Tell HN: Spammed by a Hacker News Enthusiast

281 points by ColinWright ↗ HN
Someone has scraped my contact information from my profile and is sending me an unsolicted "HackerNews" newsletter.

People ... don't do that.

Yes, you have an unsubscribe link, but that doesn't excuse the unsolicited sending of a screencap of your rendering of "top stories".

At the end you say:

"You're receiving this email because you signed up on HackerNews"

That is a lie, and a tactic used by utter scum.

Be better.

========

Edit: Note that this isn't random spam. It's specific to HN, showing a screencap/image of the HN front page. And then it lies about "signing up". If it were random spam I'd delete and move on. It's not, it's deliberately targetting the HN audience, and that's why I've mentioned it.

141 comments

[ 3.5 ms ] story [ 200 ms ] thread
Well name and shame.

Else you're just screaming into the void.

Sent by hackernews.newsletter@mailscarp.com
What do they gain by this? Do they have any affiliate links? Adverts? Just trying to understand what their motivation behind this is.
WAG: I think in general people think building any kind of email distribution list can be monetized, even if it's not being done immediately. Either sold off wholesale or directly monetized through adverts / affiliate links.
If they are particularly unscrupulous, there is an unsubscribe link: they capture use of this link to validate emails, then aggregate and sell that information onto other spammers.
Sounds like a university freshman’s lemonade business gone wrong
They are updating their CV right now - "Posts about my business were featured on the front page of HN"
If I was the person behind this, I would be tearing. You guys are brutal
Live by the hustle, die by the hustle
> Tired of getting spam emails from newsletters you never even signed up for? Mailscarp has you covered!

Ironic

It's literally racketeering.
Charging protection money
Maybe their masterplan is to sell beds :)
based on that website, it sounds like this whole thing is a marketing campaign for that mailscarp service. They don't actually want you to read their newsletter, they want you to go investigate and then sign up for their 'block spam' service.
Getting their URL put onto spam blocklists sounds like an unusually counterproductive way for a 'block spam' service to market...
Not only are they a terrible service that lies about their data scraping, their service also doesn't even work. I entered one of my random email addresses that can definitely receive email into their tryout screen and it got almost every detail wrong except for the "format" fields.

Onto the pihole blocklist it goes!

Anyone here with some influence over spam lists? Looks like a good entry...
Why is a spam message to a publicly listed email address considered worthy of sharing or even paying any attention to?
Because it's not just random spam sent to a list purchased from a dealer in scraped email addresses. This message is specific to HN ... it's a screenshot of a list of "top postings" on HN.

So as such it's different, and directly related to HN.

It’s no different from any other spam message. Nobody here can do anything about it but you by removing your email from public.
Or, the person who is sending them can read this message, feel ashamed and can stop sending them?
Do you really think they care? Why in hell would you put your email address in a public space in the first place if you care about spam?
Because you'd like to accept direct messages from other HN users? And the spam is usually so minimal it's not a problem?
> Do you really think they care? Why

I bet that they believe that they are hustling on their legitimate startup. That's what I think.

Maybe they don't. I don't see how it is a problem to try to reach for them this way.

> Why in hell would you put your email address in a public space in the first place if you care about spam?

I don't see how this is relevant to the question. The person who put their address unprotected up for spam can be foolish, and the person who is sending them the spam should stop.

Both of these can be true at the same time.

>Both of these can be true at the same time.

True but decades of this has shown that people and their elected gov don't give a damn about trying to curb this by law and policing so we both know given the current state we are on our own to protect us about that.

I care about spam. My email address, unobfuscated, has been publicly available for over 20 years. Why? So people can email me.
I wish I was as hopeful as you, for real :)
Because unsolicited mass mailing IS spam, and spam is BAD.
Yes, and that’s what the ”mark as spam” button is for.
Not everyone uses the mail service provided by TheBigG, and not everyone has a "mark as spam" button.

My email is sufficiently esoteric as to ensure that a sizeable percentage (when last measured between 20% and 25%) of legitimate email gets put in the spam bin, rendering commercial spam filtering effectively useless.

