They give my address as if it belonged to them. Probably they created addresses like narag33@server and they believe that it's narag@server instead.

So not only I receive all the spam from dubious sites that they suscribed to, but also their legitimate mail from lists and friends.

My namesakes are idiots. But some of the companies responsible of the subscriptions, like Paypal, are assholes. They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.

(The last one of the above I replied to - it was an order for a rifle scope. I sent what I thought was an obvious joke email back asking whether it'd help me hit my neighbours' puppy at a mile range. The gun shop replied back suggesting an alternative scope... Moral: never apply UK style humour to US situations, especially not about guns...)

Most of the organizations and individuals sending the emails are accommodating. Then there are the likes of Discord, that require you to confirm that you would like to delete "your" account, when it's not even yours. Nevermind that I have no desire to delete someone else's account. They also refuse to write you in English when you tell them you prefer it over Spanish. Luckily; I speak that too.

Oh, no; this was direct from Peet's website. Doctor's office had a recurring shipment.

At least it listed "my" address. :)

https://xkcd.com/1279/

I have lastname@gmail.com and keep receiving various e-mails intended for people with my surname. Insurance documents and other semi-confidential stuff included.

This is an "I'm dumb and can't remember my email address" issue, not a political one.

I also get the usual run of the mill receipts, reservations, etc.

But in the last few years I started getting hotel reservations, golf course membership, bills, orders for liver supplements. I tracked down who it is ages ago and sent them an email (I was cordial - "Hey we have such similar names but I'm on the other side of the world, crazy huh?") and got no response. Eventually I replied to the liver pill people and said "Hey this isn't me and if you could let the actual person know that'd be great" and the emails stopped. Way to go liver pill people.

I had a similar experience, funnily enough golf course memberships too. Doing minimal OSI work on the numerous emails I found the guy on facebook and friended him (accepted due to same surname I assume). I remember saying something like:

"Hi, I noticed you just signed up for an Epic Games account, and you happened to use my email address <lastname>@gmail. Would you mind not doing that, please?"

He responded that I was a creep and that it was his email, and proceeded to block me. I mean he might've been right on the former, but patently wrong on the latter.

In retrospect, I probably should have printed the emails and then sent those too. That may have been taking the bit too far, but it would have been much funnier from my POV.

The creep creep creep ;-)

I once got someone and their family's Disney World booking details sent to <theirname>@<mydomain>. It was a real thing, I could click the link and go view their booking at the official website. I have no idea what made that person to type out <mydomain> as their email, the domain is not even close to any publicly hosted email services or any company names. I kept getting more notifications of the upcoming Disney World trip so I ended up disabling that particular address so that those emails bounce.

I sent a few emails to his family explaining this, they told me that I was wrong. I gave up and just ignore all of those emails.

It's on gmail and I don't use gmail for important things anyway...

What a bizarre response... somebody who isn't the person you intended to email has replied to you from the address you sent the message to. What could possibly make someone think that the person replying is the one who was wrong?

In their minds, they did email their brother, and the weird guy who replied is wrong. It might be possible, with enough investment of time, to help them understand how/why it went wrong, but as nicolas_t experienced, it is sometimes easier just to block them and move on.

I was lucky, I was a Hotmail early adopter and I regularly receive emails for two namesakes. I was able to figure out their correct email addresses over the years and they are both tech savvy enough to understand the issue. I forward on messages when they come through, and I actually met up with one of them at a house party he was invited to.

When I forwarded the invitation, he suggested coming along as well and I figured why the hell not. It was a fun ice breaker in a room full of strangers.

I used to reply to misaddressed mail when it amused me. I used to string along a whole family of people that included me in group emails with racist Obama memes and pictures bragging of poaching.

I stopped replying to these when in another case I was asked to tell estranged and family member that their sister had cancer since I was the only one still in contact with her. I did inform them they had the wrong address at that point.

I’m still on a mailing list for senior members of a local police department and even was sent logon/passwords to some of their systems but I’ve learned not to try to correct these things, it’s just too much of a hassle. In the case of Venmo and Verizon I couldn’t get it fixed even with phone calls.

This email is regarding: [].

Class: MATH 7 ADVANCED Prd: 2 Teacher: []

-----------------------------------------------

Good evening, please check [] for missing work, complete it and submit it. Let me know if you have questions or need any help or anything opened up or more tries. Remember the Ch. 3 test due today. Thank you, Mrs. []

I replied:

I think you've got the wrong email address.

