Ask HN: People who use different emails everywhere, who sold you to spammers?
I've heard a lot about people who have catch-all email accounts and subscribe a different address to each service. So, these people may have a nice idea of who sold or leaked their email addresses based on the spam they are getting. Are you one of these people? Can you name your spammers?
As a side note, I have a friend from not-US who by mistake used a special address only for this country's IRS equivalent (he had something like "unit 12A" instead of just "unit 12"), and he would occasionally get physical spam to that address. I remembered that, then decided to ask this.
437 comments
[ 3.3 ms ] story [ 378 ms ] threadThen I got a response from the salesperson. I asked if he knew that I had started getting spam to the e-mail address that only they had, and he said there was no way that was possible.
I figured that his machine had some malware on it, and that harvested my address and sent it to the spammers. But the cynic in me wondered if they wanted to make money from selling the spammers my e-mail address AND from selling me a spam firewall.
Absolutely no one.
And I've been using this system for over 5 years now
…except for single email with a google docs link that got sent to cs@mydomain. I don’t know what I used cs@ for. I don’t have any other emails to that address. Very odd.
I very rarely receive spam on the email address I used to post on the Debian bugtracker, and on the generic address I give to individuals. Apart from that, none of the specific email addresses are spammed.
It's been almost 6 years now. I sometimes understand why I receive some infrequent broadcast mail thanks to the specific address I used to subscribe.
The most recent offender was my kid's tee-ball league.
https://considertheconsumer.com/data-breaches/parkmobile-dat...
they suck.
They were breached.
This is a phishing attack.
After a while I talked with one of those customers and they knew about it. It was "an email that got compromised".
Eg. one of their employees did fall for the phish and opened the email, clicked the link, opened the binary. Got infected and (a part of?) their inbox uploaded to the spammer. That is then used to send out new targeted phishing attacks where the name is spoofed, but send from another victim of theirs. Pretty effective phishing attack it seems. Took me a bit before I realized what I was looking at as the email seemed to come from that customer. It was only because it was a bit weird that I noticed things being off like that the email address itself was different.
Once a month or so I get unsolicited mail to my LinkedIn email address.
Other than that, I was surprised to find after a good 5 years of monitoring that I haven’t gotten spammed through unauthorized sharing of my email.
Fortunately (unfortunately?) my email has only been sold once, and it wasn’t as egregious as you might think.
Amplitude, the user analytics company, sold my address to at least 3 companies who simply started emailing me as if I’ve always been a subscriber to their newsletter.
I do use their free plan though so I’m not mad about it.
I get the odd one from the address I used when buying my ledger hardware wallet in 2017. Their address list was famously leaked a while ago, and this email address was on it - luckily not my address or phone number though.
Then occasionally I get one to my amazon-specific address. I figure via one of the vendors I've ordered from via Amazon? But who knows. Bezos didn't get his billions by not trying everything.
The worse constant spam I've ever seen, some of it use legit expensive mail services, and a lot of it doesn't land in my spam folder.
I have another email that's put publicly in a website and it gets crawled, and I get no spam from it, just legit emails that are probably automated from people that wanna do business.
Also not to say this is how all recruiters work. I've spent enough time in the industry to know in 2 minutes or less if I'm talking to a decent recruiter.
Can you describe what it is you need to keep track of ?
I imagine giving out servicename@domain.com and if you get spam on that pseudonym you just block it in procmail or smtpd.conf or (whatever you do in gmail).
Right ?
- https://recruitin.net/
- https://www.gitrecruit.co/
- https://amazinghiring.com/amazinghiring-chrome-extension/
Recruiters feel that email/phone have better response rates, so many of them try to bypass linkedin by looking up your details in such a service. The third of these in particular found my details from the gravatar leak, as best as I can tell, so I wouldn't expect high ethics from these companies.
The worst was when spammers got ahold of my email from a hotel chain and would add random letters to the username. So, for instance, the email address I provided to the hotel chain was something like hotelchain-jawns@example.com, and the spammers would send to aaahotelchain-jawnsaaa@example.com, bbbhotelchain-jawnsbbb@example.com, etc.
That forced me to stop using a catch-all and only accept usernames that conformed to a certain format.
In particular recruiters (including from 1 faang) have picked up the gravatar breach, and after some gdpr digging I've found a few of the unscrupulous vendors that laundered the breach data into the recruiter spam industry
I think the real worst offender is LinkedIn. I put one email on my resume and a different one for logging in to LinkedIn that should not be public. And yet I get direct recruiter spam there all the time.