Where is this “mark as spam” button? I can’t find it.
In the Fastmail web client it's under the "More" menu item above the e-mail contents, and you can set up an IMAP folder to act as a spam sink for other clients, but it depends on your email provider.
This is either the Stack Overflowiest answer or just the Hacker Newsiest.
(comment deleted)
Because it's a SPAM sent to our community; and directly relevant to us.
People are assholes and you can't expect them to do what you see as the right thing. Welcome to the Internet!
I've also received it and reported it as spam. To the person who is running this: What were you thinking?
(comment deleted)
Move fast and break things.

Fear is the disease. Hustle is the antidote.

Disrupt

Today's creepy is tomorrow's necessity.

By any means necessary

Ask for forgiveness, not permission

Crush it

Rise and grind
Hiring a growth engineer.
Looking for a real rock star. Someone who will snort a line during stand-up to give them the energy needed to produce.
Probably thinking: "Gotta be on that sigma grindset, move fast break things"
Just mark it as spam, put it on blacklists and move on. If one decides to put their business domain into the abyss of undeliverability it's a costly mistake they make once.

On a different note, it might be a worthwhile idea to put profiles behind extra protection. An extra click to see contact info verified by a smart captcha might be the least breaking change. @dang

(comment deleted)
(comment deleted)
HN doesn't publish emails on their profiles unless you do it explicitly and the vast majority of people don't do that.
Yes, and it seems GP is requesting a feature where we can publish our emails but behind a layer protective verification. We could still also do various obfuscation behind that, but it would still be an improvement, and reduce friction to creating contacts here.
maybe they didn't do it. if it's easy to sign up maybe somebody put your email address in the service.
That's an interesting thought, but no, it's being sent to two different email addresses that are in my profile, so it's not an accident.
I once got enrolled into a newsletter from here, I'm fairly sure and... it's pretty good. I read it from time to time.

I don't like spam but the atomized ethos of no-one-talk-to-me isn't great. Someone chatting you up or sending something you might like is fine.

> I don't like spam but the atomized ethos of no-one-talk-to-me isn't great. Someone chatting you up or sending something you might like is fine.

I'm sure most people that put their email address in their profile are fine if a human person wants to talk to them. Companies scraping profiles and sending automated bulk mail on the other hand, not so much. Pretty sure that in the EU this is also a violation of GDPR.

I don't mind it if someone writes me an email - it costs them time, and I am happy to spend my time to read it.

But I do mind if someone uses a script to scrape my address and opts me into a recurring distraction without my consent. It's all about having an overly low barrier to entry, yet demanding attention and manual opt-out from thousands / millions of people. It's just greedy and arrogant.

If someone pulls my email from my profile and messages me personally. No harm no foul. A mass distribution list is not that.
That is the excuse I heard back when spam was novel. What's the harm? The recipient might want it. That sounded almost reasonable 25 years ago.

Now estimates vary widely, saying that 50% to 85% of mail is spam. Extensive spam filtering is a must. Actually relevant mail regularly gets lost because those filters aren't perfect. And deliverability is, at least for me, a constant worry.

A person with no pecuniary motive chatting me up where the behavior costs us the same amount of time? That's fine. Somebody paid to chat people up in high volume because they hope to get more money out of me? Not fine. Somebody using automated tools to do that such that recipients spend far more time than the sender? Not fucking fine at all.

For example, consider the gaping assholes, perhaps as few as 3 people, who were behind the literal billions of robocalls for extended car warranties. Did some people like that, grateful to have their worries about their car solved for them? Maybe, but I don't care. I would like to be left alone until I reach out, thanks. And if you don't like that ethos, please go talk to the people behind the thousands of robocalls and literal millions of spam emails I've had to deal with over the years. Because you're wasting your day telling me I should be nicer to people who value their money more than my time.

You're the reason spam works.
My new anti-spam tactic is to duplicate Gmail's 'bounce/address not found' response and respond with that. Believing that your email address isn't valid, they'll stop spamming you (bounces affect deliverability) and also probably not sell your data. If you just hit unsubscribe, now they've validated your email so they can sell it
Probably better to just "Mark as spam" if you have Gmail. If enough people do that Google will start marking those emails as spam by default

Helps everyone else too

(comment deleted)
To build on what culi said, marking as spam actually sends information out to various validators, and will increased the chance at that sender will be automatically marked as spam for everybody else, and so is absolutely worth doing (though it will also send an unsubscribe, if you're worried about that)
Doesn't gmail offer the choice of "marking as spam" or "marking as spam and unsubscribing"? I always just choose "mark as spam".
I have the old UI maybe? Or the new one? I can't keep up...