Thanks, David

The teacher then replied:

My apologies. You are correct. Your son is crushing it :) and I failed to take him off the group email. Thank you so much for letting me know and keep up the great work! Again, I apologize for the inconvenience. Mrs. []

I then replied:

Thanks! Only one thing: I don't have a son.

Imagine dealing with Comcast customer support. Then imagine not even being a customer anymore trying to get this resolved. Now imagine explaining how you're not the person on the account yet have the same name and how this is a huge privacy/security violation.

Took years to get rid of. One day I'm waiting for a silly collections bill or something to show up in "my" name for the other person.

I really wish I could get his phone bill sent to my email address so I could call and tell him he could have gotten a larger raise

* A Joe who runs a lego engineering team at his high school

* A Joe who goes to bible study in Utah

* A Joe who is building a house in Victoria Australia (I'm so familiar with him/others screwing up his email that I can forward it to him and his wife easily.

Your targetted ads must be really interesting :-)

The silver lining is, of course, that no one has yet built an accurate profile of you ...

Also: When I use Facebook's feature "show data that others have uploaded about you" (or similar), it is full of this guy's stuff that was provided to facebook (and attributed to me) by businesses this guy has relationships with.

Nothing I can do to remove it.

Now I get phone bills, internet bills, promo emails, subscription emails, two factor emails, and sometimes even bank related emails addressed to someone who shares their first name with me.

It's been years now. I've reported the emails, but neither the intended recipients, not the sending organizations seem to care.

I agree, my namesakes are idiots too and so are the companies who don't have a simple email verification system. :(

Never heard from them again.

He also is down for _any_ sweepstakes and has dubious dating preferences. He’s out there wondering why he never wins anything and no one swipes on his profile.

+1. My OG name email has been mistakenly registered for a PayPal account, but there's no way I can go about disavowing the account, or removing my email address from it.

They can make a new one with their own email if it’s important.

Edit: there is one boost mobile customer who has done this to me and I can’t figure out the exact address they used (the thing where you can add periods gives a lot of possibilities), and I really wish I could password reset and close this account because approximately every other month for years I get late payment notices, then impending cutoff notices, then cutoff notices, then “thank you for your payment your service has been restored” notices. It’s both sad and annoying and I finally just black-holed everything from boost mobile and hope I never decide to be their customer in the future because troubleshooting mail delivery problems when I’ve forgotten about this will drive me insane.

I've never really been 100% sure if changing the password and logging in to delete the account would violate the CFAA. I mean nobody would have gone after me for a Twitch account anyway, and I'd definitely have felt moral deleting the thing, but the letter of the law...

- The account effectively belongs to you anyway.

- The person who created it isn't going to be able to recover it if they lose their password, better they know about this sooner than later by you locking them out.

I mean this is essentially silly, because almost certainly what has happened (given my weird name that nobody would normally stumble across) is that my email address has become listed in some database and somebody has decided to use it to sign up for services for shady reasons. So I'm not arguing that I couldn't have gotten away with it. Definitely I could have. But I think it is an interesting reflection on these signup systems and how they might interact with the CFAA, that this weird situation can occur.

Obviously, inquiries to boost mobile support haven’t been helpful either. It’s a mystery.

As someone who has done this too, I wouldn't be surprised if it violates some misuse of computers act - but I'd rather that than be responsible for the security of someone else's finances

I have tried finding the numerous people throughout the world with the same name and surname as me and notifying them and asking them kindly to update their contacts or to stop using mine (name.surname@gmail scenario), some work, some don't.

At some point I even started canceling their appointments/subscriptions/closing their accounts, hoping they'd stop but apparently no use. Not a month passes without a few of these emails popping up in my inbox. The most annoying are when I am stuck in a group email with multiple recipients that are replying all.

I can’t imagine what it’s like for whoever uses the same naming convention for a super common name.

* obviously this is not my email address, but it demonstrates how the situation arose.

I don’t even use gmail anymore, but I keep looking into what kind of fun emails I get (and I report every opt-out-only newsletter, which includes Google Fiber and some US Democratic Party thing, as spam).

Now, I get Bank Statements, Credit Card, Health, Insurance and whatnot for over 5+ "Brajeshwar"s in India. I just ignore them as I use my GMAIL ID just for newsletter subscriptions and ramnants of the old Internet but I do check once a week during my weekly digital chores.

OT, but I’m going to start using “digital chores”. When my partner asks what I’m doing and I answer “paperwork” it doesn’t sound quite right.

