A little trick to spam the spammers (2021) (misc.l3m.in)
437 points by sodimel on July 26, 2022 | hide | past | favorite | 224 comments


https://news.ycombinator.com/item?id=12951917

DonHopkins on Nov 14, 2016 | parent | context | favorite | on: The NHS's 1.2M employees are trapped in a 'reply-a...

Back in the days of ARPANET mailing lists, there used to be an "educational" mailing list called "please-remove-me", that was for people who asked an entire mailing list to remove them, instead of removing themselves, or sending email to the administrative "-request" address.

So when somebody asked an entire mailing list to remove them, somebody else would add them to the "please-remove-me" mailing list, and they would start getting hundreds of "please remove me" requests from other people, so they could discuss the topic of being removed from mailing lists with people with similar interests, without bothering people on mailing lists whose topics weren't about being removed from mailing lists.

It worked so well that it was a victim of its own success: Eventually the "please-remove-me" mailing list was so popular that it got too big and had to be shut down...

...Then there was Jordan Hubbard's infamous "rwall incident" in 1987:

http://everything2.com/title/Jordan+K.+Hubbard


In more modern times, within the last couple of months, there was the Epic/Unreal Engine GitHub email storm [0][1], at minimum 60m emails, because a few hundred thousand people were getting over a hundred emails within a minute or so thanks to a user trying to get a minor patch pulled in so they could get some credit/resume line/who knows. They @'d the whole membership of the organization. There were a few repeats of the occurrence immediately afterwards as well by some trolls.

A fun aside is that the article on Wikipedia [2] begins with Jordan Hubbard and ends with Epic:

[0] https://linustechtips.com/topic/1435395-epic-games-github-em...

[1] https://news.ycombinator.com/item?id=31627061

[2] https://en.wikipedia.org/wiki/Email_storm


The person who @'d the Epic org owns very little of the blame, in my opinion. If you have a button that causes 60m+ emails to be sent, and you leave it in a public place with no warnings and no confirmation dialogs, that's your bad choice. The person who presses the button is incidental; someone was going to.


They are not to blame for the email storm they caused. But they are still to blame for aggressively @-ing those developer groups not once but twice in a row for an insignificant PR. That's bad form, no matter if it causes an email storm or not.


It's like companies who get mad when a Jr engineer drops a production DB on his first day


I'm just amazed it took this long. I think I've been in that org for 5+ years?


Something similar happened (multiple times?) when I worked at AWS when someone decided to send a mass email to literally the entire company and people inevitably reply-all enough to clog the system and bring it to its knees. Many confused people were replying "UNSUBSCRIBE" (again, to the whole company) as if it would take them off


This happened to the entire US federal government in 2014. Someone reply-all'd a mailing from the General Fund Enterprise Business System notification asking to be taken off the list, and it escalated as then thousands of people who didn't realize they were on this list did the same thing, then got worse when smart asses reply-all'd telling other people not to reply-all.


Part of the problem is from admins creating lists and putting users on them without the user knowing anything about it. Can you blame users for being confused and seeking to get off a list in the only way they know how? IT admins bear blame in these incidents. The users just make it fun for everyone but IT, but IT hopefully sees the fun later when they aren't running around putting out the fire.


> IT admins bear blame in these incidents.

May I amend this to say "IT policies" are to blame?

Thinking back to my own days in the IT department, I would have LOVED to say "No" to the requests to make yet another distribution list for a Senior Manager or Director, full of everyone and their assistants, for the very same reason as you (plus a few other reasons), but that was just one of the many things I had a lot of power to execute but next to no power to actually influence, at least if I had any expectation of keeping my job and not getting chewed out for balking at such requests.

Memory goes back to the two worst IT admin positions I held. Both were in high-volume calling environments, both involved people constantly moving between teams, managers renaming teams, trading personnel, moving people between groups, hot desking, all of which involved the constant creation and destruction of distribution groups, ring groups, hunt groups etcetera in ADUC, hot phones, not to mention the nesting of groups within groups within groups. No amount of "showing my work" to the Director or IT management to show how nothing was getting done except beating our Exchange server into a bloody mess got any movement from anyone in leadership.

So I quit trying, and eventually just quit.


state duplication


Then you get a group of people panicked about the panic who start replying all saying please stop replying all to this email, and then people replying to them to point out how they are just making the problem worse...


Or a few people have autoreplies that they are out of the office...


Hey it's a party, everyone is invited!


right clicks thread, mouses over “create new rule”, begins sweating profusely


I LOVE reply-all email storms. Used to happen a lot more in the 90's and 00's. I was on one in an investment bank and in the end the Chief of Staff for the division replied-all with "The next person to reply-all to this email chain will be sacked."


I work at a large healthcare company and we also lost email for an afternoon because of this. The funniest thing is that you get responses like: "All, I know I'm replying to all as well, but let me be the last and let's just stop it." … Not realizing that all those similar emails have been sent in the hours before and are just now finding their way through the clogged system. It's like a DoS attack driven by human amplification.


> replying "UNSUBSCRIBE"

Once upon a time that was the accepted albeit snarky way to inform senders they were misusing the to field and that the recipient was not interested in the message

I would definitely still use it for that, albeit wouldn't use it within a reply all.


when you are oncall and people who are not oncall keep replying to the oncall email in response to the not-incident making pager duty go off like a frog in a sock ..stop it.. I say.. but not reply-all.. 'cause then you footgun again



Once I got on some internal distribution list of a client. I did not need those emails, plus they were all in Hungarian, of which I do not understand a word. I tried multiple times to contact the sender and asked them to remove me, to no avail.

The ultimate thing that helped immediately: reply-all to hundred recipients. (Also got my account blocked from sending emails for a while. Fun)


> ...Then there was Jordan Hubbard's infamous "rwall incident" in 1987

Not as large, but reminds me of a new freshman when I was a senior in college back in 1993 that got the great idea to "cd /home; mail *" on the main undergrad machine. Complaints to us admins were flooding in for days.


> discuss the topic of being removed from mailing lists with people with similar interests

lol


> Back in the days of ARPANET mailing lists, there used to be an "educational" mailing list called "please-remove-me", that was for people who asked an entire mailing list to remove them, instead of removing themselves, or sending email to the administrative "-request" address.

Pure genius.


There's been a solution for this forever.

If someone sends an email with most of the words just being "unsubscribe" or "remove me" then at the least you don't send it on. Added points for auto-replying unsubscribe instructions or even just do it.

Fairly basic for a mailing list program.
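
As an added example (not code from the original post or from any actual mailing-list software), here is the filter that comment describes, in Python: a message whose significant words are mostly "unsubscribe"/"remove me" phrases is held instead of distributed, the sender gets the -request address back, and the list can optionally just drop the subscriber. Quoted lines and anything after a signature separator are ignored so that a reply discussing the problem is not itself swallowed. The list addresses, the phrase table and the 50% threshold are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Phrases that, when they cover most of a message, mark it as an unsubscribe
# request mistakenly sent to the whole list. Assumed list; tune per list.
UNSUBSCRIBE_PHRASES = (
    "unsubscribe",
    "remove me",
    "take me off",
    "please remove",
    "from this list",
    "from the list",
    "from your list",
    "stop sending",
)


@dataclass
class Message:
    sender: str
    body: str


@dataclass
class MailingList:
    address: str            # e.g. announce@example.org (assumed)
    request_address: str    # e.g. announce-request@example.org (assumed)
    subscribers: set[str] = field(default_factory=set)
    auto_remove: bool = False  # "or even just do it"


def significant_words(body: str) -> list[str]:
    """Lowercased words of the new text only: quoted lines and the signature are skipped."""
    words: list[str] = []
    for line in body.splitlines():
        if line.strip() == "--":            # conventional signature separator "-- "
            break
        if line.lstrip().startswith(">"):   # quoted text from an earlier message
            continue
        words.extend(re.findall(r"[a-z']+", line.lower()))
    return words


def unsubscribe_ratio(body: str) -> float:
    """Fraction of significant words that belong to an unsubscribe phrase (0.0 .. 1.0)."""
    words = significant_words(body)
    if not words:
        return 0.0
    covered: set[int] = set()  # word positions covered by at least one phrase
    for phrase in UNSUBSCRIBE_PHRASES:
        tokens = phrase.split()
        n = len(tokens)
        for i in range(len(words) - n + 1):
            if words[i:i + n] == tokens:
                covered.update(range(i, i + n))
    return len(covered) / len(words)


def route(msg: Message, mlist: MailingList, threshold: float = 0.5) -> tuple[str, str | None]:
    """Decide what the list software should do with an incoming post.

    Returns ("deliver", None) to distribute the message, ("held", reply) to drop it and
    send the reply to the author, or ("removed", reply) when auto_remove is enabled.
    """
    if unsubscribe_ratio(msg.body) < threshold:
        return "deliver", None
    if mlist.auto_remove and msg.sender in mlist.subscribers:
        mlist.subscribers.discard(msg.sender)
        return "removed", f"You have been removed from {mlist.address}."
    reply = (
        f"Your message to {mlist.address} was not distributed because it looks like an "
        f"unsubscribe request. To leave the list, write to {mlist.request_address}."
    )
    return "held", reply


if __name__ == "__main__":
    ml = MailingList("announce@example.org", "announce-request@example.org", {"bob@example.net"})
    print(route(Message("bob@example.net", "Please remove me from this list.\n\nThanks,\nBob"), ml))
    print(route(Message("alice@example.net", "The new release fixes the parser bug."), ml))
```

The word-coverage approach (rather than a substring search) keeps overlapping phrases such as "please remove" and "remove me" from being double counted, so the ratio stays a genuine fraction of the message.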


this simple behavior can be applied today to unsubscribe from “noreply@” emails and it’s not done


Thanks for re-sharing!


I run marketing email databases. This is cute, but it doesn't actually do anything in most systems - either the employees all already get the marketing emails or there is a system-wide rule to suppress against the email domain.

If you actually want to (potentially) break something, try submitting some obscure characters or malformed html into some fields. Blank spaces in emails can particularly be a nuisance.

And if you want some real fun, some systems only enforce validation rules via client-side javascript. If you block them, you might be able to submit some real chaotic entries.


I think Log4shell was about the closest we got to this. It’s still crazy to me you could exploit an unknown machine by leaving a string of text somewhere and waiting for a vulnerable client to process it. I imagine many spammers are running a lot of insecure PHP and Perl scripts to support their operation. That was certainly the case back in ~2006, and I imagine most “new entrant” spammers are not using email but rather social media tactics and the like, so I doubt email spam infrastructure improved.

That said, the real guilty spammers are the companies doing it under the flag of a sales tool. RIP your email if you put it in a git commit.


Blind XSS is a thing.

not my fault you haphazardly inserted <whatever I crafted> into an HTML field in some browser at some point in the future.

DNS records, Facebook statuses, titles of apps on the Play Store, Wi-Fi SSIDs, bios on obscure forums, names of children, recipe ingredients, your TV's network nickname... anything that can hold the input of a user, that a scraper or content mechanism will eventually naively come across...

eventually it will get added to the DOM of some unknown messenger, and I will receive a ping, letting me know that someone, somewhere, somewhen, sniffed my digital fart.


> ...anything that can hold the input of a user, that a scraper or content mechanism will eventually naively come across

Good way to put it, and I'm going to share this.


Reminds me of leaving "+++" in BBS posts. This is the AT "hang-up" command and would often cause the reader's modem to disconnect from the internet.


Didn't that just put the modem into "command mode"? I thought you needed +++ATH.


You had to pause for a moment after the third +.


10 year old me hates you :P


So, for the email industry (both marketers and client developers) "Spam" is used to specify emails that are not compliant with the CAN-SPAM act - they don't have a way to unsubscribe or report abuse.

ITT people are using Spam to cover all sorts of junk email, but in my mind there is a difference between companies engaging in annoying methods to get your consent and organizations engaging in bad faith breaches of CAN-SPAM.


I’m not sure if your comment is meant to defend the practices of the companies I’m referring to - maybe you work at one of these spam houses, I won’t judge - but frankly, I don’t care what the definition of CAN-SPAM is. Clearly everyone thinks they CAN-SPAM me and I’ve never heard of anyone actually being fined under any anti-spam law except at the highest, most absurdly industrial volumes of spam.

If my email is public because it’s in a Git commit or a Gravatar or even an intentionally public “email” field in my profile, that is not consent to send me unsolicited, automated messages followed by a multi-day campaign of emails guilt-tripping me for not responding to the first one. Maybe they have an unsubscribe link at the bottom. I don’t know, because I don’t open unsolicited emails that may contain malicious zero-days targeting my device. But if they do include the unsubscribe link, it doesn’t make me think any better of them and it doesn’t absolve them of any moral wrong-doing.

If you’re a founder or employee of a company that revolves around sending automated emails to non-customers, just be aware that your target market is a group of self-anointed “hustlers” who send unsolicited email messages to people who slowly grow to rightfully despise them. If your “marketing database” is a scraped list of emails, you should delete it and shut down the company. In the future, consider using your skills to work on problems that have a positive impact on the world.


In most of my professional career (B2B), we didn't use any scraped data in our marketing system. We relied strictly on opt-in forms or in-person event data (some gray areas existed here).

However, you've unwittingly touched on one of the philosophical divisions that exist in most organizations between Marketing and Sales: Sales departments in general have a much more "liberal" idea of who is email-able. The idea being, "what's the rule against me just emailing someone about something"?

Well, you give a mouse a cookie and before you know it Sales has an entire email automation system to themselves. So if you look at an expensive sales tool like Outreach or Salesloft and ask, "what's the difference between this and a normal email automation tool" the answer is a lot of money and a lot of looking the other way.

So to give you a window into the politics of a GTM organization, most companies keep kind of a curtain of plausible deniability between their "inbound"/optin-based marketing and their outbound sales systems.


This is something legislation could fix. Harvesting emails for spamming from GitHub commits is not much different from taking parked cars for a joyride: they might be in the open, but not for you.


It is unsurprising that marketers choose to define spam as "anything the law allows me to do." That is not the definition of spam:

>S: (n) spam, junk e-mail (unwanted e-mail (usually of a commercial nature sent out in bulk))

http://wordnetweb.princeton.edu/perl/webwn?s=spam&sub=Search...


I assume the CAN-SPAM Act is a law in whatever country you're in. But as a member of the "email industry" in a different country, no, that's not how we define spam.


There's not a big difference between skirting the rules of CAN-SPAM with annoying junk emails and email list sales to whoever will pay and violating it outright. There's a pretty clear line between useful work and scummy opportunism which is crossed constantly by "legitimate" email marketing.


List purchases are a whole thing in the industry. It's actually a big line to cross. But it's far from a universal behavior that organizations deal in.

So I will say I have witnessed some amount of "grey market" lists (Tech Target, Experts Exchange, etc). But in my professional opinion, all these seem to do is generate garbage leads and unsubscribes.


It’s not an unsubscribe if I didn’t subscribe in the first place.


I would also recommend naming yourself Viagra, Cialis or CBD.


This is actually kind of clever, but only if you give us a real email address.

We will often take your name and insert them into emails (for some dumb reasons around personalization supposedly increasing opens). But an email being stuffed full of spam words is a good way to get it flagged by anti-spam software and potentially hurt our sender reputation score.

You would probably have to do it en masse and use real inboxes. A couple other names you could use would be "free", "lovers", "singles", or any sort of mid word character substitution.


Keep a short list of your enemies' email addresses and use those as the destination for these likely-to-be-flagged signups to hedge your bet.


This reminds me of when I briefly worked at a major luxury fashion retailer.

We were not allowed to send emails with “pussy bow” blouses as they were getting caught by corporate spam filters


Whoever named those blouses wasn't an English speaker right? Right?


There is some year, between 1980 and 1992 perhaps, where people stopped saying "pussy" and meaning "cat". Until then, both meanings and their double entendres were used (cf. Octopussy).

One of my favorites was in Leather Goddesses of Phobos. Something like:

LGOP: ... there is a painting of a cat.

> LOOK PAINTING

LGOP: It's a very nice painting of a pussy, but is it art?


In the Bond saga (books and movies) and well before Octopussy, there was the airplane pilot in Goldfinger (the movie):

https://en.wikipedia.org/wiki/Pussy_Galore


I never thought about naming me with potential spam words :o


Please, call me Singles. Hot Young Patriot Singles In Your Area is my father.


"Viagra Cialis, CBD" does sort of sound like a name with some odd post-nominal...


I want to have my name legally changed to Spam Likely


How do you sleep at night?


Most of my job is gathering data to explain to managers and executives how ineffective our email programs are and that we need to stop emailing customers so much.


Not all email marketing is bad - most of it isn't, really. 90% of stuff you likely subscribed to at some point for whatever reason (Free gift, discount, purchase, interested in their content, whatever) - and most things have an unsubscribe so it's a simple matter to remove yourself.

Most of the other 10% goes to spam anyway and I never see it. Apart from the obvious spam that I never see anyway, I very rarely get emails that I didn't intend to receive.


I hope they slept well.


On a bed of money and shitty rationalisations, if they're like the other people ruining the world.


A trick I like is to fill every form with "null".


The extent that this bugs us though is pretty minimal. Any publicly facing form is going to have to handle massive amounts of garbage data as it is (if not just from people, from bots as well) so records that cleanly identify themselves as garbage save us a ton of time.


It's amazing how Lil' Bobby Drop Tables is still causing havoc


What they should do is put in a non existing email eg: foobar323992382@gmail.com . These are great since email senders get hit hard with bounces which kill your send rates.


You really had to go and put my email address out there didn’t you? At least pick a nonexistent one….sheesh


>some systems only enforce validation rules via client-side javascript

Terrible! It's as good as no validation. Client-side validation should simply save the convenience of a wasted HTTPS request.

Surely better to send known honeypot email addresses if looking to poison an email list.


The extended version, where he signs up his list of other spammers for each other's newsletters, should get around that problem.


If it's a public email address we actually care about, it's likely flooded with OOFs or noise anyway.

There's a product we use called SiftRock that automatically sorts through noisy inboxes and detects real human responses so we know which ones a service person actually needs to respond to.


The zero-width char seems to be a good candidate, thanks !


Unicode Character “⠀” (U+2800)


I usually use the char from https://codepen.io/chriscoyier/pen/iLKwm :D


you guys are all monsters lol


Zero-width space is " " (U+200B). U+2800 is an ideograph space and I guess it's not filled.
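
Added example, not code from any commenter here: a server-side email normaliser in Python, contrasted with the loose pattern a front-end typically accepts (the "only enforce validation via client-side javascript" case from earlier in the thread). It rejects the inputs this subthread plays with (interior blanks, zero-width characters, U+2800, pasted HTML, the literal "null") and folds full-width and compatibility characters so that look-alike addresses do not slip past a domain suppression list. The set of invisible code points and the length limits are my choices, not from the original.

```python
from __future__ import annotations

import re
import unicodedata

# Code points that render as "nothing" in a form field but survive a naive
# check and later break address parsing or trip spam filters. Assumed set.
INVISIBLE = {
    "\u200b", "\u200c", "\u200d",  # zero-width space / non-joiner / joiner
    "\u2060", "\ufeff",            # word joiner, byte-order mark
    "\u2800",                      # braille pattern blank (looks like a space)
    "\u00a0", "\u3000",            # no-break space, ideographic space
}

# RFC 5322 atext plus '.', checked further below for dot placement.
LOCAL_RE = re.compile(r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}")
# One DNS label: letters/digits, optional hyphens inside, at most 63 chars.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def naive_is_email(value: str) -> bool:
    """The kind of check a front-end often ships: 'something @ something . something'."""
    return re.fullmatch(r".+@.+\..+", value) is not None


def normalise_email(value: str) -> str | None:
    """Server-side normalisation; returns the canonical address or None to reject."""
    # NFKC folds full-width and compatibility forms (e.g. fullwidth letters, NBSP -> space).
    value = unicodedata.normalize("NFKC", value).strip()
    for ch in value:
        # Reject anything invisible, any control/format char (category C*) and
        # any separator (category Z*) left inside the address after strip().
        if ch in INVISIBLE or unicodedata.category(ch)[0] in "CZ":
            return None
    if value.count("@") != 1 or len(value) > 254:
        return None
    local, domain = value.split("@")
    domain = domain.lower()  # the local part is case-sensitive per spec, the domain is not
    if not LOCAL_RE.fullmatch(local) or local.startswith(".") or local.endswith(".") or ".." in local:
        return None
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL_RE.fullmatch(label) for label in labels):
        return None
    return f"{local}@{domain}"


if __name__ == "__main__":
    for sample in ["bob@example.com", "bob@exam\u200bple.com", "bob\u2800@example.com",
                   "<script>@x.y", "null", "bob@\uff45\uff58\uff41\uff4d\uff50\uff4c\uff45.com"]:
        print(repr(sample), naive_is_email(sample), normalise_email(sample))
```

Do the normalisation before the suppression-list lookup, not after: a domain written in full-width letters or with a zero-width character inside will otherwise compare unequal to the blocked domain while still being deliverable, or at least still counting as a "real" record in the database.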


Would it work if I create a mail alias on my domain that forwards to the CEOs mail? Assuming I only do that for one address per company and they're not all hosting with the same provider, it could take a while until my box ends up on a blacklist.


I used to get spam from a Chinese exporter who conveniently included their actual address in the emails. One day I happened to be visiting their city and went to their office and asked them to unsubscribe me in person. The lady was very confused and first thought I wanted to buy something. I showed her the spam on my phone and she agreed but didn't bother actually removing me. Just seemed to think I was a bit stupid for travelling so far (I was also a foreigner) to complain about a spam. It was interesting to see what those companies look like in real life though - an office filled with piles of widgets and cartons of deliveries everywhere. These Chinese exporter spammers do tend to be legitimate businesses and they can actually provide good cheap access to manufacturers but they harvest emails from everywhere if there's any hint you might work in a related industry.


There's no better motivator than having an upset customer in your presence. I have camped outside the office of someone until a situation was resolved.


Agreed. Great motivator. A slightly different twist is if you have kids: rambunctious kids are even better. We had an issue with a home renovation project that was not completed (we had stupidly paid the final invoice on time; lesson learned: always hold back 10% until you're 100% satisfied).

My wife got pissed at their lack of response. She took our two boys to their office, sat down, and instructed them to feel free to touch and play with everything (tile, wood samples, etc.) Salesperson notices and approaches “can I help you?” She explained the situation and the salesperson said no problem we will send someone next week.

Unsatisfied with this answer- we had already experienced many weeks of “soon” - she said ok no problem, we will just sit here until someone shows up at our house to finish the job.

Sure enough a worker showed up later that day and installed the three punch list items we had identified. Worked like a charm!


Hahaha! My dad did mostly the same thing with his home builder, except he went to their exhibition stand at some local event. He just stood calmly there, talking with every potential customer coming in to share his story with the company, in front of the boss, who was in the stand. They tried to get security to take him out, but since he had paid to enter, was calm and stayed nice, they did nothing.

Eventually, he got what he wanted to get: some 30k€ of construction work that wasn't estimated up front and that they tried to make him pay for once his back was to the wall. And as a plus, the company's boss took over the management of the project directly.


Details please


It's really not that interesting of a story. The business manager for the apartment complex I was at was not being prompt on responding. So for 2 days, I sat in the lobby so every time he stepped out of his office, there I was just waiting. I also got to have a little chat with anyone and everyone about why I was there. This included new prospective residents coming to visit the complex as well as existing residents.


Most of the issues get resolved like this if they are not used to such things constantly by many people, in which case you may need an organised crowd of people with similar issue gathering for one thing. Perhaps that is called a protest.


Atlassian Statuspage used to set tracking cookies on their customer status pages. Of course me as a single customer asking to remove the tracking cookies had minimal if any effect. So I crawled a list of Atlassian Statuspage customers, contacted them asking to also open support tickets. And indeed it worked, the tracking cookies got removed :-)

My writeup about this "project": https://blog.healthchecks.io/2020/09/about-tracking-cookies-...


Do tell


I do a similar thing with web crawlers that do not respect the robots.txt

https://github.com/cl-test-grid/cl-test-grid/blob/873b2fa978...

I don't know if this snippet is really effective; it can be improved a little, especially since I noticed a couple of new crawlers that ignore `User-agent: * Disallow: /path` in robots.txt, and do not fix that even after being reported.
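
The linked snippet is cut off here, so what follows is an added example of the general technique rather than the commenter's code: parse robots.txt into per-agent Disallow prefixes, match access-log lines against them, and list the client/user-agent pairs that fetched a disallowed path. A path that is never linked anywhere and only appears in robots.txt makes a good trap, since a client can only find it by reading the file it claims to honour. The robots.txt, the log lines, the addresses and the user-agent strings are constructed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed robots.txt for the example; real sites will differ.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Disallow: /trap/
Crawl-delay: 5

User-agent: GoodBot
Disallow:
"""

# Constructed access-log lines (combined log format), not real traffic.
ACCESS_LOG = """\
203.0.113.5 - - [26/Jul/2022:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "EvilCrawler/1.0"
203.0.113.5 - - [26/Jul/2022:10:00:02 +0000] "GET /trap/do-not-follow HTTP/1.1" 200 12 "-" "EvilCrawler/1.0"
198.51.100.7 - - [26/Jul/2022:10:00:03 +0000] "GET /private/report.pdf HTTP/1.1" 200 9000 "-" "GoodBot/2.1"
192.0.2.9 - - [26/Jul/2022:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Jul/2022:10:00:05 +0000] "GET /trap/do-not-follow HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_robots(text: str) -> dict[str, list[str]]:
    """Map lowercased user-agent token -> Disallow prefixes (an empty Disallow adds nothing)."""
    rules: dict[str, list[str]] = {}
    group: list[str] = []   # agents named by the User-agent lines of the current group
    in_rules = False        # once a rule line is seen, the next User-agent starts a new group
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "user-agent":
            if in_rules:
                group, in_rules = [], False
            agent = val.lower()
            group.append(agent)
            rules.setdefault(agent, [])
        elif key in ("disallow", "allow", "crawl-delay"):
            in_rules = True
            if key == "disallow" and val:
                for agent in group:
                    rules[agent].append(val)
    return rules


def rules_for(rules: dict[str, list[str]], user_agent: str) -> list[str]:
    """Pick the most specific group whose token appears in the UA string, else the '*' group."""
    ua = user_agent.lower()
    best = None
    for agent in rules:
        if agent != "*" and agent in ua and (best is None or len(agent) > len(best)):
            best = agent
    return rules.get(best if best is not None else "*", [])


def is_disallowed(rules: dict[str, list[str]], user_agent: str, path: str) -> bool:
    path = urlsplit(path).path or "/"   # ignore the query string when matching prefixes
    return any(path.startswith(prefix) for prefix in rules_for(rules, user_agent))


def find_violators(robots_text: str, log_text: str) -> dict[tuple[str, str], set[str]]:
    """(ip, user-agent) -> set of disallowed paths that client actually fetched."""
    rules = parse_robots(robots_text)
    hits: dict[tuple[str, str], set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_disallowed(rules, m["ua"], m["path"]):
            hits[(m["ip"], m["ua"])].add(m["path"])
    return dict(hits)


def ban_list(violators: dict[tuple[str, str], set[str]]) -> list[str]:
    """Sorted client addresses to feed into a firewall or web-server deny list."""
    return sorted({ip for ip, _ in violators})


if __name__ == "__main__":
    found = find_violators(ROBOTS_TXT, ACCESS_LOG)
    for (ip, ua), paths in found.items():
        print(ip, ua, sorted(paths))
    print("ban:", ban_list(found))
```

Matching on the user-agent string alone is not enough, which is why the output is keyed by address as well: a crawler that spoofs a browser UA (the `Mozilla/5.0` client above) is caught only because it requested the trap path.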


I'll look into implementing this, nice tip :)

archive.org is the worst offender for me; not only do they ignore robots.txt, there is absolutely no way to get something removed once they archived it (despite the data including accidentally leaked PII for example - which can cause actual harm to someone).


I want archive.org to ignore robots.txt and make it as difficult as possible to remove pages from it; it would be a broken archive tool if this were not the case.


Sometimes there's a legitimate need to remove archived content. Back in the early days of running an ISP, I had some users hide links to copyrighted content with "map name" in a hosted image. Eventually the search engines began indexing these links and my net traffic exploded. I was not happy.


I hope you never accidentally publish private information anywhere on the web.


Interesting, I've heard of the exact opposite issue with archive.org. That they take down archived pages at the request of the domain owner, even if registration lapsed and was picked up by somebody else since the snapshot was taken.


Are you mixing up archive.org (the Internet Archive, a nonprofit company headquartered in San Francisco) with archive.is/archive.ph/archive.today, which ignores robots.txt, and is a for-profit company with unknown owners and an unknown location?


No, I'm talking about archive.org, specifically their "wayback machine".


I had to have content removed from the wayback machine and it was pretty simple and painless all said. Perhaps it's gotten better over time?


Just send them a DMCA request, that's their takedown mechanism. Is it a good one? No, but that's how they do it. You see it posted about all over in their forums.

ex: https://archive.org/post/1022869/site-removal-request


They ignored all emails sent to info@archive.org from the actual domain in question which I owned, with a link to a URL on the domain asking them to remove it. Don't know what the DMCA process is, I presume it involves lawyers and such.


which is the point of archive.org - if there were human discretion it would turn into modern day Twitter


I wonder if you could abuse gzip compression on responses to send a zip bomb back to them.


I did just that for a while with a spare server I had. I set it up to literally only respond to bad bots. I know the crawlers don't care but it amused me at least. I tried to also keep redirecting slowly before it could time out. There was one bot that seemed to create a new instance each redirect so I could keep it in a loop for essentially ever. Just about every other bot only followed a few redirects before giving up. Fun times.


You can, but most bots do timeout. If you get a lot of bad bots that are vulnerable, then you'll probably waste a lot of resources on those connections.


Yes, you can. There are also ways to protect the crawler server from crashing.


That's pretty neat! I should set up something similar for my domains that keep being spammed.


This guy has a different idea of what spam is than I do.

If you examine a website looking for "sign-me-up" buttons, and click them, and submit a subscription form, then you've solicited their newsletter.

Whether you define spam as "Unsolicited Commercial Email" or "Unsolicited Bulk Email", it ain't spam if you asked for it.


I guess the prevalence of dark patterns in today's websites has blurred the lines here so completely that even the "technically solicited" are grouped in with unsolicited mail if the means by which they were solicited are sufficiently manipulative, annoying, deceiving or briberous.


"Briberous"? As in, "You can't have this service unless we can add your email address to our newsletter"?

There is no dark pattern that will persuade me that typing in my email address isn't going to result in commercial email. If doing that is a condition for receiving service, then I have to decide how much I want the service. If I go ahead and sign up, I certainly can't complain that the resulting newsletter is spam.

Online shops often require an email address when I order. They send it an order confirmation/invoice or whatever. Is that manipulation or briberousness?

This phrase "technically solicited": I suppose if some company gets my email so they can send me an invoice, and then proceeds to send me newsletters daily, with no means to unsubscribe, well, I solicited the order-confirmation, not the newsletters. That's not technically solicited; it's unsolicited (and it's a shop I won't be using again).


If that's ok with you, that's cool, but I think many will differ.

I live in Europe where we have a few minor rights and such so I guess I just have higher standards for online interactions ¯\_(ツ)_/¯


I want to see their pdfs, but I don't want to have to sign up for their newsletter in order to get it.

If I find something interesting I will contact the owner of the website or share what I find (using https://links.l3m.in/ :P), but I don't want to receive an email per day/week.


The design of this blog is delightfully readable: no popups, no banners, no FOUC as I wait for a beautiful webfont to load.


Except for the "beautiful webfont" bit, that was my experience too: no popups/banners/ads while waiting patiently for it to finally load the "Connection timed out" page.


If you're speaking about l3m.in I removed unused chars from the font I load (using the super tool on fontsquirrel website) in order to make it lighter. I save the banner images in webp format too (with a liiiittle bit of gaussian blur in order to reduce the size even more) :P

The real problem here is my internet connection; my top upload speed seems to be something like 100-200 KB/s, which isn't very much when there are a lot of people loading various parts of my self-hosted websites :(


The link is to a txt file! Anyway the archive link someone else posted seems to work fine (I still can't load the original link).


Oh, ok. On this folder (https://misc.l3m.in/txt/) there is a link to my main website (won't post the link here in order to reduce the load) and I thought you were talking about it :P

Keep refreshing like anyone (I guess), my server is at 1.5% of load average, you should be able to access this txt file, if my slow connection is allowing you to reach my server :/


That is because it is plain text, so it does not have those problems. My opinion is that plain text is a good idea.


I always use plain text for HN-related content (it preserves my connection if the link becomes viral (didn't work yesterday)), but for my "official" blog (in french) I only use html/css + my open source php backend (no js, no fancy framework...).


No navigation. Not RESTful.


I saw this comment yesterday and it bugged me that text/plain doesn’t support links. But maybe we could provide links in headers if we popularized the following HTTP standard [1] [2]?

  HTTP/1.1 200 OK
  Link: <https://l3m.in/>; rel="home"
  Link: <https://misc.l3m.in/txt/>; rel="up"
  Link: <https://misc.l3m.in/txt/js_ratio.txt>; rel="prev"
[1]: https://datatracker.ietf.org/doc/html/rfc8288#section-3.5

[2]: https://www.iana.org/assignments/link-relations/link-relatio...
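
As an added example (not from the comment above and not code from l3m.in), a builder and a parser for that Link header in Python following RFC 8288. The two details a parser has to get right are that commas inside the `<URI-Reference>` or inside a quoted parameter value must not split link-values, and that a single `rel` parameter may carry several space-separated relation types. The URLs are the ones quoted in the comment; the other example values are made up.

```python
from __future__ import annotations

import re


def build_link_header(links: list[tuple[str, str]]) -> str:
    """Serialise (target, rel) pairs as one Link header field value."""
    return ", ".join(f'<{target}>; rel="{rel}"' for target, rel in links)


def _split_top_level(value: str, sep: str) -> list[str]:
    """Split on sep, but not inside <...> or inside a quoted-string (with \\ escapes)."""
    parts, buf = [], []
    depth, quoted, escaped = 0, False, False
    for ch in value:
        if escaped:                      # character after a backslash inside quotes
            buf.append(ch)
            escaped = False
            continue
        if quoted and ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "<":
            depth += 1
        elif not quoted and ch == ">":
            depth -= 1
        if ch == sep and not quoted and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def parse_link_header(value: str) -> list[dict[str, str]]:
    """Parse a Link field value into [{'target': ..., 'rel': ..., <other params>}, ...]."""
    links = []
    for link_value in _split_top_level(value, ","):
        segments = _split_top_level(link_value, ";")
        target = segments[0].strip()
        if not (target.startswith("<") and target.endswith(">")):
            raise ValueError(f"malformed link-value: {link_value!r}")
        link = {"target": target[1:-1]}
        for segment in segments[1:]:
            name, _, param = segment.strip().partition("=")
            param = param.strip()
            if len(param) >= 2 and param[0] == param[-1] == '"':
                param = re.sub(r"\\(.)", r"\1", param[1:-1])   # unescape quoted-pair
            link[name.strip().lower()] = param
        links.append(link)
    return links


def rel_map(links: list[dict[str, str]]) -> dict[str, str]:
    """relation type -> target; a rel with several tokens yields one entry per token."""
    out: dict[str, str] = {}
    for link in links:
        for token in link.get("rel", "").split():
            out[token] = link["target"]
    return out


if __name__ == "__main__":
    header = build_link_header([
        ("https://l3m.in/", "home"),
        ("https://misc.l3m.in/txt/", "up"),
        ("https://misc.l3m.in/txt/js_ratio.txt", "prev"),
    ])
    print("Link:", header)
    print(rel_map(parse_link_header(header)))
```

A text/plain page can thus still advertise `home`, `up`, `prev` and `next` without a single byte of HTML; whether anything beyond a few crawlers and feed readers will act on those headers is the open question the comment raises.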


Is there much advantage over just sending HTML with just the tags: “html body head p a” ?

I guess it would be nice for bots to get the set of links in a header.


Navigation is done by hand, remove spam.txt from the url and you're in the index (a small html page listing other posts).


The trick works in analog too. Just stuff the pre-paid business reply mail with other junk mail.


That’s a classic. http://bash.org/?127039

I do occasionally wonder if it would still work, but most business reply mail type spam has been supplanted by email nowadays.



wait why is bash.org down


I spent hours on bash.org when I found it a few years ago. Thank you for reminding me of it!


Ah hunter7 … great memories. The first time I found bash.org I was in tears of laughter for hours reading through it.

Back when web culture was smart.


it was hunter2. I know cause if it was actually hunter7, I would only see **** in your post, but I actually saw ***7.


Yes! Of course it was ***2, brain fart!


Fourth wall hits the ground with a soft thud


Looks like we brought down bash.org...


Similarly, when a store annoys me for an address or phone number, and won't take "no" for an answer, I look it up on Google Maps and give the clerk the store's information.

Edible Arrangements is the most recent place this happened. The store wouldn't sell anything to me without an address and phone number, even though I was paying cash. The manager said the POS wouldn't even let him start a transaction without collecting the information.

So Edible Arrangements' marketing department is now spamming my local Edible Arrangements store.


1212 Main St, City, St (area code) 515 1212 for phone

I gave up trying to explain why I prefer not to have that info, so I just give them obviously bogus info that I can remember. Most people don't even realize what you're telling them. They just robotically enter the numbers. They just want to get on with their day as much as you do, and really don't want to hear your diatribe about big brother tracking blah blah, can you hurry up the line is backing up.


Yup. When I was signing up at MEC I gave the clerk a fake number but accidentally included both the area codes for my city as the first six digits: “Whoa that’s weird, never seen them together like that before.” It’s easy for me to remember now at least.


1050 W Addison St Chicago, IL 60613

Phone (local area code) 867-5309 Name: Jenny Blues.


I always do this, but I don't give them back just what they sent (minus anything with an ID or name on it) - I'd stuff it with all kinds of other junk mail, cardboard - anything to bulk it up. Once I dropped in a scrap of floor tile. I don't know if it arrived or not, but I really tried to take "junk" mail to a new level.


And by visiting just about any large IT-related convention you can easily collect a hundred or more pre-paid business reply mail cards.

At least that's what a friend told me. ;)


I wonder if most sites maintain any of the following addresses or not for externally incoming mail:

    hostmaster@<domain>
    postmaster@<domain>
    webmaster@<domain>
    dns-admin@<domain>
    info@<domain>
    contact@<domain>
    root@<domain>
(And if they do, if anyone is actually reading the mail coming to those addresses.)

I used to, but I got so much spam and zero actually legit mails to these addresses on my own domains that I stopped accepting externally incoming mails for those names/aliases.


I still run those names for many domains I operate. Only info@ gets the spam. The others are quiet - but I've actually gotten real emails (in 2022 even) to postmaster and hostmaster.


These types of addresses are actually used by corporate anti-spam software and they are called "honeypots". The idea being you set up an inbox with no public email address and report any IP addresses sending it emails. There is no legitimate reason someone should be emailing these addresses, so it's an obvious flag that someone is being naughty.


There are plenty of legit reasons to be mailing some of those addresses.


There were*


No, there are. I still see masses of businesses signing up for b2b products using contact@ or info@ addresses.


As much as I hate it, one company I work with has not just a functional info@ address, but it is the main address they use to interact with everyone.

Just works.


Indeed. Lots of businesses rely on such email addresses in their day-to-day work.


Don't sites still use these emails to verify domain ownership?



> SECURITY CONSIDERATIONS

> Denial of service attacks (flooding a mailbox with junk) will be easier after this document becomes a standard, since more systems will support the same set of mailbox names.


I've managed a number of RFC 2142 mailboxes and while they all got spam (the dumb spammers would even send to abuse@!) it wasn't any worse than the other published email addresses on those systems and the volume of spam was still less than what our typical user would see (since nobody using postmaster@ used it to sign up for everything under the sun).

The spam we got was often useful for abuse handling and spam filtering too. It was a good thing!

Every network should have an abuse@ address. Web forms are pretty popular these days too, but every extra hoop you force reporters to jump through can cut down on the reports you get of problems on your network. It's worth dealing with the spam to make sure you're getting notified as quickly as possible.


Those addresses are role addresses; depending on what services you are providing, you should have those addresses, and you should read them. They are often aliased to root@. They are not called "honeypots".

A honeypot is an email address that should never get email, typically because the only way a spammer can capture the address is by scraping a web-page. Role addresses don't need to be scraped; they're well-known.
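The distinction the comment draws (never-published honeypot addresses are a blocking signal; well-known role addresses are not, because real abuse and postmaster reports arrive there) is easy to encode on the receiving side. As an added example, not code from any commenter or from any real filtering product, here is detection logic that runs over mail log lines: a client IP that delivers to a honeypot address is flagged, while traffic to role addresses is only counted. The log format, the `example.net` addresses, the honeypot local part and the IPs (RFC 5737 documentation ranges) are all constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Set

# Constructed, simplified one-line-per-recipient log format (not a real MTA's format).
LOG_RE = re.compile(
    r"client=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)

# RFC 2142-style role addresses: expected to receive outside mail, never a blocking signal.
ROLE_ADDRESSES: Set[str] = {
    "postmaster@example.net", "hostmaster@example.net",
    "abuse@example.net", "info@example.net",
}
# Honeypot: a constructed address that is never published or used legitimately.
HONEYPOT_ADDRESSES: Set[str] = {"xk7q2p@example.net"}
# IPs that are allowed to touch anything (e.g. your own monitoring); constructed.
ALLOWLIST: Set[str] = {"203.0.113.1"}

SAMPLE_LOG = """\
2022-07-26T10:00:01 client=203.0.113.7 from=<ops@example.org> to=<postmaster@example.net>
2022-07-26T10:00:05 client=198.51.100.23 from=<deals@example.com> to=<xk7q2p@example.net>
2022-07-26T10:00:05 client=198.51.100.23 from=<deals@example.com> to=<info@example.net>
2022-07-26T10:00:09 client=203.0.113.9 from=<sec@example.org> to=<abuse@example.net>
2022-07-26T10:00:12 client=198.51.100.23 from=<deals@example.com> to=<sales@example.net>
2022-07-26T10:00:13 connect from unknown[198.51.100.23]
2022-07-26T10:00:20 client=192.0.2.44 from=<> to=<XK7Q2P@example.net>
2022-07-26T10:00:25 client=203.0.113.1 from=<probe@example.net> to=<xk7q2p@example.net>
"""


def classify(lines: Iterable[str],
             role: Set[str] = ROLE_ADDRESSES,
             honeypot: Set[str] = HONEYPOT_ADDRESSES,
             allow: Set[str] = ALLOWLIST) -> Dict[str, object]:
    """Count honeypot hits per client IP and mail per role address.

    Returns the IPs to flag (honeypot senders not on the allowlist), the raw
    counters, and how many lines did not match the recipient pattern.
    """
    honeypot_hits: Counter = Counter()
    role_counts: Counter = Counter()
    unparsed = 0
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            unparsed += 1
            continue
        rcpt = m["rcpt"].lower()  # compare case-insensitively, like most MTAs
        if rcpt in honeypot:
            honeypot_hits[m["ip"]] += 1
        elif rcpt in role:
            role_counts[rcpt] += 1
    flag_ips = sorted(ip for ip in honeypot_hits if ip not in allow)
    return {
        "flag_ips": flag_ips,
        "honeypot_hits": dict(honeypot_hits),
        "role_counts": dict(role_counts),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = classify(SAMPLE_LOG.splitlines())
    print("flag:", result["flag_ips"])
    print("role mail:", result["role_counts"])
```

Feeding `flag_ips` into a firewall or a DNSBL submission is a policy decision; the point of the split is that `role_counts` is for reading, not blocking, and that a sender using the honeypot address must have scraped it.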


I will often provide the email address postmaster@hashbang.com for people insisting they need an email address who have no legitimate reason doing so. (hashbang.com resolves to localhost. Thanks twocows...)


Anyone know why I would get some "random" addresses if I run `nslookup hashbang.com`, but if I run `nslookup hashbang.com.` I get localhost?


Why would this work?


I suspect spammers might have given up on that. I get almost nothing for webmaster at a domain that receives plenty of spam and phishing attacks on other email addresses, and a constant barrage of spam into the web contact form.


Not given up, I'd expect them to avoid those addresses to avoid blocklists and abuse reports.


I can assure you that they have not.


What would explain my experience? My first guess is that spammers aren’t proactively probing these anymore, and just hit them if they’re found like any other address.


Every email to legal@ has to be read by any legitimate site, thanks to GDPR/CCPA. Not that you'll get a response.


Could you give references for this?


How can this possibly be enforced? What if there’s no email service on that domain? What if the business has no email address at all?


Hardly, and especially no to the GDPR. As a US citizen operating my own US site, doing no business with the EU, I do not care nor am I required to comply with EU law that has no bearing on a US citizen like me.


> As a US citizen operating my own US site, doing no business with the EU, I do not care nor am I required to comply with EU law that has no bearing on a US citizen like me.

It's actually a bit more complicated than that. Our expensive GDPR lawyers have made it clear there is still some amount of risk.

The example was of a German citizen booking American hotels for their vacation. Under the wording of the GDPR law, if their data was breached, the hotel could be held liable under a German court.

Now, the realisticness of this actually going to court or there being any meaningful penalty has not really been tested, but it's our corporate policy not to be the first ones to do so. So even for signup forms targeting Americans for American events, legal has asked us to specify to always collect country information (so we know what GDPR rules to process this person under) or include a dumb disclaimer that people from certain countries should not sign up.


I do not believe that is how the joke laws that are GDPR/CCPA operate.


Reminds me of a colleague who used to input "president@whitehouse.gov" into all of such mandatory fields (early 2000's). When I asked why, his response was: "If anyone is able to do something about all that spam, it's probably him". :D



Thanks, my tiny web server still got plenty of power but my connection is pretty terrible today :/


This reminds me of a trick a friend used to do: he'd collect the email addresses of spammers who'd targeted him and put them into a file on his website. Not sure whether that worked or not, but it's fun to imagine that it did.


Some french blogger did this to people contacting him for putting sponsored content on his website.

The text on his contact page literally starts with "warning: if you want to pay me to put something on my site your email address will be leaked on this page". Funny how many people won't read any content of a website but still want to pay in order to put content on them :P


This does nothing to them. You’re better off giving them a real address that you own (can be a garbage secondary account), waiting for them to email you, letting a FEW emails pile up… then marking them ALL as spam in one go. Hurts their sending IPs much more than spamming an inbox they never even check.


I've wondered if that's why I can't always sign up for a webpage using their domain before the @ (ex. ycombinator@personaldomain.com). In that somebody else already signed up using webmaster@ycombinator.com and so in response they reject any emails containing "ycombinator".


This seems like a weird and computationally expensive validation to perform, but it does explain your observation.


Reminds me of one of my favorite meeting abstracts from David Mazieres and Eddie Kohler at Stanford:

https://www.scs.stanford.edu/~dm/home/papers/remove.pdf


When I get spam from a local-ish company I always send an abuse mail to their ISP or email provider. Sometimes it's ignored and I keep getting spam from that particular bunch of shitheads.

So I set up my .forward to bounce spam from that company right back to any email addresses I can find for them and their ISP. Every spam I get, I add another copy to the list. The folks at xertog.com currently get 8 copies each to their noc@, sales@ etc for every spam they send me.


Aren’t you worried about your own domain getting flagged for spam since you’re effectively (forwarding) sending spam?


Yeah, these spam-friendly ISPs might flag me for forwarding their spam. Quaking in my boots as we speak.


Wow, that's dedication!


As a bonus - write yourself a little browser script that accumulates companies you do this to so that you can sign every spammer up for every other spammer's mail.


I moved out of California many years ago and their fast pass system kept calling me daily to inform me my balance was low.

I couldn’t get them to stop calling me or cancel the account.

So I changed my phone number to their support line number. Never got another call.

15 years later I wonder if they still call themselves.


Now every website has this obnoxious subscribe-now pop-up before showing anything useful. Imagine someone compiled a list of websites that show this pop-up, and some email associated with the domain; would the web be a better place?


It may. It wouldn't hurt though.


I basically do this too, though I just put in some random gibberish (or "admin" or "info" or something) before the domain. I figure they probably have some catchall email address, and if not, nothing wasted.

On the other hand, if you do want a one-time piece of email, but don't want to be subscribed to a mailing list, check out sharklasers.com. It's a free temporary email service that works pretty well.


I usually search "tempmail service" on some search engine and take a random link.


I use mailinator, but their domains are blocked by many services. Fortunately, they don't check if the provided domain resolves to one of the blocked domains... So I created an MX record on a domain I own that points to a mailinator domain. Works like a charm.


This is brilliant


Get the site onto the frontpage of HN and hug the spammers to death? I like it.


I remember in '09 or thereabouts there was a tool called SpamItBack that literally would just send spam all day to known spam addresses while you let it run.


Speaking of annoying email lists, spammers are using government state/federal email lists that don't need confirmation. Trolls can just sub people up to hundreds of daily emails. How about spamming someone with all the train/bus schedules for a city? DOT updates, parks and rec, health updates, DHS, ICE, weather, etc.

You can't just remove yourself by replying either, you have to go to a website and remove them, either 1 at a time or if lucky an unsubscribe-all.

But it's ironic the government email lists are being abused to such an extent to annoy people.

I had users get caught in such an attack, but easily enough to just spam their domains. Hammer solution, but quick fix.


I've been entering in short complaints as email addresses for a while now. My hope is that the right person will see "whythehhellwouldisignupforyournewsletterafter10seconds@nevercoming.back" and get the message.


I run an email marketing database. You might be pleased to know we keep a little "wall of honor" of the best fake emails we've been given.


> the best fake emails we've been given

If I were to do this, the email wouldn't be fake!

I have hundreds of email aliases on my (main) domain, and the list keeps on growing.


I have a catchall for my domain, so most sites get a unique website@mydomain.com email and a unique password. Not only does it help against password leaks but I also can find out very quickly if someone sells the unique address.


I have a 3 character plus tld domain for this purpose. I used to run my own server with Postfix and Dovecot, I was able to deliver mail and it all worked but Microsoft can do the same thing for less money and effort.

The best part of running Postfix was I could add domains and addresses to a denylist and it would bounce the email and the sender's server would often put a REJECTED message in their inbox. The email equivalent of slamming the door.


Care to share any?


Most of them are just various conjugations of swearwords or attempted script injections.


In the 90s I was at a little internet startup, and the product guys _insisted_ that a verification loop for registered emails would be catastrophic and lead to a massive dive in registrations. Engineering pushed back, it went all the way to the CEO, and he sided with product. So we built the damn thing, and it went live, and the CEO got signed up for _everything_ we could think of. Wasn't more than a few days of this before verification suddenly became a good common-sense idea.


Funny. From a "business" point of view the original decision may have been better (but evil). However the CEO made a decision for the business for his personal convenience.

I have seen this done before where we were forced to use technology that would support both Mac and Windows because the CTO had a Mac (and that was the only reason). So Silverlight it was :-/. Yes you can guess the year probably!


I can't help but think of Skip the Dishes and how they have zero verification of account emails. I don't use the service and never received any spam, but I did start receiving order confirmations from someone on the other side of the country. Eventually I reset the password and accessed the account to find their phone number and sorted the whole thing out over SMS.


Since the site is down, what's the trick?


The entirety of the post:

> published: 26/07/21 (dd/mm/yy)

> updated: not yet

> A little trick to spam the spammers.

> When I find a "get X free" button on a website that then asks for my email address, I like to search for the email of the company behind the website (sometimes it's on the legal page, or the privacy policy page) and I submit their email. I also make sure to check the "sign me up for the newsletter" box, to make sure the spammers get at least one of their messages.

> I don't really know why I do this, it seemed funny a few months ago when I started and now I do it out of habit.

> I now keep a list of emails from these spam sites, and subscribe them all to the various newsletters I find if I have 5 minutes.


The site is not down, but my poor upload connection prevents you all from having access to this glorious txt file, sorry :(


Usually I’ll add +myfeelings on the local part in case their MTA does subaddressing. And making it unique increases the chances of adding a new entry to their list.


One wonders if we could use GPT-3 as a spam response bot, where it can start taking up their time sorting through almost plausible auto responses.


OK now let's do SMS spam. I get daily reminders from recorded idiots telling me that I qualify for a low-rate business loan! How exciting! I dream of exploring who's actually behind these and wasting their time à la Giovanni Ribisi in Boiler Room. But then I do nothing and go back to what I was doing.


Has anyone tried forwarding those to 7726?

https://news.ycombinator.com/item?id=23314816


Why is "Get X Free" on someone's website bad? If you don't want it, then exit. Just because they have an offer available for those who subscribe doesn't immediately mean they're going to be a bad user of your email.


Heh, you could also do the other usuals

all@domain.com allstaff@domain.com support@domain.com legal@domain.com careers@domain.com refunds@domain.com

If you really don't like them keep adding those addresses to other subscriptions.

If all goes well they'll end up on black lists really quickly.


When I run into something like what the person who posted this describes, I usually put in a non-existent email address. At least, one that I hope is non existent like me@inter.net or homer@compuglobahypermeganet.info.


This is why I have a devnull@mydomain.com address that goes directly to trash.


I used to run a mud back in the late 90s. When we nerfed something a disgruntled player signed up all the admin emails for every piece of spam they could find.

It was a huge pain in the butt. Nowadays we would probably barely notice.


Chaotic good right there.


I don't get it -- he's finding optin newsletter boxes and spamming the people asking for an email address? Why? Because he doesn't like optin email?


Guessing it’s the automated pop-ups timed to arrive before you’ve seen whether the site is high quality-enough to deserve it.


Their main contact e-mail can already be unsubscribed but you can try extra emails (after +) like user+spam@company.com. Those often arrive in the user's inbox but behave like a different address in their spam database.

And of course, as others suggested, you can also subscribe sales, hiring, website staff, abuse@ and other departments.
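Two earlier comments describe the form-operator side of this from the opposite direction: one points out that a signup form only checks the domain string, not where its MX record actually delivers, so a vanity domain can be pointed at a disposable-mail provider; the comments above and the one about `+myfeelings` note that `user+tag@domain` is treated as a brand-new entry by most list databases even though it lands in the same inbox. As an added example, not from any commenter, here is intake logic a form operator could use to dedupe subaddressed variants and to classify a domain by the MX hosts it resolves to rather than by its name. The resolver is injected so the code runs offline; the `RESOLVER_TABLE` entries, the `DISPOSABLE_MX_SUFFIXES` list and the domain names are all constructed.

```python
from typing import Callable, Dict, Iterable, List, Set

# Constructed stand-in for a curated list of disposable-mail MX hosts.
# A production list is much longer and should be matched on the MX host, not the user's domain.
DISPOSABLE_MX_SUFFIXES: Set[str] = {"mailinator.com"}

# Constructed MX answers, keyed by domain, standing in for live DNS lookups.
RESOLVER_TABLE: Dict[str, List[str]] = {
    "example.org": ["mail.example.org."],
    "fronting.example": ["mail.mailinator.com."],   # vanity domain, disposable MX
    "nomx.example": [],                             # no MX at all
}


def table_resolver(domain: str) -> List[str]:
    """Offline MX resolver for the example; swap in a real DNS lookup in practice."""
    return RESOLVER_TABLE.get(domain, [])


def normalize_address(addr: str, strip_subaddress: bool = True) -> str:
    """Canonical form for dedup: trailing dot and case removed from the domain,
    the +tag subaddress dropped from the local part.

    RFC 5321 allows case-sensitive local parts, but virtually every provider
    folds case, so this folds it too; it is a dedup key, not a delivery address.
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    domain = domain.lower().rstrip(".")
    if strip_subaddress and "+" in local:
        local = local.split("+", 1)[0]
    return f"{local.lower()}@{domain}"


def mx_is_disposable(domain: str,
                     resolve_mx: Callable[[str], Iterable[str]],
                     suffixes: Set[str] = DISPOSABLE_MX_SUFFIXES) -> bool:
    """True if any MX host for the domain is, or is under, a disposable-mail host.

    Matching on the resolved MX catches the trick of pointing an unlisted domain
    at a listed provider. A domain with no MX is not treated as disposable here;
    RFC 5321's fallback to the A record is out of scope for this example.
    """
    for host in resolve_mx(domain):
        host = host.lower().rstrip(".")
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return True
    return False


def screen_submission(addr: str, seen: Set[str],
                      resolve_mx: Callable[[str], Iterable[str]] = table_resolver) -> str:
    """Classify one form submission: 'invalid', 'duplicate', 'disposable' or 'ok'.

    `seen` holds normalized addresses already on the list and is updated on 'ok'.
    """
    try:
        canonical = normalize_address(addr)
    except ValueError:
        return "invalid"
    if canonical in seen:
        return "duplicate"
    if mx_is_disposable(canonical.rsplit("@", 1)[1], resolve_mx):
        return "disposable"
    seen.add(canonical)
    return "ok"


if __name__ == "__main__":
    on_list: Set[str] = set()
    for submitted in ["user@example.org", "User+spam@Example.ORG.", "x@fronting.example", "nope"]:
        print(f"{submitted:>24} -> {screen_submission(submitted, on_list)}")
```

With dnspython the injected resolver would be `lambda d: [r.exchange.to_text() for r in dns.resolver.resolve(d, "MX")]`, wrapped to return an empty list on `NoAnswer`/`NXDOMAIN`. Stripping subaddresses is a dedup choice with a cost: people who rely on `+tag` to track who leaked their address lose that signal, so some operators keep the tag for delivery and only strip it for the duplicate check, as this code does.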


Can we do something like this for spam phone calls? I have a bunch of blocked numbers that could receive a bit of their own medicine.


I just put in random gibberish and submit. Too many undeliverable mails can cause the sender to be punished by their mailing service.


your website is down homie.

"What kind of chip you got in there, a Dorito?"


your Windows boots up in what, a day and a half?


My tiny webserver is fine, but my connection is pretty slow today, preventing you from even reaching my server :(

Keep refreshing, maybe you will find a way to this txt file :P


Great idea. I usually use fake, obscenity-laden email addresses, but I'll start using this approach instead.


For marketing spam where unscrupulous marketers send spam using bought address lists, you will usually find a subscription form for their lists. Sign up every single spam trap you find. Their ESP will make short work of the marketers after that.


Anyone remember this? A drawing of a seven-legged spider mailed as payment for overdue utility bills. https://27bslash6.com/overdue.html


The terms ceo@ / sales@ / marketing@ / info@ <domain> can be fun.

Or state-level intelligence addresses / TLAs of various stripes.


I also like using support@, surprising number use that to create tickets which can annoy someone very quickly.


The concept is called “closing the loop.”


An opt in box asking for your email is not a spammer. It is solicited email.


I'm sure there's a script for that somewhere about.


Brilliant


GOD


This pleases me.