I just have a "Report Spam" icon, with no choice to differentiate between the two.

It's an interactive prompt once you press the spam button. Whether it appears depends on whether the system identifies an unsubscribe link in the mail.
I'm always worried that the spammer just uses "unsubscribe" as a sign that the email actually got through the spam filter and a human saw it?

Aside, I've been having a TON of very similar spam emails getting through Google's spam filter, and even marking them as spam doesn't seem to do anything. It's been going on for months at this point. I'm close to just closing that Gmail account because I have no idea what to do about getting close to 10 spam emails per day straight into my inbox in a way Google seemingly can't fix.

It's super obvious spam too. "tHe IRs hs a REFUND for u" level stuff.

Wouldn't it be better for Google to have a "mark as spam and delete future emails" option? That way, your inbox stays clean, spammers have wasted some credit for whatever email marketing service they use on an email that will never be read, and eventually spamming would become futile since emails will be deleted on reception.
I'm pretty sure they don't care if your address is valid or not, they will sell it anyway.

My grandfather has been dead for over thirty years now, he still gets junk mail, his data is still on all the people finder sites.

That's not what valid means in this context.
Is that you Transunion?
That depends, what's your DOB, last 4 and mother's maiden name?
This is what mailinabox does (https://mailinabox.email/) to combat spam and it has worked remarkably well. In the few years I've been running my own mail server I have received ZERO spam in my inbox.

For more info, the technique is called greylisting https://postgrey.schweikert.ch/

Ehh, but this is not greylisting? Greylisting temporarily rejects an email and requests the sender try again after a while.
greylisting is not the same.

greylisting is responding with a temp error under the assumption that most spam won't retry on temp errors, which isn't the case for most spam anymore.

real bounces are permanent errors.

Greylisting is one of those techniques I always loved, as it was so simple and logical.

As you say these days spammers will retry, but its an approach that still has value, because in the period between the initial delivery-attempt (which is rejected) and the final one (where it would be attempted) it is more likely that the sender has already appeared on DNS-based blocklists.

But there is also the problem that some people don’t want to wait multiple minutes or hours for an email, like password reset emails. I see too many disadvantages.
I'm not sure e-mail selling is as rife as it used to be.

Starting in 2003 and up until 2016, I used a catch-all e-mail address and would sign up for everything using a custom e-mail address. I wouldn't even do in the form of "sohcahtoa82+service@mydomain.com", I'd just do "amazon@mydomain.com".

The only spam e-mails I got that were e-mail addresses I used were from a couple shady cryptocurrency mining pools, a forum that got hacked, and the e-mail address I used on USENET. I also got spam sent to <random hex digits>@mydomain and lots of <two random dictionary words>@mydomain.

Knowing how much spam came from my USENET e-mail address (which I eventually changed and black-holed), I wonder how many spammers are scraping usernames from reddit and just spamming username@gmail.com.

there was a thread the other day that people felt that wasn't a good indicator. Because people might take the list from say adobe, and filter out anything with adobe in the email
Hello, my name is Adobe Meta Apple Netflix Amazon Microsoft. How may I help you?
If they filtered out "adobe" then all that would be left is "@mydomain.com", which isn't a valid e-mail address.
This was already discussed here: https://news.ycombinator.com/item?id=32605574
Weird that the thread is flagged.
The "mystery" was solved and the thread buried ;)
In that case the poster originally thought that the email address used was the private one used to connect with HN. They didn't realise, and hadn't intended, that it be accessible via their public profile. If their suspicions had been correct then there would somehow have been a breach in HNs security.

But they had, inadvertently, made their intended-to-be-private email available in their profile, so everyone thought it was all a misunderstanding.

Hence the flagging.

