
The joys of owning an ‘OG’ email account - todsacerdoti
https://krebsonsecurity.com/2020/09/the-joys-of-owning-an-og-email-account/
======
gregd
My wife owns an email address in Gmail and you wouldn't think it was a very
popular email address. Until of course someone's account information at
numerous shopping sites began showing up. My wife contacted this person by
phone and it turned out to be an elderly woman. The elderly woman was not
having it and began arguing with my wife about whose email address it was. The
elderly woman ranted on and on about HOW DARE MY WIFE TAKE HER EMAIL
ADDRESS!?*@4@~!

She just didn't get it and more and more new accounts began showing up.

When that didn't work, I tracked down one of her relatives on Facebook, who
happened to be younger so she got the whole Internet thing, and explained that
her elderly grandmother (it turns out) was using an address that didn't belong
to her. Her granddaughter told me she would talk to her grandma and tell her
how silly she was being and promised to explain how her grandma could keep
herself safe while shopping online.

No new accounts in the grandma's name have shown up since...

~~~
nchelluri
That couldn't have worked out better, and was a nice thing for you and your
wife to have done.

------
kstrauser
Ugh, this is my life. Yes, including accusations of “hacking” when someone
signed up for Facebook with my email.

On the plus side, this personal experience made me very adamant about
protecting mistakenly-registered users at my employer. When we were planning
to add logged in accounts to our service, the sales team (understandably!)
wanted the signup process to be as frictionless as possible, and thought that
new users should be able to start putting data into their account as soon as
they registered. I insisted that we require email verification before allowing
users to enter personal data. When I got resistance to my plan, I logged into
my webmail and showed the team all the crazy email I got from people who’d
mis-entered my address, and suddenly they understood. I wasn’t just inventing
some bizarre, unlikely edge case: these things really happen, and often.

Edit: And as you might guess if you squint at my username, my name isn’t super
common. It’s not unique on the planet, but it’s certainly not “Smith”. If _I_
have to deal with all this, I bet the Smiths of the world find it nightmarish.

~~~
wyclif
My main email address is <myreallastname>@gmail.com. My surname is not a very
common one, yet I still experience many of the side effects described here.
I've had this account since the first day Gmail was available to the public,
April 1st 2004—I was invited by a friend who worked for Google at the time.

Back then, I never considered this address an "OG" address, but then around
2012 I noticed something funny. I volunteered to do some charity work and
everyone was asked to sign in to a log book and write down their email address
with a pen. Several people who worked for this charity said to me "How did you
get that email address?" and seemed to think it was unusual that I had a Gmail
address that was simply my last name. When I asked them what their email
address was, they'd say something like "fluffybunny32428@hotmail.com" or
something like that. Hard to believe people use those kinds of addresses for
official business and applying for jobs, but they do.

My name is also very English. So when I get missent email, almost everybody
using my address is from the UK, Canada, Australia, or NZ.

~~~
murrayb
I have a firstname.lastname Gmail account. Neither frst or last are
particularly common. There are various people around the planet who hand out
my address as there own, I get invoices on a regular basis but also
correspondence from real estate agents and legal correspondence. Most recently
I spam listed a Canadian telco because some gentleman in Canada is joyfully
handing out my address. On the other hand I very rarely get someone else's
snail mail and if I do it is for a neighbour I know a house or two away and
never someone in another country :-)

~~~
teraku
"." is a ghost character for gmail.

firstname.lastname (at) gmail and firstnamelastname (at) gmail

are the same address.

[https://support.google.com/mail/answer/7436150?hl=en](https://support.google.com/mail/answer/7436150?hl=en)

~~~
TuringNYC
Not quite as I learned, for connected services. If you registered originally
as johndoe@gmail.com and use john.doe@gmail.com it works fine for mail. For
Log-in-with-Google, it goes back to johndoe@gmail.com and many websites treat
that as a distinct account. Now you end up with two distinct accounts on the
"same" gmail. Not great.

------
jameslk
I have one of these accounts (it's a dictionary word), and I can confirm
everything the author has said is true. I receive constant onboarding emails I
can't opt out of, "so and so thinks you're cute" dating profile notifications,
weekly account recovery notifications, all kinds of random crap that was meant
for someone else but due to slight misspellings come to me, such as important
contracts from lawyers, endless spam and newsletters I will never be able to
escape. I've long given up trying to help others deal with mistakenly using my
email. It sucks massively and has made my email unusable. Had I known this
when I registered my email, I probably would have thought twice about being
cute and registering it. These days, I mostly use my own domain for email and
carry on.

~~~
kbaker
Sorry to hear that. As a fellow 'OG' gmail user, I feel your pain, but between
the constant 2-3 daily unsubscribe hits and many many Gmail filters it is
actually manageable and usable.

Google's "targeted-journalist-level" Advanced Protection Program means I don't
have to worry about password resets or account recovery stuff on the account.

Though I have lost track of the number of services I didn't have immediate
access to since someone signed up using my email address, and reclaiming it
can be a battle sometimes. The Apple ID was interesting - but luckily
everyone's "first pet's name" was "Fido"... (Seriously... Please validate your
emails everyone!!!)

Often, whenever a real mailing address is included I print out the email and
send it in a real letter with a friendly (if just a tad passive-aggressive)
note inside. But overall I try to do the right thing for important documents
and correspondence.

I do shudder to think how many random accounts are just an email-password-
reset away from having access though...

~~~
stordoff
I don't have the same degree of problems with first initial + family name @
gmail (with an uncommon family name), but I've had someone use it for
something related to car insurance (which has resulted in a _ton_ of spam), to
enter a university run, and had company internal documents forwarded to me
(turns out the CEO shares my name).

~~~
bonzini
I have name.wifename@gmail.com and I have not gotten many subscriptions but I
got quite a few random emails meant for other people.

I did get a subscription for a Diners credit card, and I am torn about
contacting the guy; I don't look at the emails but I probably could find the
owner relatively easily. I contacted Diners and they didn't believe me. (Who
the heck is using Diners these days?)

------
LeoPanthera
Due to a bug, for a few months I received email addressed to google@gmail.com.
This was years ago, when Gmail was still newish.

I couldn't _send_ mail from that address, but I sure did receive it. An
endless torrent of weird junk, and a surprising amount of personal data,
business secrets, and passwords. If I was maliciously minded I could have done
a lot of damage.

I spent those months trying to find any way to get a message into Google to
fix it, and only eventually succeeded when I learned a friend-of-a-friend
actually worked there, and they helped un-scramble my account.

~~~
iJohnDoe
For all the “smart” people at Google, their incompetence is astounding.

~~~
HenryKissinger
Don't they have like three different internal Javascript libraries or
something?

~~~
Rebelgecko
Am a Googler who doesn't write Javascript, opinions are my own etc etc...

I don't know how many there are, but are you saying that 3 would be a lot?
There's probably hundreds of internal libraries for other languages like Java,
C++, Go, etc. 3 really doesn't seem excessive.

~~~
hoseja
Maybe he means "comprehensive frameworks". The kind that do everything. The
kind you probably shouldn't mix together.

------
Zenbit_UX
Story time: I never considered my email to be OG as it contains at least two
digits after firstLast but I've experienced the same thing. A man very well
off man from Texas has assumed my email as his own, shared it with his entire
extended family and booked hotels and flights using it.

At some point both his wife has asked me what I thought about a forwarded
message from their mortgage broker and his brother in-law asked me my input on
buying a 30ft yacht and what to name it.

I always ignore the serious ones for obvious ethical reasons but can't help
myself with the more innocent cases. I've found I quite enjoy giving non-
commital responses to these emails that won't give up the gig but also don't
help them either, things like: "that seems pricey" or "cool! What are you
going to name her?", and "she's a beaut!".

I suspect it will go on for a while.

~~~
RandomBacon
I bet you if you replied, "we need to talk..." it might stop. That might be
too mean though, or at least give the man a warning to stop or else.

------
brazzy
Oh god yes. I have a 6 character pronouncable gmail address as my main email
address. Some highlights:

* Several people from (I think) Mexico City have sent me requests in Spanish asking for medical prescriptions, including photos of their current medication.

* I started receiving receipts for an Italian parking fee app. After I contacted their support about the problem, I received an email addressed to their user asking them to confirm the email address.

* Someone signed up for Comcast DSL and there was no way to opt out of those emails, support didn't react and logging into the account would have required additional information not in the emails. I finally made a complaint to the FTC under the CAN SPAM act - _that_ got their attention and they managed to fix the issue.

* Someone signed up for some rewards program and proceeded to collect points by signing up for about 10 different newsletters.