A few years ago I tried to contact some of my other selfs to ask them to mind their email, but never got any response. I'm just ignoring them now or hitting the spam button (after all, the senders should have a process to check the address instead of taking erroneous email addresses written by hand on paper).

My name is fairly popular in my part of the world and everyone who has it uses my email address as a throwaway since they actually authenticate using a phone number. I have matrimonials, visa applications, leave applications, uber accounts, SaaS subscriptions, porn subscriptions, random newsletters and what not. My gmail account is all but unusable now.

Sometimes I get so annoyed I do a password reset on their accounts. Gotta learn some how.

Same here. But my first name is so unusual that I have literally not found anyone else on the internet with my first name. Any and all searches for my first name (and nothing else) have results that point to me.

I haven't noticed many leaks/sales at all of my specific account addresses. I get almost all my spam on my regular gmail, and promotions for companies that my namesakes have signed up for, left my email at a store, etc.

I have identified several people from the variety of emails I get, including work/school/personal.

> But some of the companies responsible of the subscriptions, like Paypal, are assholes. They allow the creation of accounts without verifying the email, then refuse to admit it's their problem and do something about it.

This is my absolute biggest gripe. Someone signed up for AT&T using my email. I contacted their support on facebook, and even after explaining the whole issue they asked my for my phone number, and recommended I call their support. I'm not even in the country. They stopped responding when I pointed that out.

While I want to trash AT&T (deservedly), they're unfortunately not alone in that behavior.

The bills are in encrypted pdf-- but the encryption is trivial to remove. I looked at the bills, its someone with a name similar to mine, just one letter different. I emailed the real person, telling him he had used my email, but got no reply.

I just press spam now, and the emails have stopped coming to my inbox. But I still get the emails 6-7 years later. Its mind boggling as how a) Airtel never confirmed the email b) Havent stopped sending even though they've been going to spam for years now

This is my biggest issue with what you're talking about. I get annoyed at the clueless users who happen to share my initials and last name but I can forgive them for their ignorance.

But, IMHO, any company, in 2022, that uses email for authentication, or for any type of business/financial exchange of information, that doesn't bother to do a simple validation of "do you really own this email?" should not be allowed to continue to operate!

I sadly learned long ago that expressing this opinion to their support or security contacts is useless.

Recently, google/gmail decided to be too helpful. The namesake used my email address when they booked a stay at a hotel (helpfully the hotel made it impossible for me to unsubscribe!) The hotel has sent me a few emails related to the booking, reminders and the like. Google being Google, sees the email, and creates a calendar entry for me. I delete it. The next email comes in, and boom, there's the calendar entry again.

I mostly get signed up for newsletters but I do actually have the name and address of one of the people who uses my email address. I know its not exactly polite and didn't want to be mean and cancel any orders but I mayyy have logged in and changed her name on the delivery address to "stop using my email address please" and she's never done it again.

theres also a teenager at a school in the US using my email address on social media I get a lot of requests to send me freebies!

I also apparently have an espn account now, if I liked sports I'd be taking advantage of that one!

Even weirder was one time I had RSVP's to a wedding. The couples name was exactly the same as my partners and I's! I had to email the pastor and say I think you have the wrong email address!

I've had blood test results, graduation photos, I get emails from this girls doctors. I've contacted them so many times to say I'm not your patient but they don't listen. I also know what car she leases! At this point she must have realised!?

I had first.last@gmail.com and indeed got a lot of email that isn't mine. A few years back I switched to token1.token2@gmail.com, where token1 = something vaguely similar but not my first name, and token2 = nonsense word. Basically an address that is something between random string and insider joke.

Of course I always include my correct real name in the From: field, fill it correctly in all the relevant fields on forms and have never suggested to anyone that my actual name is "Token1 Token2". Nevertheless it's not uncommon for people to assume that this is my name, and I get people writing to me "Hi Token1," or "Dear Ms. Token2". I even had an expensive electronic item shipped to my correct home address but addressed to Token1 Token2, and returned to sender, since such a person doesn't live here (and likely doesn't exists at all).

Some people just don't understand how email addresses work.

[0] dots are not significant so it's basically the same email address and it is mine, but they use it without the dots while I use it with.

- One guy in London. I get monthly invoices from his daughters childcare centre and the odd email from his solicitor about his investment property. His wife replies to all of these CCing me in too.

- A Native American artist who gets a few emails to purchase his work. I don’t mind this one so much, I found his real email and forward everything on to him.

- Then there’s this other complete douche in the States. Emails about his car servicing reminders, all sorts of totally boring crap. One time I even got a flight booking for him. I though someone had stolen my credit card info and booked a flight in my name at first. I could click into it and change anything. I could have canceled it. I should have picked terrible seats or preordered the worst thing on the menu for him.