Yes, I’m sure that someone who does something like that will be stopped by your “please don’t do that”
You might be surprised. More than once I've seen someone copy something because they thought it was a clever idea, then when pointed out that it was a scammy/scummy practice, re-thought it all and did change their mind.

OK, not often, but it has happened. In this case it's unlikely, but if it is someone in the HN community, perhaps they will stop and re-think.

Most people don't want to be an asshole but it's easy to convince oneself it's not a big deal if you only think of yourself.

Once you know people have a problem with it you lose your justification, you can continue sure but now you know you'r the asshole. It's harder to knowingly be an asshole than it is to be an asshole and lie to yourself you aren't.

You signed up with a real email address?

Laughs in 1secmail.com

From your provided information and the current comments I would guess it is a spam campaign that targets the audience of the website it scraped. One could flag it as spam or if so inclined, create a free account on SpamCop [1] and submit the headers. Some smaller sites directly use SpamCop, UceProtect and Spamhaus and many commercial products us some of their data feeds behind the scenes to assign spam scores.

It may be useful to create a throw-away email alias for their public profile and further obfuscate it in a manor that much of the HN crowd could easily decipher. e.g.

    echo -n 'email base64: ';echo -n 'some.hn-specific.address@some.tld' | base64 -w0;echo
    email base64: c29tZS5obi1zcGVjaWZpYy5hZGRyZXNzQHNvbWUudGxk
[1] - https://www.spamcop.net/anonsignup.shtml
Scraping email addresses into a "subscribers" list, sending unsolicited spam, and claiming to be associated with the official site - this is scummy behavior.

Unfortunately such disrespectful behavior to online communities has become the norm, with companies like Facebook leading the onslaught of legally and ethically questionable practices to exploit and abuse the public trust. On the hierarchy of scum, they're top-level scum that demonstrates to everyone, "This is how we do business now."

It's likely an "entrepreneur" trying to get traction, maybe make a little money on advertising. In their need for hustle, they crossed a line.

Hustling the law or regulations is all cool, as long as you don't spam HN :)
I got it too, the sender is mailscarp.com which, ironically has this blurb on their homepage:

"Tired of getting spam emails from newsletters you never even signed up for? Mailscarp has you covered!"

To whoever did this: you're an asshole.

Hello everyone. I am the founder of Mailscarp.

Mailscarp is an email platform that has been opened in BETA version recently and has been tested for a while with a few of our members.

We apologize for the inconvenience caused by spam emails sent by a member of our Mailscarp project.

The account of this member, the newsletters he owns and the subscriber emails he has uploaded to his account have been deleted immediately, and necessary measures have been taken to prevent this member from creating a newsletter again. You can be sure that we will do everything in our power to avoid such a problem again in the future.

Mailscarp is already a project designed to protect you from spam emails. It was developed for this purpose, and we are very sorry to be accused for this reason. I hope you will accept our apologies for this matter and try to give Mailscarp a chance to protect you from spam in the future.

Thank you!

> and necessary measures have been taken to prevent this member from creating a newsletter again

leave the gun, take the cannoli

Thanks for responding. Could you say who it is? Because unfortunately, a common response of corporate wrongdoers is to blame the problem on someone who has now definitely been taken care of.
And while I'm asking questions, jaquesm says, "the sender is mailscarp.com". Was it actually sent through your servers? It looks like mailscarp is only inbound, so I don't understand how one of your beta users could have spammed a bunch of people on your behalf.
Yes, it was, I checked the headers.
Thanks. Then maydemir's explanation doesn't hold up for me. The Mailscarp page doesn't say anything about the features he describes. It seems like the simpler explanation is that they just tried spamming people and got caught. I hope that's not the case, and I hope they'll respond to questions to straighten things out.
(comment deleted)
(comment deleted)
Hard to argue with these:

ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mailscarp.com header.s=api header.b=DnugwplP; spf=pass (google.com: domain of hackernews.newsletter@mailscarp.com designates 104.243.65.3 as permitted sender) smtp.mailfrom=hackernews.newsletter@mailscarp.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mailscarp.com Return-Path: <hackernews.newsletter@mailscarp.com>

Bing being Bing (via DuckDuckGo), when I searched for mailscarp I got mailscrap.com. Which is basically a diametrically opposed service.

