emails bounce.

> I was getting some dude's email for about 7 years. Started with newsletters and discussion threads for a journalism guild and a teacher's union. I found that amusing and left it, but one day emailed whoever was in charge and let them know I'm not the intended recipient. Stopped for a while and then it started again and I ignored it.

I had a similar experience, funnily enough golf course memberships too. Doing minimal OSI work on the numerous emails I found the guy on facebook and friended him (accepted due to same surname I assume). I remember saying something like:

"Hi, I noticed you just signed up for an Epic Games account, and you happened to use my email address <lastname>@gmail. Would you mind not doing that, please?"

He responded that I was a creep and that it was his email, and proceeded to block me. I mean he might've been right on the former, but patently wrong on the latter.

it has gotten so bad in usa, with creep calling. Seems whenever somebody is not happy with something their immediate response is you are a creep. I find those kind of people disturbing.
You might even call it creep creep. (Sorry, couldn't resist)
> Sorry, couldn't resist

The creep creep creep ;-)

Incorporate the first strike doctrine. Before contacting someone that is erroneously using your email address, call them a creep up front to disarm them mentally. Then proceed with your demand that they stop using your email address.
I waited until my Gmail doppelganger ordered a pizza, then from the phone and address details in that email I was able to text him and say I hoped he enjoyed the pizza, that his house looked nice from Street View, and please stop using my email address. He did.
I kept getting receipts from a nice grandmother from Missouri (at least I think it was Missouri, but that detail doesn’t matter). I don’t live in Missouri. However, she must have had a similar gmail account. But she couldn’t get her email address right. It was fine for a while, just the typical odds and ends emails. Then I started getting shipping receipts and return information from a clothing company. And then receipts for holiday presents for kids. Eventually I had to use the info in the emails to write and actual letter to this woman, letting her know about the email mixup. I only knew her address from billing information on the prior receipts.

In retrospect, I probably should have printed the emails and then sent those too. That may have been taking the bit too far, but it would have been much funnier from my POV.

I have a similar experience, I received emails from his families with children photos, emails from his certification, notices about his internship, etc..

I sent a few emails to his family explaining this, they told me that I was wrong. I gave up and just ignore all of those emails.

It's on gmail and I don't use gmail for important things anyway...

> they told me that I was wrong

What a bizarre response... somebody who isn't the person you intended to email has replied to you from the address you sent the message to. What could possibly make someone think that the person replying is the one who was wrong?

Someone who doesn't want to make the effort to correct things?
Some people just don't understand how all this works behind the scenes. It works by 'handy wavey magic' and the messages just arrive.

In their minds, they did email their brother, and the weird guy who replied is wrong. It might be possible, with enough investment of time, to help them understand how/why it went wrong, but as nicolas_t experienced, it is sometimes easier just to block them and move on.

I was lucky, I was a Hotmail early adopter and I regularly receive emails for two namesakes. I was able to figure out their correct email addresses over the years and they are both tech savvy enough to understand the issue. I forward on messages when they come through, and I actually met up with one of them at a house party he was invited to.

When I forwarded the invitation, he suggested coming along as well and I figured why the hell not. It was a fun ice breaker in a room full of strangers.

Print out the emails you get from them, highlight the recipient email address, then mail them a love letter containing their own messages. Put a parking garage as the return address.
For 20 years I've been getting emails from construction industry companies, addressed to a Japanese sounding name but my email address. Sometimes they are of a personal nature and I reply telling them I'm not Soichi. Sometimes I leave the guy messages through those contacts hoping they reach him. It originated from a (now gone) directory entry in the San Francisco chamber of Commerce which used my email for some reason I'll never know.
Someone decided to start a weed business in Spokane Washington using my gmail address as their business email contact for all of the greenery suppliers. Now I get tons and tons of marijuana-related spam. I guess they are too stoned to tell the difference between 20 and twenty? I don't know.
A lawyer in Texas has the same initials as I. Their domain is the same as mine + "law" at the end. Guess how many of her clients forget the "law"?
That would stress me out! I'm a completely legitimate medical cannabis patient in the UK and I still get nervous about reading emails from the clinic when I'm at work.
Same here. My name is very common and I have an email similar to John Smith <smith.jj@gmail.com>, and I have around 10 people around the world named like me or similarly that use my email for everything. I receive, almost weekly, paid invoices, flight tickets, appointment reminders, a teen soccer club newsletter, new instagram accounts, etc anything you can imagine really.