~~~
croon
I have my 6 letter surname at gmail as well, and I've had this issue for
decades. Everything from wedding invitations to banking to schools etc.

I have answered some helpfully if I had the time, but mostly ignored them and
put them in a folder as "mail for others".

One in particular, some kid in Arizona who shares my last name has signed up
for everything from golf to Epic Games. I found him on facebook and friended
(since we shared our last name) and politely asked him if he could try to not
use my email for things. He told me it was his, called me a creep and blocked
me.

It's kind of hilarious how many people insist the email I (or Google I
suppose) own is also theirs, despite the technical impossibility of that
scenario. The same has happened with my phone number.

~~~
mywacaday
Please tell me you shut down a few of his "accounts"

~~~
croon
Yes, specifically the Epic account, but I might've hijacked his Instagram from
before they used email verification (just assuming they do now).

~~~
brazzy
Yes, Instagram definitely uses verification now and doesn't let you use the
account until the verification is completed.

------
OkGoDoIt
I own the domain name for my last name, so that I have the email address
[firstname]@[lastname].com. But when signing up for services I like to use my
domain as a catchall so I can have unique email addresses for each service. Of
course that means I receive all emails sent to anything at [lastname].com.
Even though my last name is not that common, there’s apparently a ton of
people with my last name who sign up for services using their first name
@[lastname].com, even though they obviously don’t have access to that email
address and haven’t for at least the 8 years that I’ve owned the domain name.
I’ve never understood what compels a person to type in an email address for
service if they don’t actually have access to that email. And yes, I see
plenty of bank accounts and other important accounts as mentioned in the
article. It’s mind-boggling. I also get plenty of personal email as well,
intended for people with that first name and last name. In those cases I
usually reply to tell them they have the wrong email address, and more than
once someone has responded back again asking me if I could pass the message
along to that person as if I’m supposed to know them.

~~~
gscott
I used to use a catchall but every few months spammers will use my domain in
their spam from line and I would get thousands of bounces.

~~~
lorenzhs
You might want to set up a DMARC policy for your domain. Since I set mine to
"p=reject" I haven't had any such issues. DMARC extends DKIM and SPF, and you
(typically) need to pass at least one of those to pass DMARC.

------
Baeocystin
I was so happy when I was able to get my (exceedingly common) full name as my
gmail address.

1.x decades later, I regret it. I get people's medical information, legal
documentation, all of it. It is stunning to me the quantity of PII that flows
into my inbox daily. Back when it was a trickle, I used to try and contact the
people involved to let them know of the issue. It almost never worked out, and
I got tired of getting yelled at.

At this point, I keep my account simply because if I were to close it, I don't
trust whomever might have it next. It is what it is.

~~~
theshadowknows
I share a name with a famous person and my first and last name are also my
email address (@ a certain mail service) and I often get receipts for things
he’s purchased as well as personal correspondence. When it’s a person I always
respond and say that unfortunately I’m not the person they’re looking for just
so they know.

~~~
peteri
Ah my friend Rupert Goodwins got a lot of email via gmail for Rupert Grint and
he wrote about it here back in 2004.

[https://www.zdnet.com/article/rupert-goodwins-
diary-30391728...](https://www.zdnet.com/article/rupert-goodwins-
diary-3039172865/)

------
1of1
I was recently in an Xbox party with 3 char anime/Japanese theme tags. I asked
them why there weren't any numbers after their tags and they went on for two
hours teaching me about OG tags and that his $750 tag was a steal as it wasn't
just random letters, but an actual word. The other guy paid $1,500 and at one
time paid $12,000! They explained you can buy them on IG or a site called
ogusers, but that you should always use an intermediary who holds the account
and your bitcoin, and acts as a security check middle man for a small fee.

They also told me about an MS website hack, where you could enter spaces into
your name by changing the client-side javascript and entering about 500 spaces
between each character and then filling the field with spaces until maxchar.

~~~
smillbag
Reply all did a great episode which went into these OG markets. One of their
best: [https://gimletmedia.com/shows/reply-
all/v4he6k](https://gimletmedia.com/shows/reply-all/v4he6k)

~~~
1of1
Yikes, probably a nightmare for the average netizen

------
zwayhowder
For three years in a row I received an amazon gift card on father's day.
Always intended for as far as I can tell the same person who has the same
first initial and last name as me.

I contacted Amazon about it the first time and they wouldn't cancel it or
issue a refund because I was the recipient, not the purchaser. I worry that
someone has been written out of their Dad's will because he thinks they have
forgotten father's day 3 years running.

~~~
gowld
Doesn't amazon have a "thankyou" feature to email the sender?

~~~
laurieg
I worry that putting "I am not your father" in the thank you message might
cause even more trouble.

~~~
saagarjha
Noooooooooo…wait a second.

------
uptown
I've got one of these. I've been invited to golf tournaments, received medical
records, been included in family reunions for many years running. I've had
power bills sent my way. I've seen tons of SS#'s and bank account routing
numbers. Countless password reset attempts. A long time ago I decided I'd
never interact, reply or respond to any mail I received apart from opening.

Tangentially related -- catch-all email accounts also get a ton of mail when
the domain name they're tied to is close to something that many people send
messages to. If you own a domain one keystroke away from a high volume domain
- you'll get access to all sorts of things you shouldn't be seeing.

------
igetspam
I own a four char gmail account that is a common word. (I was employed at G in
2004.) I get _everything_. If I don't have an account on a service, I try a
password reset and it usually works. I have bank info, hundreds of AT&T cell
phone contracts, pro baseball player contracts, mortgages, taxes, paypal,
investment accounts. You name it. I get thousands of spam messages a day that
are correctly filtered and I mark dozens as spam on top of it. I can tell you
about tons of companies that don't do email validation. I was once offered
5BTC for it but it is much more valuable to me (also I didn't know just how
high BTC would go).

It's annoying but I'm still striving for inbox zero. :)

------
ObsoleteNerd
Yeah I've got a 6 digit semi-common name Gmail account (from the invite-only
days) and the amount of junk I get to it is mind blowing. Not "spam", that
gets filtered pretty well by Google these days, but emails specifically sent
to me but not for "me" personally like TFA talks about.

100+ emails a week in my primary inbox that are from people signing up to
random stuff in my name, basically any/every service you can imagine where I
don't already have my own account (large social networks and sites in
countries other than me own, online shopping sites, etc).

The other interesting thing is I seem to get a LOT of email for addresses that
"almost" match mine, as though Gmail is doing fuzzy-search for addresses? Eg
lets say my email is "david@gmail.com", I get dozens of emails a week for
"david.17@gmail.com" and "davidab@gmail.com" and stuff like that. I can't
explain this one, and everyone I bring it up with says it shouldn't be
possible.

It's gotten to the point where I've created a more normal fullname@gmail.com
and then do some filters/forwarding on the old one for the more important
emails, then just check the old one every couple weeks to see if I missed
anything, because it's just not usable anymore with notifications on.

~~~
CamperBob2
Same here. My GF at the time received a couple of the earliest GMail invites
from someone she worked with, and I remember thinking, "Wow, this'll be great,
nobody will ever forget my email address."

15 years later:
[https://i.imgur.com/FlCi3xT.png](https://i.imgur.com/FlCi3xT.png)

Almost none of that is actually spam. Mostly list/membership subscriptions,
reminders that my $(VEHICLE) is due for service at $(DEALERSHIP), and
misdirected personal emails ranging from amusing to upsetting.

------
isolli
It reminds me of how the owner of the @N account on Twitter had it stolen from
him [0]

[0] [https://medium.com/@N/how-i-lost-my-50-000-twitter-
username-...](https://medium.com/@N/how-i-lost-my-50-000-twitter-
username-24eb09e026dd)

~~~
Sebb767
> A coworker of mine was able to connect me to a GoDaddy executive. The
> executive attempted to get the security team involved, but nothing has
> happened.

That part was really shocking. I can see why you might be stuck with a low-
level support tech that can't and won't help you, but not being helped despite
having this level of attention is horrible.