> With Mailscarp, you can subscribe to newsletters with a separate email address, so your personal inbox stays clean.

> MailScrap: this email verification tool actually connects to the mail server and checks whether the mailbox exists or not, wipeout disposable email addresses from your email list.

Same deal with Google, plus a bunch of ads for spammy tools.
Just curious how they did this, your whole shtick is that you don’t send emails, and is read are a repository for newsletters and other spam… how does that translate to scraping emails addresses and sending newsletters to personal inboxes?
>sent by a member of our Mailscarp project.

With a history of 'surprises' like this: https://news.ycombinator.com/item?id=24255179

Also, the only developer listed at devro labs: https://github.com/kesarawimal (bunch of email scraper repos in there too)

Also, https://news.ycombinator.com/item?id=24158498 (lol)

Also, their HN submission history [1] is fascinating: exclusively Github repositories, all submitted exactly on the hour (± a few seconds)!

I wonder if they are running a scraper that automatically cross-posts trending repos...

[1] https://news.ycombinator.com/submitted?id=maydemir

This user and his ghost account “screpy” talk to each other on HN if you look at the comments. Very suspicious considering this behavior of also posting and then commenting and acting. How do we know OP’s comment about Mailscarp now isn’t also fake? The user’s reputation is not very strong
You're spamming this post, that complains about spam from your product.
Makes me wonder if this "member of their project" is just some made up scapegoat.
So TL;DR: you produce a mailing list software, and someone used it to spam 88 HN users
Protip: it would probably be a good idea to spin off the spam-sending service (you call this “Creator”) into a new company, separate from the anti-spam service (you call this “Inbox”). I would guess the two userbases (spammers vs spammees) have a fairly small intersection.
> You are one of these 88 people

This thread is getting enough attention that I'm highly doubtful this message was only sent to 88 people. I saw the email, thought "I haven't subscribed to any HN digests lately", and deleted it.

If the project is intended to protect people from spam emails, shouldn't it follow best practices like an explicit opt-in?
(comment deleted)
Automatically signing you up for a newsletter is lame, but I've emailed people here in the past asking for opinions on new projects - I don't consider that spam. I'm talking like 20-30 emails maybe - no scraping involved.
Unsolicited mass emails = spam
How do you define mass emails though? I don't think the people who are sending out a hundred emails are really a problem as far as spam is concerned. On my other account here I have my email listed, and I expect to be contacted every now and then about random HN projects, and I am. I don't consider those spam.
Ha, I got this this morning and deleted it before taking more than a glance. Agree, totally scummy.
Wow I got it too. I thought it was the HNDigest or something I subscribed long time ago.
> "You're receiving this email because you signed up on HackerNews" > That is a lie, and a tactic used by utter scum.

I think 'utter scum' is an extreme reaction. And it's not necessary to make your point.

So you're saying if I start spamming you, you wouldn't think I'm scummy? Send me your email address and I'll sign you up for a bunch of unsolicited newletters.
There's a difference between thinking someone has done something wrong and thinking they're 'utter scum'. And I do think there's a difference between someone sending me an unsolicited newsletter summarizing stories from a platform they know I'm on vs. random mailing lists that are wholly irrelevant to me (so signing me up 'for a bunch of unsolicited newletters' would be worse than equivalent for me). I don't think what this person did is right, but I do think the reaction to it seems overblown.
Please, lets be specific here. Is this an altruistic act: Signing up unwilling participants to a mailing list.

Is this ever a mistake? Can you accidentally scrape email addresses off of a website and accidentally create a mailing list to spam them?

Everything points to this being a malicious action. We don't need to give a spammer the benefit of the doubt.

Scraping emails and sending spam is passive aggressive and wrong. It is much more disruptive and hostile than calling someone a name, and nitpicking the use of "utter scum" here is drawing attention away from the real offender, the spammer.

If calling someone utter scum might get them to rethink how they are exploiting others, I will have no issue using it. OP did nothing wrong here.

Wonder how many people are harvesting emails for general marketing spam
Report the mailscarp/mailscrap/etc domains to spam trackers everywhere