A few years ago I tried to contact some of my other selfs to ask them to mind their email, but never got any response. I'm just ignoring them now or hitting the spam button (after all, the senders should have a process to check the address instead of taking erroneous email addresses written by hand on paper).

My wife has had the same problem for a long time. What finaly got through was to contact one of the travel agencies to point out that she got plane tickets in someone elses name and to please talk to this woman that she has the wrong idea about her email adress. Has been quiet for a few years now.
My real surname isn't a common one, so I went ahead and grabbed mysurname@gmail.com in March 2004 when Evan Williams sent me a Gmail invite. But my surname is English and one that is predominately found in the UK, Canada, Ireland, South Africa, Australia, and New Zealand. So I sometimes get invoices, signups, verifications, and other junk from someplace in Australia and those other English-speaking countries. I've also found it's a waste of time to correct it. Once an address is "out there" in the wild, it's going to get passed around.
> They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.

Add Discord to the list.

Use an account with an unverified mail? Fine by us!

Go and try to actually verify the mail? Alarm bells go off and the acct locks up (sorry, not sorry for the owner of that acct)

This happens to me all the time. Perhaps the most amusing instance went as follows (quoted verbatim, with identifying information omitted):

This email is regarding: [].

Class: MATH 7 ADVANCED Prd: 2 Teacher: []

-----------------------------------------------

Good evening, please check [] for missing work, complete it and submit it. Let me know if you have questions or need any help or anything opened up or more tries. Remember the Ch. 3 test due today. Thank you, Mrs. []

I replied:

I think you've got the wrong email address.

Thanks, David

The teacher then replied:

My apologies. You are correct. Your son is crushing it :) and I failed to take him off the group email. Thank you so much for letting me know and keep up the great work! Again, I apologize for the inconvenience. Mrs. []

I then replied:

Thanks! Only one thing: I don't have a son.

> where all the spam comes from

The problem is the word spam. What you describe, misdirected mail from completely legal businesses is not really spam, even if it is junk for you personally.

There is aggressive marketing of very vaguely related products you have actually registered for. There is marketing of illegal products mostly using harvested addresses. There is phishing often using stolen addresses.

If you want to understand the problem as the OP obviously does just speaking of spam is not helpful.

Spam has a legal definition:

Unsolicited commercial messages.

If the actual receiver didn’t solicit the message, it is spam. It doesn’t matter if the business is legitimate or not, if anything it makes it worse because the FTC occasionally does fine companies for sending spam.

Legally, you have to verify the email address before sending any further messages. If you don’t, you open yourself up to some serious fines if and when the FTC or whomever decides they want to make an example of you.

So phishing and Nigeria letters are not spam because it's not commercial but criminal activity? Not everybody would agree.

What about selling fake products?

You’re getting into fraud territory and leaving spam territory.
What you describe...

Those persons give my address all over the place. Don't you understand the implication?

Also using unverified addresses by Paypal and other assholes is irresponsible and honestly I can't see why it isn't spam.

Edit: Add Netflix to the assholes list. I've just reset the password for another idiot.

I have a gmail account and a yahoo account. I consider these my spam accounts for anything that doesn't accept email with a + in the name.

Over a year ago, I noticed that somebody's paypal was set to my gmail account. They had also used my account for payments to Donald Trump (I was getting hilariously desperate and pleading messages for more donations) Banggood, and Amigo Loans (as guarantor)

I was able to get information about different addresses they have lived (Ireland - not sure how many Trump supporters live in Ireland, which was weird), what other email addresses they had, etc.

In the end, I logged into their paypal (surprisingly easy) and changed their email address to the correct email address, and emailed them their new password.

I still get the odd one-off email from other places, such as a damp report for a property in Hemel Hempstead, but at least I haven't had any more paypal messages. I sometimes wonder about the legality of what I did - obviously I did nothing malicious, but I suspect it contravenes the letter of at least one law. But the thought of being made in some way responsible for the security of someone else's finances filled me with dread.

This has been my experience too. I have <lastname>@gmail since 2004, and have for the last decade at least used a separate domain for all my accounts.

I haven't noticed many leaks/sales at all of my specific account addresses. I get almost all my spam on my regular gmail, and promotions for companies that my namesakes have signed up for, left my email at a store, etc.

I have identified several people from the variety of emails I get, including work/school/personal.

