Ask HN: Just received spam to an address only used at Amazon?
Like many of us I have an email address for Amazon (.co.uk) which I don't use anywhere else.
A few minutes ago, I received a pretty nonsense spam mail to that address.
I contacted Amazon support who said 'we're investigating' in a way that made me think I might not be alone.. and advised I forward it on to stop-spoofing@amazon.com.
Just curious if anyone else has recently had similar?
(To head it off: no it shouldn't be third-party sellers - they don't get your email, any disputes etc. are through a unique-id@marketplace.amazon.co.uk address in my experience.)
81 comments
[ 0.24 ms ] story [ 43.5 ms ] threadIt's also possible that a browser extension accessed it.
I've had other spam to aliases that aren't anything I use, and it didn't follow a format similar to that. (For some reason I get a lot to archos@ for example, even though I'm pretty sure through bug tracker, AUR, etc. I have public Arch-related addresses that I do actually use! I'm not sure why that came about.)
But yes, some couriers do let you tie an email address to a physical address to get notifications.
Third-party sellers are typically given an address like <gibberish-hash>@marketplace.amazon.com to which they can reply, and correspondence is then forwarded by Amazon to the actual customer's email.
* there was no obvious way to do it. Closest thing was by reporting issue on product.
* there was no way to show the customer service agent a picture of the mail. Chat did not support sending pictures & they were unable to open imgur link.
* agent recommended me to leave a report it by leaving review to the seller page. I did that and next day review was deleted.
(I must admit I created them approx 100 USD/EUR turnover last year and 20 USD/EUR this year. Sometimes all alternatives are so much worse.)
All the info is being skimmed and sold at some point. It often mentions the parcel company it arrives through which confirms this to me.
Only potential issue is that if it's a real HMAC like HMAC-MD5[:16] the nonsense address might give spam middleboxen very bad indigestion.
Or maybe the crazy service addresses used in cloud infrastructure have actually inoculated everything to a reasonable extent and this might work?
It very much happens, I had a business owner lecture me that they owned their domain and I shouldn't be able to use in any part of their domain name in my email address.
It does...
I've had signups blocked using business@domain.tld, (some Samsung service is one I recall) and in one case I had legit sales queries completely ignored until I used an alternate email.
I have a catchall and it's interesting what type of rubbish appears.
I have gotten phishing that pretends to be an AWS support case ticket reply about how my instances in us-east-whatever are about to be terminated due to a host node going out of commission sent to aws-iam-root-user@domain - a domain that has never used or touched AWS and a left hand side mailbox that has never been used once. If it's anything obvious it's probably made it onto some type of dictionary list.
https://news.ycombinator.com/item?id=33020571
Further, customer support agents can pull up your details as well. At least when there is an active ticket. I was reached out by one of the support executives confronting me from his personal mobile number after I left poor feedback for a chat interaction.
Amazon has little or no respect for data privacy especially in regions where there are no strict regulations that can cause them monetary loss through fines.
Since you mention it's in UK, I am surprised this is the case.
Out of the loop, what's the purpose of having a separate email address for Amazon?
Do you use email aliasing to achieve that? (e.g. your.address+amazon@gmail.com)
yes, i run my own email server.
There are email providers that let you use your own domain (i.e. you don’t need to operate your own email server) with any number of localparts, i.e. a catch-all (without needing to use “+”), and which usually also allow you to set up filtering rules, and let you auto-forward to a different email address (e.g. GMail) if you like. You can then use whatever@yourdomain at your whim, without having to first register the localparts you use.
Remembering when I've put a custom email (amazon@mydomain) vs a plus (me+amazon@mydomain) not to mention remebering both that I've used something fancy and, how exactly I customized it has just caused a bunch of headaches. I have warranty purchases across multiple email addresses for sites, figuring out what to type into the "forgot my password" box is a pain...
I even have a Steam login that I can't for the life of me recall how to get into. I only know the username, but I don't know how to request the reset email associated with it. None of my guesses have worked. So ... I just made another Steam account.
... and ironically the email address I give to close friends is the one that's all over haveibeenpwned.com.
/facepalm
One of the most annoying is when contacting customer support by email and they reject andy@ at and now I have to find a way to send an email to them from ocado@ or whatever email address I chose.