------
geocrasher
I am really glad that I do not have one of these email accounts. While I
cannot speak firsthand of some of the shenanigans that are mentioned in the
article, I have worked in the web hosting industry for 20 years. I have seen
some of the horrible security practices in use by customers and, surprisingly,
people in the industry.

I've seen many people locked out of their hosting accounts because they have
their primary account email address as one of the hosted email addresses on
their accounts, and suddenly they've lost access to their web hosting control
panel because their domain expired or their email was otherwise taken offline.

I think what all of this boils down to is that people don't receive any actual
training about how these things work. They pick up a phone and start using it
and figure it out along the way, or they buy a computer and set it up the way
Microsoft says and never think twice about anything else. The amount of
training that people receive is dismal at best and most the time it's not even
that.

There's also a contingent of the public that doesn't want any training and
their main argument is "well this is how I've always done it!"

~~~
bleepblorp
> I've seen many people locked out of their hosting accounts because they have
> their primary account email address as one of the hosted email addresses on
> their accounts, and suddenly they've lost access to their web hosting
> control panel because their domain expired or their email was otherwise
> taken offline.

This is a surprisingly difficult risk to effectively mitigate.

If you have a domain and tie your domain registration and hosting accounts to
an email address hosted by the domain, you could get locked out if something
goes wrong with the domain registration.

If you tie your registration and hosting accounts to a third-party email
account, you could get locked out if the third-party decides to nuke your
account for any arbitrary reason (cough, cough, _Gmail_ ).

If you tie your registration and hosting accounts to a cell phone number, you
could get locked out if someone attacks your phone account (unauthorized
porting, SIM swap, etc) or if the cell phone network goes down (think
California fire protection blackouts, or hurricanes).

If you tie your registration and hosting accounts to TOTP or Webauthn 2FA, you
could get locked out if you lose or damage your 2FA device.

There's no good way to authenticate domain registration and hosting accounts
unless your registrar and host have the foresight to allow multiple
authentication paths.

~~~
ValentineC
> _If you tie your registration and hosting accounts to a third-party email
> account, you could get locked out if the third-party decides to nuke your
> account for any arbitrary reason (cough, cough, Gmail)._

This is interesting. I usually point all my WHOIS info to <something>@<other-
domain>, but <other-domain>'s WHOIS goes to one of my personal Gmail accounts.

I'm going to switch it to a domain where I control the DNS, so I can change
the MX record if a provider decides to nuke my account.

Now I'm wondering how this works with any registrar's domain privacy feature —
technically, they're the "owner" of the domain in the WHOIS record.

~~~
joveian
Just be careful that your DNS is sufficiently restricted; I've heard of DNS
being the weak point for taking over accounts involving custom domains.

I'm surprised there aren't more in person or by mail verification options
available. I guess partly due to the "who pays for it" aspect (and people
moving, etc., plus no verificaion method is completely accurate), but the
current state of authenticating online accounts is rather worrying in general
and allows anyone anywhere in the world to try to take over your accounts.

------
matsemann
Someone used my email to sign up for Instagram ~10 years ago or so. I never
got a mail or any kind of verification, so I didn't know. Only found out when
I tried to sign up myself a few years ago, and "the address is already in
use". So I took forgot password, and got the email. I tried to get support to
move the other account so I could create my own, but they never responded.
Luckily the account linked to my mail had like 3 pictures and 5 followers, so
not to big a loss when I deleted it and created my own.

I also got signed up for some kind of dating service I cannot remember the
name of (before Tinder etc), and after being getting some weird messages in my
inbox I felt I had to delete his profile. Sorry about the matches you lost.

Given the nickname he's been using on some sites when signing up, I managed to
track down his real email some time ago. Basically mine + a number. Asked him
to stop using my mail, and what services he wanted we should try to move to
him before me closing them. All I got in reply was something along "why are
you in my inbox".

~~~
fencepost
I suspect this happens most with people using a full size keyboard and the
numeric keypad - when numlock is off, they miss that the numbers didn't get
entered and boom, there's your address instead.

I suspect you never see this with people whose number-after-name was 4 or 7,
because they won't be entering a valid email address.

------
samcrawford
An amusing anecdote from someone on the other side of this story...

A friend of mine has first@fullname.co.uk, and he's forever getting email
intended for first@fullname.com (who is someone entirely different, also in
the UK, and works in the military).

One day my friend books a flight and accidentally uses first@fullname.com. He
doesn't realise anything is wrong as the flight still shows up in the app.
However, the owner of first@fullname.com also sees the flight confirmation and
thinks there's some identity fraud going on, so phones it in to the police. So
my friend gets to the airport and scans his passport at the boarding gate, but
is met with a big red exclamation mark. Next thing he knows, he's flanked by
two armed officers who take him away for questioning for an hour!

After working out the mix-up, my friend sent a note to first@fullname.com
thanking them for the welcome committee.

------
ldd
So I own a domain that is very similar to a ballet company for children in
Florida and once, a mid-sized CEO emailed me PDF images with credit card
details!

I tried reaching out, but my email was probably ignored because they thought
it was a scam.

I'm sure that sending that info insecurely at least... violates mastercard
agreements? I dunno. I just hope people checked and double-checked what emails
they send.

~~~
curiousfab
I own a domain name that is a generic word but is also an one-off of a medical
company (and a very "likely" typo).

My catch-all mailbox has received an insane amount of highly sensitive medical
records over the years. Most of these mails were coming from employees of the
company itself, not external correspondents.

I have since modified the catch-all mailbox to reject mails from the medical
company, so they get a bounce message. This has not reduced the number of
messages, but at least they will know something went wrong...

People are not very careful, even with highly sensitive data...

------
dahdum
I get a steady flow of misdirected email for UK and SoCal namefellows, going
on 10 years now. SoCal guy got roped into Scientology but the UK fellow has
had a stellar military career, at least according to the intros I’ve seen.

The most interesting ones were about a trial where the defendants sold
substandard steel to the military. I got added to the thread with their
lawyers discussing strategy and sending attachments. I deleted it all after
notifying them, their case made it into some national news stories.

~~~
ben_w
Someone I used to know had the Lawyer experience too, only the namesake was a
high ranking UK banker and the topic was the late-2000s financial crisis.

------
technophiliac
I still own 'sys' and 'wheel' at one of the big ISPs in the US. I used to get
a lot of syslog-type messages back in the day.

------
kelnage
I believe this is in part a failure of Google and other large email providers
to provide clarity in the UI when registering a recovery email address. At
least when this feature was first introduced, as I remember it, it was
relatively easy to misinterpret the feature as signing you up for
additional/alternative email addresses, rather than specifying an email
address you already had access to that would be used for recovery if access to
the main account was lost.

This may have been rectified since, and I'm still not sure how so many of
these people haven't noticed that their "new" email address is not working -
but I guess they put it down to spam filtering or similar.

------
speakspokespok
Not an og public account but my first name starts with the first letter of the
English alphabet twice. By quiencidence so does the first letter of my last
name. That puts me dead top of any and every AD corporate email list. I get
CCed on so many things. I think the worst, not the worst but it was the first
time and I was brand new in my tech career and didn’t say anything until
waaaaay after I should have. The CEO of a small NASDAQ was using his work
account, my employer, to discuss the building of his mega house with his
contractors. Specifics like cost, the address, window choices.

------
ben_utzer
There are so many big service providers that do not verify emails and start
spamming anyway.

And there are also companies like Epic Games that got my email via a (failed)
Playstation registration something. When I wanted to register to buy a game it
did not allow me to create my account. I had to use another temporary email
while I entered the account with my correct email and deleted it.

We should make a support group for the endless frustrations.

I should also point out that I connected with one of the similarly-named-email
guy. When I recognize that it was directed to him, I'll just forward the email
now.

------
nemetroid
I have the equivalent of billg@gmail.com, with a common first name (but an
uncommon spelling, at least for English-speaking countries).

Nowadays there's a lot of different people who try to use my address, but for
a long time, most issues originated from a single person. At one point I
received a Christmas wishlist from his nephew, to which I responded that I was
not planning on giving any gifts this year, and would instead donate to
charity. I didn't receive any response, but from what I remember, he didn't
use my address after that.

------
ggop
Didn't realise this was a common problem. My gmail address has about 9 filters
with ~100 terms each. Would be nice if Google automatically had an allow list
with countries where I will accept account recoveries requests from.

