<common_name>@<common_name>.com
Thousands of people with this name, who didn't want to give out their real e-mail address, used this e-mail address when signing up for things online. They probably never thought it would be someone's actual address. I finally had to quit using it because of the tremendous amount of e-mail that wasn't directed at me. Most of it looked legit enough to the spam filters to allow through.
I temporarily turned that account on about 5 years ago and it was getting about 3,000 garbage messages per day.
I thought having a cool e-mail address would be great, but not any more. I switched to an address that, while easy to say and tell people, is very unusual, and it's very unlikely someone else would ever come up with it.
I could also choose to pwn his online betting, games, dating, and porn accounts any moment I want. I may or may not have changed his gender preferences on a dating site...
What's doubly annoying is the US gov is pretty lax at things like unsubscribe links, so I keep getting notifications about his Medicare account that I can't unsubscribe from.
The problem is, "temporal" happens to mean "temporary" in Spanish. As soon as Gmail became popular in the Spanish-speaking world, people started using it as a placeholder address.
* Lots of people use it when creating throw-away accounts.
* Sometimes companies use it as a placeholder when they don't know a customer's address. Multiple telecom companies in various countries have done this to me, sometimes populating hundreds of customers' accounts with my email address, such that I receive all of their phone bills, sometimes even with detailed call logs.
* All kinds of students register for university classes using my address resulting in me getting tons of emails from professors. In many cases I could go drop their classes for them if I were evil enough.
* Once a Colombian school gave my address admin access on their school-wide Zoom organization. The really annoying part about this is that Zoom didn't give me any way in the UI to leave the organization, so my account was attached to this school until I complained on Twitter and someone silently fixed it.
* For the last couple months, someone has been scraping Shopify-backed web shops, entering my email address when prompted, putting things in their cart, and then abandoning it, such that I receive an email saying "Hey you left this thing in your cart! Do you still want to buy it?" The emails are always in Spanish, of course. I receive them from like 50 different web sites every day. (Luckily I was able to create a filter for certain Spanish words...)
None of this stuff gets filtered as spam because it does not look like spam to gmail's filters. I have learned it's more productive to block addresses than to mark spam, but this annoyingly takes four clicks per email. I have begged Google to give me a way to filter by language but of course no one is listening.
WIRED even wrote an article about it: https://www.wired.com/story/misplaced-emails-took-over-inbox...
I know, I know, I need to change my email address and probably get off Gmail altogether. It's difficult because I have 20 years of history built around this address.
I still check the gmail account every so often and it still receives spam. My Fastmail account is perfect even after a year.
I keep that old account for 2 purposes:
1. It amuses me. I log in and clear it out once a year or so.
2. At various times I’ve had coworkers who didn’t believe it was common for people to enter someone else’s email address when registering for a sensitive system. When that happens, I’ve taken them to my old Yahoo webmail. Oh look, another kstrauser’s loan paperwork!
I can only imagine what that’d be like if it were at Gmail and not Yahoo.
I'm not a big Twitter user, and when I went to log in Twitter for the first time in probably a year or two, I forgot that it was still using my gmail account. I couldn't remember my password, so I did a password reset, received the email, and reset my password.
After looking around a bit, I realized this was not my account. It turned out the previous owner of firstnameLastname.ca also used firstname@firstnameLastname.ca
I ended up making a twitter post basically saying "Hello, I think I accidentally stole your account. If this used to be your account, email me.". A few weeks later I got an email from a fellow with the same name as me, who used to live in Canada but had moved back to England. I was able to change the email on the account and give him back access.
It was a really, really bad idea that sounded funny in my head. That number is scrawled on every toilet wall with "for a good time call: ..."
Every hour of the night...!
See also:
I had never been served a summons before so I was worried about it, I called a lawyer and the lawyer said to just throw the summons in the trash.
Although apparently the guy with the same name as me was going bankrupt or something, his bad debts started showing up on my credit report and I had to mail the reporting agencies to take them off, went on for a few years.
Sorry Bob!
Also, my daughter has firstname.lastname@gmail.com and there is another lady with the address firstnname.lastname@gmail.com (yes, a typo in her first name, duplicating one of the letters) and of course she keeps receiving her emails and vice versa. Same solution - they mutually agreed to forward messages to the right person and delete them afterwards.
First world problems...
I often see repeated attempts to create accounts without reconsidering the email address, and sometimes they succeed (I received repeated invoices for Sky and for an insurance, not to mention occasional ones).
Sometimes from the same person, their Starbucks card seems to be linked to it for example. Annoying.
Usually I’ll reply to the sender and tell them they have the wrong email address, some don’t believe me, sometimes they ask me if I know the person (out of a billion gmail users), some complain that I took too long to tell them about the wrong address, and sometimes a lawyer will direct me to delete all copies of the errant email…
I always reply back to tell them that the email lands on multiple devices and is downloaded and backed up automatically and to see if they want to pay me on a time and materials basis or if they want a project based fee. None have been willing to pay me to cleanup their mistake.
Way back when I signed up with gmail, I was happy to get a first-initial.lastname@gmail.com address, now I wish I’d gone with something more obscure.
Misplaced periods give me all sorts of other people's emails - new cars, new mortgages, new bank accounts, new home purchases that are not in my name or identity (based on the names I understand the confusion) - all sorts of things that I'm not doing IRL. Sometimes I try to reach out to the sender and get them to correct the email address, sometimes I just unsubscribe.
EDIT: https://www.wired.com/1998/09/woz/
(a large article, search for 888-8888)
I don’t get why people do this. It’s not like it’s difficult to get a throwaway email account.
I have surname.name@gmail.com and I routinely used to receive emails for surnamename@gmail.com, because of some moron at google that thought it was a good idea to ignore dots.
I haven’t checked that gmail account in a while (gmail is just trash at this point, beyond salvage) but I might still be receiving this guy’s loans solicitation or his car insurance certificates. Who knows.
After a couple of years gave up on that address as it was getting dozens of messages a day (a lot of them legit email, sent to the wrong address - including bank statements, shipping orders, etc.)
My <common-name>@<common-name>.com address gets incessant password reset requests for every major online site in existence. (I should have been clearer about this; sorry.)
I am suggesting that, by having a strange or very unique e-mail address, you can fairly effectively mitigate this phenomenon.
We sent an email to bo****@gm***.com
Which gives you a hint (we have a 15 year old who's made at least four, probably more different gmail addresses for different purposes. Ironically, the one he used to sign up for porn includes his real first/lastname)
It is too bad because for symmetry I used the same user name in a number of places (not the one I have here).
I once went to get a new phone at Best Buy, and the employee needed my email address. I gave it to her (firstname@lastname.com) and she insisted that it was NOT my email address. She insisted that it MUST end in @gmail.com or @yahoo.com, something like that.
We frequently sign up for stuff online, and when we enter our email address it won't let us sign up... we figured it is because the email address is too similar to our actual name, the name we've entered in the 'first name' and 'last name' fields (it happens to both me and my wife at least 2-3 times a year).
My wife constantly (half-jokingly) reminds me of how much of a PITA I've caused her with my name (that she took), when her maiden name was so sophisticated and easy compared to my weird, unidentifiable, "foreign" (I'm British/English) one.
EDIT to add: I don't often have issues with forms, but I reserve that particular address for "important" family related things, the sort of account where I _know_ if I receive an email to it, I need to read it. Everything else I use a gmail for (as does my wife).
You could have solved the problem at the root by taking her name
I get ungodly amounts of spam, relentlessly, from everyone. Because anyone over the age of 50 seems to give it as their email to companies like Target.
It was really annoying, luckily it doesn't happen as much anymore.
I wish I could just disable that form of login, I have a very safe password so the login via email isn't necessary.
So it is a "one in a million" to randomly guess what the code is on any given login.
But it is "one in a million" for each Microsoft account you know about - and if they have millions of email addresses, and automate it each day (I also get attempts 1-2 times per day).
Yes - the odds are small - but there is a greater than 0% chance someone can randomly get into your Microsoft account - and there is no way to stop it - even with 2FA etc - this bypasses all of that!!!
Crazy...
Because I'm a bit concerned if Microsoft passwords are leaking.
I suppose that's a decent rate, but it feels like most Microsoft accounts will just have something like Office or Minecraft set up.
To this day, I can't comprehend how this is supposed to be safe. So someone can just type in my username and wait until I eventually misclick in the Authenticator app? If it was from a browser I have used before at least, but I was getting these challenges from around the globe.
Microsoft doesn't show you login attempt IP addresses like Google does?
Some users were getting hundreds of reset emails/day triggered by random people in the world trying to reset their password.
It's a really hard problem to solve because if these users actually forgot their password someday, they would really want those emails. We ended up creating a snooze for 30 days button at the bottom of the email as an imperfect solution to balance short-term spam and long-term lockout (with an override if the device id requesting the reset had recently been logged-in to the account).
Idk if that still exists on IG but doubt it was ever ported to FB.
Human brains are not designed to remember:
* Passwords that aren't reused across the many dozens/hundreds of logins a person typically has
* Passwords that aren't easily guessed phrases including substrings of personal information (birthdays, children's names, etc)
* Long and strongly random
Yet good passwords need to be all of those. Christ, if websites just included a little "have you considered using a password manager?" link on the registration page. Tragedy of the commons I guess... everyone wants other companies to do the hard work of convincing a few percent per year to use them. We'll still be dicking around with this bullshit 30 years from now though.
The problem is easy. The work of implementing it is difficult and slow. Let someone else do it.
Public key crypto never took off for account management and neither did Persona, but the current iteration with passkeys/Webauthn should hopefully be a fresh step in the right direction there.
You can choose to substitute length for randomness. A long enough random sentence works quite well.
The hard bit is generating random sentences. I suppose you could use GPT to generate a sensible but random sentence, or just go old school and pick words from a large list and make a sentence with them.
I routinely see password reset emails get caught by greylisting. Most are released by the 2nd email but sometimes it takes more.
My assumption is that they're just guessing over millions of accounts and expect 1-2 to hit so they can take over those accounts.
Let’s also all think back to 2011 or so when Facebook thought it’d be a good idea to try to vacuum up all its users’ emails by giving us all @facebook.com email addresses, buying fb.com in the process. As I recall they killed it after a couple few years.
Microsoft, I'm looking at you (https://learn.microsoft.com/en-us/microsoft-365/enterprise/u...). It's nerve-wracking trying to figure out if some login box or link is legit. They claim to be transitioning to cloud.microsoft, but if you go there, you are redirected to yet another new domain (microsoft365.com) which looks like a scam site, which doesn't render properly in Firefox.
Why do we allow this?
Microsoft has something like a hundred domains, including purposefully misspelled ones like "microsft.com", which is real, owned by them, and regularly used to bypass "security filtering" by paranoid admins.
Re: the first part of your comment, the most common reason I've seen is companies using 2nd domains to send emails that are at higher risk of bouncing or being marked spam (newsletters, cold outreach, etc). And using your primary domain to send "more important" emails from.
It is strange that they appear to be able to avoid being blocked for bulk/frequent requests though. Seems like a big flaw.
Which is guaranteed to generate press articles.
That's what 2FA is there for, but you still get the annoying e-mail notifications for attempted sign-ins.
Make sure to weigh the pros and cons when you pick your username on the internet.
A dedicated e-mail filter to limit the mental attrition might not be the worst idea.
The @tommy on Twitter was a dev at Gameloft who gets constantly harassed in his mentions to give it up. I had a similar problem on Instagram. I've mostly stopped using it, but when I did post and had an open profile I constantly got comments offering money for my username.
Eventually someone set up a follower bot on my account and I was getting hundreds of new followers a day. I made my profile private and don't post anymore, but it's still hundreds of new follower requests per day.
Eventually I went with a much longer username and the problem went away.
I don't know if this is related (probably not), but fun fact: Fidelity lets you log in to your account over the phone using numbers[0] -- one per character. Yep, passwords too.
> Use your telephone keypad to convert the letters to numbers. There is no case sensitivity. Substitute an asterisk (*) for all special characters. Here's an example:
> To enter a username, e.g., Smith123, press or say 7-6-4-8-4-1-2-3
> To enter a password, e.g., Lucky1$23, press or say 5-8-2-5-9-1-*-2-3
My 6 letter username mapped to numbers that corresponded to up to 4^6 accounts. That's really bad but not nearly as bad as what they're doing to passwords.
The longer username is both worse and better. Worse because it matches way way more possible accounts and better because (I presume) it matches fewer actual accounts so it gets fewer failed attempts. That's my guess, anyway.
Edit: it is possible that they only allow one account per "folded" username. That increasing the username length resolved the problem immediately suggests otherwise, but like I said, I dunno. I have no insight into their systems.
0: https://www.fidelity.com/customer-service/faqs-managing-your... look for "telephone services"
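The keypad folding described in the comment above, worked through as an added example (not part of the original thread and not Fidelity's code): it applies the quoted rules to the FAQ's two examples and counts how many distinct inputs collapse onto the same key sequence. The 32-character ASCII punctuation set and a case-sensitive original alphabet are assumptions.

```python
import math
import string

# Letter groups of the standard telephone keypad.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_KEY = {ch: key for key, group in KEYPAD.items() for ch in group}

# Assumption: the "special characters" are the 32 ASCII punctuation marks.
SPECIALS = string.punctuation


def fold(text):
    """Apply the quoted rules: letters -> keypad digit (case ignored),
    digits unchanged, everything else -> '*'."""
    out = []
    for ch in text.lower():
        if ch in LETTER_TO_KEY:
            out.append(LETTER_TO_KEY[ch])
        elif ch in string.digits:
            out.append(ch)
        else:
            out.append("*")
    return "".join(out)


def preimage_count(folded, letters_only=False):
    """Count the strings that fold to `folded`.

    letters_only=True counts lowercase-letter strings only (the username
    estimate in the comment); otherwise upper/lower letters, the digit
    itself and the assumed punctuation set are all counted.
    """
    total = 1
    for key in folded:
        group = KEYPAD.get(key, "")
        if letters_only:
            total *= len(group)          # 0 if the key carries no letters
        elif key == "*":
            total *= len(SPECIALS)
        else:
            total *= 2 * len(group) + 1  # both cases plus the digit
    return total


def bits(alphabet_size, length):
    """Entropy in bits of a uniformly random string."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for sample in ("Smith123", "Lucky1$23"):   # the FAQ's own examples
        f = fold(sample)
        print(f"{sample!r} -> {f}  ({preimage_count(f):,} strings share it)")
    # A random 9-character password over 94 printable ASCII characters
    # versus the same length over the 11 phone symbols (0-9 and '*').
    print(f"{bits(94, 9):.1f} bits typed, {bits(11, 9):.1f} bits over the phone")
```

The 4^6 figure in the comment is the upper bound, reached only when every letter of the username sits on the 7 or 9 key; a name like "smith" folds together with 324 letter-only strings.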
We've received hundreds of notification mails, newsletter subscriptions, alerts (from internal systems disclosing details about infrastructure of giant corporations), etc.
It was quite fun, but became annoying quickly. We've then reduced reception to the common hostmaster@, ... mailboxes and for all other mailboxes we are now rejecting the mails with a nice reminder message in our Sieve filters.
Just FYI: For a more-or-less authoritative list of what aliases you ought to consider having, see RFC 2142: <https://www.rfc-editor.org/rfc/rfc2142>
Nothing for DMARC - not even notice@?
My Facebook email for ages was my school email (as is tradition, right?) and one day someone registered as my actual email around the time I was doing a bunch of address consolidation because my school was moving all historical accounts to a separate subdomain.
I clicked to confirm foolishly (should not have done that) and it became associated with someone else's Facebook account.
Facebook has a process for this. You request an email to your address and it sends you one and you reply and it removes the email from the other guy.
Well, I did that except he set it without the '.' and when I replied from mine it wouldn't accept it. I tried again as it was and only realized after three tries what the problem was. Facebook's difference in verification processes (click to confirm / reply to dissociate) meant that I was not doing the right thing.
Repeating the action means I looked like a fraudster so that must have been why even though I added the dot version as an email to send as it would no longer accept me.
To make matters worse, I decided I'd just fix it by resetting my password and logging in and removing my email.
Well, I succeeded in the password reset but Facebook protects you here by requiring friends to verify it's you. Well, I didn't know his friends so I just let it go: he could no longer log in except via phone number (I hope, or he was locked out) and I couldn't associate my email correctly.
Then one random day I tried again and it worked.
I thought it was probably phishing, yet the links all looked legitimate, including the one for password reset and the one to tell Facebook I didn't request the reset.
So I thought it might be a homoglyph attack (a URL that looks legitimate but isn't because it's using alternate characters that look the same or similar), and rather than click the link saying I didn't request the password reset, I logged into Facebook hoping to find a notification or something in the account settings logging that it was a genuine request.
I was surprised to see no notification, nor anything in the account settings and security area.
I was also surprised to see I needed to login again, as I thought Facebook kept a long term session open for longer than the 2 weeks since I'd visited it previously.
If it was a tricky method to get me to login to Facebook again, it worked! But I didn't stay long after I didn't find what I was looking for.
this will make the url bar display the encoded version instead (xn--wikipedi-86g.org)
Even the email headers looked legit but there was something so weird feeling about it I figured it was a sophisticated phishing attempt.
I also found it odd there was no notification or anything inside Facebook.
Every week or so they lock my account due to "suspicious activity" even though I haven't used my account.
I have all the security features and such turned on like MFA and a strong password (that I have to change like every week after every time my account gets locked).
There is no useful info in the security logs. I have no idea what to do to stop this from happening.
I think deleting the account would stop it :P
:p
Once a year or so somebody tries to get into that gmail or associated social media account with a bunch of password-reset emails. I'm pretty sure it's someone with a similar name who is slightly misspelling their email, messing up the dot (gmail ignores dots but other systems don't), etc.
Someone out there apparently doesn’t realize that address doesn’t belong to them, because for 10 years he has been getting signup confirmations, appointment reminders, and very personal correspondence meant for the confused individual.
Some of my favourites are the tax information (and other common business related correspondence) on their Disney songwriting royalties (I make more before my first coffee break than they do all year on streaming revenue, but they've got a fair number of songs), there is also a bank account tied to it in Peru (CFO doesn't care but I'm not locking her out - I do have some compassion.. not much but it's there), but OTOH I've permanently locked people out of their brand new iPhones because they all choose to use my email address, or the person on the other end types it in wrong for them. I also think people don't read what their browser saves and later populates for them.
People will also just randomly give out fake addresses (that are real) when signing up just to get a discount.
It's a single word that was popularized through pop culture years after I created it, and one letter away from being a traditional western name (and also one character toggled from a popular Hispanic one).
Also a very wealthy PTA mom in Mountain View uses my email address all the time. Our children are doing very well.
Sites should always confirm an address by having you authenticate a link before permanently using it in perpetuity. It would stop a lot of bad actions.
- create an email address alias (random, unguessable)
- change your login to use that email address
- remove your phone number from Facebook
There are many ways to do this (plus addressing, apple hide my email, account aliases, etc.) Pick your own approach.
I assume they were sidestepping some sort of detection algorithm, but it happened during a time when she was losing her mind in real life so it was a strange kind of metaphor.
The recovery process is totally broken for them now. We eventually managed to revert back to the original email address by visiting facebook.com/hacked (not without the help of a weird youtube video to make sure we were selecting the right options, though), and we lost a ton of time on a weird issue where emails or recovery options were deeplinking to the app, which was opening but didn't know what to show us. After deleting the app, we managed to start generating 2-factor email codes, but the same prompts that generate them don't accept them. And the 'send in an ID to verify your identity' feature just doesn't load at all. I'm chipping away at it when I see them, but I give recovery a low probability of success.
Understandable that this is probably not very fair to those who can't afford it, but I wish there was a 'pay $100 to speak with a rep who can fix this now' feature.
Separately, but related, I remember getting a spam email back in the late 90's where the spammer CC'd instead of BCC'd, and it was sent to over 100 addresses who were all clearly variations of my first and last name ... It was fun when there were multiple reply-alls with "Are we ALL $firstName $lastNames's on this list?" --- Surreal
Meaning, even if they somehow had access to my email (they don't - strong, unique password and separate MFA) they wouldn't be able to get the reset code as it's encrypted by a key stored in secure physical hardware.
Still, kudos to the hackers for trying. Getting these emails means _someone_ cares enough about my account to want access. Even if I rarely use it for anything other than checking in on distant relatives ...
I take it as karma for all the junk <verycommonname@>hotmail.com must get whenever I use a public wifi network. Sorry verycommonname!
You’re Temporarily Blocked
It looks like you were misusing this feature by going too fast. You’ve been
temporarily blocked from using it.
If you think this doesn't go against our Community Standards let us know.
Got that on the first time I tried it. What a joke.
Fortunately they include a feedback mechanism for this situation:
If you didn't request a new password, [let us know](https://www.facebook.com/login/recover/cancel/…).
I run an FB page with ~60k followers.
Since about a month now, I'm getting these password reset emails in batches.. some day none, other days 10-20.
He seemed to imply that if I was located in Russia I would not refuse him "for reasons". He didn't really strike me as being connected, but maybe he washes Putin's dog..
Anyway I got a lot of password reset emails too until I set up 2fa with a yubikey.
I really need to remember to put something on dogself.com that will piss off the .ru but I haven't thought of anything good and legal (or at least ethical).