It might not be directly through LinkedIn- about once a year, random recruiters will call my personal cell phone, even though I have no how they possibly got it. By now it's on a list that gets sold, I'm sure, but where it started, I'm clueless.
The most infuriating are recruiters who cold-email me at my work email. There's something about contacting me via my official capacity as an employee to take a different job that really gets under my skin. Might just be that I am very, very much not a "bring your whole self to work" kind of guy and more of a "keep a hard divide between my work and personal life" one.
They give my address as if it belonged to them. Probably they created addresses like narag33@server and they believe that it's narag@server instead.
So not only I receive all the spam from dubious sites that they suscribed to, but also their legitimate mail from lists and friends.
My namesakes are idiots. But some of the companies responsible of the subscriptions, like Paypal, are assholes. They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.
Now I get phone bills, internet bills, promo emails, subscription emails, two factor emails, and sometimes even bank related emails addressed to someone who shares their first name with me.
It's been years now. I've reported the emails, but neither the intended recipients, not the sending organizations seem to care.
I agree, my namesakes are idiots too and so are the companies who don't have a simple email verification system. :(
Never heard from them again.
Instead use the reserved domain example.com.
* A Joe who runs a lego engineering team at his high school
* A Joe who goes to bible study in Utah
* A Joe who is building a house in Victoria Australia (I'm so familiar with him/others screwing up his email that I can forward it to him and his wife easily.
Your targetted ads must be really interesting :-)
The silver lining is, of course, that no one has yet built an accurate profile of you ...
Also: When I use Facebook's feature "show data that others have uploaded about you" (or similar), it is full of this guy's stuff that was provided to facebook (and attributed to me) by businesses this guy has relationships with.
Nothing I can do to remove it.
Now, I get Bank Statements, Credit Card, Health, Insurance and whatnot for over 5+ "Brajeshwar"s in India. I just ignore them as I use my GMAIL ID just for newsletter subscriptions and ramnants of the old Internet but I do check once a week during my weekly digital chores.
OT, but I’m going to start using “digital chores”. When my partner asks what I’m doing and I answer “paperwork” it doesn’t sound quite right.
I used to reply to misaddressed mail when it amused me. I used to string along a whole family of people that included me in group emails with racist Obama memes and pictures bragging of poaching.
I stopped replying to these when in another case I was asked to tell estranged and family member that their sister had cancer since I was the only one still in contact with her. I did inform them they had the wrong address at that point.
I’m still on a mailing list for senior members of a local police department and even was sent logon/passwords to some of their systems but I’ve learned not to try to correct these things, it’s just too much of a hassle. In the case of Venmo and Verizon I couldn’t get it fixed even with phone calls.
Imagine dealing with Comcast customer support. Then imagine not even being a customer anymore trying to get this resolved. Now imagine explaining how you're not the person on the account yet have the same name and how this is a huge privacy/security violation.
Took years to get rid of. One day I'm waiting for a silly collections bill or something to show up in "my" name for the other person.
I really wish I could get his phone bill sent to my email address so I could call and tell him he could have gotten a larger raise
+1. My OG name email has been mistakenly registered for a PayPal account, but there's no way I can go about disavowing the account, or removing my email address from it.
They can make a new one with their own email if it’s important.
Edit: there is one boost mobile customer who has done this to me and I can’t figure out the exact address they used (the thing where you can add periods gives a lot of possibilities), and I really wish I could password reset and close this account because approximately every other month for years I get late payment notices, then impending cutoff notices, then cutoff notices, then “thank you for your payment your service has been restored” notices. It’s both sad and annoying and I finally just black-holed everything from boost mobile and hope I never decide to be their customer in the future because troubleshooting mail delivery problems when I’ve forgotten about this will drive me insane.
I've never really been 100% sure if changing the password and logging in to delete the account would violate the CFAA. I mean nobody would have gone after me for a Twitch account anyway, and I'd definitely have felt moral deleting the thing, but the letter of the law...
- The account effectively belongs to you anyway.
- The person who created it isn't going to be able to recover it if they lose their password, better they know about this sooner than later by you locking them out.
I mean this is essentially silly, because almost certainly what has happened (given my weird name that nobody would normally stumble across) is that my email address has become listed in some database and somebody has decided to use it to sign up for services for shady reasons. So I'm not arguing that I couldn't have gotten away with it. Definitely I could have. But I think it is an interesting reflection on these signup systems and how they might interact with the CFAA, that this weird situation can occur.