Worst though is that PayPal created an account for another person with my
email address. Apparently they don't send out the initial prove-your-ownership
email. Still unresolved because PayPal refuses to believe me that I own the
address, even though they don't even want to send a test email.

~~~
lern_too_spel
I get multiple account recovery requests per day. Google should have a good
idea that they are not coming from me based on where I'm declining them from
and where I log in correctly from, but they still spam me with those requests.
I don't know if Advanced Protection blocks those requests, but I'm not willing
to give up access to F-Droid just because Google can't be bothered to fix its
account recovery process.

------
narag
My email address is nothing too original (in the profile if you want to check)
but it contains a dot. As you might know, gmail ignores dots in the addresses
so nico.aragon and nicoaragon are basically the same.

Well it seems that Paypal decided recently that why bother confirming email
addresses. Just let anyone use any email address. They send a confirmation
email, yes. But then accept the address no matter if they receive the answer
or not.

So I start getting notices of some not very bright namesake that is making
tens of cents with some online store. The spanish paypal office is totally
useless, they just suggested to contact Google.

I sent a mail message to the European Paypal delegate for data protection, but
no answer and I still get more notifications later. It's quieter now, after
another confirmation email (that I obviously didn't answer) but no idea if
they did something or it's just that the account owner is not selling so much
later.

Edit: years ago I got a "nico" account in a very popular local provider, so I
had experienced the og problem before. Some other namesake is gay (maybe he's
the pornstar that I see in Google) and received some explicit pictures.

~~~
ValentineC
> _Well it seems that Paypal decided recently that why bother confirming email
> addresses. Just let anyone use any email address. They send a confirmation
> email, yes. But then accept the address no matter if they receive the answer
> or not._

Hah, I don't remember receiving a confirmation email. Unfortunately, there's
no way to disavow an email address from someone's account either, which means
I can't use that particular email for PayPal.

------
ipython
My wife has an old gmail account which is her first initial and last name. She
set up email forwarding to another account several years ago promptly forgot
about it. Unfortunately she picked her original password before I introduced
her to password managers and so now her original account has been taken over
by someone.

Interestingly enough that email forwarding she set up still occurs and she has
all of the received email for her attacker(s) including all the security
notices. I figured it would be a bunch of people emailing angry that they
received spam from the account. Instead it’s a bunch of disjointed English
talking about the weather - back and forth messages such as “in Tuesday we
will have windy”. There are several iOS devices now logged into it. I am
baffled yet insanely curious.

Unfortunately even though this email forwarding has been set up for more than
a decade, googles automated account recovery does not recognize her request
and we can’t get the original flast@gmail.com address back.

Anyone at google have thoughts? I can drop my personal contact info if so.

------
Polylactic_acid
Its pretty ridiculous that web services still allow you to sign up without
verifying your email.

~~~
frabcus
It’s even more ridiculous that it is 2020 and the only method to get a
verified email is by sending an email with a link.

There should be a standardised protocol and flow which makes the experience
much better for both users and developers.

~~~
eythian
Technically there is, I think SMTP has 'VRFY' or similar to check if an email
address exists. However I recall reading (like, over a decade ago) that it's
often not supported as it makes it easier for spammers to validate real email
addresses.

------
MH15
My GitHub is four letters which is quite convenient. Recently a friend and I
ran a script on the GitHub API to find the shortest available names and found
that there are no three letter names and very few four letter names remaining.

Of course I got rate limited in this, as you can probably imagine given the
factorial complexity of checking every name.

~~~
Something1234
The question is if any of those short accounts actually have anything
interesting as contributions or just name squatting.

~~~
skeoh
Anecdotally: I have a 2 character GitHub user
([https://github.com/j-](https://github.com/j-)) and I like to think I do more
than name squat. I missed out on the 1 character user
([https://github.com/j](https://github.com/j)) by only a matter of weeks!

------
bane
I have an original gmail address, going back to August of 2004 (gmail launched
in beta in April, 2004). The username is a word in a non-English language that
at the time had zero hits on Google. Even today, a search for that username
nets < 175k results. I never signed up for anything with it and have only ever
used it for email to a few close friends.

Until about 3-4 years ago, I basically didn't get any spam or these kinds of
accidental "put the wrong email in the signup box". Then one-by-one, I started
getting them. Facebook account request, bank signups, tinder account
verification emails, twitch, the works.

Sometimes I'll get half a dozen emails clearly initiated by somebody trying to
get access to some account somewhere and my email address was provided as a
backup. Occasionally, I'll get notifications that somebody is trying to rest
my password.

I wonder sometimes, with email and the internet being so ubiquitous and for so
long, how is it that people don't honestly know their own addresses? And then
I'll get peaks into the lives of these people every once in a while. Pictures
from their facebook account, emails from real estate brokers, from "hookups"
and so on.

Every once in a while, if there's an obvious way to contact somebody, and the
emails seem like they're from legitimate people, I'll respond and say
something like "wrong email address." or something. About 1 out of 20 times
the person on the other end will fight back informing me that I, in fact, "am
wrong about my email address and yes I can't avoid making my childcare payment
this lamely."

It's gotten frustrating, the Eternal September has now impacted one of the
oldest continuous ways I've used the internet, a way I've jealously guarded
and preserved from spammers, scammers, and all other form of miscreant, only
for that judicious and careful defense to be washed effortlessly away by
people who aren't even aware what their own on-line identity is.

------
Stratoscope
I don't have an OG@popularservice.com account, but I do own the .com for my
last name. It's not a common name, but not too uncommon either.

So I do get fairly regular emails addressed to people who share my last name
and forgot that their domain may be the same as mine but is a different TLD
and not the .com. I don't have a wildcard catchall email set up but I do have
the common ones like info@mylastname.com.

The most recent was someone who ordered business cards from Vistaprint and
used my info@ address. I figured out who it was and emailed them at their own
info@ address. (No, I didn't sign into their Vistaprint account, though I
could have easily done a password reset.) Haven't heard back yet. I just hope
they didn't put my domain on the cards. They probably did - time to reorder!

------
iJohnDoe
As you read through all of these comments you hope that there is some pattern
of why all of this happens. Then, unfortunately, you come to the conclusion
that there are hundreds of reasons why this happens.

People on the other end of the counter just type in what’s easy because they
make minimum wage and don’t care, people on the other end of the phone that
didn’t hear something and just type in what’s easy because they truly don’t
care, people that truly don’t understand the internet and really think that
their family members first name or last name, or any combination there of will
magically get to them via email because no else has the same name.

Life is truly random and the truth is rather boring once you find out what
really happened.