> But some of the companies responsible of the subscriptions, like Paypal, are assholes. They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.

This is my absolute biggest gripe. Someone signed up for AT&T using my email. I contacted their support on facebook, and even after explaining the whole issue they asked my for my phone number, and recommended I call their support. I'm not even in the country. They stopped responding when I pointed that out.

While I want to trash AT&T (deservedly), they're unfortunately not alone in that behavior.

Same with me-- someone used my email to register for Airtel India, and I started getting his bills. Airtel have a complaint/abuse email and I told them about the mistake-- there was a lot of "hoo-hah" but nothing happened.

The bills are in encrypted pdf-- but the encryption is trivial to remove. I looked at the bills, its someone with a name similar to mine, just one letter different. I emailed the real person, telling him he had used my email, but got no reply.

I just press spam now, and the emails have stopped coming to my inbox. But I still get the emails 6-7 years later. Its mind boggling as how a) Airtel never confirmed the email b) Havent stopped sending even though they've been going to spam for years now

Quite gratifying to read that I'm not alone in this. I was really early into Gmail so have first.last@ and get a lot of stuff emailed to me that is exactly as you describe - not spam, just mistaken address. Hotel reservations, golf clubs, Republican party bullshit, hilarious copies of order receipts from gun shops...

(The last one of the above I replied to - it was an order for a rifle scope. I sent what I thought was an obvious joke email back asking whether it'd help me hit my neighbours' puppy at a mile range. The gun shop replied back suggesting an alternative scope... Moral: never apply UK style humour to US situations, especially not about guns...)

I have the same with Gmail. I get lots of email for firstlast@ because someone can't be bothered to remember the numbers after their username. Then I have also gotten coffee receipts for a cardiologist (he likes Major Dickason's blend), wedding invitations, boating newsletters, and even modeling opportunities in a different country. It amazes me how many people either don't know their email address or can't imagine someone else might have a similar name.

Most of the organizations and individuals sending the emails are accommodating. Then there are the likes of Discord, that require you to confirm that you would like to delete "your" account, when it's not even yours. Nevermind that I have no desire to delete someone else's account. They also refuse to write you in English when you tell them you prefer it over Spanish. Luckily; I speak that too.

I received a background check result from a job application for a Florida sheriff's office.

At least it listed "my" address. :)

I have a goofy/edgy/"I thought it was cool when I signed up for it" address that is NOTHING like anyone's name, but people will absolutely sign up for cell phone plans and stuff with it. What is the plan here people? I could make someone's life utterly miserable if I was so inclined, unless it's a fraudster doing fraud things (I doubt it, the address and name they use has been pretty consistent) I have no idea why you'd put your legitimate information into someone else's hands like that.
The coffee receipts I can understand - if a shop uses Square or a similar tablet-based POS system, I could see requesting an emailed receipt, typing in the wrong email address, and then not noticing when it never arrived. Some of those systems link your email address to your payment method, so if you just hit "email receipt" every time, without double-checking and catching the typo, you (the wrong recipient) will just keep getting them.
> The coffee receipts I can understand - if a shop uses Square or a similar tablet-based POS system

Oh, no; this was direct from Peet's website. Doctor's office had a recurring shipment.

Or maybe they were out- UKing you :p
Hear hear.

I have lastname@gmail.com and keep receiving various e-mails intended for people with my surname. Insurance documents and other semi-confidential stuff included.

I have a lastname@gmail and I get a steady stream of material invoices for someone who builds prisons in Africa. I tried for a while to push back but to no avail. Upside - I know how much concrete is denoted by Zambian kwacha.
Funny how it's always the republicans who can't get their email address right.

I have similar problem, from trump watch newsletters to random local republican party emails, also received few invitations to parties, medical results, private photos from trips and the list continues. Also when the covid started I was cced on some action group that was solving the covid problem in their area. The worst thing is the spam from dating sites that I get.

I think the problem in my case is that the person uses exactly the same handler but at yahoo instead of gmail.

Oh, it's definitely not "always the republicans", the Democrats also can't figure out their own email addresses. I routinely receive DNC and other left wing nonsense, including invites to parties, Biden fundraisers, etc. to my more "generic" (ie. first initial, last name) Gmail account. I've marked these as spam, unsubscribed, etc. and still get them because either the orgs are dumb (wouldn't be a surprise) or people keep signing up again when they don't get them to their real address.