Someone even has a Paypal account on my dot-less email. It beats me how a payments company can let somebody add an email without verification and not offer an easy to way to remove it.

Instead use the reserved domain example.com.

The problem is the word spam. What you describe, misdirected mail from completely legal businesses is not really spam, even if it is junk for you personally.

There is aggressive marketing of very vaguely related products you have actually registered for. There is marketing of illegal products mostly using harvested addresses. There is phishing often using stolen addresses.

If you want to understand the problem as the OP obviously does just speaking of spam is not helpful.

Unsolicited commercial messages.

If the actual receiver didn’t solicit the message, it is spam. It doesn’t matter if the business is legitimate or not, if anything it makes it worse because the FTC occasionally does fine companies for sending spam.

Legally, you have to verify the email address before sending any further messages. If you don’t, you open yourself up to some serious fines if and when the FTC or whomever decides they want to make an example of you.

What about selling fake products?

Those persons give my address all over the place. Don't you understand the implication?

Also using unverified addresses by Paypal and other assholes is irresponsible and honestly I can't see why it isn't spam.

Edit: Add Netflix to the assholes list. I've just reset the password for another idiot.

I do not have a facebook account

Over a year ago, I noticed that somebody's paypal was set to my gmail account. They had also used my account for payments to Donald Trump (I was getting hilariously desperate and pleading messages for more donations) Banggood, and Amigo Loans (as guarantor)

I was able to get information about different addresses they have lived (Ireland - not sure how many Trump supporters live in Ireland, which was weird), what other email addresses they had, etc.

In the end, I logged into their paypal (surprisingly easy) and changed their email address to the correct email address, and emailed them their new password.

I still get the odd one-off email from other places, such as a damp report for a property in Hemel Hempstead, but at least I haven't had any more paypal messages. I sometimes wonder about the legality of what I did - obviously I did nothing malicious, but I suspect it contravenes the letter of at least one law. But the thought of being made in some way responsible for the security of someone else's finances filled me with dread.

Add Discord to the list.

Use an account with an unverified mail? Fine by us!

Go and try to actually verify the mail? Alarm bells go off and the acct locks up (sorry, not sorry for the owner of that acct)

My assessment was businesses were not stupid enough to sell email addresses (they knew they'd be reamed for it if word got out) but just enough of their friends' machines had sketchy browser plugins, malicious android apps, back-doored aimbot cheats, and etc harvesting contact addresses and sending the data back to spammers.

Basically the majority of apps in the Play Store have permissions to see the contacts, then they vacuum up the whole address book and sell it to companies doing correlation with data from other services—and pretty much compiling giant stores of identifying info and contacts. I guess it's a given that tons of that info also falls into spammers' hands, and since almost no one in the public ever heard of these particular companies, they face zero consequences for what they're doing.

Dunno what to do about messengers and such, which integrate with the contact system to show their correspondents in e.g. the ‘share’ menu. Not sure if these contacts are available to other apps—but if they are, it seems impossible to hide them.

Also there's e.g. a plugin for the (non open-source) Xposed ‘framework’, to feed fake data to apps that want to access the location and other such info. Seems to be able to fake the contacts, too, but afaiu requires a rooted phone: https://github.com/M66B/XPrivacyLua

Do you think the spammers retired? I doubt it, there is only a shift towards trying to get more phone numbers instead of email.

Then I got a response from the salesperson. I asked if he knew that I had started getting spam to the e-mail address that only they had, and he said there was no way that was possible.

I figured that his machine had some malware on it, and that harvested my address and sent it to the spammers. But the cynic in me wondered if they wanted to make money from selling the spammers my e-mail address AND from selling me a spam firewall.

I attended my town's meeting for a political party in 2016. I put my name and email on the list with an email address that I made up on the spot. It continues to get HAMMERED by every up-and-coming politician in the state who's trying to make a name for themselves.

A few years ago I attended Senator Ed Markey's roadshow for the Green New Deal. I again used a unique email address. Someone on the staff sent the address a LinkedIn invite promoting their puppet show business.

I interviewed with Microsoft in the fall of 2004 and used a unique email address on the application. It started getting SPAM. I think I blocked it in my email provider.

Looking in my SPAM folder, most of the spam is going to my gmail account, and most of it is recruiter spam. (There are a lot of recruiters who just SPAM, and I report them.) But: I have 2 emails in German to an email address I used with the Computer History Museum in Mountain View probably sometime between 2005-2007.