------
presspot
I feel sorry for the guy who registered foo@bar.com

~~~
krebsonsecurity
I actually wrote about that guy not long ago. His name is Mike O'Connor, and
he owns bar.com, grill.com, place.com, and television.com, among others.

Probably his most famous domain was corp.com, which was recently bought by
Microsoft because it turns out that older versions of Windows and other
Microsoft products actually invited people to use corp.com for their internal
Active Directory names. Problem is, when those machines are outside the
internal network, they're constantly trying to share passwords and other
sensitive data with corp.com.

More here:

[https://krebsonsecurity.com/2020/02/dangerous-domain-corp-
co...](https://krebsonsecurity.com/2020/02/dangerous-domain-corp-com-goes-up-
for-sale/)

[https://krebsonsecurity.com/2020/04/microsoft-buys-corp-
com-...](https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-
guys-cant/)

------
xahrepap
Tangent to what I’m seeing in the comments. I have a Google Voice number. When
I signed up they let me choose an available number of my choice. So I found
one with lots of repeating numbers to make it easy to remember.

Turns out it’s the same number as a major medical insurance support number.
Just a different area code. I get calls in waves, it seems. This week I get 3
or 4 a day. I ignore them. Occasionally I get voicemail “I have a question
about a patient” or whatever.

If I answer and try to explain it, it confuses people and they usually get
frustrated. Not worth my time anymore. Basically I ignore all calls that
aren’t from people I have saved.

------
chrismeller
I own the domain doesnthaveone.com, so I've also gotten a ton of these types
of emails. It really is shocking.

Just scrolling through the catchall for the last couple of days I see AT&T and
Verizon bills, several doctor's office reminders, some medical patient portal
emails (including "new test results available"), a Navy Credit Union account
notice, a surprising number of reminders and test results from veterinary
offices...

The only one I ever bothered trying to get sorted out was when I discovered
that I seemed to be getting any HP corporate purchase order without an email
address on file.

------
ghaff
One of the schools I went to introduced alumni email forwarding fairly early
on and allowed you to pick your own user name. I have a not rare but not
super-common first name and was able to grab a user name with just my first
name.

I haven't had it happen for quite a while, but for a fairly long period when
email was relatively new to a lot of people I received a fairly regular stream
of mail intended for other (presumably alumni) with the same first name,
including some fairly sensitive emails with board meeting minutes and the
like.

------
chris_overseas
I have this problem, and I've lost count of the number of people who've either
signed up for services using my account instead of their own, or alternatively
people who send me emails that are intended for someone else after
(presumably) miss-hearing an email address that was read out to them over the
phone or whatever. Some of the highlights:

\- People have bought iPhones, XBoxes, Playstations, ... and created the
respective accounts using my email address. \- Holiday bookings, flights,
accommodation bookings. \- A PayPal account that was created using my address
five years ago that I'm _still_ trying to get PayPal to resolve. \- I've been
sent death certificates, wills, lawsuits, confidential legal docs. \- Someone
bought a car. I received all the transaction details and was signed up to a
variety of free services that appear to have been bundled with the car.

One of the most frustrating things about this is that it's generally
impossible to contact the person who make the mistake directly, so resolving
it often involves jumping through lots of hoops and explanations to third
party websites or other individuals. The other huge frustration is the sheer
number of sites that don't validate email addresses. Or perhaps worse (and I'm
looking at you PayPal), send a validation email but then create the account
and assume everything's fine regardless, with no way to opt out or reject the
verification.

------
petercooper
I was a very early Gmail user due to being a Google Answers researcher so I
got an 'OG' name (which I still own but don't use as my main inbox) and it
gets lots of mind boggling stuff as covered in the article. Even a Facebook
account (which I could log into) and tickets for major shows (which I could
cancel/change seat at, if I had wanted to).. Since I don't use the account
myself other than for YouTube anymore, I just let it fly by and look at it in
amazement every now and then.

------
yabai_yatsu
I know a guy who owns a domain in my country equivalent to user.com or
test.com or something like that. He frequently knows what new tech companies
are about to launch because devs doing local testing sometimes put the email
as blahblah@user.com and he gets all the onboarding emails.

He received one while we were working on a project together and opened it up
to show me. I thought it's kinda hilarious that some dev is just chucking that
in their sign up page but he actually gets a real email because of it.

~~~
JoBrad
I get a surprising amount of personal email from several people who mistype
their own email quite consistently. Everything from mortgage info to job
offers and updates from teachers. And I don’t have a special mailbox name or
domain. Can’t imagine how much someone with a domain like that might actually
get.

------
pmlnr
I'd break them all. Let them burn.

Seriously, people need to learn how to deal with the internet, and I'm utterly
tired of the let's dumb it down movement - it doesn't work.

------
snarfy
> let’s just say the account name has something to do with computer hacking.

My guess is it's bob@gmail.com

------
pugworthy
Sort of like having a 1 digit Steam ID I suppose. I used to get kicked off
servers because it must be fake, and get offers to buy it. Never been taken
over though.

------
prepend
I don’t have an “OG” account but a common first, last and middle initial and I
get about 1-2 new signups for stuff every week.

It’s amazing how many services will not confirm email addresses and just send
sensitive info (and make it hard to unsub).

Many years ago I had a CEO who made us keep one of those “retype your password
to confirm” that I thought was stupid, but we did it. I think of how right he
was every time some Uber driver signs up with my email.

------
sp332
A friend of mine made [https://guide.mlz.me/](https://guide.mlz.me/) "The
Complete Idiot's Guide to Correctly Validating Customer's Email Addresses". He
doesn't send it to everyone who typos an email address, but for businesses -
especially ones that send him financial data unsolicited - the level of snark
is appropriate.

~~~
ninkendo
This guide advocates for some pretty silly best practices.

It’s very hung up on making sure the user types the right email address on
account registration, having them type it twice, making them provide some sort
of security question ( _before their account is created_ , mind you!), making
sure the question is answered correctly by the person clicking the link, etc
etc.

None of that is necessary. Your signup form can literally be a single email
field. You validate that it looks enough like an email, and send a unique link
to it to continue signup. _Then_ you ask whoever clicked that link questions
like “please create a password”, “select a username”, whatever personal
information you require.

What happens if they type the wrong email? Well, you send a signup link to the
wrong person. Big whoop. Worst case, someone else will get a link to create
_an_ account on your system. (Not to create the original person’s account!
Because you didn’t ask for anything but an email yet! They would be creating
_an_ account, with their own email, even.)

The email validation link only tells you that the person who followed the link
owns the email address that was typed. Just don’t do anything permanent (like
actually creating an account) until the link is followed, and you don’t need
to worry about whether the email was correct.

Now, this still has issues where people can type all sorts of emails into the
signup form without friction to make your service spam them with signup links,
but I’d argue that the advice in the article has the same problem, just with a
trivial amount of additional steps (like having to type the email twice and
set up some security question.)

~~~
g4rret
> It’s very hung up on making sure the user types the right email address on
> account registration, having them type it twice, making them provide some
> sort of security question (before their account is created, mind you!),
> making sure the question is answered correctly by the person clicking the
> link, etc etc.

No, it's saying you can do this, this, _or_ this. It's giving you options, not
telling you to do everything on it.

~~~
ninkendo
> Me: "I will NEVER..."

> You: "I will NEVER..."

>

> Me: "...send the user a simple clickable link in an email and assume that
> the clicking of the link establishes validity."

> You: "...send the user a simple clickable link in an email and assume that
> the clicking of the link establishes validity."

It doesn’t seem like it’s giving an option here at all.

I certainly want to send the user a simple clickable link in an email and
assume that the clicking of the link establishes validity. It’s how I know
they actually own the email address they typed! (And that they are capable of
receiving email I send them.)

I just wouldn’t use that validity to assume anything other than: “The person
who clicked this link is allowed to create an account with the email address I
sent the link to”. In other words, it must happen _prior_ to account creation,
not after. But the section of the guide is entitled “validating email
addresses during new account creation”, so it’s pretty obvious that is this
before the new account is created.

------
ziml77
I have [firstlast]@gmail.com. I definitely don't get the amount of crap that I
would if I had only one of those names alone, but I still wish I had picked
something else.

Definitely not worth telling people that they messed up because chances are
they don't care, won't know what to do, or will get angry. The only time I'll
correct someone is if the email was entered incorrectly by a sender.

------
JonathonW
I have firstname@{major email service that isn't google} and, even though my
name's a relatively uncommon variant spelling, the account is still pretty
much completely unusable because of all the misdirected email and spam it
receives-- I can't use the account even as a throwaway "sign up for crap"
email address, much less for personal correspondence, because any mail
directed at _me_ would be buried in all the other junk it receives.

Just signed into it for the first time in a while, and it looks like it's
gotten some better than it was-- now it's mostly mailing list stuff and actual
spam (of the "your paypal account is locked" variety); seems that most
legitimate services are doing better about email verification these days. At
one point a few years back, someone had managed to actually create working
Apple ID, Facebook, and Paypal accounts against it without access to the email
(was still receiving "verify your email"-type messages at the same time as
transactional emails indicating real activity).

~~~
AnonHP
If my guess that you’re referring to Yahoo Mail is correct, I’ve seen the same
problem but with spam. With all the hacks and data leaks that happened over
the years, one of my mailboxes there receives a lot (like a whole lot) of
spam. Yahoo’s spam filters have also seemed terrible for not detecting spam
and not learning from mail market as spam by me. I have similar anecdotes from
a few other people I know.

On this topic, I do get some mails intended for others, including bank
statements with passwords that are trivial to crack, account signups for
social media platforms, delivery services, etc. I’ve also seen that there’s no
way to rectify this in many cases — the entity sending the email (or the
appropriate group within the company) isn’t available to contact and resolve
the situation. In other cases they just don’t care even after they receive the
emails about the information leaks form their systems.

------
userbinator
I have one of these, and sometimes I wonder if the stuff I get is really from
someone who registered somewhere with my account, or just some highly
elaborate phish/spammers' "live account detection" (register for a service
using the target's email, then watch for signs of that service being touched,
such as the target attempting to unregister itself from the service.)

