3 billion - we live in an age where half the population of the earth can exist on a service, and everyone is vulnerable.
Yes, a good chunk of these are probably duplicates for business / spam / anon accounts, but this is where the world is trending. How long is it until facebook or google have a massive breach?
waayyyy back in the days, like 2002, Yahoo Pool was pretty big and people used bots to make many many accounts that played with themselves (in something like pyramid structure) to boost accounts score. They were usually used with proxies to avoid yahoo protections.
I don't remember if I did it, but I knew how to do it.
There were also 2 big auto-aimers, hell they were fun and tourneys were fun too :)
+1. I did the same. At the time I had to do this (around 2015), Yahoo was the least concerned about identifying duplicate accounts. I was testing for an actual paying job, not some side interest investigation, mind you. Some of the services I had to test were clever enough to reject fakeinbox accounts so I used Yahoo.
> I was testing for an actual paying job, not some side interest investigation
What difference would it make?
Do you mean to imply that creating test accounts is a little bit "wrong", and would be wrong for an individual to do at home, but it's OK to do it if someone else is paying you for it?
If so, I disagree on both counts: it's not wrong to create test accounts, but if it was, it would still be wrong even if someone is paying you to do it.
We've created a catch-all *@test.company.com with AWS SES & Lambda, all forwarded to a single test@company.com (a GApps group where the QA staff had access). Took a few tries to get right, but worked flawlessly from then on, saving testers' time every single day.
I know a guy who uses a service that creates a unique email account for every service he signs up for. That way, he tells me, if he ever gets any spam, he can delete the account and it doesn't affect any of his other email accounts.
This can be done easily if you own a domain and use a service that lets you specify a catch-all address. I do this with my own domain and G Suite. Then, you don't even need to do any preparation before giving out the address.
It does sound weird to the person writing it down and I've had more than one person say something like "well, if you're just going to give me a fake address, then don't bother" before I explained myself.
One other down side is that it is not as easy to reply to mail as the other, generated identity (in gsuite, you need to create a new account in the domain to write as that username and also maybe jump through a hoop or two). Replying casually can often reveal your main identity, which is often the one you are trying to strongly protect.
+1. I also use *@mydomain.com feature in G Suite, and it's very convenient to understand which companies sell/pass email databases to others w/o my permission.
In some cases, you need to reply from that "aliased" address -- in this case, I do go to the Settings, add an alias, get a confirmation code, and confirm it. Then this new "address" is available in GMail in the drop-down "From:" menu when you write a new email.
username+anything@mydomain.com is also a useful feature (as well as u.s.er.nam.e@mydomain.com – dots are all ignored in GMail; some services don't allow "+" in email address field, so you can use finite number of variants with ".").
These little tricks make GMail convenient for geeks :)
I’ve run a fair amount of email campaigns where we strip out the + if gmail is the domain to ensure it doesn’t end up in some weird filter.
Dick move, I know. Tell marketing that though.
I personally use gmail through a vanity domain and have a catch all rule, so I end up signing up with a fake email account for every domain (hn@mydomain.com) and then the catch all forwards it to my real account (me@mydomain.com).
> I’ve run a fair amount of email campaigns where we strip out the + if gmail is the domain to ensure it doesn’t end up in some weird filter.
At which point you should wind up in the "how widely can I advertise that you're a spammer and all your outbound email should all be routed straight to /dev/null for sending mail to an email address you were never given" filter.
Depends on your isp and which email provider they use. The big marketing email services generally do have the feedback loop setup with Gmail though, so yes, you are right.
> I’ve run a fair amount of email campaigns where we strip out the + if gmail is the domain to ensure it doesn’t end up in some weird filter.
Which works, until the Gmail users who bother using + addresses with filters start giving all legitimate senders + addresses and sending everything that doesn't have one and doesn't come from Google straight to deletion (possibly with a stop by “mark as spam” en route.)
The problem is not all legitimate sites/sources will actually accept '+' as a valid email character even though the RFC says it's a valid email character.
I wonder if it could be argued that this violates anti-spam regulations. Depends on how “plus” addresses get interpreted. Are they a different recipient?
It really baffles me that people are still suggesting this as advice for spam reduction. All it takes is a third of a brain and a couple seconds of thought to realize that spammers know this is a thing and can adapt.
Well, not exactly. That would only work if your address was registered as foobar@gmail.com but not if it was registered as foo@gmail.com. Essentially, periods don't matter in gmail addresses.
Adding a . in between any of the characters (or removing, if you registered the account to have .'s included) will still go to the same email address.
But you can't add .anystring to your address and still receive the message as you can with +anystring.
This always blows the mind of the average gmail user who thinks they registered first.last@gmail.com when they find out that firstlast@gmail.com also works.
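The two Gmail behaviours described in this thread (dots in the local part are ignored, a "+tag" suffix is dropped, and neither is standard for other domains) can be modelled in a few lines. The following is an added example, not code from any commenter: it canonicalizes addresses to the mailbox they actually deliver to and, from the recipient's side, flags mail that arrives at a variant of your address you never handed out (for instance because a sender stripped the "+tag"). The domain list and the sample addresses are constructed assumptions.

```python
"""Gmail-style address canonicalization and "stripped tag" detection.

Added example (not from the thread). Models the behaviours the commenters
describe: Gmail ignores dots in the local part and drops a "+tag" suffix.
Other domains are assumed NOT to do this, since plus-addressing is a
per-server option rather than a standard. Sample addresses are constructed.
"""
from dataclasses import dataclass

# Domains whose local part ignores dots and "+tag" suffixes.
# Assumption: only Gmail's own domains; extend it for your own mail setup.
SUBADDRESS_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> str:
    """Return the mailbox an address actually delivers to (lower-cased)."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in SUBADDRESS_DOMAINS:
        # everything after the first '+' is a subaddress tag: drop it
        local = local.split("+", 1)[0]
        # dots in the local part are ignored entirely
        local = local.replace(".", "")
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True if two address strings land in the same mailbox."""
    return canonicalize(a) == canonicalize(b)


@dataclass
class Verdict:
    delivered_to: str   # canonical mailbox the message reached
    handed_out: bool    # the exact recipient string is one you issued
    tag_stripped: bool  # it is your mailbox, but the tag/dots were altered


def classify_recipient(rcpt_to: str, issued: set[str]) -> Verdict:
    """Compare a message's recipient address with the addresses you issued.

    A message that reaches your mailbox via an address you never issued
    means the sender either stripped your "+tag" or obtained the address
    from somewhere other than you; both are worth a filter rule.
    """
    canon = canonicalize(rcpt_to)
    exact = rcpt_to.strip().lower() in {i.strip().lower() for i in issued}
    mine = any(canonicalize(i) == canon for i in issued)
    return Verdict(delivered_to=canon, handed_out=exact,
                   tag_stripped=mine and not exact)


if __name__ == "__main__":
    # constructed sample: two tagged addresses handed to two different sites
    issued = {"first.last+shop@gmail.com", "first.last+news@gmail.com"}
    for rcpt in ("first.last+shop@gmail.com",      # used as issued
                 "firstlast@gmail.com",            # tag and dots stripped
                 "f.i.r.s.t.last+bank@gmail.com",  # tag you never issued
                 "first.last+shop@example.com"):   # different domain
        print(f"{rcpt:32} -> {classify_recipient(rcpt, issued)}")
```

`canonicalize` is also the dedup key a site would use to recognise that `first.last+shop@gmail.com` and `firstlast@gmail.com` are one account, which is exactly why the "+tag" trick alone is weak against anyone who bothers to normalize; the `tag_stripped` flag is the receiver-side counterpart that tells you a sender did so.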
My favorite is one site I encountered that let you create and login with such an email address, but the forgot password form couldn’t handle it and would 500.
A lot of services don't allow + in email addresses. With gmail you can also insert a . anywhere you like which works more often. But sometimes, catch all addresses really help to test.
I don't think there's a standard which says that "X+Y delivers to X" - it's a configurable option in exim and you could equally well make it "XqY delivers to X" if you were wilfully perverse.
I'm not being snarky, but do you think they would tell us if they did? We have to assume they are prime targets. They might have slightly better personnel, but is that enough to outdo the nefarious and the determined? And can we discount a rogue employee?
I would go further and say 3b is an order of magnitude too large. Bots aside, if there are only 3 accounts per user, our estimate is at 1b. Now, we take into account malicious agents like bots and spammers, easily carrying a bloat factor of 3-5. The closer estimation might be 100s of millions of unique human users, and maybe half of those users actually care.
TLDR+Edit: Didn't see your other post and accidentally straw manned you. Anyway, I agree it's gonna be "a lot lot less" than 3b unique human accounts.
Well 'smaller' and 'close to 50%' will have different effects, and I'm willing to bet that the number of individuals affected will be a lot, lot less than 3bn.
Serious question: at what point do we reach the "everyone is vulnerable so no one is vulnerable"?
EDIT: Or maybe not "no one is vulnerable", but just that everyone's information is assumed compromised and our current societal infrastructure accounts for it.