
Ask HN: People who use different emails everywhere, who sold you to spammers?

 2 years ago
source link: https://news.ycombinator.com/item?id=31116861

170 points by dyingkneepad 9 hours ago | 245 comments

I've heard a lot about people who have catch-all email accounts and subscribe a different address to each service. So, these people may have a nice idea of who sold or leaked their email addresses based on the spam they are getting. Are you one of these people? Can you name your spammers?

As a side note, I have a friend from not-US who by mistake used a special address only for this country's IRS equivalent (he had something like "unit 12A" instead of just "unit 12"), and he would occasionally get physical spam to that address. I remembered that, then decided to ask this.

I mostly use one single address, but I can tell you exactly where all the spam comes from: idiots whose name is the same as mine.

They give my address as if it belonged to them. Probably they created addresses like narag33@server and they believe that it's narag@server instead.

So not only do I receive all the spam from dubious sites that they subscribed to, but also their legitimate mail from lists and friends.

My namesakes are idiots. But some of the companies responsible for the subscriptions, like Paypal, are assholes. They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.

Quite gratifying to read that I'm not alone in this. I was really early into Gmail so have first.last@ and get a lot of stuff emailed to me that is exactly as you describe - not spam, just mistaken address. Hotel reservations, golf clubs, Republican party bullshit, hilarious copies of order receipts from gun shops...

(The last one of the above I replied to - it was an order for a rifle scope. I sent what I thought was an obvious joke email back asking whether it'd help me hit my neighbours' puppy at a mile range. The gun shop replied back suggesting an alternative scope... Moral: never apply UK style humour to US situations, especially not about guns...)

I was getting some dude's email for about 7 years. Started with newsletters and discussion threads for a journalism guild and a teacher's union. I found that amusing and left it, but one day emailed whoever was in charge and let them know I'm not the intended recipient. Stopped for a while and then it started again and I ignored it.

But in the last few years I started getting hotel reservations, golf course membership, bills, orders for liver supplements. I tracked down who it is ages ago and sent them an email (I was cordial - "Hey we have such similar names but I'm on the other side of the world, crazy huh?") and got no response. Eventually I replied to the liver pill people and said "Hey this isn't me and if you could let the actual person know that'd be great" and the emails stopped. Way to go liver pill people.

> I was getting some dude's email for about 7 years. Started with newsletters and discussion threads for a journalism guild and a teacher's union. I found that amusing and left it, but one day emailed whoever was in charge and let them know I'm not the intended recipient. Stopped for a while and then it started again and I ignored it.

I had a similar experience, funnily enough golf course memberships too. Doing minimal OSI work on the numerous emails I found the guy on facebook and friended him (accepted due to same surname I assume). I remember saying something like:

"Hi, I noticed you just signed up for an Epic Games account, and you happened to use my email address <lastname>@gmail. Would you mind not doing that, please?"

He responded that I was a creep and that it was his email, and proceeded to block me. I mean he might've been right on the former, but patently wrong on the latter.

It has gotten so bad in the USA with creep calling. It seems whenever somebody is not happy with something, their immediate response is "you are a creep". I find those kind of people disturbing.

I have a similar experience. I received emails from his family with children's photos, emails from his certification, notices about his internship, etc.

I sent a few emails to his family explaining this; they told me that I was wrong. I gave up and just ignored all of those emails.

It's on gmail and I don't use gmail for important things anyway...

I have my own domain that I used to use for hosting random stuff and my email (nowadays it's just for the email). The email is a catch-all box.

I once got someone and their family's Disney World booking details sent to <theirname>@<mydomain>. It was a real thing, I could click the link and go view their booking at the official website. I have no idea what made that person type out <mydomain> as their email; the domain is not even close to any publicly hosted email services or any company names. I kept getting more notifications of the upcoming Disney World trip, so I ended up disabling that particular address so that those emails bounce.

I have the same problem and at least once a week someone tries to recover the password to “their” email address. I’ve gotten unlimited spam which my provider usually deals with well but sometimes there are periods of days where 5+ per hour get through. I’ve gotten dick pics and all kinds of receipts. I have hotel logins with the wrong name assigned because I could only make accounts by recovering one someone else made (so my hotel receipts have the wrong name on them).

I used to reply to misaddressed mail when it amused me. I used to string along a whole family of people that included me in group emails with racist Obama memes and pictures bragging of poaching.

I stopped replying to these when, in another case, I was asked to tell an estranged family member that their sister had cancer, since I was the only one still in contact with her. I did inform them they had the wrong address at that point.

I’m still on a mailing list for senior members of a local police department and even was sent logon/passwords to some of their systems but I’ve learned not to try to correct these things, it’s just too much of a hassle. In the case of Venmo and Verizon I couldn’t get it fixed even with phone calls.

Yesss, more people suffering from this - it's so infuriating, especially PayPal.

I mostly get signed up for newsletters, but I do actually have the name and address of one of the people who uses my email address. I know it's not exactly polite and I didn't want to be mean and cancel any orders, but I mayyy have logged in and changed her name on the delivery address to "stop using my email address please", and she's never done it again.

There's also a teenager at a school in the US using my email address on social media; I get a lot of requests to send me freebies!

I also apparently have an ESPN account now; if I liked sports I'd be taking advantage of that one!

Even weirder was one time I had RSVPs to a wedding. The couple's names were exactly the same as my partner's and mine! I had to email the pastor and say I think you have the wrong email address!

I've had blood test results, graduation photos, I get emails from this girl's doctors. I've contacted them so many times to say I'm not your patient, but they don't listen. I also know what car she leases! At this point she must have realised!?

I had an entire Comcast account registered to someone with the same name in another part of the state that took me years to get rid of. I could even log in with my email address because he registered it to my account and somehow the email side-stepped verification.

Imagine dealing with Comcast customer support. Then imagine not even being a customer anymore trying to get this resolved. Now imagine explaining how you're not the person on the account yet have the same name and how this is a huge privacy/security violation.

Took years to get rid of. One day I'm waiting for a silly collections bill or something to show up in "my" name for the other person.

I've had this with credit card accounts. It usually gets settled pretty quickly when I escalate it to fraud or security.

I deal with the same problem with fullname@gmail. My name is very common, surprisingly so if you're not Italian. I get emails for:

* A Joe who runs a lego engineering team at his high school

* A Joe who goes to bible study in Utah

* A Joe who is building a house in Victoria, Australia (I'm so familiar with him/others screwing up his email that I can forward it to him and his wife easily.)

In my personal metaverse, I'm really into falconry (I've ordered several leather falcon hoods), I have a commercial trucker's license, I'm part of a pushy children's soccer league, and am eagerly planning a trip to the holy land. I did get an invite from one of them to play golf together in Wales.

> In my personal metaverse, I'm really into falconry (I've ordered several leather falcon hoods), I have a commercial truckers license, I'm part of a pushy childrens' soccer league, and am eagerly planning a trip to the holy land. I did get an invite from one of them to play golf together in Wales.

Your targeted ads must be really interesting :-)

The silver lining is, of course, that no one has yet built an accurate profile of you ...

For me, it's a Shawn in Colorado who goes to bible study, renovates houses, and signs (me!) up for every Republican newsletter he can find.

Also: When I use Facebook's feature "show data that others have uploaded about you" (or similar), it is full of this guy's stuff that was provided to facebook (and attributed to me) by businesses this guy has relationships with.

Nothing I can do to remove it.

There's a <starwind> in Australia so occasionally I get stuff for <starwind>@gmail.com. I got his golf club membership info sent to my email address. I've gotten his dinner reservation info sent to my email address. For like 2 months I got his paystub sent to my email address.

I really wish I could get his phone bill sent to my email address so I could call and tell him he could have gotten a larger raise

I have the exact same issue. My name is quite common and I registered my email address more than 15 years ago, so it looks something like <firstname>@<server>.

Now I get phone bills, internet bills, promo emails, subscription emails, two factor emails, and sometimes even bank related emails addressed to someone who shares their first name with me.

It's been years now. I've reported the emails, but neither the intended recipients nor the sending organizations seem to care.

I agree, my namesakes are idiots too and so are the companies who don't have a simple email verification system. :(

What I do is log into the billing account and change the email to [email protected]

Never heard from them again.

I got sent a ton of (quite private) PII from T-Mobile in Holland for some poor schmuck who can't understand that his email address is not [email protected], or alternatively isn't actually putting an email address and some other idiot is deciding, "This guy is called Adrian Byss, his email is probably [email protected]". I've had the email [email protected]* since not long after gmail became available to the public. If I had less scruples I could easily have stolen this man's identity with the amount of information they sent.

* obviously this is not my email address, but it demonstrates how the situation arose.

Yeah, I have [email protected] with an extremely common German name. I’m on some investor list for a biotech company, I’ve received patent applications and internal discussions, holiday pictures, quotes for everything from building houses to repairing things.

I don’t even use gmail anymore, but I keep looking into what kind of fun emails I get (and I report every opt-out-only newsletter, which includes Google Fiber and some US Democratic Party thing, as spam).

This has been my experience too. I have <lastname>@gmail since 2004, and have for the last decade at least used a separate domain for all my accounts.

I haven't noticed many leaks/sales at all of my specific account addresses. I get almost all my spam on my regular gmail, and promotions for companies that my namesakes have signed up for, left my email at a store, etc.

I have identified several people from the variety of emails I get, including work/school/personal.

> But some of the companies responsible of the subscriptions, like Paypal, are assholes. They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.

This is my absolute biggest gripe. Someone signed up for AT&T using my email. I contacted their support on Facebook, and even after explaining the whole issue they asked me for my phone number, and recommended I call their support. I'm not even in the country. They stopped responding when I pointed that out.

While I want to trash AT&T (deservedly), they're unfortunately not alone in that behavior.

This happens to me all the time. Perhaps the most amusing instance went as follows (quoted verbatim, with identifying information omitted):

This email is regarding: [].

Class: MATH 7 ADVANCED Prd: 2 Teacher: []

-----------------------------------------------

Good evening, please check [] for missing work, complete it and submit it. Let me know if you have questions or need any help or anything opened up or more tries. Remember the Ch. 3 test due today. Thank you, Mrs. []

I replied:

I think you've got the wrong email address.

Thanks, David

The teacher then replied:

My apologies. You are correct. Your son is crushing it :) and I failed to take him off the group email. Thank you so much for letting me know and keep up the great work! Again, I apologize for the inconvenience. Mrs. []

I then replied:

Thanks! Only one thing: I don't have a son.

Same with me-- someone used my email to register for Airtel India, and I started getting his bills. Airtel have a complaint/abuse email and I told them about the mistake-- there was a lot of "hoo-hah" but nothing happened.

The bills are in encrypted PDF-- but the encryption is trivial to remove. I looked at the bills; it's someone with a name similar to mine, just one letter different. I emailed the real person, telling him he had used my email, but got no reply.

I just press spam now, and the emails have stopped coming to my inbox. But I still get the emails 6-7 years later. It's mind-boggling how a) Airtel never confirmed the email, b) they haven't stopped sending even though the emails have been going to spam for years now.

Same here. My name is very common and I have an email similar to John Smith <[email protected]>, and there are around 10 people around the world named like me or similarly that use my email for everything. I receive, almost weekly, paid invoices, flight tickets, appointment reminders, a teen soccer club newsletter, new Instagram accounts, etc., anything you can imagine really.

A few years ago I tried to contact some of my other selves to ask them to mind their email, but never got any response. I'm just ignoring them now or hitting the spam button (after all, the senders should have a process to check the address instead of taking erroneous email addresses written by hand on paper).

My real surname isn't a common one, so I went ahead and grabbed [email protected] in March 2004 when Evan Williams sent me a Gmail invite. But my surname is English and one that is predominantly found in the UK, Canada, Ireland, South Africa, Australia, and New Zealand. So I sometimes get invoices, signups, verifications, and other junk from someplace in Australia and those other English-speaking countries. I've also found it's a waste of time to correct it. Once an address is "out there" in the wild, it's going to get passed around.

My wife has had the same problem for a long time. What finally got through was to contact one of the travel agencies to point out that she got plane tickets in someone else's name and to please talk to this woman, who has the wrong idea about her email address. It has been quiet for a few years now.

> But some of the companies responsible of the subscriptions, like Paypal, are assholes. They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.

+1. My OG name email has been mistakenly registered for a PayPal account, but there's no way I can go about disavowing the account, or removing my email address from it.

I’ve had a few folks use my email. This is going to prove wildly unpopular but I just reset the password using the email, go in and delete the account (or submit a ticket with support to do so).

They can make a new one with their own email if it’s important.

> This is going to prove wildly unpopular but I just reset the password using the email

As someone who has done this too, I wouldn't be surprised if it violates some misuse of computers act - but I'd rather that than be responsible for the security of someone else's finances

Not wildly unpopular with me. I’ve canceled multiple Netflix accounts using my $firstInitial$lastName@gmail account. My excuse if they ever challenged me would be to say I thought it was fraudulent because I didn’t set it up and I didn’t want my email to be the only contact method.

Edit: there is one boost mobile customer who has done this to me and I can’t figure out the exact address they used (the thing where you can add periods gives a lot of possibilities), and I really wish I could password reset and close this account because approximately every other month for years I get late payment notices, then impending cutoff notices, then cutoff notices, then “thank you for your payment your service has been restored” notices. It’s both sad and annoying and I finally just black-holed everything from boost mobile and hope I never decide to be their customer in the future because troubleshooting mail delivery problems when I’ve forgotten about this will drive me insane.

I have had this happen to me as well. It was pretty annoying. Somebody used my name for a Twitch account. I wanted to do things the 'right way' so I didn't verify the email, didn't log in and change their password -- I contacted customer support instead (mostly just to see how it would work -- I have a very unusual name, so this is a kind of rare event for me). It took them, I think, years to delete the thing.

I've never really been 100% sure if changing the password and logging in to delete the account would violate the CFAA. I mean nobody would have gone after me for a Twitch account anyway, and I'd definitely have felt moral deleting the thing, but the letter of the law...

If the only identifier on the account is your email address then:

- The account effectively belongs to you anyway.

- The person who created it isn't going to be able to recover it if they lose their password, better they know about this sooner than later by you locking them out.

If you still get emails from them, you can open the email source in Gmail and see where the email was originally sent to (the full address), with all the dots and +x additions in it.

I got my gmail account early and was able to get my first name at gmail.com.

My name is fairly popular in my part of the world and everyone who has it uses my email address as a throwaway since they actually authenticate using a phone number. I have matrimonials, visa applications, leave applications, uber accounts, SaaS subscriptions, porn subscriptions, random newsletters and what not. My gmail account is all but unusable now.

I have the same, but less volume than you. I've had VERY confidential mail sent to me, and one time someone even tried to send me 1500 bucks, but alas I didn't know the password for the transfer :)

Sometimes I get so annoyed I do a password reset on their accounts. Gotta learn somehow.

> I got my gmail account early and was able to get my first name at gmail.com.

Same here. But my first name is so unusual that I have literally not found anyone else on the internet with my first name. Any and all searches for my first name (and nothing else) have results that point to me.

LOL. So, my name is a pretty standard Indian name and many organisations do not confirm their email addresses (banks, insurers, etc.). India's default email provider is, of course, GMAIL (even government officials use it). I was one of the early distributors of Gmail invites (I invited a lot) and I own [email protected]

Now I get bank statements, credit card, health, insurance and whatnot for over 5+ "Brajeshwar"s in India. I just ignore them, as I use my GMAIL ID just for newsletter subscriptions and remnants of the old Internet, but I do check once a week during my weekly digital chores.

This is one hundred percent the problem. I got my address back when Gmail was invite-only (so it's super simple), so I get tons of emails meant for other people.

Someone decided to start a weed business in Spokane, Washington using my gmail address as their business email contact for all of the greenery suppliers. Now I get tons and tons of marijuana-related spam. I guess they are too stoned to tell the difference between 20 and twenty? I don't know.

A lawyer in Texas has the same initials as I. Their domain is the same as mine + "law" at the end. Guess how many of her clients forget the "law"?

> where all the spam comes from

The problem is the word spam. What you describe, misdirected mail from completely legal businesses, is not really spam, even if it is junk for you personally.

There is aggressive marketing of very vaguely related products you have actually registered for. There is marketing of illegal products, mostly using harvested addresses. There is phishing, often using stolen addresses.

If you want to understand the problem, as the OP obviously does, just speaking of spam is not helpful.

Spam has a legal definition:

Unsolicited commercial messages.

If the actual receiver didn’t solicit the message, it is spam. It doesn’t matter if the business is legitimate or not, if anything it makes it worse because the FTC occasionally does fine companies for sending spam.

Legally, you have to verify the email address before sending any further messages. If you don’t, you open yourself up to some serious fines if and when the FTC or whomever decides they want to make an example of you.

So phishing and Nigerian letters are not spam because they're not commercial but criminal activity? Not everybody would agree.

What about selling fake products?

You’re getting into fraud territory and leaving spam territory.

I get random invoices in languages I don't even speak due to something similar.

Any time I can, I log in to their accounts and update the email to [email protected].

You’re probably joking, but in case you aren’t, don’t put in an address for a registered domain like void.com, as you’ll just be redirecting the spam to them.

Instead use the reserved domain example.com.

I just use the domain of the site the account belongs to. If I'm getting really naughty, I will put sales@<server>

Oooh, I hadn’t thought of sales. I always use support@server whenever a site asks if I want to join their newsletter.

I have a gmail account and a yahoo account. I consider these my spam accounts for anything that doesn't accept email with a + in the name.

Over a year ago, I noticed that somebody's PayPal was set to my gmail account. They had also used my account for payments to Donald Trump (I was getting hilariously desperate and pleading messages for more donations), Banggood, and Amigo Loans (as guarantor).

I was able to get information about different addresses they have lived (Ireland - not sure how many Trump supporters live in Ireland, which was weird), what other email addresses they had, etc.

In the end, I logged into their paypal (surprisingly easy) and changed their email address to the correct email address, and emailed them their new password.

I still get the odd one-off email from other places, such as a damp report for a property in Hemel Hempstead, but at least I haven't had any more paypal messages. I sometimes wonder about the legality of what I did - obviously I did nothing malicious, but I suspect it contravenes the letter of at least one law. But the thought of being made in some way responsible for the security of someone else's finances filled me with dread.

Same here. I thought I was lucky when I snagged one of the first GMail invites and was able to pick a 5-letter user name. Oops: https://i.imgur.com/Y5c1iIt.png

Same. I even paid about $10 on eBay to snag an early invitation.

I thought Gmail didn't allow usernames shorter than 6 characters.

Ah, you're right, it's 6 (first initial + 5 character last name.) I can't count...

> They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.

Add Discord to the list.

Use an account with an unverified mail? Fine by us!

Go and try to actually verify the mail? Alarm bells go off and the acct locks up (sorry, not sorry for the owner of that acct)

A few of my blacklisted recipients ..

waltr2@ wemo@ elara@ curse@ gizmodo@ lastfm@ macheist@ monster@ myspace@ skillshare@ dropbox@ meetup@ dribble@

And digitalocean because their unsubscribe page didn't work. If they won't stop sending, I will stop receiving.

This was years ago, but I once contacted Barracuda to inquire about buying one of their Spam Firewalls. I used "myname-barracuda@mydomain". Before I even got a response from the salesperson, I got a spam e-mail to that address.

Then I got a response from the salesperson. I asked if he knew that I had started getting spam to the e-mail address that only they had, and he said there was no way that was possible.

I figured that his machine had some malware on it, and that harvested my address and sent it to the spammers. But the cynic in me wondered if they wanted to make money from selling the spammers my e-mail address AND from selling me a spam firewall.

Sounds more like they were trying to convince you of the need for a spam firewall :)

Nice inbox you have there... be a shame if it filled up with spam...

When my kids were young, I set them up with two email addresses: one for emailing friends, the other for emailing businesses. The assumption was this would protect their personal friend emails from spam. The reality was by the time they were older teens almost all the spam they received came in on their personal friend emails and almost none of it came on their commercial-use addresses.

My assessment was businesses were not stupid enough to sell email addresses (they knew they'd be reamed for it if word got out), but just enough of their friends' machines had sketchy browser plugins, malicious Android apps, back-doored aimbot cheats, etc., harvesting contact addresses and sending the data back to spammers.

This has been my experience also. Companies do pretty well, random forums get scraped and friends hit “upload my contacts” on every sketchy app they download.

Could you give a rough time period for when you set up their accounts and how old the accounts are now? Just trying to get an idea of if this is still happening even now.

"Just trying to get an idea of if this is still happening even now."

Do you think the spammers retired? I doubt it, there is only a shift towards trying to get more phone numbers instead of email.

I get mere units of spam yearly both on my email and phone, and I don't really keep either secret. The weird thing is that I know someone whose work address gets lots of spam. Both our addresses are publicly available on the Web.

Sometimes your address isn't maliciously being sold but is just leaked through incompetence.

I worked for a company whose mailing list ended up being leaked to spammers.

The (otherwise seemingly legit) mailing service we used for our opt-in-only mailing list got breached.

We got lots of irate customers (there are surprisingly many people who use catch-alls), the mailing list provider put up a blog post saying "they were investigating" with no follow-up, and suddenly a month later they redesigned their blog and the old post was gone...

Two sources:

1. Companies who use dark patterns to spam you even though they implied they wouldn't, and who continue to spam you even after you try and unsub from them. Even Google are bad at this... you can explicitly unsub from everything but dare to purchase another product and they'll yet again include some tiny checkbox somewhere that has resubbed you. These feel like Sisyphean subscriptions.

2. Individuals with similar names who cannot get their own email right and seem determined to never receive their travel documents, insurance policies and other things, and who leave you subscribed to obscure local mailing lists like the one for dog rescue in Florida which I am a BCC on and I can't get the list owner to effectively unsub me, or the school in North Carolina who keep telling me about my namesake's child who needs to prep some piece of homework, and they tell me this via a no-reply address.

There's not a lot of "leaked email address is used for spam" as one imagines... at least, it's almost zero.

My wife and I have used a unique address for every company/service for 15 years or so (both online and physical stores).

We’ve gotten less spam than I expected and from fewer sources.

The big ones are dropbox (likely breach related), justworks, [email addresses listed in Whois records - note: Whois privacy features are absolutely worth it], and emails associated with open source projects and businesses that get listed in repos/project/business websites.

I have blacklisted 1 video game discussion forum whose owners sold it and all its data and 4-5 misc retailers (mostly in fashion/clothing) for either outright spam or having non-functional un-subscription features.

We continue to use this email strategy for a variety of reasons, not only spam management. I don’t think I would set such a system up if my only goal was spam reduction, as breaches and publicly posted addresses account for the vast majority of the spam and those will get you either way. There is merit to having your main personal address be separate from the ones you publicly post for business/open source purposes.

As an aside: the experience has led me to an anti-spam idea that I wonder if anyone has tried on a larger scale. I have multiple different addresses that were clearly involved in a breach or I post on public websites where they get scraped. However, I know that both addresses are unrelated to each other so I end up getting listed on some spam lists multiple times. In these cases, any message where you get separate copies to multiple different addresses is spam 100% of the time.
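
The duplicate-copy heuristic from the comment above, combined with the Delivered-To lookup suggested further up the thread, as an added example that is not code from any commenter. It assumes a catch-all domain of example.com and works on constructed sample messages embedded inline.

```python
import hashlib
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed catch-all domain; a placeholder, not an address from the thread.
MY_DOMAIN = "example.com"

# Constructed sample messages: one mailing delivered separately to two
# unrelated per-service aliases, one legitimate mail to a single alias, and
# a Gmail-style message whose Delivered-To shows the dotted/plus-tagged
# address the sender actually used.
RAW_MESSAGES = [
    """Delivered-To: shop-a@example.com
From: deals@promo.invalid
To: undisclosed-recipients:;
Subject: LAST CHANCE: 80% off everything!!!
Message-ID: <111@promo.invalid>

Buy now, limited time offer.
""",
    """Delivered-To: forum-b@example.com
From: deals@promo.invalid
To: undisclosed-recipients:;
Subject: LAST CHANCE: 80% off everything!!!
Message-ID: <222@promo.invalid>

Buy now, limited time offer.
""",
    """Delivered-To: bank@example.com
From: alerts@bank.invalid
To: bank@example.com
Subject: Your statement is ready

Log in to view your statement.
""",
    """Delivered-To: john.smith+airtel@gmail.com
From: billing@carrier.invalid
To: johnsmith@gmail.com
Subject: Your bill for April

Amount due: 42.00
""",
]


def parse(raw: str) -> Message:
    """Parse one raw message (headers, blank line, body)."""
    return message_from_string(raw)


def delivered_to(msg: Message) -> str:
    """Address the mail was actually delivered to, in the exact form the
    sender used (dots and +tags intact); To: may be rewritten or hidden."""
    return parseaddr(msg.get("Delivered-To", ""))[1].lower()


def fingerprint(msg: Message) -> str:
    """Content hash shared by separate copies of one mailing.

    Message-ID and Delivered-To differ per copy, so only the sender,
    subject and whitespace-normalised body go into the hash."""
    body = "" if msg.is_multipart() else msg.get_payload()
    parts = [
        parseaddr(msg.get("From", ""))[1].lower(),
        re.sub(r"\s+", " ", msg.get("Subject", "")).strip().lower(),
        re.sub(r"\s+", " ", body).strip().lower(),
    ]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()


def find_multi_alias_spam(raw_messages, domain):
    """Group messages by content and report each group that reached two or
    more distinct aliases at `domain`: one mailing hitting unrelated
    per-service aliases means the sender merged several leaked lists."""
    groups = {}
    for raw in raw_messages:
        msg = parse(raw)
        rcpt = delivered_to(msg)
        if not rcpt.endswith("@" + domain):
            continue
        entry = groups.setdefault(
            fingerprint(msg), {"subject": msg.get("Subject", ""), "aliases": set()}
        )
        entry["aliases"].add(rcpt)
    return [
        {"subject": g["subject"], "aliases": sorted(g["aliases"])}
        for g in groups.values()
        if len(g["aliases"]) >= 2
    ]


if __name__ == "__main__":
    for hit in find_multi_alias_spam(RAW_MESSAGES, MY_DOMAIN):
        print(f"multi-alias spam: {hit['subject']!r} -> {hit['aliases']}")
    print("Gmail copy was delivered to:", delivered_to(parse(RAW_MESSAGES[3])))
```

Run over a real maildir, the same grouping also surfaces which aliases share a leaked list, which is the information the thread is asking about.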

Same observation, similar timeframe. A few that have likely been breaches, one or two failed web game businesses sold for scrap.

My motivation of keeping it up is mostly habit, I wouldn't want shop mails on one of my public addresses anyways. A nice benefit is that phishing mails arriving at the wrong address are even easier to not fall for (but a deeper phishing attempt, with targeting based on a breach or something like that might become easier to fall for)

> However, I know that both addresses are unrelated to each other so I end up getting listed on some spam lists multiple times. In these cases, any message where you get separate copies to multiple different addresses is spam 100% of the time.

I think you just described a bloom filter.

Hostmonster (a Bluehost brand) have been the worst, since they were so blatant about it. I'd only had legitimate correspondence to that address, until the week I cancelled my account, and since then the spam has been relentless. So as part of my account cancellation, they clearly sold my email address on.

The most amusing was the UK Parliament petitions site, since you would have thought they were a bit more careful with the email addresses given to them.

But the strangest is the persistent use of specific email addresses that I've never used anywhere - about half a dozen common forenames, and one forename-plus-three-numbers. I've no idea where they originally came from - perhaps someone padding out their email lists for sale with semi-randomly generated ones? - but that set of addresses has been used and reused for over a decade. At least it makes it easy for me to train spam filters, since even novel emails are easy for the filters to spot when multiple copies arrive together.

I've been using my domain name for email for over ten years. The two surprising usernames that I got bad emails at were turbotax@ which I used with TurboTax a long time ago, and andrewyang@ when I donated a dollar to his campaign near the start. I basically was getting borderline scam emails sent to both.
I second Intuit many years ago. And politicians. This former company wants, this year, to have full access to your bank account, history, statements and balances just to download a 1099. The latter seem to share email addresses with abandon.
Ticketmaster gave one of my email addresses to their parent company, Live Nation. They started spamming me with event stuff pretty much immediately. Their unsubscribe options don't work. I complained to their support and they told me to just not use it, and that the emails would go away? Screw that, I changed the email address I used for Ticketmaster and deleted the original one. No more spam since, thankfully, so it seems they didn't pass the new address along.

The one that puzzles me is that some recruiting database got my personal email address, the one I only give out to people I care to keep in touch with. I've never, ever given that email address to a recruiter! I asked them how they got that email, and of course they just said "some AI-powered recruiting tool we use". It's sad because that email address is super fun and I had managed to keep it private for so long...

Just as a heads up, Zillow will ban your account if you use zillow@domain for violating their terms. Happened to me in March 2021.
Yikes, I use service@domain quite often. I didn't give thought to this possibility.

I'm quite sure the reason will be that this service emails others on "your behalf" and probably does something like placing your email address in the "From" field or in the body of correspondence. I assume they are concerned about phishing or catfishing emails purporting to be from the service.

This doesn't appear to be an adequate solution to the problem.

Something like $(hex(hmac(secret_key, service)))@domain could solve that. It would also mean service can't pretend to be another-service@domain when spamming you.

Though who knows, maybe hex addresses will look fake / malicious and trigger a ban anyway.
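The HMAC alias scheme suggested above, as an added example (not the commenter's code): the local part is a truncated hex HMAC of the service name, so the address carries no trademark and a service cannot forge another service's alias without the key, and the owner can map any incoming alias back to the service it was issued to. SECRET_KEY, DOMAIN, TAG_LEN and the service names are constructed assumptions; the tag is truncated because a full SHA-256 hexdigest is 64 characters, exactly the RFC 5321 local-part maximum.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed values for the example; use a real random secret in practice.
SECRET_KEY = b"replace-with-a-random-32-byte-secret"
DOMAIN = "example.org"
TAG_LEN = 16  # hex chars kept from the HMAC (64 bits): unguessable, still short


def alias_for(service: str, secret: bytes = SECRET_KEY) -> str:
    """Derive the per-service address hex(HMAC-SHA256(secret, service))@DOMAIN.

    The service name is normalised so "Zillow " and "zillow" get one alias.
    Only the key holder can compute a valid tag, so a leaked alias reveals
    nothing about the service name and cannot be turned into another one."""
    label = " ".join(service.split()).lower()
    tag = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{tag}@{DOMAIN}"


def service_for(address: str, known_services: Iterable[str],
                secret: bytes = SECRET_KEY) -> Optional[str]:
    """Resolve an incoming alias to the service it was issued to.

    Returns None when the local part matches no known service: either it was
    never issued (guessed or forged) or the service is not in the list.
    Comparison is constant-time so the lookup itself leaks nothing."""
    local, _, domain = address.strip().lower().partition("@")
    if domain != DOMAIN:
        return None
    for svc in known_services:
        expected = alias_for(svc, secret).partition("@")[0]
        if hmac.compare_digest(local, expected):
            return svc
    return None


if __name__ == "__main__":
    services = ["zillow", "samsung", "newsletter-a"]
    for svc in services:
        print(f"{svc:14} -> {alias_for(svc)}")
    # A plain "zillow@example.org" was never issued, so it resolves to nothing.
    print(service_for("zillow@example.org", services))
```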

Related but nowhere near as severe, Samsung prevents you from creating an account with the email address samsung@domain. It showed a generic error message so I couldn't figure out why I couldn't create an account until I tried using a different email address.
let isAdmin = email.local_part === "zillow"

We will fix this in our TOS

I may not be getting the joke, but is that code actually real?
Did this happen instantly? I just now created an account. So far nothing happened. Maybe this is a ploy to get people to sign up.
Not OP, but the terms state this under sec. 5: "BY USING THE SERVICES, YOU AGREE NOT TO: [...] use any of the Zillow Companies’ trademarks as part of your screen name or email address on the Services;"
Yeah, that's what they quoted me when I contacted customer service to figure out what happened.
No, I had the account for ages, then was randomly banned.
Ah, finally, my time to shine. Amazingly - not too many, given that I use hundreds of unique emails. Tbh this confuses the hell out of people when I give a CSR at AcmeBoutique the address [email protected]

The offenders that I remember:

- Men’s Health magazine

- local gym

- online flower shop

- agency that at the time handled visa applications for a local Indian consulate

- couple of infoproducts from Producthunt (think “free e-book of 10 most effective cloud practices” type of stuff) gave my email without consent to other sellers of infoproducts.

A small biz owner that I used to contract with was having a disagreement with American Airlines over the phone because when he was asked to provide his email, he gave an obviously adversarial email taking advantage of his catch-all. I couldn't hear the other side of the conversation, but it was obvious they did not believe that the email was legit. I don't remember the exact address provided, but something along the lines of '[email protected]'. The conversation went on for over 10 minutes just over the legitimacy of the email address, never mind the actual issue that necessitated an actual phone call in the first place.

He's the type that also will string along the spam callers until they hang up on him, so he enjoys these conversations.

I once had an irate business owner call me after I placed an order, demanding to know why their business name was in my e-mail address. After I explained it: "That's pretty clever."
When I was studying abroad, I lived in a temporary student dorm that was placed in an industrial district with a special permit from the government.

I tried to order a textbook online and my transaction got flagged as suspicious, so I had to call a support person, and he wasn't having it.

- foreign credit card

- address marked as non-residential area

- sketchy email address using their company name

Had to take the bus to a bookstore.

HAHAHA Same but it was in the store of Sixt (a European car rental firm)
This has happened to me too, though not at Sixt. "Do you work for our company?"
It's to the point now that unless the email address is @hotmail or @yahoo, almost everybody assumes that there is some company named domain.com and that the owner of the email works for that company.
I gave my email to a gym once to go in as a guest with a friend/coworker. I fully regret it because every time I get spam, it's from blink@[mydomain].
U.S. political campaigns are by far the worst offender. If you give your real email and phone number to one candidate, twenty unrelated candidates will contact you next cycle.
You don't even have to give it to a campaign. When I moved in 2020, I updated my address and phone number with the Secretary of State to transfer to a voting precinct in my new town. Unfortunately that information is available to anyone willing to spend something like $20 for a quarterly DVD. It started off as relentless SMS spam from not just campaigns, but also activist groups. Not long after, the spam for penis enlargement pills, hair loss creams, and horny women looking for a man just like me started. Then came the robocalls. None of these were a problem before I updated my address and phone number. Really wish I had only updated my address but that would simply make whoever has my old phone number a victim of that same trash.
This is likely because they use the same one or two CRMs. There’s one from the Democratic Party and one independent one, from what I recall.
With SMS, you can reply with STOP and it should take you off that list. Repeat for a few campaigns and hopefully you are done for that election cycle and get less/none in the next cycle.
Where I live, the political spam appears to be crowd sourced. Rarely is the same number used more than a couple of times. Most of it is of the form "Hi, this is Robyn from the Justice Democrats. Can we rely on your vote on Tuesday for candidate so-and-so?". Asking them to stop only stops that one person from spamming. As an aside, it's interesting to see the large difference in SMS campaigning between parties. I get very little of it from Republicans but lots of it from Democrats. No idea if this is due to a certain demographic profile I match or that the two have different advertising philosophies (I get far more physical campaign mail from Republicans than from Democrats).
Most spam comes to me via email addresses I post publicly, e.g. on my website. I used to get spam from an address I had created for SourceForge, but it has tapered off.
Mostly cryptocurrency stuff in my case. Over the past 5 years, almost all of my spam (a measurable but manageable amount) has come via my old btc-e address. I've probably been getting this shit for more like 7 or 8 years in total, long since before they got shut down, and I mailed their support when it first started. They said there was definitely no hack and definitely no breach. Not sure whether that makes this worse or better ;)

I get the odd one from the address I used when buying my ledger hardware wallet in 2017. Their address list was famously leaked a while ago, and this email address was on it - luckily not my address or phone number though.

Then occasionally I get one to my amazon-specific address. I figure via one of the vendors I've ordered from via Amazon? But who knows. Bezos didn't get his billions by not trying everything.

For me, it was Foodora Germany (before they merged with / were sold to whoever owns the brand now). I pointed this out to their support as soon as I started getting spam on my foodora-exclusive email. They politely told me to go tf away.

18 months later, they announced a major security breach that they had "just learned about". https://www.infosecurity-magazine.com/news/foodora-data-brea...

The most surprising was the local public transit system. Somehow the local Democratic Party office got the email address I used for signing up for my transit card. Over time, that email address got into the databases of lots of other left leaning groups, some fund raising, some pushing activism. My guess is that the transit system didn't actually sell the email address to the local Democrats but someone working for the agency passed it along. Having worked for many government agencies, my experience is that access control to PII is very loose.
I used to. Stopped doing it as it was too much hassle to keep track of, but the biggest spammers were tech recruiters. I think some of them post fake jobs just so they can harvest your email address when you apply. Then that email address gets passed around on various lists for years.
There's a recruiting firm in Dallas, TX that requires you to come into their office in order to apply for a position at one of their customers. What does this meeting consist of? A literal list of PII-based questions - nothing pertaining to the role. When I called them out on this they insisted that this is how, "their process and culture" works.

Also not to say this is how all recruiters work. I've spent enough time in the industry to know in 2 minutes or less if I'm talking to a decent recruiter.

I've experienced similar. It's so they can tell their clients they've met with each candidate in person. Decidedly less of a selling point these days.
Hasn't LinkedIn pretty much replaced this? I get recruiters on LinkedIn all the time, but very few if any on my personal email.
"I used to. Stopped doing it as it was too much hassle to keep track of ..."

Can you describe what it is you need to keep track of ?

I imagine giving out [email protected] and if you get spam on that pseudonym you just block it in procmail or smtpd.conf or (whatever you do in gmail).

Right ?

I always laugh to myself about the "too much hassle" lines. My password manager has 0 issues managing the unique usernames and strong passwords for each account, therefore, it is not a hassle for me. If they want to be a glutton for punishment and an easy target for being pwnd, then so be it.
On a related vein, I managed to identify the source of a leak via the scammer emailing me with the password I used only on LiveJournal: https://kitsunesoftware.wordpress.com/2018/08/09/anatomy-of-...
The sad thing is, ever since I started using unique addresses years ago, they've caught exactly no one. I get buckets upon buckets of spam, but only from the first party companies I actually have a relationship with, and zero from 'partners'.

Mayhaps just having an email domain that isn't from a big webmail provider keeps out the spam? But then again, I get plenty of actual spam to my work email which I've never given to anyone.

I started getting recruiter emails coming into my work inbox. I have never given out my work email to anyone. I don't use it other than for internal company communications. They likely took my first.lastname from Linkedin and just appended @companyname.com and there you have it. Is your work email something simple like that?
I have a primary mail ([email protected]) I use for normal communication and as a fallback in case the catch-all subdomain is rejected (some companies don't like them; or are inconsistent for which form/account they allow it and for which not - I'm looking at you, Deutsche Post/DHL!). The remainder goes to *@subdomain.myotherdomain.tld.

I still get a lot of spam on my primary mail, I'm pretty sure it has been leaked by breaches and from friends' address books. My spam folder contains mail for these services: btc-e, bitcoinforum, Heroes of Newerth, hearthpwn, hifi-manuals.com, gcc-bugzilla. Most of these have been breached (for HoN I even recall it was during their early alpha/beta, and they did not acknowledge the breach when I informed them - they implied I must have used it somewhere else and that it got leaked from there). On the GCC bugzilla the address might be visible (at least to logged in users), so that's probably scraping. The hifi-manuals one is pretty fresh, but IIRC they have been breached shortly after that.

A lot of businesses know both business@catchall and paypal1234@catchall, but I'm happy to say that I have not yet noticed 3rd party spam on these. Same for real life encounters for which I used the catchall (though the look on salespeople's faces is often priceless). However, aliexpress is pretty annoying with their own spam, as are some other retailers.

Some of it is from friends. I lost count of how many mates I signed up to gay porn sites, nazi news letters and furry forums. And they did the same to me. It’s fun messing with friends.
side question:

if you use the [email protected] trick to tag the business or website where you are using that email

can't a scraper remove all +tag portions using a regex and send spam email directly to plain email address

you won't know the source of the leak if that happens

businesses can themselves do this if they deliberately want to sell or misuse your info

Yeah, since it's common knowledge now, spammers know about this too and at least darknet resellers might also be incentivized to hide the true origin of the dump that they are selling.

I usually go about this now by having a dedicated domain for email only, with a catch-all configured (Fastmail, and Protonmail at least for Pro users, allow this). That's great because every time I'm required to provide an email for no reason at all, for example hotel check-ins, I can just come up with a new one on the fly: [email protected]

Bonus points for also preventing credential stuffing in case they get their badly secured passwords compromised too.

I don't have the numbers to back this up right now, but 90% of my spam comes from scraping my email from public documents, Github or one-off webshop purchases.

I have used different email addresses for every recipient/registration for 20 years. There have been very few incidents.

More than 15 years ago the addresses I had used for Financial Times and Finnair started to get Viagra etc spam. At least one of them was after a big leak at an online marketing firm that made headlines. I closed the addresses so I have no idea whether the flood has ever stopped.

Maybe 10 years ago I booked a cruise to Saint Petersburg using a coupon from Groupon. After that I started to get spam in Russian. I don't read Russian but online gambling was obviously a topic. I contacted Groupon and asked about their sharing. Talked to their head of don't remember and he claimed it's simple: They don't share the address with anyone. It was obviously not true because I never had any contact with Russia before or after and the timing was very evident. I closed the address.

Another address is in the Linux source / LKML. It gets Nigeria letters all the time, but with low frequency. Less than 1 a week on average. Maybe 1 or 2 in German and French over the years.

Those are the biggest cases. Maybe some other odd one over 20 years. It's worse with completely stupid tech marketing on my work address (which has been the same for 4 years).

There is one more: I have one address shared with about 100 private users in Germany. Many of them not technical at all. It gets German phishing attempts all the time, maybe 1-2 per month. I assume a user was infected by malware.

Edit: And there has always been spam to my gmail address. I have shared/stored my gmail address in extremely few locations just for forwarding and it's of form [email protected]. There are only 3-5 people on the planet with the same name. The spam comes without dot so I guess it's not from a list of email addresses, but generated from a list of names. My name has been on the Internet e.g. in Usenet and in scientific papers many times long before gmail existed. Volume is not too bad, a couple of them every month. It was worse years ago.

In Germany there are lots of freemail providers. Some of them sell all the contact data to spammers:

- web.de

- gmx.de/net/com

I reproduced this with a new domain, a nowhere occurring email on an email server that does not list its accounts via imap, and a single email from those services to the new email was enough to receive spam afterwards; even when the email wasn't listed anywhere on the web.

On a couple other addresses they receive spam mostly from Ghana, Botswana, or rural Delhi, so they're easy to identify. I keep the reddit-trained reply NLP bot active to reply to spammers and keep em busy.

At some point I might go the offensive route, cause they always seem to use standard software on outdated Windows machines, with a couple of aliases of Western sounding names (well, at least in their own imagination).

My opsec mandates that I split up email addresses by security level and purpose, and the emails aren't related anyhow, don't use the same name and are basically random emails that cannot be correlated. I'd also encourage everyone to use a password manager and use only random passwords everywhere to prevent account stuffing or stupid script kiddies trying to compromise your accounts.

If there's one thing the BreachCompilation has taught me it's that every humanly chosen password is based on patterns and/or easily gathered social structures that surround them on a daily basis.

I personally cannot confirm this for web.de. For years I had been using their email service without receiving a single spam mail. Now, I do get occasional spam, but only a few a month and only for the account I use a lot. For the newly created ones again no spam.
I do have a [email protected] and a *@mydomain catchall email address. Years ago I had my own email server on mydomain, but I got up to 30k spam per month which pushed me into abandoning my own email server and instead let Google be my MX, and forwarding the web.de mails to it.

Google is very successful in rejecting spam before acknowledging its reception via SMTP (probably mostly via IP blacklist) so I don't see it, the amount of spam shrank drastically. For a very long time a lot of spam came via icq@mydomain (yes, it has been a while), but nowadays almost all spam that I see comes via the @web.de address where Google cannot apply its IP blacklist because it's received via web.de's servers. I know because the mydomain email server also used to forward received mails to Google, resulting in said 30k entries in the spam folder. The transition to put Google itself in the DNS record made all the difference.

I am kind-of surprised I don't see more spam coming via the catchall address. Sometimes spammers use mydomain with random local part as sender address, so I get bounces.

Failed to double-opt-in, many (wildcard, v. short domain based on a finger-roll on the keyboard) - budget being my favorite because it let me cancel people's reservations without authentication for a long time.

auction.com - absolutely resells your email for years to come, thanks whoever subscribed to that.

The RNC is way worse than the DNC, but both resell their lists quite a bit for political purposes. Voter registration similar, but I think that's just open records stuff.

But a lot of failed double-opt-in. Massive amounts of it.

Most recently I got an email that was clearly spam (had a link to a website with a .zip file that was clearly malware) that was a reply from an order I placed with a supplier a few months ago ($8,800 worth of 105Ah rackmount SLA batteries) - the entire email I had previously sent was quoted. It's pretty sad when your legitimate suppliers are getting compromised and leaking data like a sieve.
Had this same thing, but then with a couple of my customers.

This is a phishing attack.

After a while I talked with one of those customers and they knew about it. It was "an email that got compromised".

E.g. one of their employees did fall for the phish and opened the email, clicked the link, opened the binary. Got infected and (a part of?) their inbox uploaded to the spammer. That is then used to send out new targeted phishing attacks where the name is spoofed, but sent from another victim of theirs. Pretty effective phishing attack it seems. Took me a bit before I realized what I was looking at as the email seemed to come from that customer. It was only because it was a bit weird that I noticed things being off, like that the email address itself was different.

I get a ton of spam on my Amazon email. I assume this is via some sellers getting it as part of the return process. I just rotate the mail every six months and drop the old ones into an auto-delete rule.

Another is the mail used in domain registries but it’s low volume

The worst offenders are mailing lists I subscribed that fail to respect unsubscribing. I find the smaller they are the worse they are. So many just re-add the mail six months later. There I have a rather fun mail rule.

Any mail from their domain gets an auto reply with an explanation that this isn’t cool, with every support, admin, sales mail I could think of in cc. It includes a list of all the times they mailed me and all the times I asked them to unsubscribe in a list, handily auto-generated by a node-red flow.

Yes, it’s pedantic, No I feel no shame.

I would say you are a hero – finally imposing a “cost“ on people who are not prioritizing unsubscribe functionality. As someone who just quietly blocks, I am happy to free ride on your crusade :-)
I'm not very pedantic about it but I do create a few ones. I don't do catchall as my domain has been on the Internet for a very long time and the catchall usually gets pretty badly spammed (I tried).

For instance;

- I have something like [email protected], which is the free Netflix account that I got from my Jio Fiber connection. I gave that to the In-laws.

- [email protected] because Indian Passport Office won't allow more than 5 Passport (I think 5 was max, last time I checked) applications from an account. I'm usually the person dealing with the Internet and digital stuffs for our family, and most of the relatives. The limit gets hit pretty easily.

I used to sign up for almost every Startup that pops up from friends, acquaintances, and people whom I had even interacted with once in the hope that I'm helping them with one more account. Unfortunately, especially Startups in India will bombard and spam relentlessly (emails and phones), so I have totally stopped signing up for anything. I either use a throwaway or the "+" method when I really have to -- [email protected]

A few years ago, I started logging the ones that specifically spammed my phone number. I visited a Startup and agreed to give them my number for the visitor log entry. I trusted them because I helped them with their product during the MVP to pitch Investors. They started spamming me after I left and before I reached home.

I stopped the logging and now I have declared SMS/Text Bankruptcy. https://drive.google.com/drive/u/0/folders/1jI0DxmZ586cBmyu1...

> Indian Passport Office won't allow more than 5 Passport applications from an account

Wow, what a strange limit! I wonder what their rationale is for having it?

There are a bunch like AliExpress, eBay, Paypal and kickstarter where 3rd parties get your email address too (or used to), so you don't know which one leaked them. I tend to change the email address every few years when it gets too much and block the old ones after a while.

I suspect that most of the entries on the list got hacked. There are a few exceptions where companies do not honor unsubscribe requests and keep sending you emails or flat out sell your email address.

Here's a list that was collected over many years:

- Cory Doctorow's mailing list (twice)

- bitcard

- Achatzi, CSV direct, easynotebooks, foto-erhard, hivilux - (german online shops)

- dcemu, gbadev

- Dropbox

- funcom

- gawker

- Kimsufi and OVH

- GoodLuckBuy

- Mails listed in WHOIS

- Mails used in Yahoo groups (RIP)

- MiniInTheBox

- monster.com

- moneybookers

- pianostreet

- Usenet (duh)

- Typepad

- UnternHammer

It happens about once a year for the 15 years I've had my emails set up that way, and as far as I can tell, 90% of it has been hacked systems rather than sales.

The worst was when spammers got ahold of my email from a hotel chain and would add random letters to the username. So, for instance, the email address I provided to the hotel chain was something like [email protected], and the spammers would send to [email protected], [email protected], etc.

That forced me to stop using a catch-all and only accept usernames that conformed to a certain format.

That's interesting, I wonder why they decided to add random letters? It reminds me that I used to get a bunch of spam to completely bogus addresses, for example:
     [email protected]
It took me a while, but I realized that these were Message-ID headers that were being used as email-addresses, I just assumed there were some badly written scrapers out there, treating "blah@blah" as an email address and harvesting all such matches.
Sounds like pattern based blocking would have been a nice feature in that case.
The SMTP standard allows you to add a "suffix" to part of your email address that is ignored when delivering the message.

I never give out my raw email address, I use:

- [email protected] for twitter

- [email protected] for amazon

- [email protected] for HN

etc

Makes it very easy to track down who sold out my email -- and filter on it.

Frustratingly, this is not as universally supported as it should be.

Back in 2018 I bought a plane ticket from Eurowings and I gave them an email address with that pattern, and while they were happy to accept the email address on the booking page and take my money, the ticket and login systems didn’t, and I had to get a refund and a much more expensive last-minute ticket at the airport.

(The customer support person also managed to spell my name wrong when I contacted them).

I just have a shell alias "email" that randomly generates me one. It generates completely random base64 strings, no "name" part or such. Together with an addon for thunderbird to always answer with the sender address that was used to receive a mail, this makes for a very seamless experience.

If I want to see who leaked my address I just search my email archive to see where I first used it. Also of course this means using a password manager. I opt for keepassxc.

I know this "trick" made the rounds several years ago. I figured it seems like a temporary solution only; once companies selling your data or hackers harvesting it get the memo they'd just remove the +xxxx part and then what?
    195 x+kickstarter@xxx
  57148 x+newrelic@xxx

The rest doesn't even register.
wow. is that New Relic monitoring alerts or is that...spam?!
You don’t get a lot of spam when you give a different email address to different companies. They can’t correlate with other data to tie your accounts together. The value of spam marketing is being able to cross sell taking advantage of the one unconsented email they can send.

Scammers on the other hand contact me on all my emails that have leaked/compromised. Latest being xfinity.

Santander.

I have an email address that I've only used for official things, and it was used by an employer as my contact email for pension savings with Santander.

I've had the address for 10+ years and never gotten spam. The same day I got an email from Santander about being signed up for pension there I started getting lots of spam emails.

I use different email addresses for everyone, and have a catchall on my domain. Been using this setup since the late 90's.

My spam comes from a few sources:

- data breaches that leaked an email address (Adobe, Dropbox, LinkedIn, GoDaddy etc)

- family that used to forward all kinds of crap using the TO: field instead of BCC:

- some companies sold my email which then started to propagate more and more

- some just figured it out. If you own a domain firstlast.com you'll get spammed at [email protected]

- dns records

There are more I'm sure. These are the sources I'm certain of.

Your email is only as secure as the weakest link that has that address.

In my list I have: Canva, Splunk and SublimeText.

I made some noise on Reddit about the Splunk one and I didn't receive anything else after a quick exchange with them, I reported the SublimeText one but a couple of years later I got other spam to this address, and I didn't bother doing anything with the Canva one.

I used to use individual email addresses for every site (I run my own email infrastructure, so it's easy). To be honest, didn't really see much of any spam to the site-specific accounts so after a few years I got bored of doing it and mostly use my primary address everywhere these days.

For the large sites like fb, linkedin, twitter, etc I do use unique emails. Not so much for spam, just to compartmentalize them away from my primary email so they don't have it.

Honestly, not very many. I've signed up for 300+ companies, maybe more, everyone with a different email. Many of them signed me up to their mailing lists that I didn't ask for and didn't want but they usually made it one click to unsubscribe.

One that sticks out is Kohl. I never signed up for them and they spammed the shit out of me 15 years ago. I've never shopped there and from the spam I never will.

Otherwise, a conference running company in Japan spams me and they use a new email address on their end for every new conference.

I use a different email for everything so I have been waiting very patiently for this and guess what… so far no one.

Absolutely no one.

And I've been using this system for over 5 years now.

Same.

I very rarely receive spam on the email address I used to post on the Debian bugtracker, and on the generic address I give to individuals. Apart from that, none of the specific email addresses are spammed.

It's been almost 6 years now. I sometimes understand why I receive some infrequent broadcast mail thanks to the specific address I used to subscribe.

Same here. I’ve used a separate email for everything for the past 3 years, and so far no spam has been sent to any of the addresses.

…except for single email with a google docs link that got sent to cs@mydomain. I don’t know what I used cs@ for. I don’t have any other emails to that address. Very odd.

I get most spam coming to my main personal email address. I've signed up for exactly nothing using it - but other people have sent me ecards (remember those?), shared things from random apps, and/or presumably had their contact lists stolen.

I had always intended to do some analysis of my catch-all address spam, but there's just so little of it that it isn't that interesting. A quick glance through my spam folder shows these have been hacked or sold emails:

Dropbox, Canada Computers, Last.fm

I've also seen a couple forum accounts in the past, but nothing else noteworthy.

It actually happens extremely rarely, perhaps less than once a year. Though that may just be an artifact of my already heightened discretion in who I give an email address to at all.

The most recent offender was my kid's tee-ball league.

I actually do this for every service I put my email down for. It’s been about 2 years since I started.

Fortunately (unfortunately?) my email has only been sold once, and it wasn’t as egregious as you might think.

Amplitude, the user analytics company, sold my address to at least 3 companies who simply started emailing me as if I’ve always been a subscriber to their newsletter.

I do use their free plan though so I’m not mad about it.

Netflix, Uber, Airtel, Reliance Jio, Paytm, Swiggy, almost every bank and neo bank (India) I’ve tried, hospitals and diagnostic centres (I’ll be shocked and devastated if they’re not selling my health data to everybody who’s willing to pay a paisa or more), insurance provider, Coinbase, PayPal, TrueCaller, Facebook, Dell, Amazon, LinkedIn, Amex etc are few I remember.

And the great people who think it’s okay to use the most natural sounding email address as per their name while filing forms (including banks and cards) and moron corporations like banks, telcos, Amazon Business etc who think it’s perfectly fine to not verify emails.

And my personal@my-domain that I use to communicate with friends etc. So apparently my friends aren’t lesser idiots - they think their phone and gmail contacts are to be shared with the world. So maybe use a unique email for every friend and personal contact? :D

> So maybe use a unique email for every friend and personal contact? :D

This isn't really so bad an idea. When it comes to your contact info, your friends/family are probably the big adversarial vector to your info. Their ignorance is your worst security.

> apparently my friends aren’t lesser idiots

knowledge is power

This has been my pattern ever since switching to ProtonMail. The biggest surprise for me was how little purpose it serves for spam prevention.

Coming from GMail, I expected an untenable amount of spam - but that seems to only be a GMail problem? I’ve only had two incidents of unsolicited spam from a vendor sharing my email address since moving to ProtonMail.

One I don’t remember the details but I gave a yoga accessories company my email address, like a year later I got an email addressed to that email address from a cannabis company.

The other time TicketMaster shared my email address with Warner Bros.

However my public email addresses (like the ones I use on GitHub, npm, git commits, etc) receive a lot of spam - but those are harvested, not shared.

Now my email address actually serves another purpose: limiting the ability for leaked user databases to connect my identity across providers. I’m starting to use a different username, email address, and password for every service I use that isn’t linked to my professional identity.

I don't get a lot of spam but those that I do are to ye olde addresses. Think monster, orkut, and myspace. The vast majority come to a postgres mailing list address I sent one mail to, about ten years ago. A few to whois contacts on domains, before I signed up for the anonymous service. Guessing all those were allowed to be scraped by spammers.

I get a few others to an apartment building I once got on a mailing list to, and other random stuff like that. Probably folks that use Windows and got worms.

In short, I don't think anyone sold me out... but I could be wrong.

My "[email protected]" email gets a LOT of traffic at the moment - I suspect that was a breach rather than being sold on (but that's being charitable).
LinkedIn sells all your data via their sales navigator tool. The more you pay, the more data you can get.
Most of what I'm getting is pure spam stuff - nowhere near related to anything business.

I do get a lot of business spam to other email addresses I have on LinkedIn but that's all vaguely relevant (no I don't want a website building, nor am I interested in video marketing).

I also get heaps of crap like that. Mostly I get people trying to sell me "leads" and "lists" which I imagine half of them are from breaches or just passed on a zillion times so their open/bounce rate must be atrocious.
In my case it's been from sites that got hacked or were discontinued. I don't investigate every single item of spam to see where it's addressed to, but some of the major data breaches like LinkedIn and Dropbox feature prominently. There's also an address I used as admin for a long-defunct domain.

In practice it's hard to differentiate between the sale of an address and a data breach, especially for smaller sites where the breach may not be publicized at all.

I've done this for a very long time. Practically all my spam is sent to my CPAN (Perl module archive) address. Which indicates that it's just the thing that's most easily harvested.
I personally was really annoyed trying to change/rotate emails. So I created this one here - feel free to give it a try and let me know what you think.

https://non-public.email/

Question: can you recommend any service to quickly create new accounts, but redirect them to my main one?
Apple iCloud+ (if you use Apple devices)
I've done this for most services for a number of years, and so far have actually failed to detect an email getting sold. It might also be that Gmail's spam filters and the like are tuned well enough that I don't notice.

I'd love it if the tags were available in SSO as well, as the more stuff that logs in using SSO just reveals the main email. So I definitely got into some sales databases that way for $work email that had a constant flood of cold outreach.

The largest spam problem I have, is the email domain I use is a typo away from another company. So I sometimes get quotes, or emails destined for people at that company that don't hit the spam filters. One time, someone signed up for their online banking under my domain. Recently, I get all the service advisories for someone's Honda car.

For me the biggest "dog that did not bark" was real estate agents. I used both a separate email and a VoIP number from my main ones, which was handy as it meant I could switch them off at times when I didn't want to deal. I got plenty of calls and emails during the process, but as soon as I made a transaction, crickets. To the extent that I think they must share a negative list. I guess they value their own time and know that once you've made a transaction, you're not going to be making another soon. Surprisingly this continues to hold: no "are you thinking of moving again?" now that it's been a while.
These days I mostly use unique addresses, unique passwords, and where possible MFA to secure my accounts. Reduces the risk of brute force attacks and other weak account compromises.

Historically though my intention was to track who sold my email address and combat spam. It worked great.

The most notable one was the address I registered with ISC2 when signing up to take (and pass) the CISSP in 2002. The unique address I gave ISC2 and only ISC2 in 2002 was used to send spam and scam email not long after.

It was a fairly common occurrence in the early/mid-2000s to receive spam where I registered addresses. These days it seems to happen much less.

I should curate a list. Most recently: Venmo. I expect news about a data breach soon. Before that: epik.
For my part:

Bell Canada (got hacked a few times, notoriously)

So. Many. ATS. (Applicant Tracking Systems)

Several small time online stores.

The first two probably got breached and the emails stolen (although I have never ever received any disclosure of being breached from any ATS ever). Small-time stores probably sold it for actual money; they weren't exactly trustworthy in the first place.

I use spam gourmet so I know exactly where any email address was first used and thus who leaked it.

An online drinks shop here in Switzerland. I sent them an email asking WTF, but no answer. Still not sure if it was malicious by them or someone else. Haven't used them since.

Aside from that, I'm guessing it's mostly my Git commits on GitHub being the source.

About 70% of my current spam is to a throwaway email I listed here on HN. Seems obvious (public addresses are easy to scrape), but it didn't occur to me when I listed it.
The list is long and I'm on my phone. Several were from breaches like Adobe.com and Park mobile. MyFitnessPal. Cadillac (used email for a free brochure).

I think the real worst offender is LinkedIn. I put one email on my resume and a different one for logging in to LinkedIn that should not be public. And yet I get direct recruiter spam there all the time.

LinkedIn forwards recruiter messages to your email. Are you really getting emails without a message in your LinkedIn inbox? I get quite some recruiter spam, but always via a LinkedIn message.
Not the person you responded to, but I've had the same problem. Recruiters will email me directly with shallow compliments on my LinkedIn profile.

It might not be directly through LinkedIn. About once a year, random recruiters will call my personal cell phone, even though I have no idea how they possibly got it. By now it's on a list that gets sold, I'm sure, but where it started, I'm clueless.

The most infuriating are recruiters who cold-email me at my work email. There's something about contacting me via my official capacity as an employee to take a different job that really gets under my skin. Might just be that I am very, very much not a "bring your whole self to work" kind of guy and more of a "keep a hard divide between my work and personal life" one.

The worst offender in recent memory was Walt Disney World. Starting about nine months after a physical trip to WDW, my Disney hotel reservation email address received spam from the following Disney-related enterprises before I finally black-holed the address:

- Walt Disney Studios Home Entertainment

- FX Networks

- shopDisney | Disney store

- ABC News

- Freeform

- National Geographic ("Now streaming on Disney+")

- Walt Disney Pictures

- Storyliving by Disney

You could argue that this wasn't a "sell out" since it was all Disney, but not a single one of those enterprises had much to do with a trip to Orlando. :-)

Years ago (> 10) I used [email protected] registering for Hertz.

I started getting spam on it. Tried contacting them to let them know someone was selling customer email addresses and of course they just responded that obviously I had a virus or something.

Mostly unrelated, but just before I responded I was modifying a custom milter to filter messages based on the byte string "Copyrights =C2=A9 Xsolo All Rights Reserved" because this particular spammer likes to copyright his gmail spam. Weird but convenient.

ledger hardware wallet, invisionapp.com and my public github email
Submitting a resume on a job board is the fastest way to disclose an email address to every recruiter with an Internet connection.
https://www.ordersnapp.com/, who do order processing for a local pizza place.

They got hacked and didn't even reset customer passwords, very glad I use unique passwords and limited the blast radius to them.

Just took a quick look through the spam folder and found spam (real spam, like fake fedex invoices or whatever) from:

pretty much anything vaguely related to crypto

edaboard.com

lastfm.com

pcbway.com

asus.com

Reposting from https://news.ycombinator.com/context?id=30980625

tl;dr: Used a burner email signing up for Comcast Xfinity and have been constantly receiving phishing emails on that address. (Last one was this morning.)

Second this, I have a unique address I used only for Xfinity actively receiving spam.
My wife and I use an e-mail pattern of someprefix-(.*)@ourdomain.com and give each site a different "alias". It keeps out the trash, but lets us filter nicely, and also catch data leaks. So far we caught one.
After using this technique for 4 years, only Reddit so far!
I use a pattern of [email protected] for everyone I deal with.

Never made any effort to determine if they were leaks or sold, but here are the ones I've had to send to /dev/null over the years due to obvious spam.

adobe, godaddy, ebay, sirius, vonage, dzone, snapfish, walgreens, US Postal Service; they just continued their model of selling physical address data into the online space. Seems to have been sold to typical catalog vendors: JC Penney, Crate and Barrel, etc.

Nothing, NOTHING relates to the time I sent an inquiry on Alibaba.

Nearly 10 years later I still get sent random quotes for custom USB drives.

I can relate to this. I too get the "Dear Friend" emails from Chinese businesses wanting to sell me custom USB drives. Someone has to tell them to stop using "Dear Friend", as when I see it, I just hit delete.
So far, the one that sticks out in my spam bin is Nordstrom

https://i.imgur.com/DA8njVs.png

(I changed the numbers around, but the point stands)

Dropbox stands out as 1) a company I didn’t expect would sell my email, and 2) some of the worst spammers in terms of phishing/scam attempts.
Dropbox didn't sell, they got hacked. But, yes, my Dropbox mail gets a ridiculous amount of spam.
I sent a couple messages to representative Jackie Speier (the IRS id.me shitshow and whatnot) and never got a reply till they started sending campaign advertisements my way. The address doesn't seem to have been sold though.
I once had the admin of a MUD sign my email up for spam because I pissed them off.

I also had a friend "helpfully" sign me up for information for some insurance company.

I use unique, long random-character addresses, and the biggest company that sold my address was IBM. I've followed up with them, but their excuse was that it was leaked when they were hacked. I don't know who to believe.
The worst spam I've seen is from when a crypto hardware device company got hacked and my email got leaked.

The worst constant spam I've ever seen: some of it uses legit expensive mail services, and a lot of it doesn't land in my spam folder.

I have another email that's put publicly in a website and it gets crawled, and I get no spam from it, just legit emails that are probably automated from people that wanna do business.

Public libraries, who provided patron email addresses (supposedly collected to send overdue and renewal notices, etc.) to municipality "newsletter" spam lists.

I assume they'd also happily hand over a list of all the books you've checked out and whether any of them were overdue.

I don't disagree that some library systems are pretty tech illiterate and might share email addresses without understanding the consequences.

However, I feel the need to assert my opinion that librarians are generally pretty fierce defenders of privacy in the specific context of lending/reading history, so your assumption does not ring true at all to me. Libraries/librarians have been consistent defenders of lending history privacy in the face of the Patriot Act[1][2] and I would be shocked to see a pattern of libraries anywhere in the US giving out lending history data in the context of anything but the most direct of legal requirements.

I was employed by a public library once upon a time and received specific training on when to share lending data ("never, and if asked, lock the computer and go get the Director, even if the person asking has a badge").

[1] https://www.aclu.org/press-releases/librarians-speak-out-fir...

[2] https://sfpl.org/about-us/confidentiality-and-usa-patriot-ac...

I had the same experience, but technically they didn't sell our email.
Avery (the brand that makes those label stickers you get at Staples) spammed me even though I explicitly declined their marketing list.

Once a month or so I get unsolicited mail to my LinkedIn email address.

Other than that, I was surprised to find after a good 5 years of monitoring that I haven’t gotten spammed through unauthorized sharing of my email.

One of my single-use emails that has gotten consistent spam from various places for some years now was only used to sign up for a HostGator hosting account.

Now I can't be 100% sure - but I am 99.9% sure that was the only place that addy was used.

I have several that get spammed heavy that were used to sign up at various forums some years ago as well.

I just started sorting these into folders more last week, trying to remember the ones I didn't have to mess with that were already going to folders, but that's on a different system.

Since 2016 I’ve given out 422 unique addresses in the form <hash of recipient name>@example.com, and so far zero messages have come in from an unexpected sender. I don’t know whether to feel reassured, or just lucky.
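The per-service alias scheme several commenters describe (a prefix-tag pattern on a catch-all domain, or a keyed hash of the recipient name so aliases are not guessable) and the leak detection it enables, as an added example that is not from any commenter. The secret, domain, prefix, service list and message headers are all constructed for the demo.

```python
import hashlib
import hmac
import re
from email.utils import parseaddr

# Constructed values for the demo (not from the thread).
SECRET = b"example-alias-secret"      # keep this private; it makes tags unguessable
DOMAIN = "example.com"                 # catch-all domain you control
PREFIX = "shop"                        # the "someprefix" in someprefix-<tag>@domain


def alias_for(service: str) -> str:
    """Derive PREFIX-<tag>@DOMAIN for a service, using an HMAC so one alias
    reveals nothing about another (unlike guessable names such as amazon@)."""
    tag = hmac.new(SECRET, service.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"{PREFIX}-{tag}@{DOMAIN}"


def build_registry(services: dict) -> dict:
    """Map each issued alias to (service name, set of sender domains expected
    to use it), e.g. {"Splunk": {"splunk.com"}}."""
    return {alias_for(name): (name, doms) for name, doms in services.items()}


ALIAS_RE = re.compile(rf"^{re.escape(PREFIX)}-[0-9a-f]{{12}}@{re.escape(DOMAIN)}$", re.I)


def _domain(header_value: str) -> str:
    """Return the lowercase domain part of an address header ('' if none)."""
    addr = parseaddr(header_value)[1].lower()
    return addr.rpartition("@")[2]


def _domain_matches(sender_domain: str, expected: set) -> bool:
    # mail.splunk.com is accepted for splunk.com; splunk.com.evil.example is not
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in expected)


def classify(headers: dict, registry: dict) -> tuple:
    """Classify one message by its To/From headers.
    Returns (verdict, service): 'expected', 'unexpected-sender' (the alias was
    leaked, sold or breached), 'unknown-alias' (our pattern but never issued,
    i.e. guessed), 'catch-all-other' (our domain, not our pattern), 'not-ours'."""
    to_addr = parseaddr(headers.get("To", ""))[1].lower()
    if _domain(to_addr) != DOMAIN:
        return ("not-ours", None)
    if not ALIAS_RE.match(to_addr):
        return ("catch-all-other", None)
    if to_addr not in registry:
        return ("unknown-alias", None)
    service, expected = registry[to_addr]
    if _domain_matches(_domain(headers.get("From", "")), expected):
        return ("expected", service)
    return ("unexpected-sender", service)


def leak_report(messages: list, registry: dict) -> dict:
    """Count unexpected senders per service: the 'who sold me' tally."""
    report = {}
    for hdrs in messages:
        verdict, service = classify(hdrs, registry)
        if verdict == "unexpected-sender":
            report[service] = report.get(service, 0) + 1
    return report
```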
The worst, by far, is Camping World / Good Sam. It's just amazing how they are willing to sell my email to anyone and everyone. My local branch has a good service department though, so I just set up a filter and keep going back.
Mostly email addresses from forums that got hacked. Or addresses used while my domain was owned by someone else (I didn't renew it, but then they didn't renew it and I got it back).
123rf.com was 100% hacked or breached.

Received SPAM on a really old account which I do not use, unique email address and from one day to another it was daily SPAM.

After doing this for years most of my catchall email spam is from breaches.
I have been receiving tons of lame sellers from @gmail.com email addresses trying to sell things like toenail clippers. Emails were sent to the email address I used to sign up for hired.com.
I get the same thing, along with spam for t-shirts. Lots of spam coming directly from GCP.
I always use unique email. So far this problem only happened once with Zenni Optical.
No one has sold me out in the 2 years. I think they know and scan for it before sales.
The most common thing I see is companies emailing me after I've asked them not to. In that case I just disable that site specific email and move on.
Just this year, Angi (formerly Angie's List) did. I requested contact from a few providers for a specific home repair job. Not only did I get emails from other providers, but a few weeks later, I was on mailing lists for completely unrelated types of contractors.
A coffee-shop where I applied for a job. A freaking coffee shop? Really?
Amazon sold me out, because I bought a flight ticket using Amazon India once. Amazon's partner was cleartrip, so I started getting spam from ClearTrip on my amazon@ email address. I complained loudly to Amazon, which didn't care much.
No idea because I use Trashmail everywhere :D
I get some scam/phishing/malware emails sometimes from an account I've only ever used to sign up for comcast.
In India, it's majorly job portals like Naukri, monster etc
Contentful was hacked and leaked my email.
I started getting satellite radio spam to the address I used at the car dealership/service.
I’ve done this for about 30 years. USPS is by far the worst offender.
GitHub, linkedin, couple of smaller stores, who were hacked.
Robinhood, Comcast, TicketMaster, Linkedin
Dropbox and gravatar breaches.

In particular recruiters (including from 1 faang) have picked up the gravatar breach, and after some gdpr digging I've found a few of the unscrupulous vendors that laundered the breach data into the recruiter spam industry

It's not so much sold as "got hacked". Often the spam for an address starts shortly after an announcement of some sort of breach. Pandora is the one that springs to mind.
Kickstarter regularly sells my address, even soon after changing it. I don't think any other entity did that, which is mildly surprising.
Are you sure it's not one of the campaigns you pledged for at Kickstarter? They most likely get access to your kickstarter email address.
I haven't pledged to anything since I changed the address.
After doing this for nearly 20 years I can say I've been pleasantly surprised at how rare it is to get spam unrelated to the company I gave my address to. What it's been very useful for, on the other hand, is filtering email from companies that don't honor their unsubscribe links or the unchecking of their "please send me marketing emails" boxes during signup. The common pattern is for them to invent a new kind of junk mail category and then act as though your opt-out obviously doesn't apply to this totally new category.
Yeah, this is obviously illegal but that's what quite a few companies end up doing.
I have no idea but I'm super annoyed my main email that I've used for almost 20 years has suddenly attracted a ton of spam.

I have a separate email account for all the trivial and unimportant website sign-ups (which I can mostly ignore since it's nothing critical), but my mail account was only used for "higher risk" accounts. I assume it was a leak of some sort (insurance or utilities).

If the spammers knew about FOIA requests they could harvest a gold mine. Our attorney general was conducting a training session about FOIA compliance--I worked at a community college. I raised my hand and asked if I had to respond to requests for the email addresses for all of our students. The answer was the same, comply as quickly as possible.
IANAL but pretty sure that protecting personally identifying information almost always trumps FOI.