------
stennie
When I joined Yahoo! Australia & NZ in 1997 I had the OG account
<firstname>@yahoo.com.au. We later launched Yahoo! Australia & NZ Mail and
moved the company accounts to a yahoo-inc subdomain, so the natural thing to
do was redirect our former yahoo.com.au email addresses to the equivalent corp
inbox. The OG address was on my business cards, and it was nice having some
continuity. Briefly.

I never realised how many friends I had on the internet, and at first I gently
replied to a few that I wasn't the `<firstname>` they were looking for. This
was a more utopian era where email spam was in a more infant stage, and most
of these friends were real people trying to connect rather than bots and
scammers. However, there were a lot of new users joining Y!Mail and apparently
quite a few were looking for me.

Some of my new friends were pretty insistent (and oversharing), so it didn't
take long for me to abandon the OG forwarding address and associated
nostalgia. So many friends, so little time for real conversation.

------
arexxbifs
As a former owner of an apparently popular gmail address: can confirm.

The really sad thing about it is that it exposes major flaws about the way we
think about users and techonology.

* Lots of highly profitable and seemingly reputable sites give zero fucks about unsubscribe requests, don't require email verification and have no reasonable way of getting in touch with support staff.

* Considering the amount of errors stemming from failure to understand the concept of unique email addresses, lots of people who shouldn't use the net still insist on doing so. No clever app design or UX patterns can withstand the failure to grasp the most common uniquely identifying online token we have.

* A lot of the people mentioned above probably insist on using the net because they don't have a choice: Everything comes with an app or a web site and requires online registration just to harvest whatever is the desired user data du jour. Depending on where you live, even using official government services might require going online.

------
stevesearer
Similarly, on Office Snapshots, we regularly receive contact form messages
from people who search stuff like ‘NFL headquarters’.

A lot of them are people releasing some political steam and we can usually
tell if a company has been in the news based on the type of messages that come
in.

I still don’t really understand how people make the mistake given the nature
of our site, but it is what it is.

------
donalhunt
I've had lots of similar experiences...

Favourite ones are:

Getting a copy of a AirBNB booking that just happened to be 5mins down the
road from me. I resisted the urge to check-in as the person with the same name
(emailed their friends on the booking to alert them).

I was also included in a neighbourhood spat somewhere in the states at one
point. It took considerable effort to get across I was not their neighbour
(they thought I was ignoring the issue). Eventually the person's wife engaged
and it's been quiet since.

My wife has a fairly uncommon irish name but gets accounts created on
platforms all the time by someone with the same name. Doesn't beat showing up
to work and finding your boss has the same name. My wife was not happy when
she decided to go on a sabatical. Payroll added the salary sacrifice to my
wife's payroll account (they never checked employee IDs because surely two
people in the same organisation wouldn't have the same name!!). :0

------
MrGilbert
I can relate to that. I own a <two-letter>@outlook.de mail address - It has
been signed up for Piola, Snapchat, Instagram, UMG Gaming and Dropbox. I also
received some german correspondence, which should have gone somewhere else,
but ended up in my account.

On another note - I've got several <firstname>.<lastname>@<providername>.tld
mail addresses, and also a <firstname><lastname> domain. They get mixed up
quite often:

There is someone with almost the same name as mine, except that my last letter
is "t", and his is "g". Because these keys are so close to each other on a
keyboard, I receive a lot of stuff which was meant for him. I always forward
it.

Then there is someone with the exact same name in my country, who has
<firstname>-<lastname>@<provider>.de, whereas I have
<firstname>.<lastname>@<provider>.de

Needless to say I got to know a lot about him in the last 10 years.

------
Fradow
While my personal OG account has been very tame so far compared to other
stories here (6 letters gmail account from beta period), I got a far more
interesting one from my company domain.

Since people are routinely misspell my coworkers email, I decided early on I
would be the catch-all of the company domain.

Excluding the droves of email from various services from former coworker,
there has been a very interesting one: someone that never worked for the
company decided to use [firstname].[lastname]@company. That guy was in my
country military, serving on a military boat. For some time (before I found
how to block any email addressed to that particular email at the domain
level), I received what seemed to be very sensitive military information.

I can't be too sure, as I did exactly what was outlined at the end of the
emails: destroy them as soon as I received them, since I was not the intended
recipient. Luckily, nothing ever came out of it.

------
numlock86
You don't even need an 'OG' email account. I remember a while ago I was making
a weird claim to someone: "Hey, bet I can get access to a random online dating
account within 5 minutes?" Well, sure enough it wasn't the first time. The
process is simple: Go to any dating platform, register with a throwaway email,
check the email body and switch over to your favorite search engine. Now
search for throwaway email providers (domains, names etc.) with web UIs (that
require no login but only require knowing the address) in conjunction with
keywords and phrases from the email body. Yes, some search engines actually
index these. Once found, copy the inbox' email address and do the "forgot
password" process and you are almost done obviously ... Surprisingly enough,
this also works for PayPal and the like and not just for dating platforms.

------
snissn
there used to be a "hack" where you'd look up profiles on AIM (Aol instant
messanger) by email address and just type things like asdfhl@hotmail.com and
if it were to come up with results, sometimes multiple, you'd check to see if
you could register that address at hotmail and then take over the account.

------
plorg
I have an old Hotmail address that I signed up for while taking high school
Spanish. It consists of the Spanish equivalent of my first and middle names
and my HS graduation year. I haven't used it as my main email in years, but it
still is connected to my Gmail. For a long time I was getting account messages
for iTunes and Xbox Live. Eventually that petered out.

I'd forgotten about this until last week I started receiving messages from a
cluster of contacts as if I were the member of an online continuing education
course. None of the addresses had the domain of an educational institution,
but the content mostly tracked. I managed to communicate to the group that
they had the wrong after, but it took a few repetitions, because they were not
all members of the same thread.

------
Cro_on
Apart from the joys of having an OG email address of my first and last name,
which is neither a very common or uncommon name, I have also created handles,
for the sake of privacy, using slight variations of my name. It has always
been easy, with a slight creative twist, to be able to create quite short and
plain english versions without all the extra numbers and letters.

I also had in the early days of facebook the username 'qetuo' which was very
convenient. Though has since been picked up years later by some chancer, after
my having deleted my initial account. Though I did introduce the idea to some
friends, who then created usernames such as 'tyghv' or 'rtfgv' which are sort
of OG qwerty convenient usernames.

------
ummwhat
I don't know where else to tell this story, but I got the most amazing piece
of spam the other day. According to the sender, an unnamed person had told
them to contact me. They allege that over the past 50 years the CIA has been
investigating life itself and the sender wanted me to see some bombshell
revelation that world governments and large corporations had known about for
the last 17 years. I was given a shortened link where I could find out the
truth and learn how I play a role in fighting the nebulous yet nefarious
powers. In the final part of the call to action I was informed that I better
hurry up because unnamed powerful people are going to censor this information
from the internet soon.

~~~
wyxuan
Garden variety, I’ve seen worse

------
irrational
I have at least three people that have used my address for things as random as
harbor freight and Redbox. Every month or so I’ll get an email receipt and it
is always interesting to see what these other people are buying at harbor
freight or renting from redbox. My wife has another woman who apparently
doesn’t know her email address because she gets notifications about this
woman’s spa appointments (it’s interesting how often this other woman gets
Botox and lip injections), ballet lesson invoices for her two daughters, etc.

The crazy thing is that we don’t really have any way to contact these people.
None of the invoices include identifying information other than what state the
businesses are located in.

~~~
larrywright
I get Harbor Freight as well. I’ve been getting someone’s AT&T bill for years.
No amount of trying to convince AT&T to fix this has been successful. I agree
that it’s maddening that there’s often no way to tell these companies that
they have the wrong person.

For a while, any time I got signed up for something where they provided a cell
phone, I’d use my Google Talk number to text the cell phone and inform them. I
don’t really bother any more, as generally people are just confused and it
ends up being a lot of back and forth.

A sampling of the other emails I’ve received over the years:

\- Nude photos from a woman who, when I informed her that I wasn’t the person
she meant to send them to, got quite offended that I didn’t want her pictures.
After a little back and forth she realized her mistake (and I deleted the
email and the pictures).

\- Pictures and video of a baby, along with emails criticizing me for not
wanting to see my baby, and not supporting her.