Obviously, inquiries to boost mobile support haven’t been helpful either. It’s a mystery.
As someone who has done this too, I wouldn't be surprised if it violates some misuse of computers act - but I'd rather that than be responsible for the security of someone else's finances
I don’t even use gmail anymore, but I keep looking into what kind of fun emails I get (and I report every opt-out-only newsletter, which includes Google Fiber and some US Democratic Party thing, as spam).
But in the last few years I started getting hotel reservations, golf course membership, bills, orders for liver supplements. I tracked down who it is ages ago and sent them an email (I was cordial - "Hey we have such similar names but I'm on the other side of the world, crazy huh?") and got no response. Eventually I replied to the liver pill people and said "Hey this isn't me and if you could let the actual person know that'd be great" and the emails stopped. Way to go liver pill people.
I once got someone and their family's Disney World booking details sent to <theirname>@<mydomain>. It was a real thing, I could click the link and go view their booking at the official website. I have no idea what made that person to type out <mydomain> as their email, the domain is not even close to any publicly hosted email services or any company names. I kept getting more notifications of the upcoming Disney World trip so I ended up disabling that particular address so that those emails bounce.
I had a similar experience, funnily enough golf course memberships too. Doing minimal OSI work on the numerous emails I found the guy on facebook and friended him (accepted due to same surname I assume). I remember saying something like:
"Hi, I noticed you just signed up for an Epic Games account, and you happened to use my email address <lastname>@gmail. Would you mind not doing that, please?"
He responded that I was a creep and that it was his email, and proceeded to block me. I mean he might've been right on the former, but patently wrong on the latter.
The creep creep creep ;-)
In retrospect, I probably should have printed the emails and then sent those too. That may have been taking the bit too far, but it would have been much funnier from my POV.
I sent a few emails to his family explaining this, they told me that I was wrong. I gave up and just ignore all of those emails.
It's on gmail and I don't use gmail for important things anyway...
What a bizarre response... somebody who isn't the person you intended to email has replied to you from the address you sent the message to. What could possibly make someone think that the person replying is the one who was wrong?
In their minds, they did email their brother, and the weird guy who replied is wrong. It might be possible, with enough investment of time, to help them understand how/why it went wrong, but as nicolas_t experienced, it is sometimes easier just to block them and move on.
I was lucky, I was a Hotmail early adopter and I regularly receive emails for two namesakes. I was able to figure out their correct email addresses over the years and they are both tech savvy enough to understand the issue. I forward on messages when they come through, and I actually met up with one of them at a house party he was invited to.
When I forwarded the invitation, he suggested coming along as well and I figured why the hell not. It was a fun ice breaker in a room full of strangers.
A few years ago I tried to contact some of my other selfs to ask them to mind their email, but never got any response. I'm just ignoring them now or hitting the spam button (after all, the senders should have a process to check the address instead of taking erroneous email addresses written by hand on paper).
Add Discord to the list.
Use an account with an unverified mail? Fine by us!
Go and try to actually verify the mail? Alarm bells go off and the acct locks up (sorry, not sorry for the owner of that acct)
This email is regarding: [].
Class: MATH 7 ADVANCED Prd: 2 Teacher: []
-----------------------------------------------
Good evening, please check [] for missing work, complete it and submit it. Let me know if you have questions or need any help or anything opened up or more tries. Remember the Ch. 3 test due today. Thank you, Mrs. []
I replied:
I think you've got the wrong email address.
Thanks, David
The teacher then replied:
My apologies. You are correct. Your son is crushing it :) and I failed to take him off the group email. Thank you so much for letting me know and keep up the great work! Again, I apologize for the inconvenience. Mrs. []
I then replied:
Thanks! Only one thing: I don't have a son.
The problem is the word spam. What you describe, misdirected mail from completely legal businesses is not really spam, even if it is junk for you personally.
There is aggressive marketing of very vaguely related products you have actually registered for. There is marketing of illegal products mostly using harvested addresses. There is phishing often using stolen addresses.
If you want to understand the problem as the OP obviously does just speaking of spam is not helpful.
Unsolicited commercial messages.
If the actual receiver didn’t solicit the message, it is spam. It doesn’t matter if the business is legitimate or not, if anything it makes it worse because the FTC occasionally does fine companies for sending spam.
Legally, you have to verify the email address before sending any further messages. If you don’t, you open yourself up to some serious fines if and when the FTC or whomever decides they want to make an example of you.
What about selling fake products?
Those persons give my address all over the place. Don't you understand the implication?