This is an "I'm dumb and can't remember my email address" issue, not a political one.

I also get the usual run of the mill receipts, reservations, etc.

(comment deleted)
Same situation. I've been enrolled in a Canadian girls hockey team, received a recommendation letter for Dayton university, and various tickets for events in Australia. Glad I'm not alone.
I have first{initial} so I get emails for everyone whose initial is the same as mine
In my most generic address I mostly receive email from a Bolivian government officer, a Mexican government officer, and a Texan guy who has changed jobs a lot since before the pandemic. I've found and contacted them about the wrong address, but they never fully stopped using it for new accounts. At least I tried.
I got sent a ton of (quite private) PII from T-Mobile in Holland for some poor schmuck who can't understand that his email address is not a.byss@gmail.com, or alternatively isn't actually putting an email address and some other idiot is deciding, "This guy is called Adrian Byss, his email is probably a.byss@gmail.com". I've had the email abyss@gmail.com* since not long after gmail became available to the public. If I had less scruples I could easily have stolen this man's identity with the amount of information they sent.

* obviously this is not my email address, but it demonstrates how the situation arose.

Facebook is the worst: https://imgur.com/jQj1EwE

I do not have a facebook account

Someone did the same thing with Facebook to a person I know. She finally went to Facebook, selected "forgot password", changed it and deleted the account. Problem solved.
yesss more people suffering from this - its so infuriating especially paypal.

I mostly get signed up for newsletters but I do actually have the name and address of one of the people who uses my email address. I know its not exactly polite and didn't want to be mean and cancel any orders but I mayyy have logged in and changed her name on the delivery address to "stop using my email address please" and she's never done it again.

theres also a teenager at a school in the US using my email address on social media I get a lot of requests to send me freebies!

I also apparently have an espn account now, if I liked sports I'd be taking advantage of that one!

Even weirder was one time I had RSVP's to a wedding. The couples name was exactly the same as my partners and I's! I had to email the pastor and say I think you have the wrong email address!

I've had blood test results, graduation photos, I get emails from this girls doctors. I've contacted them so many times to say I'm not your patient but they don't listen. I also know what car she leases! At this point she must have realised!?

Similar scenario for me... countless accounts throughout various services, newsletter subscriptions, paid services/subscriptions, tickets, loan requests and confirmations, house deeds & ...

I have tried finding the numerous people throughout the world with the same name and surname as me and notifying them and asking them kindly to update their contacts or to stop using mine (name.surname@gmail scenario), some work, some don't.

At some point I even started canceling their appointments/subscriptions/closing their accounts, hoping they'd stop but apparently no use. Not a month passes without a few of these emails popping up in my inbox. The most annoying are when I am stuck in a group email with multiple recipients that are replying all.

I have a statistically very uncommon name (there’s like 3 other people with my name who have showed up on the internet) and I’ve still run into this because I use first name.surname@gmail.com.

I can’t imagine what it’s like for whoever uses the same naming convention for a super common name.

I receive emails almost every day for various people with my same name in other parts of the US, the UK, and Australia. For ones that matter, like job interviews, I try to let people know they have the wrong email address.
I have firstname.lastname@gmail.com and my name seems to be the same as a beef farmer in Australia. It was mildly amusing to get Aberdeen Angus bull semen auction details, but when I started getting his loan details from a bank I had to reply and tell them.
I had this happen to me recently. It turns out there's a highschool somewhere named after someone with my same name. Instead of name50@gmail.com, they put name@gmail.com on some of their advertising for the event, and other people just typed it in wrong and forgot the 50. I got a fair few emails from that, even after telling their coordinator about the problem.
My idiot namesake signed up for his unemployment benefits with my email address. The unemployment agency in his state won’t let me change it or contact the person by mail to have them fix it.

He also is down for _any_ sweepstakes and has dubious dating preferences. He’s out there wondering why he never wins anything and no one swipes on his profile.

Then "forget password" and take the account over.
Even if you're getting misdirected emails, it's probably a bad idea to toe the line into "defrauding a state government" by taking over someone's unemployment login.
Someone in Australia has my name and I get an email every time he's late on some loan payment, which seems to be once every 4-5 months or so.
I get email from businesses for FirstLast@gmail.com but I use First.Last@gmail.com[0] and apparently someone thinks they own that email address. I can tell you what car they drive and where they get their hair cut.