Speaking of resume spam: Next time I publish a resume I'm going to do "jobboard_year@...". I'm getting hammered with resume spam, a lot of it from recruiters who either haven't read my resume, have poor comprehension, or hit send with glaring errors.

Years ago I blocked a bunch of addresses in my email provider that I never used. (I'm not going to look them up now.) They were very random, but somehow they just kept getting emails. I have no idea why.

And finally: In 2003 I put out a resume with "resume@..." That got hammered with SPAM. A repeat offender was someone trying to sell a car detailing franchise. I had to block that address.

In 2003 someone tried to get me to join Quickstar, a new initiative from Amway. (It's now been merged into Amway.)

I gave them "quickstar@..."

A few months later I got a cease-and-desist to the email address, and the moron who tried to get me involved called me up and started threatening me.

I had to explain to their lawyer what a catch-all is. Fortunately, he was a very reasonable person who very quickly realized that his company made a HUUUUUGE mistake.

The alias I used for one of the big donation platforms has apparently been given to every single person running for any political office in the state along with many out of state. It gets dozens of emails a day, most of which automatically end up in spam.

The problem with unsubscribing is that distributing your email address isn't illegal, so they put you on a new list with a different name and - you didn't exactly unsubscribe from THAT list did you!

The Trump campaign has had some remarkable temerity in this field:

>GROSS: So let me stop you. So in order to not make monthly donations, you had to notice that there was a pre-checked box saying you were making monthly donations. And you had to uncheck that box. You had to take action (laughter) if you didn't want to make monthly donations?

>GOLDMACHER: Exactly. That's what they did earlier in the campaign. And then they made the box more complicated. They added a second box to take out a bonus donation a few days later. And they added all kinds of extraneous text in each of these boxes. And so by the end of the race, the disclosure that this box that was pre-checked would withdraw a monthly donation was buried beneath seven lines of other text that had nothing to do with the fact that it was going to take this money out every month, and seven lines of text saying there's going to be a second donation. So if you sign up to give $25, you gave that day, they took out another $25 a few days later. And then it took out $25 every month. And then this is what they did at the end of the race which caused such a spike in refund requests. They didn't take the money out every month, they started taking it out every week. And so while somebody might miss that their donation happened a second time the next month or they take a couple of months on their credit card to miss, you don't usually miss that suddenly, your credit card has four contributions in a single month when you intended to only make one. And so what happened in the reporting that I did was that there was a huge surge of complaints to credit card companies of fraud, saying, this is wrong. I didn't sign up for these kinds of donations.

https://www.npr.org/transcripts/1092816157

No, it's a problem with the CAN-SPAM act.

They would, if they were giving out unique email addresses or used aliases/catch-all.

If they're just giving out me@domain to everyone, then it's just "natural" spam.

It beggars belief, but sometimes one party will be sending mails carefully tailored to make you think they are from the other party - stealing not just the overall design and color schemes, but even trying to use turns of phrases common to the other party. The mails will link back to a similarly carefully crafted website which never says which party the candidate is from. If you sniff around, you can find their other site which is designed to appeal to their usual voters, which clearly identifies which party they are from. I've seen a half dozen state level politicians pull this in the last 15 years or so. Crazy stuff.

Additionally, I get political spam (and a few other politics adjacent topics) meant for my father (addressed to him by name). This is because AOL sells subscriber lists to spammers, and I still have an AOL address from my teenage years and I'm a techno-packrat who never willingly throws anything away. How do I know they sold their subscriber lists? Because my father had the master account, and my siblings and I all had sub-accounts from the main one. Obviously, in the AOL records which got sold his name was on all the email addresses as the account owner. But of course, AOL has been a shady company for decades so this is no surprise.

I get a lot of spam from various meetup groups too. One which I can't shake, which I find very amusing, is "Women in Tech" meetups. My IRL name is male, but not that common anymore, and people are tempted to read it as feminine. Try as I might, I cannot convince them that I should not be showing up to "Women in Tech" meetups and unsubscribing doesn't seem to do anything. I have taken to just forwarding those emails to my wife, who actually is a woman in tech, but strangely doesn't get these emails.

¯\_(ツ)_/¯

Adobe are just a bunch of idiots who have no clue what they're doing. There's a whole story, but let's just summarize by saying they have people working for them who both want to argue about how it's "not possible", yet have zero insight in to how their data is stored.

I couldn't get anyone at Avid to listen even though our company has bought millions of dollars of equipment and software from them, so I walked up to the president of the company at an event and told him. They reacted very quickly and affirmatively after that.

