Ask HN: People who use different emails everywhere, who sold you to spammers?
source link: https://news.ycombinator.com/item?id=31116861
170 points by dyingkneepad | 245 comments
I've heard a lot about people who have catch-all email accounts and subscribe a different address to each service. So, these people may have a nice idea of who sold or leaked their email addresses based on the spam they are getting. Are you one of these people? Can you name your spammers?
As a side note, I have a friend from not-US who by mistake used a special address only for this country's IRS equivalent (he had something like "unit 12A" instead of just "unit 12"), and he would occasionally get physical spam to that address. I remembered that, then decided to ask this.
They give my address as if it belonged to them. Probably they created addresses like narag33@server and they believe that it's narag@server instead.
So not only do I receive all the spam from dubious sites that they subscribed to, but also their legitimate mail from lists and friends.
My namesakes are idiots. But some of the companies responsible for the subscriptions, like Paypal, are assholes. They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.
(The last one of the above I replied to - it was an order for a rifle scope. I sent what I thought was an obvious joke email back asking whether it'd help me hit my neighbours' puppy at a mile range. The gun shop replied back suggesting an alternative scope... Moral: never apply UK style humour to US situations, especially not about guns...)
But in the last few years I started getting hotel reservations, golf course membership, bills, orders for liver supplements. I tracked down who it is ages ago and sent them an email (I was cordial - "Hey we have such similar names but I'm on the other side of the world, crazy huh?") and got no response. Eventually I replied to the liver pill people and said "Hey this isn't me and if you could let the actual person know that'd be great" and the emails stopped. Way to go liver pill people.
I had a similar experience, funnily enough golf course memberships too. Doing minimal OSI work on the numerous emails I found the guy on facebook and friended him (accepted due to same surname I assume). I remember saying something like:
"Hi, I noticed you just signed up for an Epic Games account, and you happened to use my email address <lastname>@gmail. Would you mind not doing that, please?"
He responded that I was a creep and that it was his email, and proceeded to block me. I mean he might've been right on the former, but patently wrong on the latter.
I sent a few emails to his family explaining this, they told me that I was wrong. I gave up and just ignore all of those emails.
It's on gmail and I don't use gmail for important things anyway...
I once got someone and their family's Disney World booking details sent to <theirname>@<mydomain>. It was a real thing, I could click the link and go view their booking at the official website. I have no idea what made that person type out <mydomain> as their email, the domain is not even close to any publicly hosted email services or any company names. I kept getting more notifications of the upcoming Disney World trip so I ended up disabling that particular address so that those emails bounce.
I used to reply to misaddressed mail when it amused me. I used to string along a whole family of people that included me in group emails with racist Obama memes and pictures bragging of poaching.
I stopped replying to these when in another case I was asked to tell an estranged family member that their sister had cancer since I was the only one still in contact with her. I did inform them they had the wrong address at that point.
I’m still on a mailing list for senior members of a local police department and even was sent logon/passwords to some of their systems but I’ve learned not to try to correct these things, it’s just too much of a hassle. In the case of Venmo and Verizon I couldn’t get it fixed even with phone calls.
I mostly get signed up for newsletters but I do actually have the name and address of one of the people who uses my email address. I know it's not exactly polite and didn't want to be mean and cancel any orders but I mayyy have logged in and changed her name on the delivery address to "stop using my email address please" and she's never done it again.
There's also a teenager at a school in the US using my email address on social media, I get a lot of requests to send me freebies!
I also apparently have an espn account now, if I liked sports I'd be taking advantage of that one!
Even weirder was one time I had RSVPs to a wedding. The couple's name was exactly the same as my partner's and mine! I had to email the pastor and say I think you have the wrong email address!
I've had blood test results, graduation photos, I get emails from this girl's doctors. I've contacted them so many times to say I'm not your patient but they don't listen. I also know what car she leases! At this point she must have realised!?
Imagine dealing with Comcast customer support. Then imagine not even being a customer anymore trying to get this resolved. Now imagine explaining how you're not the person on the account yet have the same name and how this is a huge privacy/security violation.
Took years to get rid of. One day I'm waiting for a silly collections bill or something to show up in "my" name for the other person.
* A Joe who runs a lego engineering team at his high school
* A Joe who goes to bible study in Utah
* A Joe who is building a house in Victoria Australia (I'm so familiar with him/others screwing up his email that I can forward it to him and his wife easily.)
Your targeted ads must be really interesting :-)
The silver lining is, of course, that no one has yet built an accurate profile of you ...
Also: When I use Facebook's feature "show data that others have uploaded about you" (or similar), it is full of this guy's stuff that was provided to facebook (and attributed to me) by businesses this guy has relationships with.
Nothing I can do to remove it.
I really wish I could get his phone bill sent to my email address so I could call and tell him he could have gotten a larger raise
Now I get phone bills, internet bills, promo emails, subscription emails, two factor emails, and sometimes even bank related emails addressed to someone who shares their first name with me.
It's been years now. I've reported the emails, but neither the intended recipients nor the sending organizations seem to care.
I agree, my namesakes are idiots too and so are the companies who don't have a simple email verification system. :(
Never heard from them again.
* obviously this is not my email address, but it demonstrates how the situation arose.
I don’t even use gmail anymore, but I keep looking into what kind of fun emails I get (and I report every opt-out-only newsletter, which includes Google Fiber and some US Democratic Party thing, as spam).
I haven't noticed many leaks/sales at all of my specific account addresses. I get almost all my spam on my regular gmail, and promotions for companies that my namesakes have signed up for, left my email at a store, etc.
I have identified several people from the variety of emails I get, including work/school/personal.
> But some of the companies responsible for the subscriptions, like Paypal, are assholes. They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.
This is my absolute biggest gripe. Someone signed up for AT&T using my email. I contacted their support on facebook, and even after explaining the whole issue they asked me for my phone number, and recommended I call their support. I'm not even in the country. They stopped responding when I pointed that out.
While I want to trash AT&T (deservedly), they're unfortunately not alone in that behavior.
This email is regarding: [].
Class: MATH 7 ADVANCED Prd: 2 Teacher: []
-----------------------------------------------
Good evening, please check [] for missing work, complete it and submit it. Let me know if you have questions or need any help or anything opened up or more tries. Remember the Ch. 3 test due today. Thank you, Mrs. []
I replied:
I think you've got the wrong email address.
Thanks, David
The teacher then replied:
My apologies. You are correct. Your son is crushing it :) and I failed to take him off the group email. Thank you so much for letting me know and keep up the great work! Again, I apologize for the inconvenience. Mrs. []
I then replied:
Thanks! Only one thing: I don't have a son.
The bills are in encrypted PDF, but the encryption is trivial to remove. I looked at the bills, it's someone with a name similar to mine, just one letter different. I emailed the real person, telling him he had used my email, but got no reply.
I just press spam now, and the emails have stopped coming to my inbox. But I still get the emails 6-7 years later. It's mind-boggling how a) Airtel never confirmed the email b) they haven't stopped sending even though they've been going to spam for years now.
A few years ago I tried to contact some of my other selves to ask them to mind their email, but never got any response. I'm just ignoring them now or hitting the spam button (after all, the senders should have a process to check the address instead of taking erroneous email addresses written by hand on paper).
+1. My OG name email has been mistakenly registered for a PayPal account, but there's no way I can go about disavowing the account, or removing my email address from it.
They can make a new one with their own email if it’s important.
As someone who has done this too, I wouldn't be surprised if it violates some misuse of computers act - but I'd rather that than be responsible for the security of someone else's finances
Edit: there is one boost mobile customer who has done this to me and I can’t figure out the exact address they used (the thing where you can add periods gives a lot of possibilities), and I really wish I could password reset and close this account because approximately every other month for years I get late payment notices, then impending cutoff notices, then cutoff notices, then “thank you for your payment your service has been restored” notices. It’s both sad and annoying and I finally just black-holed everything from boost mobile and hope I never decide to be their customer in the future because troubleshooting mail delivery problems when I’ve forgotten about this will drive me insane.
I've never really been 100% sure if changing the password and logging in to delete the account would violate the CFAA. I mean nobody would have gone after me for a Twitch account anyway, and I'd definitely have felt moral deleting the thing, but the letter of the law...
- The account effectively belongs to you anyway.
- The person who created it isn't going to be able to recover it if they lose their password, better they know about this sooner than later by you locking them out.
My name is fairly popular in my part of the world and everyone who has it uses my email address as a throwaway since they actually authenticate using a phone number. I have matrimonials, visa applications, leave applications, uber accounts, SaaS subscriptions, porn subscriptions, random newsletters and whatnot. My gmail account is all but unusable now.
Sometimes I get so annoyed I do a password reset on their accounts. Gotta learn somehow.
Same here. But my first name is so unusual that I have literally not found anyone else on the internet with my first name. Any and all searches for my first name (and nothing else) have results that point to me.
Now, I get Bank Statements, Credit Card, Health, Insurance and whatnot for over 5+ "Brajeshwar"s in India. I just ignore them as I use my GMAIL ID just for newsletter subscriptions and remnants of the old Internet but I do check once a week during my weekly digital chores.
The problem is the word spam. What you describe, misdirected mail from completely legal businesses is not really spam, even if it is junk for you personally.
There is aggressive marketing of very vaguely related products you have actually registered for. There is marketing of illegal products mostly using harvested addresses. There is phishing often using stolen addresses.
If you want to understand the problem as the OP obviously does just speaking of spam is not helpful.
Unsolicited commercial messages.
If the actual receiver didn’t solicit the message, it is spam. It doesn’t matter if the business is legitimate or not, if anything it makes it worse because the FTC occasionally does fine companies for sending spam.
Legally, you have to verify the email address before sending any further messages. If you don’t, you open yourself up to some serious fines if and when the FTC or whomever decides they want to make an example of you.
What about selling fake products?
Instead use the reserved domain example.com.
Over a year ago, I noticed that somebody's paypal was set to my gmail account. They had also used my account for payments to Donald Trump (I was getting hilariously desperate and pleading messages for more donations), Banggood, and Amigo Loans (as guarantor).
I was able to get information about different addresses they have lived (Ireland - not sure how many Trump supporters live in Ireland, which was weird), what other email addresses they had, etc.
In the end, I logged into their paypal (surprisingly easy) and changed their email address to the correct email address, and emailed them their new password.
I still get the odd one-off email from other places, such as a damp report for a property in Hemel Hempstead, but at least I haven't had any more paypal messages. I sometimes wonder about the legality of what I did - obviously I did nothing malicious, but I suspect it contravenes the letter of at least one law. But the thought of being made in some way responsible for the security of someone else's finances filled me with dread.
Add Discord to the list.
Use an account with an unverified mail? Fine by us!
Go and try to actually verify the mail? Alarm bells go off and the acct locks up (sorry, not sorry for the owner of that acct)
waltr2@ wemo@ elara@ curse@ gizmodo@ lastfm@ macheist@ monster@ myspace@ skillshare@ dropbox@ meetup@ dribble@
And digitalocean because their unsubscribe page didn't work. If they won't stop sending, I will stop receiving.
Then I got a response from the salesperson. I asked if he knew that I had started getting spam to the e-mail address that only they had, and he said there was no way that was possible.
I figured that his machine had some malware on it, and that harvested my address and sent it to the spammers. But the cynic in me wondered if they wanted to make money from selling the spammers my e-mail address AND from selling me a spam firewall.
My assessment was that businesses were not stupid enough to sell email addresses (they knew they'd be reamed for it if word got out) but just enough of their friends' machines had sketchy browser plugins, malicious android apps, back-doored aimbot cheats, etc. harvesting contact addresses and sending the data back to spammers.
Do you think the spammers retired? I doubt it, there is only a shift towards trying to get more phone numbers instead of email.
I worked for a company whose mailing list ended up being leaked to spammers.
Our (otherwise seemingly legit) mailing service we used for our opt-in-only mailing list got breached.
We got lots of irate customers (there are surprisingly many people who use catch-alls), the mailing list provider put up a blog post saying "they were investigating" with no followup, and suddenly a month later they redesigned their blog and the old post was gone...
1. Companies who use dark patterns to spam you even though they implied they wouldn't, and who continue to spam you even after you try and unsub from them. Even Google are bad at this... you can explicitly unsub from everything but dare to purchase another product and they'll yet again include some tiny checkbox somewhere that has resubbed you. These feel like Sisyphean subscriptions.
2. Individuals with similar names who cannot get their own email right and seem determined to never receive their travel documents, insurance policies and other things, and who leave you subscribed to obscure local mailing lists like the one for dog rescue in Florida which I am a BCC on and I can't get the list owner to effectively unsub me, or the school in North Carolina who keep telling me about my namesake's child who needs to prep some piece of homework and they tell me this via a no-reply address.
There's not a lot of "leaked email address is used for spam" as one imagines... at least, it's almost zero.
We’ve gotten less spam than I expected and from fewer sources.
The big ones are dropbox (likely breach related), justworks, [email addresses listed in Whois records - note: Whois privacy features are absolutely worth it], and emails associated with open source projects and businesses that get listed in repos/project/business websites.
I have blacklisted 1 video game discussion forum whose owners sold it and all its data and 4-5 misc retailers (mostly in fashion/clothing) for either outright spam or having non-functional un-subscription features.
We continue to use this email strategy for a variety of reasons, not only spam management. I don't think I would set such a system up if my only goal was spam reduction as breaches and publicly posted addresses account for the vast majority of the spam and those will get you either way. There is merit to having your main personal address be separate from the ones you publicly post for business/open source purposes.
As an aside: the experience has led me to an anti-spam idea that I wonder if anyone has tried on a larger scale. I have multiple different addresses that were clearly involved in a breach or I post on public websites where they get scraped. However, I know that both addresses are unrelated to each other so I end up getting listed on some spam lists multiple times. In these cases, any message where you get separate copies to multiple different addresses is spam 100% of the time.
My motivation of keeping it up is mostly habit, I wouldn't want shop mails on one of my public addresses anyways. A nice benefit is that phishing mails arriving at the wrong address are even easier to not fall for (but a deeper phishing attempt, with targeting based on a breach or something like that might become easier to fall for)
I think you just described a bloom filter.
The most amusing was the UK Parliament petitions site, since you would have thought they were a bit more careful with the email addresses given to them.
But the strangest is the persistent use of specific email addresses that I've never used anywhere - about half a dozen common forenames, and one forename-plus-three-numbers. I've no idea where they originally came from - perhaps someone padding out their email lists for sale with semi-randomly generated ones? - but that set of addresses has been used and reused for over a decade. At least it makes it easy for me to train spam filters, since even novel emails are easy for the filters to spot when multiple copies arrive together.
The one that puzzles me is that some recruiting database got my personal email address, the one I only give out to people I care to keep in touch with. I've never, ever given that email address to a recruiter! I asked them how they got that email, and of course they just said "some AI-powered recruiting tool we use". It's sad because that email address is super fun and I had managed to keep it private for so long...
I'm quite sure the reason will be that this service emails others on "your behalf" and probably does something like placing your email address in the "From" field or in the body of correspondence. I assume they are concerned about phishing or catfishing emails purporting to be from the service.
This doesn't appear to be an adequate solution to the problem.
Though who knows, maybe hex addresses will look fake / malicious and trigger a ban anyway.
We will fix this in our TOS
The offenders that I remember:
- Men’s Health magazine
- local gym
- online flower shop
- agency that at the time handled visa applications for a local Indian consulate
- a couple of infoproducts from Producthunt (think "free e-book of 10 most effective cloud practices" type of stuff) gave my email without consent to other sellers of infoproducts.
He's the type that also will string along the spam callers until they hang up on him, so he enjoys these conversations.
I tried to order a textbook online and my transaction got flagged as suspicious, so I had to call a support person, and he wasn't having it:
- foreign credit card
- address marked as non-residential area
- sketchy email address using their company name
Had to take the bus to a bookstore.
I get the odd one from the address I used when buying my Ledger hardware wallet in 2017. Their address list was famously leaked a while ago, and this email address was on it - luckily not my address or phone number though.
Then occasionally I get one to my amazon-specific address. I figure via one of the vendors I've ordered from via Amazon? But who knows. Bezos didn't get his billions by not trying everything.
18 months later, they announced a major security breach that they had "just learned about". https://www.infosecurity-magazine.com/news/foodora-data-brea...
Also not to say this is how all recruiters work. I've spent enough time in the industry to know in 2 minutes or less if I'm talking to a decent recruiter.
Can you describe what it is you need to keep track of ?
I imagine giving out [email protected] and if you get spam on that pseudonym you just block it in procmail or smtpd.conf or (whatever you do in gmail).
Right ?
Mayhaps just having an email domain that isn't from a big webmail provider keeps out the spam? But then again, I get plenty of actual spam to my work email which I've never given to anyone.
I still get a lot of spam on my primary mail, I'm pretty sure it has been leaked by breaches and from friends' address books. My spam folder contains mail for these services: btc-e, bitcoinforum, Heroes of Newerth, hearthpwn, hifi-manuals.com, gcc-bugzilla. Most of these have been breached (for HoN I even recall it was during their early alpha/beta, and they did not acknowledge the breach when I informed them - they implied I must have used it somewhere else and that it got leaked from there). On the GCC bugzilla the address might be visible (at least to logged in users), so that's probably scraping. The hifi-manuals one is pretty fresh, but IIRC they have been breached shortly after that.
A lot of businesses know both business@catchall and paypal1234@catchall, but I'm happy to say that I have not yet noticed 3rd party spam on these. Same for real life encounters for which I used the catchall (though the look on sales people is often priceless). However, aliexpress is pretty annoying with their own spam, as are some other retailers.
If you use the [email protected] trick to tag the business or website where you are using that email,
can't a scraper remove all +tag portions using a regex and send spam email directly to the plain email address?
You won't know the source of the leak if that happens.
Businesses can themselves do this if they deliberately want to sell or misuse your info.
I usually go about this now by having a dedicated domain for only email with a catch-all configured (Fastmail, Protonmail at least for Pro users allow this). That's great because every time I'm required to provide an email for no reason at all, for example hotel checkins, I can just come up with a new one on the fly: [email protected]
Bonus points for also preventing credential stuffing in case they get their badly secured passwords compromised too.
I don't have the numbers to back this up right now, but 90% of my spam comes from scraping my email from public documents, Github or one-off webshop purchases.
More than 15 years ago the addresses I had used for Financial Times and Finnair started to get Viagra etc. spam. At least one of them was after a big leak at an online marketing firm that made headlines. I closed the addresses so I have no idea whether the flood has ever stopped.
Maybe 10 years ago I booked a cruise to Saint Petersburg using a coupon from Groupon. After that I started to get spam in Russian. I don't read Russian but online gambling was obviously a topic. I contacted Groupon and asked about their sharing. Talked to their head of (don't remember what) and he claimed it's simple: They don't share the address with anyone. It was obviously not true because I never had any contact with Russia before or after and the timing was very evident. I closed the address.
Another address is in the Linux source / LKML. It gets Nigeria letters all the time, but with low frequency. Less than 1 a week on average. Maybe 1 or 2 in German and French over the years.
Those are the biggest cases. Maybe some other odd one over 20 years. It's worse with completely stupid tech marketing on my work address (which has been the same for 4 years).
Edit: And there has always been spam to my gmail address. I have shared/stored my gmail address in extremely few locations just for forwarding and it's of the form [email protected]. There are only 3-5 people on the planet with the same name. The spam comes without the dot so I guess it's not from a list of email addresses, but generated from a list of names. My name has been on the Internet e.g. in Usenet and in scientific papers many times long before gmail existed. Volume is not too bad, a couple of them every month. It was worse years ago.
- web.de
- gmx.de/net/com
I reproduced this with a new domain, a nowhere-occurring email on an email server that does not list its accounts via imap, and a single email from those services to the new email was enough to receive spam afterwards; even when the email wasn't listed anywhere on the web.
On a couple other addresses they receive spam mostly from Ghana, Botswana, or rural Delhi, so they're easy to identify. I keep the reddit-trained reply NLP bot active to reply to spammers and keep em busy.
At some point I might go the offensive route, cause they always seem to use standard software on outdated Windows machines, with couple of aliases of Western sounding names (well, at least in their own imagination).
My opsec mandates that I split up email addresses by security level and purpose, and the emails aren't related anyhow, don't use the same name and are basically random emails that cannot be correlated. I'd also encourage everyone to use a password manager and use only random passwords everywhere to prevent account stuffing or stupid script kiddies trying to compromise your accounts.
If there's one thing the BreachCompilation has taught me it's that every humanly chosen password is based on patterns and/or easily gathered social structures that surround them on a daily basis.
Google is very successful in rejecting spam before acknowledging its reception via SMTP (probably mostly via IP blacklist) so I don't see it, the amount of spam shrank drastically. For a very long time a lot of spam came via icq@mydomain (yes, it has been a while), but nowadays almost all spam that I see comes via the @web.de address where Google cannot apply its IP blacklist because it's received via web.de's servers. I know because the mydomain email server also used to forward received mails to Google, resulting in said 30k entries in the spam folder. The transition to put Google itself in the DNS record made all the difference.
I am kind-of surprised I don't see more spam coming via the catchall address. Sometimes spammers use mydomain with random local part as sender address, so I get bounces.
auction.com - absolutely resells your email for years to come, thanks whoever subscribed to that.
The RNC is way worse than the DNC, but both resell their lists quite a bit for political purposes. Voter registration similar, but I think that's just open records stuff.
But a lot of failed double-opt-in. Massive amounts of it.
This is a phishing attack.
After a while I talked with one of those customers and they knew about it. It was "an email that got compromised".
E.g. one of their employees did fall for the phish and opened the email, clicked the link, opened the binary. Got infected and (a part of?) their inbox uploaded to the spammer. That is then used to send out new targeted phishing attacks where the name is spoofed, but sent from another victim of theirs. Pretty effective phishing attack it seems. Took me a bit before I realized what I was looking at as the email seemed to come from that customer. It was only because it was a bit weird that I noticed things being off, like that the email address itself was different.
Another is the mail used in domain registries but it’s low volume
The worst offenders are mailing lists I subscribed to that fail to respect unsubscribing. I find the smaller they are the worse they are. So many just re-add the mail six months later. There I have a rather fun mail rule.
Any mail from their domain gets an auto reply with an explanation that this isn't cool, with every support, admin, sales mail I could think of in cc. It includes a list of all the times they mailed me and all the times I asked them to unsubscribe, handily auto-generated by a node-red flow.
Yes, it’s pedantic, No I feel no shame.
For instance;
- I have something like [email protected], which is the free Netflix account that I got from my Jio Fiber connection. I gave that to the in-laws.
- [email protected] because the Indian Passport Office won't allow more than 5 Passport (I think 5 was max, last time I checked) applications from an account. I'm usually the person dealing with the Internet and digital stuff for our family, and most of the relatives. The limit gets hit pretty easily.
I used to sign up for almost every startup that pops up from friends, acquaintances, and people whom I had even interacted with once in the hope that I'm helping them with one more account. Unfortunately, startups in India especially will bombard and spam relentlessly (emails and phones), so I have totally stopped signing up for anything. I either use a throwaway or the "+" method when I really have to -- [email protected]
A few years ago, I started logging the ones that specifically spammed my phone number. I visited a Startup and agreed to give them my number for the visitor log entry. I trusted them because I helped them with their product during the MVP to pitch Investors. They started spamming me after I left and before I reached home.
I stopped the logging and now I have declared SMS/Text Bankruptcy. https://drive.google.com/drive/u/0/folders/1jI0DxmZ586cBmyu1...
Wow, what a strange limit! I wonder what their rationale is for having it?
I suspect that most of the entries on the list got hacked. There are a few exceptions where companies do not honor unsubscribe requests and keep sending you emails or flat out sell your email address.
Here's a list that was collected over many years:
- Cory Doctorow's mailing list (twice)
- bitcard
- Achatzi, CSV direct, easynotebooks, foto-erhard, hivilux - (german online shops)
- dcemu, gbadev
- Dropbox
- funcom
- gawker
- Kimsufi and OVH
- GoodLuckBuy
- Mails listed in WHOIS
- Mails used in Yahoo groups (RIP)
- MiniInTheBox
- monster.com
- moneybookers
- pianostreet
- Usenet (duh)
- Typepad
- UnternHammer
The worst was when spammers got ahold of my email from a hotel chain and would add random letters to the username. So, for instance, the email address I provided to the hotel chain was something like [email protected], and the spammers would send to [email protected], [email protected], etc.
That forced me to stop using a catch-all and only accept usernames that conformed to a certain format.
[email protected]
It took me a while, but I realized that these were Message-ID headers that were being used as email addresses. I had just assumed there were some badly written scrapers out there treating "blah@blah" as an email address and harvesting all such matches.
I never give out my raw email address, I use:
- [email protected] for twitter
- [email protected] for amazon
- [email protected] for HN
etc.
Makes it very easy to track down who sold out my email -- and filter on it.
Back in 2018 I bought a plane ticket from Eurowings and I gave them an email address with that pattern, and while they were happy to accept the email address on the booking page and take my money, the ticket and login systems didn’t, and I had to get a refund and a much more expensive last-minute ticket at the airport.
(The customer support person also managed to spell my name wrong when I contacted them).
If I want to see who leaked my address I just search my email archive to see where I first used it. Also of course this means using a password manager. I opt for keepassxc.
195 x+kickstarter@xxx
57148 x+newrelic@xxx
The rest doesn't even register.
Scammers on the other hand contact me on all my emails that have been leaked/compromised. Latest being xfinity.
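The two habits described above, restricting a catch-all to local parts of a known shape (so random letters appended to the username or harvested Message-IDs are dropped) and tallying which +tag the spam arrives on, as an added Python example. This is not code from any commenter; the domain example.test, the base names x and cs, and the recipient list are all constructed for the illustration.

```python
"""Sort catch-all recipients: accept only local parts of a known format and
count accepted mail per +tag. Added example; all sample data is constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Hypothetical catch-all domain; anything addressed elsewhere is not ours.
CATCHALL_DOMAIN = "example.test"

# Names that may receive mail bare (no tag) and may serve as the base of a
# tagged address. Assumed set: "x" stands in for the real username, "cs" is a
# bare alias like the one a commenter mentions.
KNOWN_BASES = {"x", "cs"}

# base "+" tag, where the tag is a short run of lowercase alphanumerics.
# Random-letter padding of the username ("xq", "xzz") has no "+", and a
# Message-ID local part ("20220420123456.GA1234") has dots, so both fail here.
TAGGED_RE = re.compile(r"^(?P<base>[a-z]{1,16})\+(?P<tag>[a-z0-9]{2,32})$")


def classify(address: str) -> Tuple[str, Optional[str], str]:
    """Return (verdict, tag, reason); verdict is 'accept' or 'reject'."""
    addr = address.strip().lower()          # addresses compare case-insensitively here
    if addr.count("@") != 1:
        return ("reject", None, "malformed")
    local, domain = addr.split("@")
    if domain != CATCHALL_DOMAIN:
        return ("reject", None, "foreign-domain")
    if local in KNOWN_BASES:
        return ("accept", None, "bare")
    m = TAGGED_RE.match(local)
    if m is None:
        return ("reject", None, "format")
    if m.group("base") not in KNOWN_BASES:
        return ("reject", None, "unknown-base")
    return ("accept", m.group("tag"), "tagged")


def tally_tags(recipients: List[str]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Count accepted mail per tag (the '195 x+kickstarter' style listing) and
    rejected mail per reason."""
    accepted: Counter = Counter()
    rejected: Counter = Counter()
    for r in recipients:
        verdict, tag, reason = classify(r)
        if verdict == "accept":
            accepted[tag or "(bare)"] += 1
        else:
            rejected[reason] += 1
    return dict(accepted), dict(rejected)


# Constructed envelope recipients as a catch-all might see them in one day.
SAMPLE_RECIPIENTS = [
    "x+kickstarter@example.test",
    "x+kickstarter@example.test",
    "x+kickstarter@example.test",
    "x+newrelic@example.test",
    "x+newrelic@EXAMPLE.test",          # same address, different case
    "x+newrelic@example.test",
    "xq@example.test",                  # username with random letters appended
    "xzz@example.test",
    "20220420123456.GA1234@example.test",  # harvested Message-ID used as an address
    "x+bad.tag@example.test",           # tag outside the allowed character set
    "cs@example.test",                  # bare alias on the allowlist
    "x+newrelic@other.test",            # not our domain at all
    "y+shop@example.test",              # tagged, but base is not a known name
]

if __name__ == "__main__":
    accepted, rejected = tally_tags(SAMPLE_RECIPIENTS)
    for tag, n in sorted(accepted.items(), key=lambda kv: -kv[1]):
        print(f"{n:6d} x+{tag}" if tag != "(bare)" else f"{n:6d} (bare)")
    print("rejected:", rejected)
```

In production the same `classify` check would sit in the MTA's recipient verification (a Postfix `check_recipient_access` map, a Sieve rule, or a milter) so that rejected mail never lands in the catch-all at all; the tally is what you grep for when deciding who sold you out.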
I have an email address that I've only used for official things, and it was used by an employer as my contact email for pension savings with Santander.
I've had the address for 10+ years and never gotten spam. The same day I got an email from Santander about being signed up for pension there I started getting lots of spam emails.
My spam comes from a few sources:
- data breaches that leaked an email address (Adobe, Dropbox, LinkedIn, GoDaddy, etc.)
- family that used to forward all kinds of crap using the TO: field instead of BCC:
- some companies sold my email which then started to propagate more and more
- some just figured it out. If you own a domain firstlast.com you'll get spammed at [email protected]
- DNS records
There are more I'm sure. These are the sources I'm certain of.
Your email is only as secure as the weakest link that has that address.
I made some noise on Reddit about the Splunk one and I didn't receive anything else after a quick exchange with them, I reported the SublimeText one but a couple of years later I got other spam to this address, and I didn't bother doing anything with the Canva one.
For the large sites like fb, linkedin, twitter, etc I do use unique emails. Not so much for spam, just to compartmentalize them away from my primary email so they don't have it.
One that sticks out is Kohl. I never signed up for them and they spammed the shit out of me 15 years ago. I've never shopped there and from the spam I never will.
Otherwise, a conference running company in Japan spams me and they use a new email address on their end for every new conference.
Absolutely no one.
And I've been using this system for over 5 years now
I very rarely receive spam on the email address I used to post on the Debian bugtracker, and on the generic address I give to individuals. Apart from that, none of the specific email addresses are spammed.
It's been almost 6 years now. I sometimes understand why I receive some infrequent broadcast mail thanks to the specific address I used to subscribe.
…except for a single email with a Google Docs link that got sent to cs@mydomain. I don't know what I used cs@ for. I don't have any other emails to that address. Very odd.
I had always intended to do some analysis of my catch-all address spam, but there's just so little of it that it isn't that interesting. A quick glance through my spam folder shows these have been hacked or sold emails:
Dropbox, Canada Computers, Last.fm
I've also seen a couple of forum accounts in the past, but nothing else noteworthy.
The most recent offender was my kid's tee-ball league.
Fortunately (unfortunately?) my email has only been sold once, and it wasn’t as egregious as you might think.
Amplitude, the user analytics company, sold my address to at least 3 companies who simply started emailing me as if I’ve always been a subscriber to their newsletter.
I do use their free plan though so I’m not mad about it.
And the great people who think it's okay to use the most natural-sounding email address as per their name while filling in forms (including banks and cards), and moron corporations like banks, telcos, Amazon Business etc. who think it's perfectly fine to not verify emails.
And my personal@my-domain that I use to communicate with friends etc. So apparently my friends aren’t lesser idiots - they think their phone and gmail contacts are to be shared with the world. So maybe use a unique email for every friend and personal contact? :D
This isn't really so bad an idea. When it comes to your contact info, your friends/family are probably the big adversarial vector to your info. Their ignorance is your worst security.
knowledge is power
Coming from GMail, I expected an untenable amount of spam - but that seems to only be a GMail problem? I’ve only had two incidents of unsolicited spam from a vendor sharing my email address since moving to ProtonMail.
For one I don't remember the details, but I gave a yoga accessories company my email address, and like a year later I got an email addressed to that email address from a cannabis company.
The other time TicketMaster shared my email address with Warner Bros.
However my public email addresses (like the ones I use on GitHub, npm, git commits, etc) receive a lot of spam - but those are harvested, not shared.
Now my email address actually serves another purpose: limiting the ability for leaked user databases to connect my identity across providers. I’m starting to use a different username, email address, and password for every service I use that isn’t linked to my professional identity.
I get a few others to an apartment building I once got on a mailing list to, and other random stuff like that. Probably folks that use Windows and got worms.
In short, I don't think anyone sold me out... but I could be wrong.
I do get a lot of business spam to other email addresses I have on LinkedIn but that's all vaguely relevant (no I don't want a website building, nor am I interested in video marketing).
In practice it's hard to differentiate between the sale of an address and a data breach, especially for smaller sites where the breach may not be publicized at all.
I'd love it if the tags were available in SSO as well, as the more stuff that logs in using SSO just reveals the main email. So I definitely got into some sales databases that way for $work email that had a constant flood of cold outreach.
The largest spam problem I have is that the email domain I use is a typo away from another company's. So I sometimes get quotes, or emails destined for people at that company, that don't hit the spam filters. One time, someone signed up for their online banking under my domain. Recently, I get all the service advisories for someone's Honda car.
Historically though my intention was to track who sold my email address and combat spam. It worked great.
The most notable one was the address I registered with ISC2 when signing up to take (and pass) the CISSP in 2002. The unique address I gave ISC2 and only ISC2 in 2002 was used to send spam and scam email not long after.
It was a fairly common occurrence in the early/mid-2000s to receive spam where I registered addresses. These days it seems to happen much less.
Bell Canada (got hacked a few times, notoriously)
So. Many. ATS. (Applicant Tracking Systems)
Several small time online stores.
The first two probably got breached and the emails stolen (although I have never ever received any disclosure of being breached from any ATS ever). Small-time stores probably sold it for actual money; they weren't exactly trustworthy in the first place.
I use Spamgourmet so I know exactly where any email address was first used and thus who leaked it.
Aside from that, I'm guessing it's mostly my Git commits on GitHub being the source.
I think the real worst offender is LinkedIn. I put one email on my resume and a different one for logging in to LinkedIn that should not be public. And yet I get direct recruiter spam there all the time.
It might not be directly through LinkedIn. About once a year, random recruiters will call my personal cell phone, even though I have no idea how they possibly got it. By now it's on a list that gets sold, I'm sure, but where it started, I'm clueless.
The most infuriating are recruiters who cold-email me at my work email. There's something about contacting me via my official capacity as an employee to take a different job that really gets under my skin. Might just be that I am very, very much not a "bring your whole self to work" kind of guy and more of a "keep a hard divide between my work and personal life" one.
- Walt Disney Studios Home Entertainment
- FX Networks
- shopDisney | Disney store
- ABC News
- Freeform
- National Geographic ("Now streaming on Disney+")
- Walt Disney Pictures
- Storyliving by Disney
You could argue that this wasn't a "sell out" since it was all Disney, but not a single one of those enterprises had much to do with a trip to Orlando. :-)
I started getting spam on it. Tried contacting them to let them know someone was selling customer email addresses and of course they just responded that obviously I had a virus or something.
Mostly unrelated, but just before I responded I was modifying a custom milter to filter messages based on the byte string "Copyrights =C2=A9 Xsolo All Rights Reserved" because this particular spammer likes to copyright his gmail spam. Weird but convenient.
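A caveat on matching the raw byte string above: "=C2=A9" is only what the copyright sign looks like under quoted-printable transfer encoding, so the same text sent as base64 (or as plain 8-bit UTF-8) would slip past a filter that searches the undecoded message. An added Python example, not the commenter's milter, that parses the MIME message and matches on the decoded body instead; both messages below are constructed and the addresses are placeholders.

```python
"""Match a spam signature on the decoded MIME body rather than on raw bytes.
Added example; the messages are constructed, not real spam."""
import base64
import email
from email import policy

# The commenter's signature, decoded: "=C2=A9" is UTF-8 for the copyright sign.
SIGNATURE = "Copyrights \u00a9 Xsolo All Rights Reserved"
RAW_QP_SIGNATURE = b"Copyrights =C2=A9 Xsolo All Rights Reserved"

HEADERS = (b"From: sender@example.test\n"          # placeholder addresses
           b"To: me@example.test\n"
           b"Subject: Great offer\n"
           b"MIME-Version: 1.0\n"
           b"Content-Type: text/plain; charset=\"utf-8\"\n")

# Constructed message the way the spammer sends it today: quoted-printable body.
QP_MESSAGE = (HEADERS
              + b"Content-Transfer-Encoding: quoted-printable\n\n"
              + b"Great offer inside.\n"
              + RAW_QP_SIGNATURE + b"\n")


def build_base64_message(body: str) -> bytes:
    """The same body base64-encoded: what a raw-byte filter would miss."""
    return (HEADERS + b"Content-Transfer-Encoding: base64\n\n"
            + base64.encodebytes(body.encode("utf-8")))


def raw_match(raw: bytes, needle: bytes) -> bool:
    """The fragile approach: substring search on the undecoded message."""
    return needle in raw


def decoded_match(raw: bytes, needle: str) -> bool:
    """Parse the message, let the email package undo the transfer encoding and
    charset, then search the resulting text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return False
    return needle in body.get_content()


if __name__ == "__main__":
    b64 = build_base64_message("Great offer inside.\n" + SIGNATURE + "\n")
    print("QP  raw match    :", raw_match(QP_MESSAGE, RAW_QP_SIGNATURE))  # True
    print("QP  decoded match:", decoded_match(QP_MESSAGE, SIGNATURE))       # True
    print("B64 raw match    :", raw_match(b64, RAW_QP_SIGNATURE))           # False
    print("B64 decoded match:", decoded_match(b64, SIGNATURE))              # True
```

Inside a milter the same `decoded_match` would run at end-of-message, once the full body has been collected, rather than per body chunk, because a quoted-printable soft line break or a base64 line boundary can split the signature across chunks.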
They got hacked and didn't even reset customer passwords, very glad I use unique passwords and limited the blast radius to them.
pretty much anything vaguely related to crypto
edaboard.com
lastfm.com
pcbway.com
asus.com
tl;dr: Used a burner email signing up for Comcast Xfinity and have been constantly receiving phishing emails on that address. (Last one was this morning.)
Never made any effort to determine if they were leaks or sold, but here are the ones I've had to send to /dev/null over the years due to obvious spam.
adobe, godaddy, ebay, sirius, vonage, dzone, snapfish, walgreens, US Postal Service; they just continued their model of selling physical address data into the online space. Seems to have been sold to typical catalog vendors, JC Penney, Crate and Barrel, etc.
Nearly 10 years later I still get sent random quotes for custom USB drives.
https://i.imgur.com/DA8njVs.png
(I changed the numbers around, but the point stands)
I also had a friend "helpfully" sign me up for information for some insurance company.
The worst constant spam I've ever seen; some of it uses legit expensive mail services, and a lot of it doesn't land in my spam folder.
I have another email that's put publicly in a website and it gets crawled, and I get no spam from it, just legit emails that are probably automated from people that wanna do business.
I assume they'd also happily hand over a list of all the books you've checked out and whether any of them were overdue.
However, I feel the need to assert my opinion that librarians are generally pretty fierce defenders of privacy in the specific context of lending/reading history, so your assumption does not ring true at all to me. Libraries/librarians have been consistent defenders of lending history privacy in the face of the Patriot Act[1][2] and I would be shocked to see a pattern of libraries anywhere in the US giving out lending history data in the context of anything but the most direct of legal requirements.
I was employed by a public library once upon a time and received specific training on when to share lending data ("never, and if asked, lock the computer and go get the Director, even if the person asking has a badge").
[1] https://www.aclu.org/press-releases/librarians-speak-out-fir... [2] https://sfpl.org/about-us/confidentiality-and-usa-patriot-ac...
Once a month or so I get unsolicited mail to my LinkedIn email address.
Other than that, I was surprised to find after a good 5 years of monitoring that I haven’t gotten spammed through unauthorized sharing of my email.
Now I can't be 100% sure - but I am 99.9% sure that was the only place that addy was used.
I have several that get spammed heavily that were used to sign up at various forums some years ago as well.
I just started sorting these into folders more last week, trying to remember the ones I didn't have to mess with that were already going to folders - but that's on a different system.
Received spam on a really old account which I do not use, a unique email address, and from one day to the next it was daily spam.
In particular recruiters (including from one FAANG) have picked up the Gravatar breach, and after some GDPR digging I've found a few of the unscrupulous vendors that laundered the breach data into the recruiter spam industry.
I have a separate email account for all the trivial and unimportant website sign-ups (which I can mostly ignore since it's nothing critical), but my mail account was only used for "higher risk" accounts. I assume it was a leak of some sort (insurance or utilities).