I use an email client that lets me specify an arbitrary From address, and also that automatically derives the From address either from the recipient of the message or from the To of the message being replied to, so it generally fills in the correct From address by default.
They just iterate over every dictionary word and bolt on numbers and extra letters, or you'll see stuff like genewitci@gmail.com henewitch@gmail.com, etc. I haven't paid attention to gmail in a couple of years since i now use my own domain and fastmail (for $5 a year, even), so i have no idea if the mailing lists are more refined now or not.
Nearly everyone on earth knows about the dot separators and the +whatever that gmail allows, and will just trim that before they sell your email address, nullifying the usefulness. having someuniqueID@example.com is much nicer. you cut down on spam a lot, however it does open you up to a lot of spam to admin@ and webmaster@.
The primary reason is because Amazon has a huge security hole by way of chat and call center reps.
There used to be a way to hack into someone's Amazon account that went like this:
1. Call Amazon and say I'm 300 bps and my email is 300bps@gmail.com
2. Tell the rep you want to add a credit card on your account and give them the credit card
3. Do a forgot my password. One of the MFA questions was "What are the last 4 digits of any credit card on your account?"
So to hedge against this particular exploit and any unknown ones that come up caused by Amazon's giant target and their accommodative customer service, I just use a unique email address on their site.
(It could theoretically capture the historically seen addresses, store those, and list those back out I suppose... I'm pretty sure there's no reason for that to be the case though. It's SES if you want to check.)
If it is not, then are you sure that you trust every ISP between Amazon and your mail server?
Have you ever ordered anything heavy, or international?
I also think that the kind of hoops tech-savvy folks go through to protect their main email account from spam are more time and effort than dealing with spam in the first place.
I'm personally not going to register for things with a thousand different + addresses just to try and find out what company leaked my email. Even if I manage that with a password manager it just seems like an extra chore.
Spammer's got me email address? I don't really care. The spam is going to the spam box.
Am I opening myself up to a larger attack vector? I guess so, maybe. There are more important things in life than locking down my online life like it's fort knox.
Like, think about it, OP. You got a piece of spam mail and you contacted Amazon, and then made a post on HN about it. Is this really worth your time and headspace? I get hundreds of pieces of spam email a month and I don't notice or care.
I don't really think email addresses were designed to be private pieces of information in the first place. Enabling two-factor authentication is the effective protection against account seizure.
Which by the way, for me is more than just dealing with spam. It's more about dealing with a breach of trust. If my info got leaked or sold by a company, I might want to review what kind of business I would like to have with them. I mean, I even got spam on an email I gave to a company I was contracting with. After some research, it seems like it was for a company owned by a high exec's son. Keep in mind that this is was post GDPR and the company did business in Europe.
https://www.wired.com/story/amazon-failed-to-protect-your-da...
I have received 2 emails from an Amazon seller's personal email to my personal email asking me to remove a review about a cartridge of printer ink. The review was written by my father but using my account.
They did also email me 3 times through Amazon's email forwarding. But the 4th and 5th time was directly to my personal email which the Amazon account is registered under. They offered me a full refund and a $20 gift card.
He signed his review with his first name, and in the email they address him by that name. Yet my personal email is MY name plus some numbers.
I never responded to their messages or anything that would give them access to my real email. The only acknowledgement of their emails I gave them was changing it to 1-star and adding in that they are offering to pay people for 5 star reviews.
P.S. don't buy any printer ink from JARBO. Aside from the email spam, the cartridges run dry after a couple dozen pages.
Here is the first direct email
> Dear Customer, This is Lexi from Jarbo. I apologize for my delay contact. In order to match your order ID, I have searched it within thousands of orders.
> We received your review that the toner cartridges are not working properly and have caused you so much trouble. I understand your feelings, and hope that you can give me a chance to rectify this.
> Therefore, we'd love to compensate $20 to make up your loss. Will that be okay?
> Because I am only an after-sales service staff, in order to better apply for a refund to the finance department, Could you remove the review first? I will get the refund back to you within 72 hours.
> Here is the link to your review for your convenience:
> [ link to review they want removed ]
edit: I'm in the USA, amazon.com domain
It also works with 1Password. Neat stuff.
[1] https://bitwarden.com/blog/use-bitwarden-to-generate-email-a...