Right now I'm dealing with the government of the local town. I filled out a form on their web site asking something, and in the months since I've gotten emails that have the EXACT DATA that I put on the form with phishing URLs in them. I'm still waiting for the Town to explain what happened and whether the compromise was in Mailchimp, Linode or Sendgrid.

https://twitter.com/WolfieChristl/status/1198739105275875328...

https://business.adobe.com/solutions/data-insights-audiences...

Check your ublock on any given website, and there's a good chance one of the trackers being blocked is from Adobe.

We’ve gotten less spam than I expected and from fewer sources.

The big ones are dropbox (likely breach related), justworks, [email addresses listed in Whois records - note: Whois privacy features are absolutely worth it], and emails associated with open source projects and businesses that get listed in repos/project/business websites.

I have blacklisted 1 video game discussion forum whose owners sold it and all its data and 4-5 misc retailers (mostly in fashion/clothing) for either outright spam or having non-functional un-subscription features.

We continue to use this email strategy for a variety of reasons, not only spam management. I don’t think I would set such a system up if my only goal was spam reduction as breaches and publicly posted addresses account for the vast majority of the spam and those will get you either way. There is merit to having your main personal address be separate from the ones you publically post for business/open source purposes.

As an aside: the experience has led me to an anti-spam idea that I wonder if anyone has tried on a larger scale. I have multiple different addresses that were clearly involved in a breach or I post on public websites where they get scraped. However, I know that both addresses are unrelated to each other so I end up getting listed on some spam lists multiple times. In these cases, any message where you get separate copies to multiple different addresses is spam 100% of the time.

My motivation of keeping it up is mostly habit, I wouldn't want shop mails on one of my public addresses anyways. A nice benefit is that phishing mails arriving at the wrong address are even easier to not fall for (but a deeper phishing attempt, with targeting based on a breach or something like that might become easier to fall for)

I think you just described a bloom filter.

The offenders that I remember:

- Men’s Health magazine

- local gym

- online flower shop

- agency that at the time handled visa applications for a local Indian consulate

- couple of infoproducts from Producthunt (think “free e-book of 10 most effective cloud practices” type of stuff) gave my email without consent to other sellers of infoproducts.

He's the type that also will string along the spam callers until they hang up on him, so he enjoys these conversations.

I tried to order a textbook online and my transaction got flagged as suspicious, so I had to call a support person, and he wasn't having it. - foreign credit card - address marked as non-residential area - sketchy email-address using their company name

Had to take the bus to a bookstore.

This was actually the only political spam I got for most of my life until my wife got mad at me for never voting and I finally registered. Then the Democrats must have trawled the public records and they started spamming me, too. I'm so glad to have participated in democracy. Things are clearly much better in 2022 than in 2019 because I voted.

> I get very little of it from Republicans but lots of it from Democrats.

Have you donated money to Republicans? How about Democrats? What are you registered as? What have you been registered as before?

I have also received pornographic images with embedded code which somehow seems to run JS code when you open them. In short, they try to con you once they know you're a frequent buyer. Oh, and they also WhatsApp me directly with lot of links to porno-like malware or actual malware directly from new numbers every week. I had to stop using my WhatsApp after all this happened.

But, it is what it is and I have learned to move on.

I get the odd one from the address I used when buying my ledger hardware wallet in 2017. Their address list was famously leaked a while ago, and this email address was on it - luckily not my address or phone number though.

Then occasionally I get one to my amazon-specific address. I figure via one of the vendors I've ordered from via Amazon? But who knows. Bezos didn't get his billions by not trying everything.

Source: I've implemented PayPal integrations for several sites over the years, and saw first hand what data is exchanged during the API workflows.

Also not to say this is how all recruiters work. I've spent enough time in the industry to know in 2 minutes or less if I'm talking to a decent recruiter.

Can you describe what it is you need to keep track of ?

I imagine giving out servicename@domain.com and if you get spam on that pseudonym you just block it in procmail or smtpd.conf or (whatever you do in gmail).

Right ?

- https://recruitin.net/

- https://www.gitrecruit.co/

- https://amazinghiring.com/amazinghiring-chrome-extension/

Recruiters feel that email/phone have better response rates, so many of them try to bypass linkedin by looking up your details in such a service. The third of these in particular found my details from the gravatar leak, as best as I can tell, so I wouldn't expect high ethics from these companies.