Also using unverified addresses by Paypal and other assholes is irresponsible and honestly I can't see why it isn't spam.
Edit: Add Netflix to the assholes list. I've just reset the password for another idiot.
Over a year ago, I noticed that somebody's paypal was set to my gmail account. They had also used my account for payments to Donald Trump (I was getting hilariously desperate and pleading messages for more donations) Banggood, and Amigo Loans (as guarantor)
I was able to get information about different addresses they have lived (Ireland - not sure how many Trump supporters live in Ireland, which was weird), what other email addresses they had, etc.
In the end, I logged into their paypal (surprisingly easy) and changed their email address to the correct email address, and emailed them their new password.
I still get the odd one-off email from other places, such as a damp report for a property in Hemel Hempstead, but at least I haven't had any more paypal messages. I sometimes wonder about the legality of what I did - obviously I did nothing malicious, but I suspect it contravenes the letter of at least one law. But the thought of being made in some way responsible for the security of someone else's finances filled me with dread.
I haven't noticed many leaks/sales at all of my specific account addresses. I get almost all my spam on my regular gmail, and promotions for companies that my namesakes have signed up for, left my email at a store, etc.
I have identified several people from the variety of emails I get, including work/school/personal.
> But some of the companies responsible of the subscriptions, like Paypal, are assholes. They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.
This is my absolute biggest gripe. Someone signed up for AT&T using my email. I contacted their support on facebook, and even after explaining the whole issue they asked my for my phone number, and recommended I call their support. I'm not even in the country. They stopped responding when I pointed that out.
While I want to trash AT&T (deservedly), they're unfortunately not alone in that behavior.
The bills are in encrypted pdf-- but the encryption is trivial to remove. I looked at the bills, its someone with a name similar to mine, just one letter different. I emailed the real person, telling him he had used my email, but got no reply.
I just press spam now, and the emails have stopped coming to my inbox. But I still get the emails 6-7 years later. Its mind boggling as how a) Airtel never confirmed the email b) Havent stopped sending even though they've been going to spam for years now
(The last one of the above I replied to - it was an order for a rifle scope. I sent what I thought was an obvious joke email back asking whether it'd help me hit my neighbours' puppy at a mile range. The gun shop replied back suggesting an alternative scope... Moral: never apply UK style humour to US situations, especially not about guns...)
Most of the organizations and individuals sending the emails are accommodating. Then there are the likes of Discord, that require you to confirm that you would like to delete "your" account, when it's not even yours. Nevermind that I have no desire to delete someone else's account. They also refuse to write you in English when you tell them you prefer it over Spanish. Luckily; I speak that too.
At least it listed "my" address. :)
https://xkcd.com/1279/
Oh, no; this was direct from Peet's website. Doctor's office had a recurring shipment.
I have lastname@gmail.com and keep receiving various e-mails intended for people with my surname. Insurance documents and other semi-confidential stuff included.
I have similar problem, from trump watch newsletters to random local republican party emails, also received few invitations to parties, medical results, private photos from trips and the list continues. Also when the covid started I was cced on some action group that was solving the covid problem in their area. The worst thing is the spam from dating sites that I get.
I think the problem in my case is that the person uses exactly the same handler but at yahoo instead of gmail.
This is an "I'm dumb and can't remember my email address" issue, not a political one.
I also get the usual run of the mill receipts, reservations, etc.
* obviously this is not my email address, but it demonstrates how the situation arose.
I do not have a facebook account
I mostly get signed up for newsletters but I do actually have the name and address of one of the people who uses my email address. I know its not exactly polite and didn't want to be mean and cancel any orders but I mayyy have logged in and changed her name on the delivery address to "stop using my email address please" and she's never done it again.
theres also a teenager at a school in the US using my email address on social media I get a lot of requests to send me freebies!
I also apparently have an espn account now, if I liked sports I'd be taking advantage of that one!
Even weirder was one time I had RSVP's to a wedding. The couples name was exactly the same as my partners and I's! I had to email the pastor and say I think you have the wrong email address!
I've had blood test results, graduation photos, I get emails from this girls doctors. I've contacted them so many times to say I'm not your patient but they don't listen. I also know what car she leases! At this point she must have realised!?
I have tried finding the numerous people throughout the world with the same name and surname as me and notifying them and asking them kindly to update their contacts or to stop using mine (name.surname@gmail scenario), some work, some don't.
At some point I even started canceling their appointments/subscriptions/closing their accounts, hoping they'd stop but apparently no use. Not a month passes without a few of these emails popping up in my inbox. The most annoying are when I am stuck in a group email with multiple recipients that are replying all.
