The joys of owning an ‘OG’ email account (krebsonsecurity.com)
314 points by todsacerdoti on Sept 3, 2020 | 276 comments


My wife owns an email address in Gmail and you wouldn't think it was a very popular email address. Until of course someone's account information at numerous shopping sites began showing up. My wife contacted this person by phone and it turned out to be an elderly woman. The elderly woman was not having it and began arguing with my wife about whose email address it was. The elderly woman ranted on and on about HOW DARE MY WIFE TAKE HER EMAIL ADDRESS!?*@4@~!

She just didn't get it and more and more new accounts began showing up.

When that didn't work, I tracked down one of her relatives on Facebook, who happened to be younger so she got the whole Internet thing, and explained that her elderly grandmother (it turns out) was using an address that didn't belong to her. Her granddaughter told me she would talk to her grandma and tell her how silly she was being and promised to explain how her grandma could keep herself safe while shopping online.

No new accounts in the grandma's name have shown up since...


That couldn't have worked out better, and was a nice thing for you and your wife to have done.


I shared a story in another thread recently (https://news.ycombinator.com/item?id=24307375) about my relatively benign Gmail being misused, but I had forgotten about the really weird encounter I had a couple of years ago.

A woman texted me via iMessage that she was calling out sick to her job at a local public school. I replied that I hoped she felt better, but clearly had a wrong number.

She insisted that I was Joanna, an Occupational Therapist at this school. (Emma gave me this number!). Clearly I was not, and did not know Emma, or any of the other things that were going on. Then she accused me of stealing Joanna's phone number.

Turns out -- if you send an iMessage to someone in your Contacts, it does the first lookup by email, NOT by phone number. By assuming Joanna had my email address -- something lots of people seem to think is theirs -- I ended up also getting their iMessages.


I've had a similar experience quite recently. I started getting legit automated emails for someone named "John", some emails regarding an effort to buy a house, others from a doctor's office. Some of the emails looked rather important, such as doctor appointment details, so I engaged in some Internet sleuthing, and in a few days I found the person. They were an elderly gent who had the same Gmail handle as me, but his with a numeral suffix.

I tried emailing the gent to explain, but received no reply. So I've just been forwarding those emails to the fellow's real address when they arrive. Perhaps he never checks email, hence his lack of reply to my earlier note, but I forward just in case.


In the few cases I've had for this, social engineering seems the best route to fixing it.


Ugh, this is my life. Yes, including accusations of “hacking” when someone signed up for Facebook with my email.

On the plus side, this personal experience made me very adamant about protecting mistakenly-registered users at my employer. When we were planning to add logged in accounts to our service, the sales team (understandably!) wanted the signup process to be as frictionless as possible, and thought that new users should be able to start putting data into their account as soon as they registered. I insisted that we require email verification before allowing users to enter personal data. When I got resistance to my plan, I logged into my webmail and showed the team all the crazy email I got from people who’d mis-entered my address, and suddenly they understood. I wasn’t just inventing some bizarre, unlikely edge case: these things really happen, and often.

Edit: And as you might guess if you squint at my username, my name isn’t super common. It’s not unique on the planet, but it’s certainly not “Smith”. If I have to deal with all this, I bet the Smiths of the world find it nightmarish.


My main email address is <myreallastname>@gmail.com. My surname is not a very common one, yet I still experience many of the side effects described here. I've had this account since the first day Gmail was available to the public, April 1st 2004—I was invited by a friend who worked for Google at the time.

Back then, I never considered this address an "OG" address, but then around 2012 I noticed something funny. I volunteered to do some charity work and everyone was asked to sign in to a log book and write down their email address with a pen. Several people who worked for this charity said to me "How did you get that email address?" and seemed to think it was unusual that I had a Gmail address that was simply my last name. When I asked them what their email address was, they'd say something like "fluffybunny32428@hotmail.com" or something like that. Hard to believe people use those kinds of addresses for official business and applying for jobs, but they do.

My name is also very English. So when I get missent email, almost everybody using my address is from the UK, Canada, Australia, or NZ.


I have a firstname.lastname Gmail account. Neither first nor last are particularly common. There are various people around the planet who hand out my address as their own. I get invoices on a regular basis but also correspondence from real estate agents and legal correspondence. Most recently I spam listed a Canadian telco because some gentleman in Canada is joyfully handing out my address. On the other hand I very rarely get someone else's snail mail and if I do it is for a neighbour I know a house or two away and never someone in another country :-)


"." is a ghost character for gmail.

firstname.lastname (at) gmail and firstnamelastname (at) gmail

are the same address.

https://support.google.com/mail/answer/7436150?hl=en


Not quite as I learned, for connected services. If you registered originally as johndoe@gmail.com and use john.doe@gmail.com it works fine for mail. For Log-in-with-Google, it goes back to johndoe@gmail.com and many websites treat that as a distinct account. Now you end up with two distinct accounts on the "same" gmail. Not great.


It can also be that instead of people giving your Gmail address as their own, the receiver ignores the domain and just assumes that it's @gmail.com. I've had that happen a couple times.

People also get very confused about + in addresses.


Yes, I have people sending me emails at first.last.com@gmail.com, instead of first@last.com. How do I know? They type both addresses just to be sure.


I get loads of invoices, too, from all over the Commonwealth. The more I think about it, the more I suspect the author is right: there are a lot of people out there who think you can just type someone's last name into webmail and it's just going to magically go to the person they intended.


Well that is how Gmail works if it finds a contact in your address book... type the name and it autocompletes. You could be on the receiving end of autocomplete failures that go unnoticed by the sender.


I considered that, but then I checked and saw that almost all of them are coming from other domains, and often non-webmail domains. Of course, whatever email management software or app they're using on their end could be doing that, too.


I use exclusively custom domain emails but use Gmail to manage all of them.


I have the same format for my gmail account, with a second that has a middle initial, and neither account ever really gets that sort of traffic.

Literally the only time I've gotten something that was for another person is when someone else with my exact name purchased something medical and they emailed the receipt to "firstnamelastname@gmail.com". It turns out that if gmail receives an email in that format and all they find is "firstname.lastname@gmail.com", they'll go ahead and stuff it into that inbox.

I was able to track the person down, call them, explain what happened, forward the email to them, and delete it.

My name isn't super uncommon, but for whatever reason I don't get those sorts of emails.


I feel left out!

One of my Gmail addresses is <my first name>@gmail.com and I never get interesting titbits intended for other people.

Mind you, it probably helps that my first name and surname are pretty unusual. I've also got <my first name>@yandex.com, <my surname>@yandex.com, plus the <my first name>.net and <my surname>.net domain names. So I've pretty much cornered the market in being uniquely identifiable online, for anyone who knows me.

Hmmm... maybe I should see if <my surname>@gmail.com is available, just to really tie up the loose ends!

UPDATE: Hmmm... <my surname>@gmail.com has already been taken, so I can't complete the set. Chances are I actually set it up myself a long while back and then never bothered to use it, but I'm buggered if I can remember the password.


I have {Hacker News Username} back when Gmail started. Consequently I get a lot of emails in Japanese and airline travel itineraries. I had to add an extra U on the end to meet the six character minimum. (Technically it's Washū in Hepburn, but uu is accepted.) I also get a bunch of Washington State University junk.


Most people with average computer literacy have no choice but to use the fluffybunny32428 style email addresses.

To get a good email address these days you either have to be very early at jumping on a new email service or you have to be skilled enough to use your own domain.


Most 'FluffyBunny...' style addresses and usernames I see tend to end in a 2 digit number which is obviously the user's birth year, which they added when told that plain old 'FluffyBunny' wasn't available.

Not a very sensible idea, given how many sites have "What year were you born?" as one of their security questions.


> "What year were you born?"

Anecdata from me: I've never seen this as a security question.

I'm willing to concede that I didn't notice it because I just pick a security question at random and record it in my password database with a made up answer so that I can satisfy their test later on without using a real, guessable answer.


This is exactly what I do too.

I've mentioned before on here; it did come back to bite me once when I had to ring my insurance company and confirm that my mother's maiden name was... er... "Hitler"!


I personally think those sorts of "security" questions are stupid and I have a standard answer to all of the security questions so I don't have to remember what I put.


> Hard to believe people use those kinds of addresses for official business and applying for jobs, but they do.

A couple of years back, a friend was doing some recruiting. One of the applicants had the email address givesdamngreathead@hotmail.com.

(Translated, it was in another language.)


I too have lastname @ gmail, and I find that many people with the same surname as me, and who have firstname.lastname @gmail don't know the difference between a period and a space in an email address.


I'm lucky. I have <firstname>.<lastname>@gmail.com, I haven't had a single case of misuse.

On the other hand, it appears my name is unique in the world. The only things I've ever found under my name that weren't written by me appear to be people scraping for content and trashing the format--I've found plenty of examples of words attributed to me that were really quotes.


Same here. Unfortunately my distant cousins of more advanced age, and my mother, and even my brothers (all of whom have emails only one character off from my own) sometimes mistype. I suspect some groups incorrectly transcribe signups from paper forms as well.

I occasionally try to remedy the issues, but I have yet to convince my mother to fix the email on her bank account.


I have two such gmail accounts! I got one early on—around 2005 or 2006 which receives a gross ton of spam, so eventually replaced it with one that uses my initials and then my last name which is way less trouble. I got my brother on board around the same time. He just uses our last name at gmail. I'm sure he gets his share of crap.


I am switching from my legacy demon email and I was surprised I managed to get my lastname.org.co.uk domain.


Yup, I feel your pain. One of my emails is <onechar>@<3chars>.com. This fails verification on so many websites it's just comical. I then figured on making a <6chars>@<3chars>.com. Turns out folks mostly validate <3chars>.com in my experience, which I assume is because of good old mail.com. It's frustrating.


I gave up using mail@<nickname>.network because of the significant percentage of sites that refuse the .network TLD.

One large financial services provider even told me that their "policy" was to allow 3, 4, or 5 characters as the last part of the domain. So .ninja is A-OK. I pointed out how ludicrous this was, and they told me it was their "policy" again, and that's why Australian Super doesn't have any of my money.


I would bet on a number of sites this is because they all copied and pasted the same email validation regex they found online when googling, which was made before TLDs could be that long, and they don't know how to fix it.


> their "policy" was to allow 3, 4, or 5 characters as the last part of the domain

Wow, no country codes? I could understand a restriction dating from before the great expansion of TLDs, but expect it to have a 2 in it.


Ah, apologies. My mistake, yes, 2 digits was fine.

Actually I wonder then if it was 2, 3, or 4. I think it was, because I remember thinking that .wiki would have been okay.

Either way. Arbitrary and stupid.


There's probably a "misconceptions people have about e-mail addresses" post out there somewhere; the tl;dr is that so much is or will be allowed, for validation you should really only check if there's an @ in the address, for the rest just try to send an email and see if it bounces.

But don't activate an account without e-mail verification. I got a random account on Deezer because someone signed up with my e-mail address; they probably got it off a spam list. But it kind of implies that Deezer didn't do e-mail verification before letting people use their platform.
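An added example, not part of any comment in this thread: a minimal sketch of the advice above, set beside the kind of copy-pasted TLD-length pattern complained about earlier. The regex, the `SignupStore` class, its method names, the one-day token lifetime and the sample addresses are all constructed for illustration; an in-memory dict stands in for the database and mail delivery is omitted.

```python
import hashlib
import hmac
import re
import secrets
import time

# Constructed legacy pattern: no '+' in the local part, last label 2-4 letters.
LEGACY_TLD_RE = re.compile(r"^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$")
TOKEN_TTL_SECONDS = 24 * 3600  # assumption: confirmation links live one day

# Constructed sample input.
SAMPLE_ADDRESSES = [
    "a@tcd.ie",
    "mail@nickname.network",
    "c+hn@example.com",
    "user@students.uni.example",
    "no-at-sign",
    "user@example.com\r\nBcc: x@example.org",  # header-injection attempt
]


def minimal_check(addr):
    """Only require local@domain; reject whitespace/control chars (CR/LF)."""
    if len(addr) > 254 or any(c.isspace() or ord(c) < 32 for c in addr):
        return False
    local, sep, domain = addr.rpartition("@")
    return bool(sep and local and domain)


def compare_validators(addresses):
    """Return (address, legacy_regex_accepts, minimal_check_accepts) tuples."""
    return [(a, bool(LEGACY_TLD_RE.match(a)), minimal_check(a)) for a in addresses]


class SignupStore:
    """Accounts stay locked until the mailbox owner proves control."""

    def __init__(self, clock=time.time):
        self._accounts = {}
        self._clock = clock

    def register(self, addr):
        if not minimal_check(addr):
            raise ValueError("not an email address")
        existing = self._accounts.get(addr)
        if existing and existing["verified"]:
            raise ValueError("already registered")
        token = secrets.token_urlsafe(32)
        self._accounts[addr] = {
            "verified": False,
            # Store only a hash so a database leak does not leak live tokens.
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": self._clock() + TOKEN_TTL_SECONDS,
        }
        # The token is mailed to the full, unmodified address and is never
        # shown to whoever filled in the signup form.
        return token

    def _token_matches(self, acct, token):
        candidate = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(candidate, acct["token_hash"])

    def confirm(self, addr, token):
        acct = self._accounts.get(addr)
        if acct is None or acct["verified"] or self._clock() > acct["expires"]:
            return False
        if not self._token_matches(acct, token):
            return False
        acct["verified"] = True
        acct["token_hash"] = ""  # single use
        return True

    def disavow(self, addr, token):
        """Recipient says 'this was not me': drop the pending signup."""
        acct = self._accounts.get(addr)
        if acct is None or acct["verified"] or not self._token_matches(acct, token):
            return False
        del self._accounts[addr]
        return True

    def can_store_personal_data(self, addr):
        acct = self._accounts.get(addr)
        return bool(acct and acct["verified"])


if __name__ == "__main__":
    for row in compare_validators(SAMPLE_ADDRESSES):
        print(row)
```
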


I've had problems with sites accepting my .is email address too, probably due to similar logic.


I have something similar when I used contact@<firstname>.<lastname>.name

There were various ways in which that failed.

1. ".name" was pretty new by then, so some frontends did not accept it

2. some frontends objected to the third level of my domain part, accepting third levels only in such cases as the well-known ".co.uk", for example

3. some frontends let me sign up, but something in the backend failed, I can only suspect if it was the ".name" tld or my third level, but I never got any mails after signing up


> 2. some frontends objected to the third level of my domain part, accepting third levels only in such cases as the well-known ".co.uk", for example

This is actually not such a rare edge case. My university, for example, uses <name>@students.<university>.de . So there's really not much excuse for not handling this.


The number of sites that send mail to "foo@bar.com" when you give them "foo@sub.bar.com" is staggering, too. It's a mystery to me why they would ever want to do that, but it happens a lot.


I can see how that happens immediately...

    var domain = addr.split(['@','.']).take_last(2)
    var tld = domain[1]
    // check TLD against wacky rules...

See, boss, it's easy. What's next?


It's also possibly just some arcane regex incantation that someone implemented 12 years ago and nobody has been able to decipher it since.


> Turns out folks mostly validate <3chars>.com in my experience, which I assume is because of good old mail.com.

I wonder what happens with .co.uk, and other two-letter second-level domains.


My student email was @tcd.ie - I had plenty of websites I wasn't able to sign up to, offers I couldn't redeem and mail that just never arrived...


Probably hard coded exceptions.


You could probably put a +. Instead of c@cik.com, it could be c+hn@cik.com or c+jobs@cik.com. These would still forward it to c@cik.com [0]

This has the side effect of knowing who has been selling out your email to spammers.

[0] https://www.cs.rutgers.edu/~watrous/plus-signs-in-email-addr...


I mean I legit wish I owned cik.com, that'd be awesome :p. Seriously though tonnes of folks fail the +. You know what's especially awesome? Ever try shot non-UTF8 domains. Those are fun.


My email address is *@example.tld

Fails a lot of validations because ‘example’ can’t possibly be right eh?!


This one actually almost makes sense because of RFC 2606 [1]. It reserves the .example TLD as well as example.com, example.org, and example.net as only example domains that cannot/should not be used. Back when .com/.net/.org were "the only TLDs that matter" a blanket check for example in the second level made some sense, and/or to just assume that RFC 2606 would apply to future TLDs (despite it being quite specific in which domains it reserved).

[1] https://tools.ietf.org/html/rfc2606


Some second level example addresses are actually reserved and not for use. See RFC 2606.


Similar experience with IDN domains. Most places reject them altogether, and of those which accept them, only a subset accept an IDN recipient in the mail address.


The SMTPUTF8 RFC to support non-ASCII local parts is from February 2012 and thus fairly new [1]. Postfix supports it since July 2014 [2] and to the best of my knowledge Dovecot still does not yet support SMTPUTF8 for LMTP.

Personally I did not enable SMTPUTF8 support in my Postfix due to the lack of Dovecot support.

[1] https://tools.ietf.org/html/rfc6531

[2] http://www.postfix.org/SMTPUTF8_README.html


I was once directed to appear at a Las Vegas hotel lobby at 7 AM sharp. I was to drive various poker celebrities from shoot to shoot around the city for a movie. Included was a detailed itinerary. I recognized the names from various TV poker shows.

I wonder what happened when I didn't show up (I did let them know that I wouldn't be there), and I wonder if it was ever finished and released.

Yes, I also get the bills (mostly from electricians in Australia for some reason) the porn/game signups, the notes from Grampa, etc.


I happened to be online the moment outlook.com launched and registered a <very popular first name (it's even the name of a disciple and/or one of The Beatles)>@outlook.com email address and walked away from it exactly because of this.


Over a decade ago, I was added to a Sri Lankan family tree thing on Ancestry - because they invited my email address, as we have the same last name (my last name though is Norwegian, and the same as this Sri Lankan family).

I still get updates in my email from this family and even had bank statement updates sent to me, and birthday wishes meant for the other sstave...

I have told them multiple times - but I am still on their family tree - for a DECADE


Of course they won't let you go, you're family now!

I have Firstname.Lastname@gmail but I never get any mistaken mail there.

Now text messages on the other hand... I get all sorts, at one point I was getting some for a Black Gun group. Now I am getting them from the DNC but they are addressed to the wrong name.

The scarier thing is two factor authorization text messages, I remember getting some for Facebook and Instagram. I never did anything with them but if not set up right I suppose I could get into someone else's account.


I love getting unknown sender random texts. I play a game with myself to see how long I can keep them responding.

One time I got a wrong number and over the next few days coached a lady who was calling her friend for advice on her upcoming job interview, as she wasn't sure she wanted to make that career change.

I did the best I could to advise on the matter (sincerely) - but I never got a reply on the matter.

I always delete the message immediately after so the thread isn't there so I have no way of initiating a connection.


Since we're all reminiscing...

I was once the (proud) owner of `ozzy@ibm.net` at some point in the mid-late nineties.

I was living in Istanbul for awhile and IBM had just entered the market to bring us all Internet, and decided to use their `ibm.net` domain to give all their customers free email.

Still miss that one xD


Hah - not as bad but similar, but hey it’s my name-ish. I get a fairly high amount of password reset attempts on it too. (guess my Gmail address, I got gmail back when it was invite only beta)

Really like your approach at work though, I am apparently signed up to so many various services that I have never heard of, and could probably access lots of PII if I wanted to.


I also have one of these email addresses, and have been accused of stealing it by some so-and-so who doesn't know what their email actually is.

I unsubscribe and/or report spam where I can, but on a typical day, I still get around 3 emails intended for someone else.


My email account got 'hacked' by the Chinese (not really hacked, just reused the same password). From there they broke into multiple other accounts by password recovery. I got control of the account back. But a few years later, someone used my email to register at some Singaporean university. Since then I keep receiving emails from multiple departments telling me about exams and my lack of attendance.


I have <name><number>@gmail.com. Despite the number, I still get emails about other people’s bank accounts, parcels being shipped to them, the occasional missent scan…


yep, I'm "cweekly" at most places and get a lot of this; there's rarely any recourse even if I had the time to try and resolve em


I have one of these accounts (it's a dictionary word), and I can confirm everything the author has said is true. I receive constant onboarding emails I can't opt out of, "so and so thinks you're cute" dating profile notifications, weekly account recovery notifications, all kinds of random crap that was meant for someone else but due to slight misspellings come to me, such as important contracts from lawyers, endless spam and newsletters I will never be able to escape. I've long given up trying to help others deal with mistakenly using my email. It sucks massively and has made my email unusable. Had I known this when I registered my email, I probably would have thought twice about being cute and registering it. These days, I mostly use my own domain for email and carry on.


Sorry to hear that. As a fellow 'OG' gmail user, I feel your pain, but between the constant 2-3 daily unsubscribe hits and many many Gmail filters it is actually manageable and usable.

Google's "targeted-journalist-level" Advanced Protection Program means I don't have to worry about password resets or account recovery stuff on the account.

Though I have lost track of the number of services I didn't have immediate access to since someone signed up using my email address, and reclaiming it can be a battle sometimes. The Apple ID was interesting - but luckily everyone's "first pet's name" was "Fido"... (Seriously... Please validate your emails everyone!!!)

Often, whenever a real mailing address is included I print out the email and send it in a real letter with a friendly (if just a tad passive-aggressive) note inside. But overall I try to do the right thing for important documents and correspondence.

I do shudder to think how many random accounts are just an email-password-reset away from having access though...


> Google's "targeted-journalist-level" Advanced Protection Program

Thanks, I never heard of that before. https://landing.google.com/advancedprotection/


I got on Google's APP a while ago. Google is great for this specific purpose - if there's one thing you can count on Google for, it's never ever listening to their customers, no matter what.


I don't have the same degree of problems with first initial + family name @ gmail (with an uncommon family name), but I've had someone use it for something related to car insurance (which has resulted in a _ton_ of spam), to enter a university run, and had company internal documents forwarded to me (turns out the CEO shares my name).


I have name.wifename@gmail.com and I have not gotten many subscriptions but I got quite a few random emails meant for other people.

I did get a subscription for a Diners credit card, and I am torn about contacting the guy; I don't look at the emails but I probably could find the owner relatively easily. I contacted Diners and they didn't believe me. (Who the heck is using Diners these days?)


My wife and I have "OG" name based gmail addresses. We only get about 5 emails a week not to us nowadays, but we have also given up trying to route the stuff to people. Somehow we've made it onto government distro lists, business travel itinerary lists and the normal distros.

The worst was when my wife began receiving outage alerts from a Fortune 100 company's NOC. Not just simple Nagios alerts, but detailed technical information accompanying the alert. When we attempted to notify their security team they threatened us for having "hacked" their system. Turns out they realized a former employee added their personal address to the distro when they left so they could help with the transition.


I've got [first initial][last initial]@[my email provider] and have come to find much of the mail I receive seems to be addressed to people with the same initials as myself. It's incredibly frustrating to find the same culprits over and over again. Do they not know their own email address? Or do they just not care? (I suspect the latter)


Yeah me too, facebook is the worst!

Then there was the mother who signed me up to get email when her kids didn't show up at school ....

Then again I used to have a fax phone number one off from a pharmacy, other people's prescriptions every week


Indeed. Mine is firstnamelastname, and I've gotten many emails I shouldn't. The worst was an excel spreadsheet with login details for several dozen midlevel managers at a small banking chain.


Yeah, I have the same type of email, and I received legal and medical documents, letters from schools about students, tons of personal notes, and daily signups for services.

It's crazy.


OMG some guy has signed me up for EVERYTHING from Home Depot to every dating site, to porn sites to cheating sites. It's absurd. I get daily emails from these services still even with unsubscribes and blocks. They're incessant.


> I get daily emails from these services still even with unsubscribes and blocks. They're incessant.

LinkedIn is criminal in this department.


I had to set up a filter to automatically reject anything from any of their domains, they're an absolute plague that Moses would be proud of.

I don't really like email alerts for social media as a concept anyway, if I want to hear what LinkedIn has to say I'll look at LinkedIn itself, it has no business injecting itself into the rest of my life via out-of-band methods like email.


One time where “criminal” may actually not be an exaggeration.


Perhaps he used http://mailbait.info/


I abandoned my very short @yahoo.com address in the late 90s due to this. Maybe 1 out of 200 emails I received were actually for me.


I have a four-letter Yahoo account from the 1990s. I have never used the address anywhere. It gets lots and lots of spam.


Same. People signing up for various services, apparently not understanding that they will never be able to read anything sent to this email address.

I get emails from middle schools, online shopping of course, but also emails for at least a couple Trump supporters (not trying to profile; simply getting Trump campaign's constant barrage of emails demanding more money; nothing from Joe's side yet)

What I find particularly annoying is when parents use this account to register for a kid's school alerts. All sort of important stuff like "Do not send your kid to school this week!" or "Where did your kid go?" and because the school itself is also not super savvy, there is nowhere for me to send a reply saying "You need to fix this!"


Due to a bug, for a few months I received email addressed to google@gmail.com. This was years ago, when Gmail was still newish.

I couldn't send mail from that address, but I sure did receive it. An endless torrent of weird junk, and a surprising amount of personal data, business secrets, and passwords. If I was maliciously minded I could have done a lot of damage.

I spent those months trying to find any way to get a message into Google to fix it, and only eventually succeeded when I learned a friend-of-a-friend actually worked there, and they helped un-scramble my account.


That's amazing, sounds like a blog post in and of itself.


For all the “smart” people at Google, their incompetence is astounding.


Don't they have like three different internal Javascript libraries or something?


Am a Googler who doesn't write Javascript, opinions are my own etc etc...

I don't know how many there are, but are you saying that 3 would be a lot? There's probably hundreds of internal libraries for other languages like Java, C++, Go, etc. 3 really doesn't seem excessive.


Maybe he means "comprehensive frameworks". The kind that do everything. The kind you probably shouldn't mix together.


They must be real big libraries


I would personally be worried if they only had one.


Story time: I never considered my email to be OG as it contains at least two digits after firstLast but I've experienced the same thing. A very well-off man from Texas has assumed my email as his own, shared it with his entire extended family and booked hotels and flights using it.

At some point his wife asked me what I thought about a forwarded message from their mortgage broker, and his brother-in-law asked for my input on buying a 30ft yacht and what to name it.

I always ignore the serious ones for obvious ethical reasons but can't help myself with the more innocent cases. I've found I quite enjoy giving non-committal responses to these emails that won't give up the gig but also don't help them either, things like: "that seems pricey" or "cool! What are you going to name her?", and "she's a beaut!".

I suspect it will go on for a while.


I bet you if you replied, "we need to talk..." it might stop. That might be too mean though, or at least give the man a warning to stop or else.


Oh god yes. I have a 6 character pronounceable gmail address as my main email address. Some highlights:

* Several people from (I think) Mexico City have sent me requests in Spanish asking for medical prescriptions, including photos of their current medication.

* I started receiving receipts for an Italian parking fee app. After I contacted their support about the problem, I received an email addressed to their user asking them to confirm the email address.

* Someone signed up for Comcast DSL and there was no way to opt out of those emails, support didn't react and logging into the account would have required additional information not in the emails. I finally made a complaint to the FTC under the CAN SPAM act - that got their attention and they managed to fix the issue.

* Someone signed up for some rewards program and proceeded to collect points by signing up for about 10 different newsletters.


I have my 6 letter surname at gmail as well, and I've had this issue for decades. Everything from wedding invitations to banking to schools etc.

I have answered some helpfully if I had the time, but mostly ignored them and put them in a folder as "mail for others".

One in particular, some kid in Arizona who shares my last name has signed up for everything from golf to Epic Games. I found him on facebook and friended (since we shared our last name) and politely asked him if he could try to not use my email for things. He told me it was his, called me a creep and blocked me.

It's kind of hilarious how many people insist the email I (or Google I suppose) own is also theirs, despite the technical impossibility of that scenario. The same has happened with my phone number.


Fun fact: Facebook logs people in if they click on a link in their transactional emails. Don't forward your transactional Facebook emails to other people.

There's also no feature to verify or disavow email addresses.

I wonder if they change this policy now that more people know about it.


Please tell me you shut down a few of his "accounts"


Yes, specifically the Epic account, but I might've hijacked his Instagram from before they used email verification (just assuming they do now).


Yes, Instagram definitely uses verification now and doesn't let you use the account until the verification is completed.


I also have my username with gmail, and have had everyone from college professors, pastors, and restaurant equipment salesmen claim it as their own.

It really is mind boggling.


I own the domain name for my last name, so that I have the email address [firstname]@[lastname].com. But when signing up for services I like to use my domain as a catchall so I can have unique email addresses for each service. Of course that means I receive all emails sent to anything at [lastname].com. Even though my last name is not that common, there’s apparently a ton of people with my last name who sign up for services using their first name @[lastname].com, even though they obviously don’t have access to that email address and haven’t for at least the 8 years that I’ve owned the domain name. I’ve never understood what compels a person to type in an email address for service if they don’t actually have access to that email. And yes, I see plenty of bank accounts and other important accounts as mentioned in the article. It’s mind-boggling. I also get plenty of personal email as well, intended for people with that first name and last name. In those cases I usually reply to tell them they have the wrong email address, and more than once someone has responded back again asking me if I could pass the message along to that person as if I’m supposed to know them.


I used to use a catchall but every few months spammers will use my domain in their spam from line and I would get thousands of bounces.


You might want to set up a DMARC policy for your domain. Since I set mine to "p=reject" I haven't had any such issues. DMARC extends DKIM and SPF, and you (typically) need to pass at least one of those to pass DMARC.
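The check described in the comment above, as an added example (not code from the thread): it parses a published DMARC record and applies the rule that a message passes only when SPF or DKIM passes for a domain aligned with the From: domain. The record, domains and authentication results are constructed, and `org_domain` is a labelled simplification (last two labels) where a real verifier uses the Public Suffix List; `sp=` and `pct=` are not handled.

```python
# Added example: simplified DMARC evaluation (RFC 7489). All records, domains
# and authentication results below are constructed for illustration.

# Constructed record, as it would be published at _dmarc.example.org
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org"


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a valid policy record."""
    tags, order = {}, []
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)
    # "v=DMARC1" must be the first tag, and a policy ("p") is required.
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        return None
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in ("none", "quarantine", "reject"):
        return None
    tags["adkim"] = tags.get("adkim", "r").lower()  # DKIM alignment: r=relaxed, s=strict
    tags["aspf"] = tags.get("aspf", "r").lower()    # SPF alignment: r=relaxed, s=strict
    return tags


def org_domain(domain):
    """ASSUMPTION: organizational domain = last two labels (real verifiers use the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed mode compares organizational domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(record_txt, from_domain, spf, dkim):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).

    Returns (passed, disposition); passed is None when no usable policy exists.
    """
    policy = parse_dmarc(record_txt)
    if policy is None:
        return (None, "no-policy")
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy["aspf"])
    dkim_ok = any(result == "pass" and aligned(d, from_domain, policy["adkim"])
                  for result, d in dkim)
    if spf_ok or dkim_ok:
        return (True, "deliver")
    requested = {"none": "deliver-and-report",
                 "quarantine": "quarantine",
                 "reject": "reject"}
    return (False, requested[policy["p"]])


if __name__ == "__main__":
    # Owner's real mail: SPF passes for the provider's bounce domain (not aligned),
    # but the DKIM signature uses d=example.org, so DMARC passes.
    print(evaluate(RECORD, "example.org",
                   ("pass", "bounces.mailhost.example"), [("pass", "example.org")]))
    # Forged From: line: SPF passes, but only for the sender's own unrelated domain.
    print(evaluate(RECORD, "example.org", ("pass", "bulk.example.net"), []))
```

The second case is the one the catch-all owner cares about: SPF "pass" alone does not help a sender whose envelope domain is unrelated to the From: domain, so a receiver honouring `p=reject` refuses the forged message.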


I’m the same except instead of [lastname] it’s ‘example’.

The tld is a little rarer but plenty of people still use it as garbage input to web forms!


I'm not sure if you're using "example" as a metasyntactic variable, or you're actually the owner of example.com. If it's the latter, I do use your domain for forms that require an email but I don't actually want feedback from. In my defense, your web page says "You may use this domain in literature without prior coordination or asking for permission." This isn't literature, but I didn't think I needed permission or coordination for other users either.


They own "example.<something-else-thats-not-com>". Which is basically asking for trouble given that "example.com" is explicitly set aside for this kind of demo/throwaway purpose.


Not sure how I missed that. Thanks for clarifying.


I was so happy when I was able to get my (exceedingly common) full name as my gmail address.

1.x decades later, I regret it. I get people's medical information, legal documentation, all of it. It is stunning to me the quantity of PII that flows into my inbox daily. Back when it was a trickle, I used to try and contact the people involved to let them know of the issue. It almost never worked out, and I got tired of getting yelled at.

At this point, I keep my account simply because if I were to close it, I don't trust whomever might have it next. It is what it is.


I share a name with a famous person and my first and last name are also my email address (@ a certain mail service) and I often get receipts for things he’s purchased as well as personal correspondence. When it’s a person I always respond and say that unfortunately I’m not the person they’re looking for just so they know.


That sounds like something a famous person would say!


Ah my friend Rupert Goodwins got a lot of email via gmail for Rupert Grint and he wrote about it here back in 2004.

https://www.zdnet.com/article/rupert-goodwins-diary-30391728...


I feel like you could simply stop using it, set up a vacation auto-responder, and log in once in a while to keep it from expiring and reverting to someone unseemly.

This whole thread is the reason I started requiring extra email verification when members signed up at our hackerspace/makerspace. A surprising number of otherwise-bright people don't know their own email address.


Honestly, I'm not far from doing exactly that. It's just frustrating to be forced from one's own name by nothing more than legions of derppelgängers, you know?


Yep, I secured a firstnamelastname.gmail (both common) for my wife early in gmail's life- and it's very useful for ease in sharing.

I have a similar .mac/.me/.icloud email.

Unfortunately the innumerable 1,2,3 ended users of the same email get wearying to deal with for both of us. We both have persistent UK versions of ourselves, lots of offers for free tickets to football games in the UK that I have to regretfully pass up; as well as a variety of other people that we've managed to classify by geography.

The PII stuff is really the hard part- real estate documents, job offers, legal communications, x-rays, etc. You want to help but often it just generates a lot of heat without helping.


My email address most recently was used for some online courses at a .mil address. They took me off their list when I asked, the amount of notifications was pretty incredible. It’s been used for dental records in Oklahoma and to buy heavy machinery in Germany. It’s still obscure enough not to be a real problem, so it’s mostly amusing.


I have my not-so-common name as my gmail address and I still get a ton of crap. The most frustrating is from a power company in Ohio that sends me billing statements every month. I contacted them to ask them to stop emailing me because I'm not the intended recipient. They said they can't stop emailing me because only the account holder is allowed to change the email preferences. Apparently my only recourse is to reset the password on the account and claim it as my own... for the last few years I've just been deleting the monthly emails.

I also get fun things like family photos from people I've never met before


You can threaten to report them to regulators for knowingly sending non-public personal information to a third-party.


I have the same issue. I never waste time trying to find a way to forwards these emails to the right people, because I am extremely suspicious, so I often assume there is a phishing attempt behind these emails. I mean, often, money is mentioned in the email (like booking a hotel, a bill, a car insurance, Internet subscription, etc.). It might be legit, but it is not worth the hassle for me, and it is none of my business anyway.


gmail burns addresses forever. no one else will get it if you close it.


...for now, yes. I just don't trust them to keep that policy, you know? Microsoft & Yahoo already recycle, and I am willing to bet that Google will eventually, too.


I was recently in an Xbox party with 3 char anime/Japanese theme tags. I asked them why there weren't any numbers after their tags and they went on for two hours teaching me about OG tags and that his $750 tag was a steal as it wasn't just random letters, but an actual word. The other guy paid $1,500 and at one time paid $12,000! They explained you can buy them on IG or a site called ogusers, but that you should always use an intermediary who holds the account and your bitcoin, and acts as a security check middle man for a small fee.

They also told me about an MS website hack, where you could enter spaces into your name by changing the client-side javascript and entering about 500 spaces between each character and then filling the field with spaces until maxchar.


Reply all did a great episode which went into these OG markets. One of their best: https://gimletmedia.com/shows/reply-all/v4he6k


Yikes, probably a nightmare for the average netizen


For three years in a row I received an amazon gift card on father's day. Always intended for as far as I can tell the same person who has the same first initial and last name as me.

I contacted Amazon about it the first time and they wouldn't cancel it or issue a refund because I was the recipient, not the purchaser. I worry that someone has been written out of their Dad's will because he thinks they have forgotten father's day 3 years running.


Doesn't amazon have a "thankyou" feature to email the sender?


I worry that putting "I am not your father" in the thank you message might cause even more trouble.


Noooooooooo…wait a second.


It didn't at the time iirc. It was a few years back though.


I have lastname[initial]@gmail.com and it’s not a terribly common name, but I’ve gotten Interac payments (Canada) sent to me for little league practice (emailed back and they apologized).

Most recently I’ve been getting a cell phone bill for a South African person. It had their address so I looked it up on gMaps and it was a small home in a shantytown. I just received an email telling me the service was being cut off for non-payment. No email for me to reply to.


I had another person with the same name as me put my email address in his resume. I started getting a heap of emails to come in for interviews, in a small town in Northern Ireland that my family emigrated to Australia from 150 years ago.

Fortunately his phone number was in the emails, so I called him and had a great chat, he got his Nan on the phone and we spent ages walking through our family tree finding connections.


That is a super cool story!


I've got one of these. I've been invited to golf tournaments, received medical records, been included in family reunions for many years running. I've had power bills sent my way. I've seen tons of SS#'s and bank account routing numbers. Countless password reset attempts. A long time ago I decided I'd never interact, reply or respond to any mail I received apart from opening.

Tangentially related -- catch-all email accounts also get a ton of mail when the domain name they're tied to is close to something that many people send messages to. If you own a domain one keystroke away from a high volume domain - you'll get access to all sorts of things you shouldn't be seeing.


I own a four char gmail account that is a common word. (I was employed at G in 2004.) I get _everything_. If I don't have an account on a service, I try a password reset and it usually works. I have bank info, hundreds of AT&T cell phone contracts, pro baseball player contracts, mortgages, taxes, paypal, investment accounts. You name it. I get thousands of spam messages a day that are correctly filtered and I mark dozens as spam on top of it. I can tell you about tons of companies that don't do email validation. I was once offered 5BTC for it but it is much more valuable to me (also I didn't know just how high BTC would go).

It's annoying but I'm still striving for inbox zero. :)


Yeah I've got a 6 digit semi-common name Gmail account (from the invite-only days) and the amount of junk I get to it is mind blowing. Not "spam", that gets filtered pretty well by Google these days, but emails specifically sent to me but not for "me" personally like TFA talks about.

100+ emails a week in my primary inbox that are from people signing up to random stuff in my name, basically any/every service you can imagine where I don't already have my own account (large social networks and sites in countries other than my own, online shopping sites, etc).

The other interesting thing is I seem to get a LOT of email for addresses that "almost" match mine, as though Gmail is doing fuzzy-search for addresses? E.g. let's say my email is "david@gmail.com", I get dozens of emails a week for "david.17@gmail.com" and "davidab@gmail.com" and stuff like that. I can't explain this one, and everyone I bring it up with says it shouldn't be possible.

It's gotten to the point where I've created a more normal fullname@gmail.com and then do some filters/forwarding on the old one for the more important emails, then just check the old one every couple weeks to see if I missed anything, because it's just not usable anymore with notifications on.


Same here. My GF at the time received a couple of the earliest GMail invites from someone she worked with, and I remember thinking, "Wow, this'll be great, nobody will ever forget my email address."

15 years later: https://i.imgur.com/FlCi3xT.png

Almost none of that is actually spam. Mostly list/membership subscriptions, reminders that my $(VEHICLE) is due for service at $(DEALERSHIP), and misdirected personal emails ranging from amusing to upsetting.


I am really glad that I do not have one of these email accounts. While I cannot speak firsthand of some of the shenanigans that are mentioned in the article, I have worked in the web hosting industry for 20 years. I have seen some of the horrible security practices in use by customers and, surprisingly, people in the industry.

I've seen many people locked out of their hosting accounts because they have their primary account email address as one of the hosted email addresses on their accounts, and suddenly they've lost access to their web hosting control panel because their domain expired or their email was otherwise taken offline.

I think what all of this boils down to is that people don't receive any actual training about how these things work. They pick up a phone and start using it and figure it out along the way, or they buy a computer and set it up the way Microsoft says and never think twice about anything else. The amount of training that people receive is dismal at best and most of the time it's not even that.

There's also a contingent of the public that doesn't want any training and their main argument is "well this is how I've always done it!"


> I've seen many people locked out of their hosting accounts because they have their primary account email address as one of the hosted email addresses on their accounts, and suddenly they've lost access to their web hosting control panel because their domain expired or their email was otherwise taken offline.

This is a surprisingly difficult risk to effectively mitigate.

If you have a domain and tie your domain registration and hosting accounts to an email address hosted by the domain, you could get locked out if something goes wrong with the domain registration.

If you tie your registration and hosting accounts to a third-party email account, you could get locked out if the third-party decides to nuke your account for any arbitrary reason (cough, cough, Gmail).

If you tie your registration and hosting accounts to a cell phone number, you could get locked out if someone attacks your phone account (unauthorized porting, SIM swap, etc) or if the cell phone network goes down (think California fire protection blackouts, or hurricanes).

If you tie your registration and hosting accounts to TOTP or Webauthn 2FA, you could get locked out if you lose or damage your 2FA device.

There's no good way to authenticate domain registration and hosting accounts unless your registrar and host have the foresight to allow multiple authentication paths.


> If you tie your registration and hosting accounts to a third-party email account, you could get locked out if the third-party decides to nuke your account for any arbitrary reason (cough, cough, Gmail).

This is interesting. I usually point all my WHOIS info to <something>@<other-domain>, but <other-domain>'s WHOIS goes to one of my personal Gmail accounts.

I'm going to switch it to a domain where I control the DNS, so I can change the MX record if a provider decides to nuke my account.

Now I'm wondering how this works with any registrar's domain privacy feature — technically, they're the "owner" of the domain in the WHOIS record.


Just be careful that your DNS is sufficiently restricted; I've heard of DNS being the weak point for taking over accounts involving custom domains.

I'm surprised there aren't more in person or by mail verification options available. I guess partly due to the "who pays for it" aspect (and people moving, etc., plus no verification method is completely accurate), but the current state of authenticating online accounts is rather worrying in general and allows anyone anywhere in the world to try to take over your accounts.


I'd personally tie a domain to a paid email account hosted by a provider that is in a sound market position (not e.g. Yahoo), doesn't have a reputation for arbitrarily revoking accounts (not Google), and doesn't have overly aggressive spam controls (not Microsoft).

That doesn't leave many options.


Years ago I considered setting up a hosting company. This is part of the reason why I didn't go through with it - dealing with idiots locking themselves out and/or letting their website get compromised & send spam/host inappropriate content wasn't worth it even though the technical side looked pretty straightforward and a fun challenge.


It reminds me of how the owner of the @N account on Twitter had it stolen from him [0]

[0] https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...


> A coworker of mine was able to connect me to a GoDaddy executive. The executive attempted to get the security team involved, but nothing has happened.

That part was really shocking. I can see why you might be stuck with a low-level support tech that can't and won't help you, but not being helped despite having this level of attention is horrible.


Someone used my email to sign up for Instagram ~10 years ago or so. I never got a mail or any kind of verification, so I didn't know. Only found out when I tried to sign up myself a few years ago, and "the address is already in use". So I took forgot password, and got the email. I tried to get support to move the other account so I could create my own, but they never responded. Luckily the account linked to my mail had like 3 pictures and 5 followers, so not too big a loss when I deleted it and created my own.

I also got signed up for some kind of dating service I cannot remember the name of (before Tinder etc), and after getting some weird messages in my inbox I felt I had to delete his profile. Sorry about the matches you lost.

Given the nickname he's been using on some sites when signing up, I managed to track down his real email some time ago. Basically mine + a number. Asked him to stop using my mail, and what services he wanted we should try to move to him before me closing them. All I got in reply was something along "why are you in my inbox".


I suspect this happens most with people using a full size keyboard and the numeric keypad - when numlock is off, they miss that the numbers didn't get entered and boom, there's your address instead.

I suspect you never see this with people whose number-after-name was 4 or 7, because they won't be entering a valid email address.


An amusing anecdote from someone on the other side of this story...

A friend of mine has first@fullname.co.uk, and he's forever getting email intended for first@fullname.com (who is someone entirely different, also in the UK, and works in the military).

One day my friend books a flight and accidentally uses first@fullname.com. He doesn't realise anything is wrong as the flight still shows up in the app. However, the owner of first@fullname.com also sees the flight confirmation and thinks there's some identity fraud going on, so phones it in to the police. So my friend gets to the airport and scans his passport at the boarding gate, but is met with a big red exclamation mark. Next thing he knows, he's flanked by two armed officers who take him away for questioning for an hour!

After working out the mix-up, my friend sent a note to first@fullname.com thanking them for the welcome committee.


So I own a domain that is very similar to a ballet company for children in Florida and once, a mid-sized CEO emailed me PDF images with credit card details!

I tried reaching out, but my email was probably ignored because they thought it was a scam.

I'm sure that sending that info insecurely at least... violates mastercard agreements? I dunno. I just hope people checked and double-checked what emails they send.


I own a domain name that is a generic word but is also a one-off of a medical company (and a very "likely" typo).

My catch-all mailbox has received an insane amount of highly sensitive medical records over the years. Most of these mails were coming from employees of the company itself, not external correspondents.

I have since modified the catch-all mailbox to reject mails from the medical company, so they get a bounce message. This has not reduced the number of messages, but at least they will know something went wrong...

People are not very careful, even with highly sensitive data...


I get a steady flow of misdirected email for UK and SoCal namefellows, going on 10 years now. SoCal guy got roped into Scientology but the UK fellow has had a stellar military career, at least according to the intros I’ve seen.

The most interesting ones were about a trial where the defendants sold substandard steel to the military. I got added to the thread with their lawyers discussing strategy and sending attachments. I deleted it all after notifying them, their case made it into some national news stories.


Someone I used to know had the Lawyer experience too, only the namesake was a high ranking UK banker and the topic was the late-2000s financial crisis.


I still own 'sys' and 'wheel' at one of the big ISPs in the US. I used to get a lot of syslog-type messages back in the day.


I believe this is in part a failure of Google and other large email providers to provide clarity in the UI when registering a recovery email address. At least when this feature was first introduced, as I remember it, it was relatively easy to misinterpret the feature as signing you up for additional/alternative email addresses, rather than specifying an email address you already had access to that would be used for recovery if access to the main account was lost.

This may have been rectified since, and I'm still not sure how so many of these people haven't noticed that their "new" email address is not working - but I guess they put it down to spam filtering or similar.


Not an og public account but my first name starts with the first letter of the English alphabet twice. By coincidence so does the first letter of my last name. That puts me dead top of any and every AD corporate email list. I get CCed on so many things. I think the worst, not the worst but it was the first time and I was brand new in my tech career and didn’t say anything until waaaaay after I should have. The CEO of a small NASDAQ was using his work account, my employer, to discuss the building of his mega house with his contractors. Specifics like cost, the address, window choices.


There are so many big service providers that do not verify emails and start spamming anyway.

And there are also companies like Epic Games that got my email via a (failed) Playstation registration something. When I wanted to register to buy a game it did not allow me to create my account. I had to use another temporary email while I entered the account with my correct email and deleted it.

We should make a support group for the endless frustrations.

I should also point out that I connected with one of the similarly-named-email guys. When I recognize that it was directed to him, I'll just forward the email now.


I have the equivalent of billg@gmail.com, with a common first name (but an uncommon spelling, at least for English-speaking countries).

Nowadays there's a lot of different people who try to use my address, but for a long time, most issues originated from a single person. At one point I received a Christmas wishlist from his nephew, to which I responded that I was not planning on giving any gifts this year, and would instead donate to charity. I didn't receive any response, but from what I remember, he didn't use my address after that.


Didn't realise this was a common problem. My gmail address has about 9 filters with ~100 terms each. Would be nice if Google automatically had an allow list with countries where I will accept account recovery requests from.

Worst though is that PayPal created an account for another person with my email address. Apparently they don't send out the initial prove-your-ownership email. Still unresolved because PayPal refuses to believe me that I own the address, even though they don't even want to send a test email.


I get multiple account recovery requests per day. Google should have a good idea that they are not coming from me based on where I'm declining them from and where I log in correctly from, but they still spam me with those requests. I don't know if Advanced Protection blocks those requests, but I'm not willing to give up access to F-Droid just because Google can't be bothered to fix its account recovery process.


Oh man, I have the exact same problem with PayPal allowing another person to create an account with my email address!

I've been talking to their support people on-and-off for months now and they seem utterly incapable of resolving an issue like this.


My email address is nothing too original (in the profile if you want to check) but it contains a dot. As you might know, gmail ignores dots in the addresses so nico.aragon and nicoaragon are basically the same.

Well it seems that Paypal decided recently that why bother confirming email addresses. Just let anyone use any email address. They send a confirmation email, yes. But then accept the address no matter if they receive the answer or not.

So I start getting notices of some not very bright namesake that is making tens of cents with some online store. The Spanish PayPal office is totally useless, they just suggested to contact Google.

I sent a mail message to the European Paypal delegate for data protection, but no answer and I still get more notifications later. It's quieter now, after another confirmation email (that I obviously didn't answer) but no idea if they did something or it's just that the account owner is not selling so much later.

Edit: years ago I got a "nico" account in a very popular local provider, so I had experienced the og problem before. Some other namesake is gay (maybe he's the pornstar that I see in Google) and received some explicit pictures.


> Well it seems that Paypal decided recently that why bother confirming email addresses. Just let anyone use any email address. They send a confirmation email, yes. But then accept the address no matter if they receive the answer or not.

Hah, I don't remember receiving a confirmation email. Unfortunately, there's no way to disavow an email address from someone's account either, which means I can't use that particular email for PayPal.


My wife has an old gmail account which is her first initial and last name. She set up email forwarding to another account several years ago and promptly forgot about it. Unfortunately she picked her original password before I introduced her to password managers and so now her original account has been taken over by someone.

Interestingly enough that email forwarding she set up still occurs and she has all of the received email for her attacker(s) including all the security notices. I figured it would be a bunch of people emailing angry that they received spam from the account. Instead it’s a bunch of disjointed English talking about the weather - back and forth messages such as “in Tuesday we will have windy”. There are several iOS devices now logged into it. I am baffled yet insanely curious.

Unfortunately even though this email forwarding has been set up for more than a decade, Google’s automated account recovery does not recognize her request and we can’t get the original flast@gmail.com address back.

Anyone at google have thoughts? I can drop my personal contact info if so.


It's pretty ridiculous that web services still allow you to sign up without verifying your email.
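What this complaint, and the earlier ones about services with no way to disavow an address, ask for, sketched as an added example (not code from the thread or from any service named in it): an account stays pending and gets no further mail until a signed, expiring link sent to the address is followed, and the same email carries a "not me" link that detaches the address. The class and function names, the secret and the addresses are hypothetical; storage is an in-memory dict.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = secrets.token_bytes(32)   # hypothetical per-deployment signing key
TOKEN_TTL = 24 * 3600              # links expire after one day


def make_token(action, account_id, email, now):
    """Sign (action, account, address, expiry) so the link cannot be altered or reused elsewhere."""
    payload = json.dumps([action, account_id, email.lower(), now + TOKEN_TTL]).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def read_token(token, now):
    """Return (action, account_id, email), or None if malformed, forged or expired."""
    try:
        b64, mac = token.split(".")
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    action, account_id, email, expiry = json.loads(payload)
    if now > expiry:
        return None
    return action, account_id, email


class Accounts:
    def __init__(self):
        self.by_id = {}    # account_id -> {"email": str or None, "state": str}
        self.owner = {}    # verified address -> account_id
        self.next_id = 1

    def sign_up(self, email, now):
        """Create a pending account and return the tokens for the single email that is sent."""
        email = email.lower()
        if email in self.owner:
            raise ValueError("address already verified by another account")
        account_id = self.next_id
        self.next_id += 1
        # A pending account does not reserve the address: the real owner can still sign up.
        self.by_id[account_id] = {"email": email, "state": "pending"}
        return (account_id,
                make_token("confirm", account_id, email, now),
                make_token("disavow", account_id, email, now))

    def may_send_mail(self, account_id):
        """Receipts, statements and newsletters go only to verified addresses."""
        return self.by_id[account_id]["state"] == "active"

    def follow_link(self, token, now):
        """Apply a confirm or disavow link. It changes state only and never creates a session."""
        parsed = read_token(token, now)
        if parsed is None:
            return "rejected"
        action, account_id, email = parsed
        account = self.by_id.get(account_id)
        if account is None or account["email"] != email:
            return "rejected"              # address already detached or changed
        if action == "disavow":
            account["email"], account["state"] = None, "needs-email"
            self.owner.pop(email, None)
            return "detached"
        if self.owner.get(email, account_id) != account_id:
            return "rejected"              # someone else verified it first
        account["state"] = "active"
        self.owner[email] = account_id
        return "confirmed"


if __name__ == "__main__":
    accounts = Accounts()
    # A stranger types someone else's address (constructed) into the sign-up form.
    stranger, confirm, disavow = accounts.sign_up("og@example.com", now=1000)
    print(accounts.may_send_mail(stranger))            # False: nothing but the one email
    print(accounts.follow_link(disavow, now=2000))     # inbox owner clicks "not me"
    owner, confirm2, _ = accounts.sign_up("og@example.com", now=3000)
    print(accounts.follow_link(confirm2, now=3100))    # real owner verifies
```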


> still allow you

We're actually moving in the opposite direction now. A lot of services nowadays became less strict in what they require to open an account (for the sake of growth and engagement) compared to a decade ago.


It’s even more ridiculous that it is 2020 and the only method to get a verified email is by sending an email with a link.

There should be a standardised protocol and flow which makes the experience much better for both users and developers.


Technically there is, I think SMTP has 'VRFY' or similar to check if an email address exists. However I recall reading (like, over a decade ago) that it's often not supported as it makes it easier for spammers to validate real email addresses.


Yeah, and we could call this protocol SMTP and HTTP


iTunes, LastPass, Dashlane, Yahoo, Microsoft, other Gmail accounts definitely require verification.

Perhaps the author collected those accounts 12 years ago when it hasn't been the case? Or does he click on the verification links?


My GitHub is four letters which is quite convenient. Recently a friend and I ran a script on the GitHub API to find the shortest available names and found that there are no three letter names and very few four letter names remaining.

Of course I got rate limited in this, as you can probably imagine given the factorial complexity of checking every name.


> Of course I got rate limited in this, as you can probably imagine given the factorial complexity of checking every name.

I suspect it's only exponential. Or does more of unicode open up as you increase the length?


The question is if any of those short accounts actually have anything interesting as contributions or just name squatting.


Anecdotally: I have a 2 character GitHub user (https://github.com/j-) and I like to think I do more than name squat. I missed out on the 1 character user (https://github.com/j) by only a matter of weeks!


I managed to snag a 3-letter one, so far it’s only really useful for manually adding origins...


I have an original gmail address, going back to August of 2004 (gmail launched in beta in April, 2004). The username is a word in a non-English language that at the time had zero hits on Google. Even today, a search for that username nets < 175k results. I never signed up for anything with it and have only ever used it for email to a few close friends.

Until about 3-4 years ago, I basically didn't get any spam or these kinds of accidental "put the wrong email in the signup box". Then one-by-one, I started getting them. Facebook account request, bank signups, tinder account verification emails, twitch, the works.

Sometimes I'll get half a dozen emails clearly initiated by somebody trying to get access to some account somewhere and my email address was provided as a backup. Occasionally, I'll get notifications that somebody is trying to reset my password.

I wonder sometimes, with email and the internet being so ubiquitous and for so long, how is it that people don't honestly know their own addresses? And then I'll get peeks into the lives of these people every once in a while. Pictures from their facebook account, emails from real estate brokers, from "hookups" and so on.

Every once in a while, if there's an obvious way to contact somebody, and the emails seem like they're from legitimate people, I'll respond and say something like "wrong email address." or something. About 1 out of 20 times the person on the other end will fight back informing me that I, in fact, "am wrong about my email address and yes I can't avoid making my childcare payment this lamely."

It's gotten frustrating, the Eternal September has now impacted one of the oldest continuous ways I've used the internet, a way I've jealously guarded and preserved from spammers, scammers, and all other form of miscreant, only for that judicious and careful defense to be washed effortlessly away by people who aren't even aware what their own on-line identity is.


I don't have an OG@popularservice.com account, but I do own the .com for my last name. It's not a common name, but not too uncommon either.

So I do get fairly regular emails addressed to people who share my last name and forgot that their domain may be the same as mine but is a different TLD and not the .com. I don't have a wildcard catchall email set up but I do have the common ones like info@mylastname.com.

The most recent was someone who ordered business cards from Vistaprint and used my info@ address. I figured out who it was and emailed them at their own info@ address. (No, I didn't sign into their Vistaprint account, though I could have easily done a password reset.) Haven't heard back yet. I just hope they didn't put my domain on the cards. They probably did - time to reorder!


As you read through all of these comments you hope that there is some pattern of why all of this happens. Then, unfortunately, you come to the conclusion that there are hundreds of reasons why this happens.

People on the other end of the counter just type in what’s easy because they make minimum wage and don’t care, people on the other end of the phone that didn’t hear something and just type in what’s easy because they truly don’t care, people that truly don’t understand the internet and really think that their family member's first name or last name, or any combination thereof, will magically get to them via email because no one else has the same name.

Life is truly random and the truth is rather boring once you find out what really happened.


I feel sorry for the guy who registered foo@bar.com


I actually wrote about that guy not long ago. His name is Mike O'Connor, and he owns bar.com, grill.com, place.com, and television.com, among others.

Probably his most famous domain was corp.com, which was recently bought by Microsoft because it turns out that older versions of Windows and other Microsoft products actually invited people to use corp.com for their internal Active Directory names. Problem is, when those machines are outside the internal network, they're constantly trying to share passwords and other sensitive data with corp.com.

More here:

https://krebsonsecurity.com/2020/02/dangerous-domain-corp-co...

https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-...


Whoever it was, he seems to think that it was an interesting experience. Now the website hosts a bunch of "foo walks into a bar" jokes.

https://www.bar.com/


Tangent to what I’m seeing in the comments. I have a Google Voice number. When I signed up they let me choose an available number of my choice. So I found one with lots of repeating numbers to make it easy to remember.

Turns out it’s the same number as a major medical insurance support number. Just a different area code. I get calls in waves, it seems. This week I get 3 or 4 a day. I ignore them. Occasionally I get voicemail “I have a question about a patient” or whatever.

If I answer and try to explain it, it confuses people and they usually get frustrated. Not worth my time anymore. Basically I ignore all calls that aren’t from people I have saved.


I own the domain doesnthaveone.com, so I've also gotten a ton of these types of emails. It really is shocking.

Just scrolling through the catchall for the last couple of days I see AT&T and Verizon bills, several doctor's office reminders, some medical patient portal emails (including "new test results available"), a Navy Credit Union account notice, a surprising number of reminders and test results from veterinary offices...

The only one I ever bothered trying to get sorted out was when I discovered that I seemed to be getting any HP corporate purchase order without an email address on file.


One of the schools I went to introduced alumni email forwarding fairly early on and allowed you to pick your own user name. I have a not rare but not super-common first name and was able to grab a user name with just my first name.

I haven't had it happen for quite a while, but for a fairly long period when email was relatively new to a lot of people I received a fairly regular stream of mail intended for other (presumably alumni) with the same first name, including some fairly sensitive emails with board meeting minutes and the like.


I have this problem, and I've lost count of the number of people who've either signed up for services using my account instead of their own, or alternatively people who send me emails that are intended for someone else after (presumably) mishearing an email address that was read out to them over the phone or whatever. Some of the highlights:

- People have bought iPhones, XBoxes, Playstations, ... and created the respective accounts using my email address.

- Holiday bookings, flights, accommodation bookings.

- A PayPal account that was created using my address five years ago that I'm still trying to get PayPal to resolve.

- I've been sent death certificates, wills, lawsuits, confidential legal docs.

- Someone bought a car. I received all the transaction details and was signed up to a variety of free services that appear to have been bundled with the car.

One of the most frustrating things about this is that it's generally impossible to contact the person who made the mistake directly, so resolving it often involves jumping through lots of hoops and explanations to third party websites or other individuals. The other huge frustration is the sheer number of sites that don't validate email addresses. Or perhaps worse (and I'm looking at you PayPal), send a validation email but then create the account and assume everything's fine regardless, with no way to opt out or reject the verification.


I was a very early Gmail user due to being a Google Answers researcher so I got an 'OG' name (which I still own but don't use as my main inbox) and it gets lots of mind boggling stuff as covered in the article. Even a Facebook account (which I could log into) and tickets for major shows (which I could cancel/change seat at, if I had wanted to).. Since I don't use the account myself other than for YouTube anymore, I just let it fly by and look at it in amazement every now and then.


I know a guy who owns a domain in my country equivalent to user.com or test.com or something like that. He frequently knows what new tech companies are about to launch because devs doing local testing sometimes put the email as blahblah@user.com and he gets all the onboarding emails.

He received one while we were working on a project together and opened it up to show me. I thought it's kinda hilarious that some dev is just chucking that in their sign up page but he actually gets a real email because of it.


I get a surprising amount of personal email from several people who mistype their own email quite consistently. Everything from mortgage info to job offers and updates from teachers. And I don’t have a special mailbox name or domain. Can’t imagine how much someone with a domain like that might actually get.


I'd break them all. Let them burn.

Seriously, people need to learn how to deal with the internet, and I'm utterly tired of the let's dumb it down movement - it doesn't work.


> let’s just say the account name has something to do with computer hacking.

My guess is it's bob@gmail.com


Sort of like having a 1 digit Steam ID I suppose. I used to get kicked off servers because it must be fake, and get offers to buy it. Never been taken over though.


I don’t have an “OG” account but a common first, last and middle initial and I get about 1-2 new signups for stuff every week.

It’s amazing how many services will not confirm email addresses and just send sensitive info (and make it hard to unsub).

Many years ago I had a CEO who made us keep one of those “retype your password to confirm” that I thought was stupid, but we did it. I think of how right he was every time some Uber driver signs up with my email.


A friend of mine made https://guide.mlz.me/ "The Complete Idiot's Guide to Correctly Validating Customer's Email Addresses". He doesn't send it to everyone who typos an email address, but for businesses - especially ones that send him financial data unsolicited - the level of snark is appropriate.


This guide advocates for some pretty silly best practices.

It’s very hung up on making sure the user types the right email address on account registration, having them type it twice, making them provide some sort of security question (before their account is created, mind you!), making sure the question is answered correctly by the person clicking the link, etc etc.

None of that is necessary. Your signup form can literally be a single email field. You validate that it looks enough like an email, and send a unique link to it to continue signup. Then you ask whoever clicked that link questions like “please create a password”, “select a username”, whatever personal information you require.

What happens if they type the wrong email? Well, you send a signup link to the wrong person. Big whoop. Worst case, someone else will get a link to create an account on your system. (Not to create the original person’s account! Because you didn’t ask for anything but an email yet! They would be creating an account, with their own email, even.)

The email validation link only tells you that the person who followed the link owns the email address that was typed. Just don’t do anything permanent (like actually creating an account) until the link is followed, and you don’t need to worry about whether the email was correct.

Now, this still has issues where people can type all sorts of emails into the signup form without friction to make your service spam them with signup links, but I’d argue that the advice in the article has the same problem, just with a trivial amount of additional steps (like having to type the email twice and set up some security question.)


> It’s very hung up on making sure the user types the right email address on account registration, having them type it twice, making them provide some sort of security question (before their account is created, mind you!), making sure the question is answered correctly by the person clicking the link, etc etc.

No, it's saying you can do this, this, _or_ this. It's giving you options, not telling you to do everything on it.


> Me: "I will NEVER..."

> You: "I will NEVER..."

>

> Me: "...send the user a simple clickable link in an email and assume that the clicking of the link establishes validity."

> You: "...send the user a simple clickable link in an email and assume that the clicking of the link establishes validity."

It doesn’t seem like it’s giving an option here at all.

I certainly want to send the user a simple clickable link in an email and assume that the clicking of the link establishes validity. It’s how I know they actually own the email address they typed! (And that they are capable of receiving email I send them.)

I just wouldn’t use that validity to assume anything other than: “The person who clicked this link is allowed to create an account with the email address I sent the link to”. In other words, it must happen prior to account creation, not after. But the section of the guide is entitled “validating email addresses during new account creation”, so it’s pretty obvious that this is before the new account is created.
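
The verify-before-create signup flow argued for in the two comments above (a single email field, a unique link, and nothing permanent until the link is followed), as an added example that is not part of the thread or any commenter's code. The class and method names, the one-hour link lifetime, the five-minute resend throttle and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import re
import secrets
import time

TOKEN_TTL = 3600            # seconds a signup link stays valid (assumed value)
MIN_RESEND_INTERVAL = 300   # per-address throttle (assumed value)

# Deliberately loose: the link, not the regex, proves the address can receive mail.
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class SignupService:
    """Hypothetical in-memory service; a real one would use a database and a mailer."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}     # sha256(token) -> (email, expires_at)
        self._last_sent = {}   # email -> time the last link was sent
        self.accounts = {}     # email -> account record
        self.outbox = []       # (email, token) pairs standing in for mail delivery

    @staticmethod
    def _digest(token):
        # Only a hash of the token is stored, so a leaked pending table
        # does not hand out working signup links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_signup(self, email):
        """Step 1: the form has one field. No account is created here."""
        # Lower-casing the whole address is a simplification made for this example.
        email = email.strip().lower()
        if not EMAIL_SHAPE.match(email):
            return "invalid"
        now = self._clock()
        # Same answer for registered, throttled and new addresses, so the form
        # neither reveals who has an account nor floods one inbox with links.
        if email in self.accounts:
            return "sent"
        if now - self._last_sent.get(email, float("-inf")) < MIN_RESEND_INTERVAL:
            return "sent"
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, now + TOKEN_TTL)
        self._last_sent[email] = now
        self.outbox.append((email, token))
        return "sent"

    def complete_signup(self, token, username, password):
        """Step 2: whoever followed the link picks a username and password."""
        # Checked before the token is consumed, so a form typo does not burn the link.
        if not username or len(password) < 8:
            return None
        record = self._pending.pop(self._digest(token), None)   # pop = single use
        if record is None:
            return None
        # The address comes from the server-side record, never from the form,
        # so the link holder can only create an account for the mailbox that got it.
        email, expires_at = record
        if self._clock() > expires_at or email in self.accounts:
            return None
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
        self.accounts[email] = {"username": username, "salt": salt, "pw_hash": pw_hash}
        return email


if __name__ == "__main__":
    svc = SignupService()
    # Constructed sample input: a customer mistypes their address at signup.
    svc.request_signup("someone.else@example.com")
    print("accounts after a mistyped signup:", svc.accounts)   # still empty
    mailbox, link_token = svc.outbox[0]
    # Only the mailbox owner holds the link; if they ignore it, it simply expires.
    print("link went to:", mailbox)
```

If the wrong person receives the link and ignores it, the pending entry expires and no account, receipt or password reset is ever tied to their address.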


> Be comprised of two fields, forcing the user to type the email address twice.

Irritating. I just copy and paste it if I see that. Just send out a validation email.


I have [firstlast]@gmail.com. I definitely don't get the amount of crap that I would if I had only one of those names alone, but I still wish I had picked something else.

Definitely not worth telling people that they messed up because chances are they don't care, won't know what to do, or will get angry. The only time I'll correct someone is if the email was entered incorrectly by a sender.


I have one of these, and sometimes I wonder if the stuff I get is really from someone who registered somewhere with my account, or just some highly elaborate phish/spammers' "live account detection" (register for a service using the target's email, then watch for signs of that service being touched, such as the target attempting to unregister itself from the service.)


I have firstname@{major email service that isn't google} and, even though my name's a relatively uncommon variant spelling, the account is still pretty much completely unusable because of all the misdirected email and spam it receives-- I can't use the account even as a throwaway "sign up for crap" email address, much less for personal correspondence, because any mail directed at me would be buried in all the other junk it receives.

Just signed into it for the first time in a while, and it looks like it's gotten some better than it was-- now it's mostly mailing list stuff and actual spam (of the "your paypal account is locked" variety); seems that most legitimate services are doing better about email verification these days. At one point a few years back, someone had managed to actually create working Apple ID, Facebook, and Paypal accounts against it without access to the email (was still receiving "verify your email"-type messages at the same time as transactional emails indicating real activity).


If my guess that you’re referring to Yahoo Mail is correct, I’ve seen the same problem but with spam. With all the hacks and data leaks that happened over the years, one of my mailboxes there receives a lot (like a whole lot) of spam. Yahoo’s spam filters have also seemed terrible for not detecting spam and not learning from mail marked as spam by me. I have similar anecdotes from a few other people I know.

On this topic, I do get some mails intended for others, including bank statements with passwords that are trivial to crack, account signups for social media platforms, delivery services, etc. I’ve also seen that there’s no way to rectify this in many cases — the entity sending the email (or the appropriate group within the company) isn’t available to contact and resolve the situation. In other cases they just don’t care even after they receive the emails about the information leaks from their systems.


When I joined Yahoo! Australia & NZ in 1997 I had the OG account <firstname>@yahoo.com.au. We later launched Yahoo! Australia & NZ Mail and moved the company accounts to a yahoo-inc subdomain, so the natural thing to do was redirect our former yahoo.com.au email addresses to the equivalent corp inbox. The OG address was on my business cards, and it was nice having some continuity. Briefly.

I never realised how many friends I had on the internet, and at first I gently replied to a few that I wasn't the `<firstname>` they were looking for. This was a more utopian era where email spam was in a more infant stage, and most of these friends were real people trying to connect rather than bots and scammers. However, there were a lot of new users joining Y!Mail and apparently quite a few were looking for me.

Some of my new friends were pretty insistent (and oversharing), so it didn't take long for me to abandon the OG forwarding address and associated nostalgia. So many friends, so little time for real conversation.


As a former owner of an apparently popular gmail address: can confirm.

The really sad thing about it is that it exposes major flaws about the way we think about users and technology.

* Lots of highly profitable and seemingly reputable sites give zero fucks about unsubscribe requests, don't require email verification and have no reasonable way of getting in touch with support staff.

* Considering the amount of errors stemming from failure to understand the concept of unique email addresses, lots of people who shouldn't use the net still insist on doing so. No clever app design or UX patterns can withstand the failure to grasp the most common uniquely identifying online token we have.

* A lot of the people mentioned above probably insist on using the net because they don't have a choice: Everything comes with an app or a web site and requires online registration just to harvest whatever is the desired user data du jour. Depending on where you live, even using official government services might require going online.


Similarly, on Office Snapshots, we regularly receive contact form messages from people who search stuff like ‘NFL headquarters’.

A lot of them are people releasing some political steam and we can usually tell if a company has been in the news based on the type of messages that come in.

I still don’t really understand how people make the mistake given the nature of our site, but it is what it is.


I've had lots of similar experiences...

Favourite ones are:

Getting a copy of an AirBNB booking that just happened to be 5mins down the road from me. I resisted the urge to check-in as the person with the same name (emailed their friends on the booking to alert them).

I was also included in a neighbourhood spat somewhere in the states at one point. It took considerable effort to get across I was not their neighbour (they thought I was ignoring the issue). Eventually the person's wife engaged and it's been quiet since.

My wife has a fairly uncommon Irish name but gets accounts created on platforms all the time by someone with the same name. Doesn't beat showing up to work and finding your boss has the same name. My wife was not happy when she decided to go on a sabbatical. Payroll added the salary sacrifice to my wife's payroll account (they never checked employee IDs because surely two people in the same organisation wouldn't have the same name!!). :0


I can relate to that. I own a <two-letter>@outlook.de mail address - It has been signed up for Piola, Snapchat, Instagram, UMG Gaming and Dropbox. I also received some German correspondence, which should have gone somewhere else, but ended up in my account.

On another note - I've got several <firstname>.<lastname>@<providername>.tld mail addresses, and also a <firstname><lastname> domain. They get mixed up quite often:

There is someone with almost the same name as mine, except that my last letter is "t", and his is "g". Because these keys are so close to each other on a keyboard, I receive a lot of stuff which was meant for him. I always forward it.

Then there is someone with the exact same name in my country, who has <firstname>-<lastname>@<provider>.de, whereas I have <firstname>.<lastname>@<provider>.de

Needless to say I got to know a lot about him in the last 10 years.


While my personal OG account has been very tame so far compared to other stories here (6 letters gmail account from beta period), I got a far more interesting one from my company domain.

Since people routinely misspell my coworkers' email, I decided early on I would be the catch-all of the company domain.

Excluding the droves of email from various services from former coworkers, there has been a very interesting one: someone that never worked for the company decided to use [firstname].[lastname]@company. That guy was in my country's military, serving on a military boat. For some time (before I found how to block any email addressed to that particular email at the domain level), I received what seemed to be very sensitive military information.

I can't be too sure, as I did exactly what was outlined at the end of the emails: destroy them as soon as I received them, since I was not the intended recipient. Luckily, nothing ever came out of it.


You don't even need an 'OG' email account. I remember a while ago I was making a weird claim to someone: "Hey, bet I can get access to a random online dating account within 5 minutes?" Well, sure enough it wasn't the first time. The process is simple: Go to any dating platform, register with a throwaway email, check the email body and switch over to your favorite search engine. Now search for throwaway email providers (domains, names etc.) with web UIs (that require no login but only require knowing the address) in conjunction with keywords and phrases from the email body. Yes, some search engines actually index these. Once found, copy the inbox' email address and do the "forgot password" process and you are almost done obviously ... Surprisingly enough, this also works for PayPal and the like and not just for dating platforms.


There used to be a "hack" where you'd look up profiles on AIM (AOL Instant Messenger) by email address and just type things like asdfhl@hotmail.com and if it were to come up with results, sometimes multiple, you'd check to see if you could register that address at hotmail and then take over the account.


I have an old Hotmail address that I signed up for while taking high school Spanish. It consists of the Spanish equivalent of my first and middle names and my HS graduation year. I haven't used it as my main email in years, but it still is connected to my Gmail. For a long time I was getting account messages for iTunes and Xbox Live. Eventually that petered out.

I'd forgotten about this until last week I started receiving messages from a cluster of contacts as if I were the member of an online continuing education course. None of the addresses had the domain of an educational institution, but the content mostly tracked. I managed to communicate to the group that they had the wrong after, but it took a few repetitions, because they were not all members of the same thread.


Apart from the joys of having an OG email address of my first and last name, which is neither a very common nor uncommon name, I have also created handles, for the sake of privacy, using slight variations of my name. It has always been easy, with a slight creative twist, to be able to create quite short and plain English versions without all the extra numbers and letters.

I also had in the early days of facebook the username 'qetuo' which was very convenient. Though has since been picked up years later by some chancer, after my having deleted my initial account. Though I did introduce the idea to some friends, who then created usernames such as 'tyghv' or 'rtfgv' which are sort of OG qwerty convenient usernames.


I don't know where else to tell this story, but I got the most amazing piece of spam the other day. According to the sender, an unnamed person had told them to contact me. They allege that over the past 50 years the CIA has been investigating life itself and the sender wanted me to see some bombshell revelation that world governments and large corporations had known about for the last 17 years. I was given a shortened link where I could find out the truth and learn how I play a role in fighting the nebulous yet nefarious powers. In the final part of the call to action I was informed that I better hurry up because unnamed powerful people are going to censor this information from the internet soon.


Garden variety, I’ve seen worse


I have at least three people that have used my address for things as random as harbor freight and Redbox. Every month or so I’ll get an email receipt and it is always interesting to see what these other people are buying at harbor freight or renting from redbox. My wife has another woman who apparently doesn’t know her email address because she gets notifications about this woman’s spa appointments (it’s interesting how often this other woman gets Botox and lip injections), ballet lesson invoices for her two daughters, etc.

The crazy thing is that we don’t really have any way to contact these people. None of the invoices include identifying information other than what state the businesses are located in.


I get Harbor Freight as well. I’ve been getting someone’s AT&T bill for years. No amount of trying to convince AT&T to fix this has been successful. I agree that it’s maddening that there’s often no way to tell these companies that they have the wrong person.

For a while, any time I got signed up for something where they provided a cell phone, I’d use my Google Talk number to text the cell phone and inform them. I don’t really bother any more, as generally people are just confused and it ends up being a lot of back and forth.

A sampling of the other emails I’ve received over the years:

- Nude photos from a woman who, when I informed her that I wasn’t the person she meant to send them to, got quite offended that I didn’t want her pictures. After a little back and forth she realized her mistake (and I deleted the email and the pictures).

- Pictures and video of a baby, along with emails criticizing me for not wanting to see my baby, and not supporting her.

- There’s a man in Texas and a man in Florida who have both used my email address to sign up for what could only charitably be described as dating sites. These sites all seem to use the same base software, and have no way to remove your account. With these I’ve taken to resetting the password and deleting the account. Sometimes I’ll have a little fun and change the bio to something like “I hope you like STDs, because that’s all I’m bringing to the table”.

- Receipts for web purchases. Mostly these are boring, clothes, home goods and the like. However one person used my email address when purchasing several hundred dollars in sex toys. The email included his name (same as mine) and his address, along with a detailed accounting of his purchase. I was tempted to print that and mail it to the address with a nice note advising him to use his own email address next time.

- Job search emails. Sometimes it’s scheduling interviews, sometimes it’s notification of a start date and some paperwork. I’ve also gotten an email with the results of a background check that wasn’t favorable.

- The absolute craziest one was an email exchange that lasted over a year. This man in California would send texts from his phone to a bunch of different email addresses complaining to his wife, who had left him (and was included on the emails). He would rant about her new boyfriend, complain that she had stolen money from him and wouldn’t visit with his kid. It was a bit sad but I tried repeatedly to convince him that I wasn’t the person he thought I was, even going so far as to send him a selfie and asking him if I looked anything like the person he thought he was emailing (his response: yes, but you’ve gained a few pounds! Jackass.). I never did convince him, and he refused to stop sending emails. He told me I should just block him. I suspect he was having some mental health issues and perhaps wasn’t all there. The emails finally stopped. I kind of wonder if he passed away or ended up in a facility without access to his phone.


I get emails occasionally for I think 3 people in America all of whom have the same name as me. One is always to do with tires (tyres) he's bought, another is for a guy who buys a lot of expensive consumer goods in Costco and the third is for a guy who's involved in a charity. I don't get any for the latter any more but I do for the first two, despite emailing all three repeatedly about it. The last email I got about the charity was a disrespectful one about a wealthy couple who they were expecting to receive a large donation from. He took action after he realized that one had escaped into the wild.


My emails/handles are almost always just first initial, last name but that's short enough (6 chars) these days to get weird things as well - most notable was a few months of communications from JSOC (https://en.wikipedia.org/wiki/Joint_Special_Operations_Comma...).

Thankfully nothing seemed super secretive, but I got a lot of PowerPoint presentations and other things that I definitely should not have been seeing.

Not to mention the countless password reset requests, 1₽ added to accounts from kiosks, etc.


My GMail account (that I don't really use for anything apart for having a Google account) apparently shares its name with a Brazilian game store chain. I have received a number of complaints (in Portuguese) that were apparently about games not running properly. Someone also tried to send some money to it via PayPal, and it was clearly not directed at me. Luckily a quick call to PayPal resolved this issue.

Edit: Apparently some guy found it funny to sign up using that GMail address on a Brazilian dating website. And no, the address itself isn't a Portuguese term or anything.


Another anecdote: I have another email address (first_last@isp) and my last name is one of those that are very common but exist with several different spellings. One day I got a message from a freshly-wed lady, and she intended to send the mail to her husband. From the mail it seemed like she took his last name when they married, which made it even funnier that she mistyped it in the email address she sent the mail to. :)


I have an uncommon last name OG email address. One time, I got someone's rental car reservation. A few months later, I got something from the agency about the car being in a crash. A few months after that, I got an email from a collection agency.

Luckily, I didn't have any issues. I just wrote a short, blunt email saying this is the wrong email address, I have no relationship with this company, and they realized the mistake and left me alone. That said, this was a European rental car company (and a European collector, I assume). The American ones might have been more aggressive.


There are plenty of scummy European car rental agencies trying to fleece the customer at every turn


Barnes and Noble don't do email confirmation, I know this because of all the Bible receipts I have, bought with my email account on the sale by a geriatric in Utah with my name. I don't really mind, but Barnes and Noble wouldn't cancel the account. I had to put my foot down when I had an email from some other service that sent one of his passwords plaintext. I emailed the company in question and changed some setting in the account to "this person does not use this email address" but I still routinely get Barnes and Noble emails :/


See Gus Andrews, "Anatomy of an Accidental Honeypot" from HOPE 2020:

https://scheduler.hope.net/hope2020/talk/79JKLA/

Video:

https://archive.org/details/hopeconf2020/20200726_1800_Anato... (you may have to go through the video selector at Archive.org)

On the joys of owning gandrews <at> gmail <dot> com.


I also have a short common word for my email address. I don't often get signups for it, but there's always one service with the same name that I get registration emails for.

On one occasion though, a user from Tumblr had set their account name to my email. I think I forgot about it for a year, until the system emailed me about account inactivity. Upon talking to their support team about the issue, they told me just to reset the password and deactivate the account. Feels weird closing an account that I don't own and the owner has no access to.


I got my gmail account in Sept 2004 and managed to get my relatively common name in my country, firstname.lastname@gmail.com. I have been asked to review CVs for Doctors, received invoices for companies, received somebody's power bill on a regular basis even after advising the company it's not me, and quite a few emails for some guy touring Australia who spent the whole time giving people the wrong email address. I had a nice conversation with a friend of his explaining that I wasn't really him pulling a prank.


I have (my legal name)@gmail.com and I occasionally get mail for people with the same name.

Usually I just send a polite response or flag it as spam; but the time I got a Covid-19 test order I called the doctor.


> I have (my legal name)@gmail.com and I occasionally get mail for people with the same name.

Same here. In the last few years, I've had a Toyota dealer send me quotes for new cars ("as per our meeting yesterday"), I've been looped into ongoing business conversations about negotiating bulk rates for importing doodads from China, and have even received a job offer as a junior dealer at a brokerage. This last one had a CV for the job applicant attached so I could see the applicant's actual address and forwarded the mail to them.


Yikes, that seems like it could slip into a patient privacy violation of some sort pretty easily. What did the doctor say?


Not really. If the patient asked the doctor to be contacted at that address, the doctor’s not on the hook for obeying their wishes.


It came from the doctor's phone. I suspect there was a miscommunication somewhere.

I've only done "polite" replies if there's clear innocence. One was to a teenager trying to guess email addresses for people involved in a college program they wanted to attend. Another was a Canadian regional employment authority trying to collect back wages from a deadbeat employer.

But someone uses my email address at a repair shop, salon, etc.? Ignore. Someone puts my email address into a group discussion? Spam.

I also own my own domain. (legal name)@gmail.com sat idle for years until I found that it's easier to say "(legal name)@gmail.com" instead of ??????@(legal name).com. Then I switched.


I have an OG account that's my first_name.last_name and I keep getting all kinds of other people's stuff.

Apparently, one of them is a doctor with a Caribbean bank account. I was getting monthly balance updates for years.

I get confirmations of automobile service appointments and a bunch of other things.

Once, I even got an email from someone saying "This is MY name."

Occasionally, I get alerts on my phone that someone tried a password recovery. I gleefully decline and go about my day.

My name is neither common nor uncommon but I'm glad I got here first.


I usually just vigorously unsubscribe. In the rare case it hasn't been possible, I've deleted the account that someone created with my email. To stop the messages coming in.


I have firstname.lastname@gmail.com. My name is not very common but not totally uncommon and I've had very similar experiences to the article and others here.

The most surprising thing I had was someone who signed up to an Amazon account using the address (my own amazon account has always used a different email address). Whoever did that literally gave a complete stranger access to their credit card. (I contacted Amazon and got them to remove my email from the account).


I have one like this. It’s horrible. I constantly get invitations to some other people’s kids' birthday parties. Invitations to random people's weddings. Drafts for real estate sale contracts. Even Microsoft’s HR sent me onboarding details by accident. I also get some official looking emails by some US administrative institutions. The list could be continued...

The worst thing is that people continue to accidentally send these mails to me, even if I ask them to stop.


From early invite days, I have a super OG gmail account (so OG that it is often mistaken for a system account), and I get a lot of random resumes, driver licences mostly from people all over Asia, job applications, some people decide to use it for Uber, gaming, and of course a few individuals used it to sign up for their banking services.

I did exploit this exactly once, someone signed me up for Spotify (free tier) which wasn't available in my area then.


How does someone else sign you up if they need to click the confirmation link?


GP wanted the service, so they would probably confirm it themselves.


I have a 3 letter Twitter username (@kob) and the amount of spam I get is rather ridiculous. I've thought about changing it a few times but not yet.


Twitter seems to have gotten better at filtering out messages from accounts one doesn't follow.

I used to get an insane amount of mistweets around the start of every year.


My wife and I have OG mac.com accounts (registered a few minutes after Steve announced it). She got her first name. I had to settle for a slightly modified one, as I'll bet that "chris@mac.com" is probably Chris Espinosa.

We get lots of interesting stuff. Ironically, most of it is because Apple routes icloud.com and me.com to mac.com, and there's no way (short of a mail rule) to reject that.


I've resorted to setting a vacation response that tells everyone who emails my Google account that it is mine and that it is not used for email; and I consider the account a black hole for email, and only use it for Google services.

It still seems to get daily private communications, including private information between lawyers and their partners and clients, and doctors and clients. It's kind of amazing.


I also got into Gmail in the beta, and my account is a plain first-initial-last-name address that is used by many other people with the same last name as me. Either they don't know their own email address or they are just intending to use it as a spam dump, I get an incredible amount of mail for other people. Including financial records and invitations to all sorts of things.


Tip: Don't use generic names like johnsmith@whatever. It might be your name but a lot of John Smiths are going to use that account on a variety of services they use, for some reason. If you do that, prepare to receive a bunch of registration and password reset emails. I even got linked with some guy in another country who did a very expensive Uber ride, which was kind of scary.


If someone signs up for Uber with your Gmail address, you can log into their account without changing their password using Google login. This is a very old Uber vulnerability that I know at least a few people have taken advantage of.


I set up a domain for family and created an email for my aunt <auntie>@<family>.<domain>

She was in a retirement community and in her 80s was Chair of the Computer Club and used to do orientation for new people. She quickly realised that she needed a yahoo account as when she showed them her one they all asked - "how do I get one of those!"


I've had my own share of this. Among the emails I've received, there have been some from within the New Zealand Parliament, a fire department in Oregon, an OB/GYN on the east coast of the US, car loans, home loans, concert tickets, plane tickets, and other less consequential things.


A few years back Reply All had a podcast episode about some hacking groups that focus on taking over and selling of accounts: https://gimletmedia.com/shows/reply-all/v4he6k


Weird, I think I have an OG account (on Gmail), but I generally don't get too much spam.


I have my username @ gmail which is kinda OG as it has no numbers etc., and I got in early via an invite to secure it. I get a fair amount of spam on it, but as I don't use it as my main email, I'm not that bothered.


Wild.

I have never understood the cachet or appeal of having a particular address at Gmail or Yahoo or Outlook or whatever. By the time Gmail happened, I was already many years into using my own domain for email. Why would I want an address at an advertising company?

Still, amusing tales.


My email is a domain hack spelling my name using a three letter ccTLD. You’d think telling people my email address is just my name with the a circled and a dot between the e and s, but you’d be wrong. Way wrong. It’s a cool address at least...


I used to have an OG hotmail account. I created it when hotmail was a really small operation.

I used to receive 1000s of email per day for the wrong person, including chat requests from MSN messenger.

I eventually traded for 10 invites in a forum when gmail.com was invite only.

Best trade ever.


I own my firstname @icloud/me.com — Stopped using it after getting up to a thousand more or less legit emails, incl. bank receipts, phone bills, etc. a day. The fact that Apple sucks with spam filtering doesn't come in handy either.


While I don't have an opinion on the quality of Apple's spam filtering, your case seems particularly interesting (and hard!) because it is not spam - it is sent by legitimate people with legitimate intentions.

I mean, sure, it is spam to you, but I doubt you could train a decent spam filter for this situation. Maybe a whitelist, but that's about it.


I was speaking of two separate cases — Spam + legit mails; but no matter which, the sheer amount of mails makes it unusable.


I own a <major city in Russia>@gmail.com account - I don't get that much random mail there - maybe one per month or so - but what I do get is amazing. All sorts of PDFs with plans, proposals, bids, and requests to reconsider.


Not only username, domain names also. I have many @ShortEnglishWord.id and from time to time I receive emails related to the domain. salad.id -> people want to buy salad, @sweets.id, @blazer, bonsai, etc you get the idea.


I changed the password once for someone's bank account because I didn't want to keep getting their bank info every month.

That is the only time I have done that.

And I get a forgotten password once a week for some random account that isn't mine.


My dad was an early adopter of the internet so in the early 90s the whole family had firstname@aol.com addresses.

They ended up being completely overtaken by spam, but I wish I still had "alex@aol.com" if just for the novelty.


I have more or less followed the lives of several other people with my same name through years of misaddressed email. Most of the time I simply ignore it, occasionally I will respond, it is not much of a burden.


Heh. My Facebook username is one of the most common male names in Poland with no additional characters.

Until I blocked them, I was receiving password resets about 7 times a day, every day.

But I like to sit on it, just in case :)


What if you simply changed all your accounts to use a + variant (e.g. johnsmith+official@gmail.com) and filter out everything sent to you without a + in the address?


I’ve learned that there are a lot of places that auto remove the +official (or whatever you have after the + sign). I assume there is a common email library out there that auto strips this information.


Perhaps adding dots then? They shouldn't normally be stripped, but are also ignored by gmail. john.smith would obviously still get a ton of spam, but something like j.ohn.smith might not. (If we were literally talking about the name John Smith I expect it still would, but for other names that should work...)
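
The filtering idea from the three comments above, written out as an added example (not code from the thread or from Gmail). It assumes the owner hands out only the two spellings in PRIVATE, reads the visible To/Cc headers, and treats googlemail.com as an alias of gmail.com; the function names are made up for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_gmail(addr):
    """Mailbox Gmail delivers to: case, dots and any +tag are ignored."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain not in GMAIL_DOMAINS or not local:
        return None
    return local.split("+", 1)[0].replace(".", "") + "@gmail.com"

def classify(raw_message, private_variants):
    """Label a message by the spelling of the owner's address it was sent to."""
    private = {v.lower() for v in private_variants}
    mailbox = {canonical_gmail(v) for v in private} - {None}
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    mine = [a.lower() for _, a in getaddresses(headers)
            if canonical_gmail(a) in mailbox]
    if not mine:
        return "unknown"        # Bcc or list mail: no visible spelling to judge
    if any(a in private for a in mine):
        return "inbox"          # sender used a spelling only the owner hands out
    return "misaddressed"       # bare or unknown spelling: likely a namesake

# Constructed sample: the owner hands out only these two spellings.
PRIVATE = {"johnsmith+official@gmail.com", "j.ohn.smith@gmail.com"}

# Constructed messages; only the headers matter here.
SAMPLES = [
    "To: johnsmith+official@gmail.com\nSubject: Statement\n\n.",
    "To: John Smith <john.smith@gmail.com>\nSubject: Your repair quote\n\n.",
    "To: J.Ohn.Smith@Gmail.com\nSubject: Order shipped\n\n.",
    # Owner signed up with +official, but the sender stripped the tag:
    "To: johnsmith@gmail.com\nSubject: Welcome back\n\n.",
    "To: undisclosed-recipients:;\nSubject: Newsletter\n\n.",
]

def run_samples():
    return [classify(m, PRIVATE) for m in SAMPLES]

if __name__ == "__main__":
    for label, m in zip(run_samples(), SAMPLES):
        print(label, "<-", m.splitlines()[0])
```

The fourth sample is the failure mode raised in the reply: once a sender strips the +tag, the owner's own mail is indistinguishable from a namesake's, while the unusual dot spelling in the third sample survives.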


I wonder if the people at Hey thought about this, and what the experience is like for their users that are getting destroyed by spam like this, or will be like.


I have first initial + surname @ gmail, and I get invoices for someone who has a similar name but with "rn" instead of "m".


My account on Twitter is simply my surname. However, I unfortunately share it w/ some random politician in another country. I get at least one notification a day from someone trying to tag them and harass/troll them. The most annoying thing is when they are replying directly to a tweet from the politician's account but still manage to tag me instead of them.


It's not even OG; just initialsurname@bigmailprovider is enough to get your account filled with people's personal information.


Happens every day to me with a name.surname email.


I owned root@pobox.com for many years before they realized they shouldn’t have allowed that to be registered. That was fun.


Back when I worked on OSI email for the UK's main ADMD I could have had an address at the top level:

C=UK CN="NAME"

My Boss had the set up BTW


I won a bid on a lawnmower in the UK with my OG gmail.

I get a bit of that stuff.

Occasionally, I also get a bit of skepticism when people ask for my email.


Curious: does anyone still have one of those numbered Compuserve addresses? If so, does this happen to you too?


I get Zelle sent to me pretty often at my email for similar reasons. Don't use Zelle.


I have an "OG" ICQ account, some bloke in Russia offered to buy it.


I have such an account. I get lots of misdirected business emails.


I wonder if the owner of example@example.com experiences the same.


No one owns example.com; it's reserved as an example domain.


Surprised that the Reverse Identity Theft xkcd has not been linked yet:

https://xkcd.com/1279/


[flagged]


Easy, just transfer $20k into this account and ...