- web.de

- gmx.de/net/com

I reproduced this with a new domain, a nowhere occuring email on an email server that does not list its accounts via imap, and a single email from those services to the new email was enough to receive spam afterwards; even when the email wasn't listed anywhere on the web.

On a couple other addresses they receive spam mostly from Ghana, Botswana, or rural Delhi, so they're easy to identify. I keep the reddit-trained reply NLP bot active to reply to spammers and keep em busy.

At some point I might go the offensive route, cause they always seem to use standard software on outdated Windows machines, with couple of aliases of Western sounding names (well, at least in their own imagination).

My opsec mandates that I split up email addresses by security level and purpose, and the emails aren't related anyhow, don't use the same name and are basically random emails that cannot be correlated. I'd also encourage everyone to use a password manager and use only random passwords everywhere to prevent account stuffing or stupid script kiddies trying to compromise your accounts.

If there's one thing the BreachCompilation has taught me it's that every humanly chosen password is based on patterns and/or easily gathered social structures that surround them on a daily basis.

Google is very successful in rejecting spam before acknowledging its reception via SMTP (probably mostly via IP blacklist) so I don't see it, the amount of spam shrank drastically. For a very long time a lot of spam came via icq@mydomain (yes, it has been a while), but nowadays almost all spam that I see comes via the @web.de address where Google cannot apply its IP blacklist because its received via web.de's servers. I know because the mydomain email server also used to forward received mails to Google, resulting in said 30k entries in the spam folder. The transition to put Google itself in the DNS record made all the difference.

I am kind-of surprised I don't see more spam coming via the catchall address. Sometimes spammers use mydomain with random local part as sender address, so I get bounces.

Surprisingly, none of these email addresses have gotten spam, outside of what the original service sends.

As someone else mentioned, most of the spam I received comes from people with the same name as me. I was an early gmail adopter and my gmail is my firstnamelastname@gmail. I get spam, people's rental agreements, dating profile information, mortgage closing papers, etc for people with my name from across the country. There is someone who has been convinced they can create a gmail with my firstname.lastmail@gmail who has signed up my account for facebook, netflix, and espn+. This is much more of a problem for me.

Reading this thread makes me feel lucky!

The most interesting site I've pw reset and cancelled so far has been my name-sake's dating account on bigblackbeautifulsingles. He had quite a few matches.

My father has encountered this a fair bit. He was able to get a one of the most prolific incorrect email address users to realize their mistake when they used his email address while purchasing a house in England and he was able to contact the realtor to get back to the person misusing the address and correct the email address.

There's still someone who has emirates frequent flier miles associated with his email address that they can't use (they've forgotten the password to the account and it keeps sending the email to him - but without enough information for him to either respond back or identify the account to have it corrected).

I ask the senders to "request a refund" but surprisingly, they never do. I guess that's one benefit of having a common username on a service.

The most amusing was the UK Parliament petitions site, since you would have thought they were a bit more careful with the email addresses given to them.

But the strangest is the persistent use of specific email addresses that I've never used anywhere - about half a dozen common forenames, and one forename-plus-three-numbers. I've no idea where they originally came from - perhaps someone padding out their email lists for sale with semi-randomly generated ones? - but that set of addresses has been used and reused for over a decade. At least it makes it easy for me to train spam filters, since even novel emails are easy for the filters to spot when multiple copies arrive together.

They also keep emailing me that my domain is about to expire - I never had a domain there

More than 15 years ago the addresses I had used for Financial Times and Finnair started to get Viagra etc spam. At least one of them was after a big leak at an online marketing firm that made headlines. I closed the addresses so I have no idea whether the flood has ever stopped.

Maybe 10 years ago I booked a cruise to Saint Petersburg using a coupon from Groupon. After that I started to get spam in Russian. I don't read Russian but online gambling was obviously a topic. I contacted Groupon and asked about their sharing. Talked to their head of don't remember and he claimed it's simple: They don't share the address with anyone. It was obviously not true befause I never had any contact with Russia before or after and the timing was very evident. I closed the address.

Another address is in the Linux source / LKML. It gets Nigeria letters all the time, but with low frequency. Less than 1 a week on average. Maybe 1 or 2 in German and French over the years.

Those are the biggest cases. Maybe some other odd one over 20 years. It's worse with completely stupid tech marketing on my work address (which has been the same for 4 years).

Edit: And there has always been spam to my gmail address. I have shared/stored my gmail address in extremely few locations just for forwarding and it's of form first.last@gmail.com. There are only 3-5 people on the planet with the same name. The spam comes without dot so I guess it's not from a list of email addresses, but generated from a list of names. My name has been on the Internet e.g. in Usenet and in scientific papers many times long before gmail existed. Volume is not too bad, a couple of them every month. It was worse years ago.

