Ask HN: Just received spam to an address only used at Amazon?
121 points by OJFord on Sept 30, 2022 | hide | past | favorite | 75 comments
Like many of us I have an email address for Amazon (.co.uk) which I don't use anywhere else.

A few minutes ago, I received a pretty nonsense spam mail to that address.

I contacted Amazon support who said 'we're investigating' in a way that made me think I might not be alone... and advised I forward it on to stop-spoofing@amazon.com.

Just curious if anyone else has recently had similar?

(To head it off: no it shouldn't be third-party sellers - they don't get your email, any disputes etc. are through a unique-id@marketplace.amazon.co.uk address in my experience.)




Not sure if it's the case elsewhere as well, but at least in India, email addresses on Amazon orders are accessible to sellers if you made a purchase from a seller. I have had sellers reach out to me right after buying something from Amazon, offering an incentive for a review.

Further, customer support agents can pull up your details as well, at least when there is an active ticket. I was reached out to by one of the support executives, confronting me from his personal mobile number, after I left poor feedback for a chat interaction.

Amazon has little or no respect for data privacy especially in regions where there are no strict regulations that can cause them monetary loss through fines.

Since you mention it's in the UK, I am surprised this is the case.


> To head it off: no it shouldn't be third-party sellers - they don't get your email, any disputes etc. are through a unique-id@marketplace.amazon.co.uk address in my experience.

I have received 2 emails from an Amazon seller's personal email to my personal email asking me to remove a review about a cartridge of printer ink. The review was written by my father but using my account.

They did also email me 3 times through Amazon's email forwarding. But the 4th and 5th time was directly to my personal email which the Amazon account is registered under. They offered me a full refund and a $20 gift card.

He signed his review with his first name, and in the email they address him by that name. Yet my personal email is MY name plus some numbers.

I never responded to their messages or anything that would give them access to my real email. The only acknowledgement of their emails I gave them was changing it to 1-star and adding in that they are offering to pay people for 5 star reviews.

P.S. don't buy any printer ink from JARBO. Aside from the email spam, the cartridges run dry after a couple dozen pages.

Here is the first direct email

> Dear Customer, This is Lexi from Jarbo. I apologize for my delay contact. In order to match your order ID, I have searched it within thousands of orders.

> We received your review that the toner cartridges are not working properly and have caused you so much trouble. I understand your feelings, and hope that you can give me a chance to rectify this.

> Therefore, we'd love to compensate $20 to make up your loss. Will that be okay?

> Because I am only an after-sales service staff, in order to better apply for a refund to the finance department, Could you remove the review first? I will get the refund back to you within 72 hours.

> Here is the link to your review for your convenience:

> [ link to review they want removed ]

edit: I'm in the USA, amazon.com domain


I saw an article on HN a while ago about services that sell Amazon user e-mails - basically Amazon employees leaking data, such as here: https://techcrunch.com/2020/01/10/amazon-employees-email-add...


Yep, same here - still getting spam from them offering to pay me off to remove my reviews. Complaints to Amazon "CS" did jack-sh-t - it is frustrating.


In my experience (europe) delivery companies get access to my unique email address that I also only use to buy things on amazon. They use this email address to send me information about deliveries directly to my inbox.


Are you sure those emails are directly from those companies? I only get messages sent through Amazon forwarding addresses, which exist precisely for the purpose to not disclose your own email address to third parties.


I get an influx of phishing SMS every time I have a parcel arrive through those systems.

All the info is being skimmed and sold at some point. It often mentions the parcel company it arrives through which confirms this to me.


Seconded—perhaps a third-party seller or shipper who's been compromised.


Amazon specifically does not want third party sellers contacting customers through side channels other than Amazon itself, and thus does not typically give out emails directly.

Third-party sellers are typically given an address like <gibberish-hash>@marketplace.amazon.com to which they can reply, and correspondence is then forwarded by Amazon to the actual customer's email.


If they actually cared I'm sure there would be a way to report these kinds of issues. I got physical mail about submitting a review for a product that I bought from Amazon (sold by company X, shipped by Amazon) in exchange for an Amazon gift card. The mail did contain the name of the product. I tried to report it and:

* there was no obvious way to do it. Closest thing was by reporting issue on product.

* there was no way to show the customer service agent a picture of the mail. Chat did not support sending pictures & they were unable to open imgur link.

* the agent recommended I report it by leaving a review on the seller page. I did that and the next day the review was deleted.


Right. So why does anyone do business with such a crap company?

(I must admit I created them approx 100 USD/EUR turnover last year and 20 USD/EUR this year. Sometimes all alternatives are so much worse.)


I have similar, but, in my case, it's because I have an account with the delivery company, and they associate the email with my address, so I get emails, whenever a package is to be delivered at my address, regardless of its origin.


That doesn't seem relevant to the subject of whether or not delivery companies get your address from Amazon, nor to the main topic of an Amazon-only email getting leaked?

But yes, some couriers do let you tie an email address to a physical address to get notifications.


I wouldn't say it's "not relevant." The symptoms are similar, but the cause may well be different.


Not similar, but related: once I made the mistake of paying with "Pay with Amazon" on a website. I foolishly thought that Amazon would hide most of my details; instead, they immediately shared my email with this website, without even asking me to confirm it. Since I use a proper email with my Amazon account, I was mad.


If it's obviously-named, it might be brute forced. I have an alias (amazon@ and aws@) on my domain that I never used to sign up for Amazon and was never used at all, but it receives spam on a daily basis (and AWS phishing emails - it was never once used at either service).


Sounds like such emails should be mnemonic-salt@domain just to rule out such brute-forcing.


Or possibly even salt_hmac(mnemonic)@domain, to both make the address un-brute-forceable and also cover businesses going "why are we emailing business@yourdomain" and potentially getting huffy (apparently this happens?!).

Only potential issue is that if it's a real HMAC like HMAC-MD5[:16] the nonsense address might give spam middleboxen very bad indigestion.

Or maybe the crazy service addresses used in cloud infrastructure have actually inoculated everything to a reasonable extent and this might work?
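An added example (not from any commenter in this thread) of the salt_hmac(mnemonic)@domain scheme proposed above: deriving the tagged address to hand to one service, and checking inbound recipients on a catch-all domain so that tagless (dictionary-style) and mutated or recombined localparts stand out from genuine leaks. The secret, domain and sample recipients are constructed; SHA-256 is used in place of MD5.

```python
import hashlib
import hmac
import re

# Assumptions (not from the thread): a per-mailbox secret and a domain,
# both constructed for this example.
SECRET = b"constructed-example-secret-change-me"
DOMAIN = "example.net"
TAG_LEN = 16  # hex chars kept from the MAC, as in the HMAC-MD5[:16] idea above

# The clear mnemonic stays first so the sender is readable at a glance;
# the tag after the hyphen is what makes the localpart unguessable.
_ADDR_RE = re.compile(r"^([a-z0-9.]+)-([0-9a-f]{%d})@(.+)$" % TAG_LEN)


def _tag(mnemonic: str, secret: bytes) -> str:
    # SHA-256 instead of MD5; truncating the hex digest keeps the address short.
    return hmac.new(secret, mnemonic.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def service_address(mnemonic: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Derive the address given to one service: 'amazon.co.uk' -> 'amazon.co.uk-<tag>@example.net'."""
    mnemonic = mnemonic.lower()
    if not re.fullmatch(r"[a-z0-9.]+", mnemonic):
        raise ValueError("mnemonic may only contain letters, digits and dots")
    return f"{mnemonic}-{_tag(mnemonic, secret)}@{domain}"


def classify_recipient(address: str, secret: bytes = SECRET, domain: str = DOMAIN):
    """Check an inbound RCPT TO address arriving at a catch-all domain.

    Returns (verdict, mnemonic) where verdict is one of:
      'ok'       tag verifies: mail really went to the address given to <mnemonic>
      'forged'   mnemonic present but tag wrong: a leaked address that was mutated,
                 or a localpart recombined with this domain by a spammer
      'untagged' no tag at all (amazon@, webmaster@ ...): dictionary/brute-force style
      'foreign'  not addressed to this domain at all
    """
    m = _ADDR_RE.match(address.strip().lower())
    if m is None:
        dom = address.rsplit("@", 1)[-1].lower()
        return ("untagged", None) if dom == domain else ("foreign", None)
    mnemonic, tag, dom = m.groups()
    if dom != domain:
        return "foreign", None
    # constant-time comparison of the presented tag against the recomputed one
    if hmac.compare_digest(tag, _tag(mnemonic, secret)):
        return "ok", mnemonic
    return "forged", mnemonic


if __name__ == "__main__":
    # Constructed sample of envelope recipients seen by a catch-all mailbox.
    seen = [
        service_address("amazon.co.uk"),
        "amazon.co.uk-0000000000000000@example.net",
        "amazon@example.net",
        "aws-iam-root-user@example.net",
    ]
    for rcpt in seen:
        print(f"{classify_recipient(rcpt)[0]:9} {rcpt}")
```

Only the mnemonic is still in the clear, so a "contains banned word" check on the localpart would still trigger; the tag only removes guessability.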


> cover businesses going "why are we emailing business@yourdomain" and potentially getting huffy (apparently this happens?!)

It very much happens. I had a business owner lecture me that they owned their domain and I shouldn't be able to use any part of their domain name in my email address.


Thanks, that mixed my thoughts of inferiority for the day.


Whoops, that was supposed to read *fixed.


"Acktchually, sir, unless you own the NFT of the domain, you don't actually own the domain! Also, that's not how resource naming works; RTFRFC, n00b."


> and potentially getting huffy (apparently this happens?!).

It does...

I've had signups blocked using business@domain.tld (some Samsung service is one I recall), and in one case I had legit sales queries completely ignored until I used an alternate email.


Samsung will return "contains banned word" if your email includes "samsung".


Okay now they're samsucks@


Ha. The more obscure the better, I guess. But you'd want some tooling to make it reasonable to handle.

I have a catchall and it's interesting what type of rubbish appears.

I have gotten phishing that pretends to be an AWS support case ticket reply about how my instances in us-east-whatever are about to be terminated due to a host node going out of commission sent to aws-iam-root-user@domain - a domain that has never used or touched AWS and a left hand side mailbox that has never been used once. If it's anything obvious it's probably made it onto some type of dictionary list.


I do this. I use the same protocol as https://blame.email/ (so that I can use their site). The nice thing about having the name in the clear is that it is easy to map it back to the sender at a glance, rather than having to look up old messages.


I've also had this recently, I had an address which was `amazon.co.uk@mydomain` and I've recently started getting spam to this address where I wasn't before.


It could make sense to obfuscate the localpart a bit more, e.g. add some prefix or suffix. Some spammers combine localparts of one address with the domain of another address, and there are probably quite a number of people using amazon.co.uk@theirdomain; it’s sufficient that one of them leaked their contact list/address book.


What a crazy idea. I have .com too :)


What does your email server reply with to `RCPT TO:`? Always 250 OK, or does it leak existing inboxes to brute force scrapers?


It's actually a catch-all, I tag things that aren't a known alias, but that's on my end.


I think this is the answer.


What do you mean it's the answer? I meant that the server can't be listing mailboxes that exist in response, because it's not set up like that.

(It could theoretically capture the historically seen addresses, store those, and list those back out I suppose... I'm pretty sure there's no reason for that to be the case though. It's SES if you want to check.)


Can someone explain, please?


If you used this email to register for a third-party warranty or a rebate, or clicked on a link sent by a third party, an Amazon merchant can get your email that way.


Email addresses can be brute forced as others have mentioned, so it's not a guarantee that Amazon leaked your email.

I also think that the kind of hoops tech-savvy folks go through to protect their main email account from spam are more time and effort than dealing with spam in the first place.

I'm personally not going to register for things with a thousand different + addresses just to try and find out what company leaked my email. Even if I manage that with a password manager it just seems like an extra chore.

Spammers got my email address? I don't really care. The spam is going to the spam box.

Am I opening myself up to a larger attack vector? I guess so, maybe. There are more important things in life than locking down my online life like it's Fort Knox.

Like, think about it, OP. You got a piece of spam mail and you contacted Amazon, and then made a post on HN about it. Is this really worth your time and headspace? I get hundreds of pieces of spam email a month and I don't notice or care.

I don't really think email addresses were designed to be private pieces of information in the first place. Enabling two-factor authentication is the effective protection against account seizure.


This kind of stuff is so low effort that even Apple is doing it for people. You might need to jump through some hoops to not be locked into Apple, but once you use a password manager, this is mostly transparent. The largest hurdle I have to deal with is puzzled looks whenever I have to give my details to customer service or people in person.

Which, by the way, for me is about more than just dealing with spam. It's more about dealing with a breach of trust. If my info got leaked or sold by a company, I might want to review what kind of business I would like to have with them. I mean, I even got spam on an email I gave to a company I was contracting with. After some research, it seems like it was for a company owned by a high exec's son. Keep in mind that this was post-GDPR and the company did business in Europe.


Ah yes… the classic “do you work for Dell?”. No, because I’d have a Dell email address, wouldn’t I? Not one that starts with dell@.


> no it shouldn't be third-party sellers

It definitely is. In 2021 a seller directly emailed me and a bunch of other customers all listed in the "To" field of the email (!) after I returned & got a refund for their product. It definitely caught me off-guard, but it clearly shows me that they get access to your email in some cases.


This has been going on for years; Wired covered it a while back…

https://www.wired.com/story/amazon-failed-to-protect-your-da...


> Like many of us I have an email address for Amazon (.co.uk) which I don't use anywhere else.

Out of the loop, what's the purpose of having a separate email address for Amazon?


The purpose is exactly this, to know that it must have been leaked via Amazon. And you can change to a different email address for Amazon (and redirect the previous one to your spam folder) without having to change your email addresses on any other accounts.


Do you have a separate email address for every service you create an account for?

Do you use email aliasing to achieve that? (e.g. your.address+amazon@gmail.com)


I have my own domain and operate my own email server with rule-based localparts filtering (basically regex-based whitelists and blacklists, plus automatic sorting into different mail folders based on localparts). I use a different localpart for each online shop and each service/social account/mailing list I’m registered with.

There are email providers that let you use your own domain (i.e. you don’t need to operate your own email server) with any number of localparts, i.e. a catch-all (without needing to use “+”), and which usually also allow you to set up filtering rules, and let you auto-forward to a different email address (e.g. GMail) if you like. You can then use whatever@yourdomain at your whim, without having to first register the localparts you use.


I've done this for years but... recently killed most of it.

Remembering when I've put a custom email (amazon@mydomain) vs a plus (me+amazon@mydomain), not to mention remembering both that I've used something fancy and how exactly I customized it, has just caused a bunch of headaches. I have warranty purchases across multiple email addresses for sites, and figuring out what to type into the "forgot my password" box is a pain...

I even have a Steam login that I can't for the life of me recall how to get into. I only know the username, but I don't know how to request the reset email associated with it. None of my guesses have worked. So ... I just made another Steam account.

... and ironically the email address I give to close friends is the one that's all over haveibeenpwned.com.

/facepalm


My password manager usually remembers which address I use on which site, and otherwise I can quickly look it up in my email archive. For the most important accounts (ISP etc.) I write the credentials down separately. I always used consistent patterns for mapping domain/service names to localparts, so normally I can also guess right on the first try.


The issue I have is not remembering them, as the password manager does that. The issue is more when companies rely on your email address being the same for different parts of the service or they take my PayPal email address and use that as my email address.

One of the most annoying is when contacting customer support by email and they reject andy@, and now I have to find a way to send an email to them from ocado@ or whatever email address I chose.


The PayPal problem can generally be prevented by registering an account first, i.e. don’t use guest checkout.

I use an email client that lets me specify an arbitrary From address, and also that automatically derives the From address either from the recipient of the message or from the To of the message being replied to, so it generally fills in the correct From address by default.


> Do you have a separate email address for every service you create an account for

Yes, I run my own email server.


Why not add AmazonSpam+your@email.com?


I don't do it for every vendor but I have a separate email address that I use just for Amazon.

The primary reason is because Amazon has a huge security hole by way of chat and call center reps.

There used to be a way to hack into someone's Amazon account that went like this:

1. Call Amazon and say I'm 300 bps and my email is 300bps@gmail.com

2. Tell the rep you want to add a credit card on your account and give them the credit card

3. Do a forgot my password. One of the MFA questions was "What are the last 4 digits of any credit card on your account?"

So to hedge against this particular exploit and any unknown ones that come up caused by Amazon's giant target and their accommodative customer service, I just use a unique email address on their site.


I have a domain registered with Gandi, which does free email forwarding (free for up to something like 1000 aliases). I create a new one for every signup and forward them to my "real" email address.


You can also create a single "catch all" alias and be done with it :) (create an alias *@yourdomain)


I prefer to create them individually. If one starts getting spam, I'll delete that specific alias.


I use a different email address for every web shop I do business with, for the obvious anti-spam purposes. Amazon is just one of them.


I have done the same for years but I don’t think I actually had much benefit in the end. I don’t ever remember getting spam sent to dodgy-company@mydomain and then needing to block it, in all the 20 ish years I’ve done this.


The reason Gmail gets so much spam relative to our individual domains is apparent if the mailer the spammer uses forgets to BCC everyone and you get a list of usernames in the CC: field.

They just iterate over every dictionary word and bolt on numbers and extra letters, or you'll see stuff like genewitci@gmail.com, henewitch@gmail.com, etc. I haven't paid attention to Gmail in a couple of years since I now use my own domain and Fastmail (for $5 a year, even), so I have no idea if the mailing lists are more refined now or not.

Nearly everyone on earth knows about the dot separators and the +whatever that Gmail allows, and will just trim that before they sell your email address, nullifying the usefulness. Having someuniqueID@example.com is much nicer. You cut down on spam a lot; however, it does open you up to a lot of spam to admin@ and webmaster@.


Similar post about Comcast yesterday:

https://news.ycombinator.com/item?id=33020571


I searched years' worth of Amazon messages, and DHL and a local freight shipper have my real Amazon address.

Have you ever ordered anything heavy, or international?


This happened to me once about 3 (?) years ago.

I do not send emails directly to vendors. Email from them comes through the amazon intermediary system. I would reply to necessary vendor communications using the web interface.

The spam email I got was for a seller asking for me to review some product.

I contacted amazon but got no satisfaction. I had to change the email address I used for (only) amazon.

I figure someone inside amazon was bought out.


Are you sure that email is always delivered over TLS?

If it is not, then are you sure that you trust every ISP between Amazon and your mail server?


How easily guessed is it? Does it follow a similar format to your personal email address?


I think you also have to consider the entire chain of custody for the address: Do you have any browser plugins that might have grabbed it? Have you used a VPN while accessing Amazon? Have you accessed it with a Mac or Windows computer?


Contact the Information Commissioner's Office for them to investigate. Regulatory authorities are the only viable defense we have against conglomerates such as Amazon.


Could a third-party merchant access the email when fulfilling your order?

It's also possible that a browser extension accessed it.


Is it pretty short / guessable? Maybe spammers are brute-force guessing email addresses.


You might guess it if you had one of my others, but I find that avenue fairly unlikely, simply because this is the only address affected - that hasn't happened before. (Though I realise as guesses go, Amazon would be right up there.)

I've had other spam to aliases that aren't anything I use, and it didn't follow a format similar to that. (For some reason I get a lot to archos@ for example, even though I'm pretty sure through bug tracker, AUR, etc. I have public Arch-related addresses that I do actually use! I'm not sure why that came about.)


I haven't and don't believe this is systemic. You may have been brute forced?


Email goes through relays which are not secure. Neither you nor Amazon controls those in the middle relaying your email; a spammer could grab all email addresses in the middle if they have access.


Is that a question or a statement?


I omitted 'have you also' or 'has anyone else', yes. I typed the latter at first then edited it out to be quicker to the point.


Report it as a GDPR violation?




Or you could use the newly announced Bitwarden + Fastmail email alias integration.

It also works with 1Password. Neat stuff.

[1] https://bitwarden.com/blog/use-bitwarden-to-generate-email-a...


I’m pretty sure they do give out your email. It’s just that most go through Amazon’s system. The reason is, this is not the first time in the past 12 months I’ve heard of this happening, and last time I think it came out that marketplace sellers get all your info.