[0] dots are not significant so it's basically the same email address and it is mine, but they use it without the dots while I use it with.

All the time... I get about 4 different people trying to use my email address, mostly in the US but one in the UK as well. Thankfully the UK guy's wife also made the mistake so I just forward the emails to her now and she's stopped some of it.
I once got someone's COVID test results. I called their doctor immediately and when they acted confused, I quickly told them that they could get in a lot of trouble for HIPA violations because they sent me so much personal information.
I have the same issue. I do wonder if it's sometimes people who don't have an email address, or don't want to share it. A company insists so they give the obvious gmail address, which is actually mine.
The paypal thing sounds like a perfect use case for the CAN-SPAM act.
I once was on the other side of this. While opening a new bank account, I dictated my email (name.lastname.123@server) to the representative, she entered it and later printed out the agreement. I read the agreement and noticed she entered my email wrong (name.lastname@server). It can be easy to forget the numbers while saying the email out loud, or while entering an email someone else said out loud.
My name is something reasonably rare. There's one other person with the same name in the same industry niche. Occasionally we even have the same giant employer. Every once in a while some fraud detector or email auto complete gets us confused and hilarity ensues.
They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.

This is my biggest issue with what you're talking about. I get annoyed at the clueless users who happen to share my initials and last name but I can forgive them for their ignorance.

But, IMHO, any company, in 2022, that uses email for authentication, or for any type of business/financial exchange of information, that doesn't bother to do a simple validation of "do you really own this email?" should not be allowed to continue to operate!

I sadly learned long ago that expressing this opinion to their support or security contacts is useless.

I've an Aussie namesake who has used my gmail address a few times on sites. I never use my gmail on anything. My spam folder for it is dominated by Australian targetted spam, to a degree I find mildly fascinating.

Recently, google/gmail decided to be too helpful. The namesake used my email address when they booked a stay at a hotel (helpfully the hotel made it impossible for me to unsubscribe!) The hotel has sent me a few emails related to the booking, reminders and the like. Google being Google, sees the email, and creates a calendar entry for me. I delete it. The next email comes in, and boom, there's the calendar entry again.

Same here. I have firstname.<digit>@gmail and I keep getting emails for the non-dot variant. And to add to the frustration, in order to unsubscribe some services require you to send an email from the same address. I've never hated Gmail's "convenience" feature of ignoring dots more. If they really wanted to offer it, they should have also given the option of adding/removing dots while sending emails too.

Someone even has a Paypal account on my dot-less email. It beats me how a payments company can let somebody add an email without verification and not offer an easy to way to remove it.

The opposite problem also exists.

I had first.last@gmail.com and indeed got a lot of email that isn't mine. A few years back I switched to token1.token2@gmail.com, where token1 = something vaguely similar but not my first name, and token2 = nonsense word. Basically an address that is something between random string and insider joke.

Of course I always include my correct real name in the From: field, fill it correctly in all the relevant fields on forms and have never suggested to anyone that my actual name is "Token1 Token2". Nevertheless it's not uncommon for people to assume that this is my name, and I get people writing to me "Hi Token1," or "Dear Ms. Token2". I even had an expensive electronic item shipped to my correct home address but addressed to Token1 Token2, and returned to sender, since such a person doesn't live here (and likely doesn't exists at all).

Some people just don't understand how email addresses work.

There seem to be three other guys who share my name who all think they share my email.

- One guy in London. I get monthly invoices from his daughters childcare centre and the odd email from his solicitor about his investment property. His wife replies to all of these CCing me in too.

- A Native American artist who gets a few emails to purchase his work. I don’t mind this one so much, I found his real email and forward everything on to him.

- Then there’s this other complete douche in the States. Emails about his car servicing reminders, all sorts of totally boring crap. One time I even got a flight booking for him. I though someone had stolen my credit card info and booked a flight in my name at first. I could click into it and change anything. I could have canceled it. I should have picked terrible seats or preordered the worst thing on the menu for him.

I have firstinitiallastname@gmail.com and I get all sorts of interesting stuff from other people. Someone even signed up for their bank account using my address and I got all of the emails for that without any sort of verification.
Somebody signed up for a dating service with my email address. The website allowed me to log in without entering or resetting the password. So, naturally, I changed their gender preferences.
GitHub, linkedin, couple of smaller stores, who were hacked.
I get some scam/phishing/malware emails sometimes from an account I've only ever used to sign up for comcast.
This has been my pattern ever since switching to ProtonMail. The biggest surprise for me was how little purpose it serves for spam prevention.