The worst part though is they also SPIM me, I predominantly get text message spam from these campaigns. The Democratic party is the worst here. I volunteered to man the phones one year for a candidate during the primaries, and now they are CONSTANTLY texting me to try to get money or otherwise support candidates on the national stage, most of whom I despise. The Republicans send me postal mail and email, but no text messages or IMs.

YMMV, I get it far more from Republicans than Democrats. However it may be due in part to a GOP donor with a name similar to mine that lives in a state I haven't stepped foot in for over a decade.

So, effectively I don't "know" anyone with any authority just because I volunteered to man the phones. I'm not on the candidate's guest list for their summer house parties.

As part of my local activism, I've volunteered several times for different forms of political action, and through that I have never once developed a personal relationship with anyone in leadership of these organizations.

I'm quite sure the reason will be that this service emails others on "your behalf" and probably does something like placing your email address in the "From" field or in the body of correspondence. I assume they are concerned about phishing or catfishing emails purporting to be from the service.

This doesn't appear to be an adequate solution to the problem.

Though who knows, maybe hex addresses will look fake / malicious and trigger a ban anyway.

We will fix this in our TOS

It is much more readable to have z1ll0w@mydomain than hashes (that was suggested above).

The worst was when spammers got ahold of my email from a hotel chain and would add random letters to the username. So, for instance, the email address I provided to the hotel chain was something like hotelchain-jawns@example.com, and the spammers would send to aaahotelchain-jawnsaaa@example.com, bbbhotelchain-jawnsbbb@example.com, etc.

That forced me to stop using a catch-all and only accept usernames that conformed to a certain format.

     E1iusbp-00017V-NM@steve.org.uk

I suspect that most of the entries on the list got hacked. There are a few exceptions where companies do not honor unsubscribe requests and keep sending you emails or flat out sell your email address.

Here's a list that was collected over many years:

- Cory Doctorow's mailing list (twice)

- bitcard

- Achatzi, CSV direct, easynotebooks, foto-erhard, hivilux - (german online shops)

- dcemu, gbadev

- Dropbox

- funcom

- gawker

- Kimsufi and OVH

- GoodLuckBuy

- Mails listed in WHOIS

- Mails used in Yahoo groups (RIP)

- MiniInTheBox

- monster.com

- moneybookers

- pianostreet

- Usenet (duh)

- Typepad

- UnternHammer

If you're still subscribed and not able to unsub, please just email me, doctorow@craphound.com, and I'll unsubscribe you by hand.

This is a phishing attack.

After a while I talked with one of those customers and they knew about it. It was "an email that got compromised".

Eg. one of their employees did fall for the phish and opened the email, clicked the link, opened the binary. Got infected and (a part of?) their inbox uploaded to the spammer. That is then used to send out new targeted phishing attacks where the name is spoofed, but send from another victim of theirs. Pretty effective phishing attack it seems. Took me a bit before I realized what I was looking at as the email seemed to come from that customer. It was only because it was a bit weird that I noticed things being off like that the email address itself was different.

Such as my profile here on HN.

But there some that must have been leaked or sold from specific services. These include, but are not limited to: USwitch, Linked-In, Disqus, and a forum to support LGBTQIA+ people in academia.

There are others where I have strong suspicions and some evidence, but where it's not airtight.

The one that puzzles me is that some recruiting database got my personal email address, the one I only give out to people I care to keep in touch with. I've never, ever given that email address to a recruiter! I asked them how they got that email, and of course they just said "some AI-powered recruiting tool we use". It's sad because that email address is super fun and I had managed to keep it private for so long...

The biggest source of spam to my orporate addresses is Linked-In.

  id            emails  creation    notes
  =======================================
  freepsp       37177   2005-09-23
  mtgox         21229   2011-06-19
  scriptaculous 10408   2006-03-27
  winex         5103    2007-05-01
  patriciafield 4293    2007-03-09 
  rms           3472    2007-03-10  www.rmsexperts.com
  wallstsense   3310    2009-04-01      
  panda         3300    2004-11-02  panda antivirus

https://bbs.spamgourmet.com/viewtopic.php?f=5&t=1785&sid=3e7...

There are intersting tales of how users of this service used multiple accounts to thwart spam.

Also these are my overall stats:

  Your message stats: 21,008 forwarded, 272,134 eaten. You have 1007 spamgourmet address(es).