\- There’s a man in Texas and a man in Florida who have both used my email
address to sign up for what could only charitably be described as dating
sites. These sites all seem to use the same base software, and have no way to
remove your account. With these I’ve taken to resetting the password and
deleting the account. Sometimes I’ll have a little fun and change the bio to
something like “I hope you like STDs, because that’s all I’m bringing to the
table”.

\- Receipts for web purchases. Mostly these are boring, clothes, home goods
and the like. However one person used my email address when purchasing several
hundred dollars in sex toys. The email included his name (same as mine) and
his address, along with a detailed accounting of his purchase. I was tempted
to print that and mail it to the address with a nice note advising him to use
his own email address next time.

\- Job search emails. Sometimes it’s scheduling interviews, sometimes it’s
notification of a start date and some paperwork. I’ve also gotten an email
with the results of a background check that wasn’t favorable.

\- The absolute craziest one was an email exchange that lasted over a year.
This man in California would send texts from his phone to a bunch of different
email addresses complaining to his wife, who had left him (and was included on
the emails). He would rant about her new boyfriend, complain that she had
stolen money from him and wouldn’t visit with his kid. It was a bit sad but I
tried repeatedly to convince him that I wasn’t the person he thought I was,
even going so far as to send him a selfie and asking him if I looked anything
like the person he thought he was emailing (his response: yes, but you’ve
gained a few pounds! Jackass.). I never did convince him, and he refused to
stop sending emails. He told me I should just block him. I suspect he was
having some mental health issues and perhaps wasn’t all there. The emails
finally stopped. I kind of wonder if he passed away or ended up in a facility
without access to his phone.

------
lllr_finger
My emails/handles are almost always just first initial, last name but that's
short enough (6 chars) these days to get weird things as well - most notable
was a few months of communications from JSOC
([https://en.wikipedia.org/wiki/Joint_Special_Operations_Comma...](https://en.wikipedia.org/wiki/Joint_Special_Operations_Command)).

Thankfully nothing seemed super secretive, but I got a lot of PowerPoint
presentations and other things that I definitely should not have been seeing.

Not to mention the countless password reset requests, 1₽ added to accounts
from kiosks, etc.

------
stormdennis
I get emails occasionally for I think 3 people in America all of whom have the
same name as me. One is always to do with tires (tyres) he's bought, another
is for a guy who buys a lot of expensive consumer goods in Costco and the
third is for a guy who's involved in a charity. I don't get any for the latter
for any more but I do for the first two, despite emailing all three repeatedly
about it. The last email I got about the charity was a disrespectful one about
a wealthy couple who they were expecting to receive a large donation from. He
took action after he realized that one had escaped into the wild.

------
TonyTrapp
My GMail account (that I don't really use for anything apart for having a
Google account) apparently shares its name with a Brazilian game store chain.
I have received a number of complaints (in Portuguese) that were apparently
about games not running properly. Someone also tried to send some money to it
via PayPal, and it was clearly not directed at me. Luckily a quick call to
PayPal resolved this issue.

Edit: Apparently some guy found it funny to sign up using that GMail address
on a Brazilian dating website. And no, the address itself isn't a Portuguese
term or anything.

~~~
TonyTrapp
Another anecdote: I have another email address (first_last@isp) and my last
name is one of those that are very common but exist with several different
spellings. One day I got a message from a freshly-wed lady, and she intended
to send the mail to her husband. From the mail it seemed like she took his
last name when they married, which made it even funnier that she mistyped it
in the email address she sent the mail to. :)

------
dredmorbius
See Gus Andrews, "Anatomy of an Accidental Honeypot" frome HOPE 2020:

[https://scheduler.hope.net/hope2020/talk/79JKLA/](https://scheduler.hope.net/hope2020/talk/79JKLA/)

Video:

[https://archive.org/details/hopeconf2020/20200726_1800_Anato...](https://archive.org/details/hopeconf2020/20200726_1800_Anatomy_of_an_Accidental_Honeypot.mp4)
(you may have to go through the video selector at Archive.org)

On the joys of owning gandrews <at> gmail <dot> com.

------
dehrmann
I have an uncommon last name OG email address. One time, I got someone's
rental car reservation. A few months later, I got something from the agency
about the car being in a crash. A few months after that, I got an email from a
collection agency.

Luckily, I didn't have any issues. I just wrong a short, blunt email saying
this is the wrong email address, I have no relationship with this company, and
they realized the mistake and left me alone. That said, this was a European
rental car company (and a European collector, I assume). The American ones
might have been more aggressive.

~~~
stormdennis
There are plenty of scummy European car rental agencies trying to fleece the
customer at every turn

------
robinduckett
Barnes and Noble don't do email confirmation, I know this because of all the
Bible receipts I have, bought with my email account on the sale by a geriatric
in Utah with my name. I don't really mind, but Barnes and Noble wouldn't
cancel the account. I had to put my foot down when I had an email from some
other service that sent one of his passwords plaintext. I emailed the company
in question and changed some setting in the account to "this person does not
use this email address" but I still routinely get Barnes and Noble emails :/

------
tenryuu
I also have a short common word for my email address. I don't often get
signups for it, but there's always one service with the same name that I get
registration emails for.

On one occasion though, a user from Tumblr had set their account name to my
email. I think I forgot about it for a year, until the system emailed me about
account inactivity. Upon talking to their support team about the issue, they
told me just to reset the password and deactivate the account. Feels weird
closing an account that I don't own and the owner has no access to.

------
mywacaday
I got my gmail account in Sept 2004 and manged to get my my relatively common
name in my country firstname.lastname@gmail.com I have been asked to review
CVs for Doctors, received invoices for companies, received somebodies power
bill on a regular basis even after advising the company its not me and quiet a
few emails f some guy touring Australia who spent the whole time giving people
the wrong email address. I had a nice conversation with a friend of his
explaining that I wasn't really him pulling a prank.

------
gwbas1c
I have (my legal name)@gmail.com and I occasionally get mail for people with
the same name.

Usually I just send a polite response or flag it as spam; but the time I got a
Covid-19 test order I called the doctor.

~~~
arsome
Yikes, that seems like it could slip into a patient privacy violation of some
sort pretty easily. What did the doctor say?

~~~
kstrauser
Not really. If the patient asked the doctor to be contacted at that address,
the doctor’s not on the hook for obeying their wishes.

~~~
gwbas1c
It came from the doctor's phone. I suspect there was a miscommunication
somewhere.

I've only done "polite" replies if there's clear innocence. One was to a
teenager trying to guess email addresses for people involved in a college
program they wanted to attend. Another was a Canadian regional employment
authority trying to collect back wages from a deadbeat employer.

But someone uses my email address at a repair shop, salon, ect? Ignore.
Someone puts my email address into a group discussion? Spam.

I also own my own domain. (legal name)@gmail.com sat idle for years until I
found that it's easier to say "(legal name)@gmail.com" instead of
??????@(legal name).com Then I switched.

------
LordKano
I have an OG account that's my first_name.last_name and I keep getting all
kinds of other people's stuff.

Apparently, one of them is a doctor with a caribbean bank account. I was
getting monthly balance updates for years.

I get confirmations of automobile service appointments and a bunch of other
things.

Once, I even got an email from someone saying "This is MY name."

Occasionally, I get alerts on my phone that someone tried a password recovery.
I gleefully decline and go about my day.

My name is neither common nor uncommon but I'm glad I got here first.

------
kzrdude
I usually just vigorously unsubscribe. In the rare case it hasn't been
possible, I've deleted the account that someone created with my email. To stop
the messages coming in.

------
letier
I have one like this. It’s horrible. I constantly get invitations to some
other people’s kids birthday parties. Invitations to random peoples weddings.
Drafts for real estate sale contracts. Even Microsoft’s HR sent me onboarding
details by accident. I also get some official looking emails by some US
administrative institutions. The list could be continued...

The worst thing is that people continue to accidentally sending these mails
for me, even if i ask them to stop.

------
tomatocracy
I have firstname.lastname@gmail.com. My name is not very common but not
totally uncommon and I've had very similar experiences to the article and
others here.

The most surprising thing I had was someone who signed up to an Amazon account
using the address (my own amazon account has always used a different email
address). Whoever did that literally gave a complete stranger access to their
credit card. (I contacted Amazon and got them to remove my email from the
account).

------
kofejnik
From early invite days, I have a super OG gmail account (so OG that it is
often mistaken for a system account), and I get a lot of random resumes,
driver licences mostly from people all over Asia, job applications, some
people decide to use it for Uber, gaming, and of course a few individuals used
it to sign up for their banking services.

I did exploit this exactly once, someone signed me up for Spotify (free tier)
which wasn't available in my area then.