Coming from GMail, I expected an untenable amount of spam - but that seems to only be a GMail problem? I’ve only had two incidents of unsolicited spam from a vendor sharing my email address since moving to ProtonMail.

One I don’t remember the details but I gave a yoga accessories company my email address, like a year later I got an email addressed to that email address from a cannabis company.

The other time TicketMaster shared my email address with Warner Bros.

However my public email addresses (like the ones I use on GitHub, npm, git commits, etc) receive a lot of spam - but those are harvested, not shared.

Now my email address actually serves another purpose: limiting the ability for leaked user databases to connect my identity across providers. I’m starting to use a different username, email address, and password for every service I use that isn’t linked to my professional identity.

https://www.ordersnapp.com/, who do order processing for a local pizza place.

They got hacked and didn't even reset customer passwords, very glad I use unique passwords and limited the blast radius to them.

The worst, by far, is Camping World / Good Sam. It’s just amazing how they are willing to sell my email to anyone and everyone. My local branch has a good service department though so I just setup a filter and keep going back.
Amazon vendors, several times.
When my kids were young, I set them up with two emails addresses: one for emailing friends, the other for emailing businesses. The assumption was this would protect their personal friend emails from spam. The reality was by the time they were older teens almost all the spam they received came in on their personal friend emails and almost none of it came on their commercial-use addresses.

My assessment was businesses were not stupid enough to sell email addresses (they knew they'd be reamed for it if word got out) but just enough of their friends' machines had sketchy browser plugins, malicious android apps, back-doored aimbot cheats, and etc harvesting contact addresses and sending the data back to spammers.

This has been my experience also. Companies do pretty well, random forums get scraped and friends hit “upload my contacts” on every scketchy app they Download.
Feels like there are parallels to the big corporation vs. small business discussions that pop up every time labor abuse is discussed here.
Could you give a rough time period for when you set up their accounts and how old the accounts are now? Just trying to get an idea of if this is still happening even now.
"Just trying to get an idea of if this is still happening even now."

Do you think the spammers retired? I doubt it, there is only a shift towards trying to get more phone numbers instead of email.

I get mere units of spam yearly both on my email and phone, and I don't really keep either secret. The weird thing is that I know someone whose work address gets lots of spam. Both our addresses are publicly available on the Web.
I figured that our phones would have had better security principles to prevent this from happening now but I guess I was mistaken.
Phone OS software is pretty blantently negligent in this regard.
Pretty much vast majority of apps in Play Store have permissions to see the contacts—they vacuum up the whole address book and sell it to companies doing correlation with data from other services. This only became worse as ‘big data’ was popularized and the value of this personal info dawned on more people.
> their friends' machines had malicious android apps harvesting contact addresses

Basically the majority of apps in the Play Store have permissions to see the contacts, then they vacuum up the whole address book and sell it to companies doing correlation with data from other services—and pretty much compiling giant stores of identifying info and contacts. I guess it's a given that tons of that info also falls into spammers' hands, and since almost no one in the public ever heard of these particular companies, they face zero consequences for what they're doing.

Could you set up a separate app for contacts (and other stuff that you want to isolate) that others cannot see, in order to prevent it?
I heard that there is indeed an option to do that, with help of some apps. You keep your real contacts list in these apps. Presumably this also means that you have special dialer and sms apps integrated with this contact list app, since otherwise you can't just tap a contact to dial or message, and would have to copy-paste phone numbers around.

Dunno what to do about messengers and such, which integrate with the contact system to show their correspondents in e.g. the ‘share’ menu. Not sure if these contacts are available to other apps—but if they are, it seems impossible to hide them.

Also there's e.g. a plugin for the (non open-source) Xposed ‘framework’, to feed fake data to apps that want to access the location and other such info. Seems to be able to fake the contacts, too, but afaiu requires a rooted phone: https://github.com/M66B/XPrivacyLua

I have been receiving tons of lame sellers from @gmail.com email addresses trying to sell things like toenail clippers. Emails were sent to the email address I used to sign up for hired.com.
I get the same thing, along with spam for t-shirts. Lots of spam coming directly from GCP.
Last I checked, you cannot send email from GCP IPs, as outbound mail traffic is dropped at their border. Did they change this?