I can’t imagine what it’s like for whoever uses the same naming convention for a super common name.
He also is down for _any_ sweepstakes and has dubious dating preferences. He’s out there wondering why he never wins anything and no one swipes on his profile.
[0] dots are not significant so it's basically the same email address and it is mine, but they use it without the dots while I use it with.
This is my biggest issue with what you're talking about. I get annoyed at the clueless users who happen to share my initials and last name but I can forgive them for their ignorance.
But, IMHO, any company, in 2022, that uses email for authentication, or for any type of business/financial exchange of information, that doesn't bother to do a simple validation of "do you really own this email?" should not be allowed to continue to operate!
I sadly learned long ago that expressing this opinion to their support or security contacts is useless.
Recently, google/gmail decided to be too helpful. The namesake used my email address when they booked a stay at a hotel (helpfully the hotel made it impossible for me to unsubscribe!) The hotel has sent me a few emails related to the booking, reminders and the like. Google being Google, sees the email, and creates a calendar entry for me. I delete it. The next email comes in, and boom, there's the calendar entry again.
Someone even has a Paypal account on my dot-less email. It beats me how a payments company can let somebody add an email without verification and not offer an easy to way to remove it.
I had first.last@gmail.com and indeed got a lot of email that isn't mine. A few years back I switched to token1.token2@gmail.com, where token1 = something vaguely similar but not my first name, and token2 = nonsense word. Basically an address that is something between random string and insider joke.
Of course I always include my correct real name in the From: field, fill it correctly in all the relevant fields on forms and have never suggested to anyone that my actual name is "Token1 Token2". Nevertheless it's not uncommon for people to assume that this is my name, and I get people writing to me "Hi Token1," or "Dear Ms. Token2". I even had an expensive electronic item shipped to my correct home address but addressed to Token1 Token2, and returned to sender, since such a person doesn't live here (and likely doesn't exists at all).
Some people just don't understand how email addresses work.
- One guy in London. I get monthly invoices from his daughters childcare centre and the odd email from his solicitor about his investment property. His wife replies to all of these CCing me in too.
- A Native American artist who gets a few emails to purchase his work. I don’t mind this one so much, I found his real email and forward everything on to him.
- Then there’s this other complete douche in the States. Emails about his car servicing reminders, all sorts of totally boring crap. One time I even got a flight booking for him. I though someone had stolen my credit card info and booked a flight in my name at first. I could click into it and change anything. I could have canceled it. I should have picked terrible seats or preordered the worst thing on the menu for him.
Coming from GMail, I expected an untenable amount of spam - but that seems to only be a GMail problem? I’ve only had two incidents of unsolicited spam from a vendor sharing my email address since moving to ProtonMail.
One I don’t remember the details but I gave a yoga accessories company my email address, like a year later I got an email addressed to that email address from a cannabis company.
The other time TicketMaster shared my email address with Warner Bros.
However my public email addresses (like the ones I use on GitHub, npm, git commits, etc) receive a lot of spam - but those are harvested, not shared.
Now my email address actually serves another purpose: limiting the ability for leaked user databases to connect my identity across providers. I’m starting to use a different username, email address, and password for every service I use that isn’t linked to my professional identity.
They got hacked and didn't even reset customer passwords, very glad I use unique passwords and limited the blast radius to them.
My assessment was businesses were not stupid enough to sell email addresses (they knew they'd be reamed for it if word got out) but just enough of their friends' machines had sketchy browser plugins, malicious android apps, back-doored aimbot cheats, and etc harvesting contact addresses and sending the data back to spammers.
Do you think the spammers retired? I doubt it, there is only a shift towards trying to get more phone numbers instead of email.
Basically the majority of apps in the Play Store have permissions to see the contacts, then they vacuum up the whole address book and sell it to companies doing correlation with data from other services—and pretty much compiling giant stores of identifying info and contacts. I guess it's a given that tons of that info also falls into spammers' hands, and since almost no one in the public ever heard of these particular companies, they face zero consequences for what they're doing.
Dunno what to do about messengers and such, which integrate with the contact system to show their correspondents in e.g. the ‘share’ menu. Not sure if these contacts are available to other apps—but if they are, it seems impossible to hide them.
Also there's e.g. a plugin for the (non open-source) Xposed ‘framework’, to feed fake data to apps that want to access the location and other such info. Seems to be able to fake the contacts, too, but afaiu requires a rooted phone: https://github.com/M66B/XPrivacyLua