~~~
quickthrower2
How does someone else sign you up if they need to click the confirmation link?

~~~
boring_twenties
GP wanted the service, so they would probably confirm it themselves.

------
ChrisMarshallNY
My wife and I have OG mac.com accounts (registered a few minutes after Steve
announced it). She got her first name. I had to settle for a slightly modified
one, as I'll bet that "chris@mac.com" is probably Chris Espinosa.

We get _lots_ of interesting stuff. Ironically, most of it is because Apple
routes icloud.com and me.com to mac.com, and there's no way (short of a mail
rule) to reject that.

------
kenneth
I have a 3 letter Twitter username (@kob) and the amount of spam I get is
rather ridiculous. I've thought about changing it a few times but not yet.

~~~
ValentineC
Twitter seems to have gotten better at filtering out messages from accounts
one doesn't follow.

I used to get an insane amount of mistweets around the start of every year.

------
dleslie
I've resorted to setting a vacation response that tells everyobe who emails my
Google account that it is mine and that it is not used for email; and I
consider the account a backhole for email, and only use it for google
services.

It still seems to get daily private communications, including private
information between lawyers and their partners and cients, and doctors and
clients. It's kind of amazing.

------
metalliqaz
I also got into Gmail in the beta, and my account is a plain first-initial-
last-name address that is used by many other people with the same last name as
me. Either they don't know their own email address or they are just intending
to use it as a spam dump, I get an incredible amount of mail for other people.
Including financial records and invitations to all sorts of things.

------
madprops
Tip: Don't use generic names like johnsmith@whatever. It might be your name
but a lot of John Smiths are going to use that account on a variety of
services they use, for some reason. If you do that prepare to receive a bunch
of registration and password reset emails. I even got linked with some guy in
another country who did a very expensive Uber ride, which was kindof scary.

~~~
lern_too_spel
If someone signs up for Uber with your Gmail address, you can log into their
account without changing their password using Google login. This is a very old
Uber vulnerability that I know at least a few people have taken advantage of.

------
robaato
I set up a domain for family and created an email for my aunt
<auntie>@<family>.<domain>

She was in a retirement community and in her 80s was Chair of the Computer
Club and used to do orientation for new people. She quickly realised that she
needed a yahoo account as when she showed them her one they all asked - "how
do I get one of those!"

------
rbritton
I've had my own share of this. Among the emails I've received, there have been
some from within the New Zealand Parliament, a fire department in Oregon, an
OB/GYN on the east coast of the US, car loans, home loans, concert tickets,
plane tickets, and other less consequential things.

------
pluggles
A few years back reply all had a podcast episode about some hacking groups
that focus on taking over and selling of accounts:
[https://gimletmedia.com/shows/reply-
all/v4he6k](https://gimletmedia.com/shows/reply-all/v4he6k)

------
tmearnest
My email is a domain hack spelling my name using a three letter ccTLD. You’d
think telling people my email address is just my name with the a circled and a
dot between the e and s, but you’d be wrong. Way wrong. It’s a cool address at
least...

------
palad1n
Weird, I _think_ I have an OG account (on Gmail), but I generally don't get
too much spam.

~~~
Jaruzel
I have my username @ gmail which is kinda OG as it has no numbers etc., and I
got in early via an invite to secure it. I get fair amount of spam on it, but
as I don't use it as my main email, I'm not that bothered.

------
ubermonkey
Wild.

I have never understood the cache or appeal of having a particular address at
Gmail or Yahoo or Outlook or whatever. By the time Gmail happened, I was
already many years into using my own domain for email. Why would I want an
address at an advertising company?

Still, amusing tales.

------
sacks2k
I used to have an OG hotmail account. I created it when hotmail was a really
small operation.

I used to receive 1000s of email per day for the wrong person, including chat
requests from MSN messenger.

I eventually traded for 10 invites in a forum when gmail.com was invite only.

Best trade ever.

------
rekoros
I own a <major city in Russia>@gmail.com account - I don't get that much
random mail there - maybe one per month or so - but what I do get is amazing.
All sorts of PDFs with plans, proposals, bids, and requests to reconsider.

------
marban
I own my firstname @icloud/me.com — Stopped using it after getting up to a
thousand more or less legit emails, incl. bank receipts, phone bills, etc. a
day. The fact that Apple sucks with spam filtering doesn't come handy either.

~~~
probably_wrong
While I don't have an opinion on the quality of Apple's spam filtering, your
case seems particularly interesting (and hard!) because it is _not_ spam - it
is send by legitimate people with legitimate intentions.

I mean, sure, it is spam to _you_ , but I doubt you could train a decent spam
filter for this situation. Maybe a whitelist, but that's about it.

~~~
marban
I was speaking of two separate cases — Spam + legit mails; but no matter
which, the sheer amount of mails make it unusable.

------
westondeboer
I changed the password once for someones bank account because I didn't want to
keep getting their bank info every month.

That is the only time I have done that.

Add I Get a forgotten password once a week for some random account that isn't
mine.

------
wiradikusuma
Not only username, domain names also. I have many @ShortEnglishWord.id and
from time to time I receive emails related to the domain. salad.id -> people
want to buy salad, @sweets.id, @blazer, bonsai, etc you get the idea.

------
aqme28
My dad was an early adopter of the internet so in the early 90s the whole
family had firstname@aol.com addresses.

They ended up being completely overtaken by spam, but I wish I still had
"alex@aol.com" if just for the novelty.

------
colechristensen
I have more or less followed the lives of several other people with my same
name through years of misaddressed email. Most of the time I simply ignore it,
occasionally I will respond, it is not much of a burden.

------
luxurytent
Heh. My Facebook username is one of the most common male names in Poland with
no additional characters.

Until I blocked them, I was receiving password resets about 7 times a day,
every day.

But I like to sit on it, just in case :)

------
terr-dav
What if you simply changed all your accounts to use a + variant (e.g.
johnsmith+official@gmail.com) and filter out everything sent to you without a
+ in the address?

~~~
irrational
I’ve learned that there are a lot of places that auto remove the +official (or
whatever you have after the + sign). I assume there is a common email library
out there that auto strips this information.

~~~
tempestn
Perhaps adding dots then? They shouldn't normally be stripped, but are also
ignored by gmail. john.smith would obviously still get a ton of spam, but
something like j.ohn.smith might not. (If we were literally talking about the
name John Smith I expect it still would, but for other names that should
work...)

------
sealthedeal
I wonder if the people at Hey thought about this, and what the experience is
like for their users that are getting destroyed by spam like this, or will be
like.

------
fullstop
I have first initial + surname @ gmail, and I get invoices for someone who has
a similar name but with "rn" instead of "m".

------
ffggvv
my account on twitter is simply my sirname. however, i unfortunately share it
w/ some random politician in another country. i get at least one notification
a day from someone trying to tag them and harass/troll them. the most annoying
thing is when they are replying directly to a tweet from the politicians
account but still manage to tag me instead of them.

------
sbisson
It's not even OG; just initialsurname@bigmailprovider is enough to get your
account filled with people's personal information.

------
napolux
Happens every day to me with a name.surname email.

------
techslave
i owned root@pobox.com for many years before they realized they shouldn’t have
allowed that to be registered. that was fun.

------
markkat
I won a bid on a lawnmower in the UK with my OG gmail.

I get a bit of that stuff.

Occasionally, I also get a bit of skepticism when people ask for my email.

------
C1sc0cat
Back when I worked on OSI email for the uk's main ADMD I could have had an
address at the top level

C=UK CN="NAME"

My Boss had the set up BTW

------
quantified
Curious: does anyone still have one of those numbered Compuserve addresses? If
so, does this happen to you too?

------
liveoneggs
I get zelle sent to me pretty often at my email for similar reasons. Don't use
zelle.

------
dcanelhas
I have an "OG" ICQ account, some bloke in russia offered to buy it.

------
rendall
I have such an account. I get lots of misdirected business emails.

------
silentprog
I wonder if the owner of example@example.com experience the same.

~~~
tempestn
No one owns example.com; it's reserved as an example domain.

------
MauranKilom
Surprised that the Reverse Identity Theft xkcd has not been linked yet:

[https://xkcd.com/1279/](https://xkcd.com/1279/)

