from Hacker News

Ask HN: Someone's using my email to sign up to newsletters. What should I do?

by cupofjoakim on 3/24/22, 9:56 PM with 8 comments

I woke up this morning to a mountain of newsletters in my primary inbox that I did not sign up for. A lot of them were for "earn money by surveys"-websites, but some were job listing pages and I even got some from regular, reputable, companies like Huggies (an american diaper company). The only common denominator I've found between all these companies is that they're US based, or the US version of the brand.

I'm not quite sure what's going on and why someone would do this, but it's not a good feeling. I started contacting companies about removing my account and associated data as per GDPR law, but truth be told I'm not quite sure if that applies. It's also way too time consuming.

This is my personal main email with gmail. I'd rather not swap, but it's hard to wade through all the unrelated crap.

Has anyone been through this before? How did you solve it? What steps should I take to protect myself?

  • by fhrow4484 on 3/24/22, 10:44 PM

    > I'm not quite sure what's going on and why someone would do this

    I read somewhere (here on HN?) that hackers would do this when stealing your credit card info and using it to make a purchase.

    Like, they didn't break into your email account, so their best bet for making the purchase is you not seeing the order confirmation email. So they flood you with a ton of crap newsletters. (Otherwise if they had access to your account, they'd just delete that order confirmation email)

    It's not quite clear why they would need to associate the purchase with your real account - maybe they took control of one of your accounts where your payment method is saved. But be on lookout for weird charges

  • by SLSMan on 3/24/22, 10:51 PM

    I had this happen to me a few years ago. The point of the newsletter spam was to try to hide a confirmation e-mail from online order using my account on an online store. The attacker gained access to the my account at the store using a password from an old data breach. They signed up for hundreds of newsletters in the span of a few minutes, then placed an order using the stolen credentials. The confirmation e-mail was buried in a mountain of spam, making it almost impossible to discover that the attacker had placed an order using my account. Fortunately, I hadn’t used that store in ages, so all of the billing info they had on file was out of date and the order was cancelled automatically. Try searching your email for “order” or something similar and see if anything came in during the newsletter bomb.

  • by c22 on 3/25/22, 7:58 AM

    As far as solving your immediate problem I'm pretty sure gmail will automatically ferret out unsubscribe links and offers an easy button located in the same place at the top of each email. It seems like this could be ripe for automation, either using gmail's api or locally using something like puppeteer.

    Oh look, here is a script that might work: www.github.com/labnol/unsubscribe-gmail

    Going forward I recommend ditching the one-email-address-to-rule-them-all mindset as it is a liability. For a few bucks a year you can rent a domain name then make a wildcard rule to forward every address@your.domain to an account you check. Then generate a unique address for every sender. Some people will use a hash or keep some other secret sender<->address database, but sender-name@your.domain is a simple system that has worked for me in the past.

    After you get that set up you can create some filters so you only hear from senders you've authorized. Then if an address gets compromised or abused not only can you simply blackhole and burn the address, but you immediately know what party let you down.

  • by __d on 3/24/22, 10:25 PM

    As an aside, this is why mailing list signups should always have a confirmation step.

    I've had the same public email address since 1995. I get a ton of spam in my raw emails.

    The only approach I've found helpful is to use a white/grey/blacklist system: known good are whitelisted, known bad are blacklisted, and you have to manually review the greylist emails. With the usual "this looks like spam" filter, I found I was missing a lot of real mail in the mountains of junk: the ML/algorithmic spam detection just got overwhelmed by the diversity of what I receive to the point it was much less useful.

  • by MerelyMortal on 3/25/22, 1:19 AM

    Unless it's an email asking you to click a link to confirm your subscription, report them as spam.

    Also, check your credit card accounts to see if anyone tried charging your card. (In addition to checking your email for an order confirmation.)

  • by Komodai on 3/25/22, 2:00 AM

    Maybe you pissed someone off?