[HN Gopher] Ask HN: Just received spam to an address only used a...
___________________________________________________________________
Ask HN: Just received spam to an address only used at Amazon?
Like many of us I have an email address for Amazon (.co.uk) which I
don't use anywhere else. A few minutes ago, I received a pretty
nonsense spam mail to that address. I contacted Amazon support who
said 'we're investigating' in a way that made me think I might not
be alone.. and advised I forward it on to stop-spoofing@amazon.com.
Just curious if anyone else has recently had similar? (To head it
off: no it shouldn't be third-party sellers - they don't get your
email, any disputes etc. are through a unique-
id@marketplace.amazon.co.uk address in my experience.)
Author : OJFord
Score : 96 points
Date : 2022-09-30 16:10 UTC (6 hours ago)
| ggregoire wrote:
| > Like many of us I have an email address for Amazon (.co.uk)
| which I don't use anywhere else.
|
| Out of the loop, what's the purpose of having a separate email
| address for Amazon?
| 300bps wrote:
| I don't do it for every vendor but I have a separate email
| address that I use just for Amazon.
|
| The primary reason is because Amazon has a huge security hole
| by way of chat and call center reps.
|
| There used to be a way to hack into someone's Amazon account
| that went like this:
|
| 1. Call Amazon and say I'm 300 bps and my email is
| 300bps@gmail.com
|
| 2. Tell the rep you want to add a credit card on your account
| and give them the credit card
|
| 3. Do a forgot my password. One of the MFA questions was "What
| are the last 4 digits of any credit card on your account?"
|
| So to hedge against this particular exploit and any unknown
| ones that come up caused by Amazon's giant target and their
| accommodative customer service, I just use a unique email
| address on their site.
| layer8 wrote:
| The purpose is exactly this, to know that it must have been
| leaked via Amazon. And you can change to a different email
| address for Amazon (and redirect the previous one to your spam
| folder) without having to change your email addresses on any
| other accounts.
| ggregoire wrote:
| Do you have a separate email address for every service you
| create an account for?
|
| Do you use email aliasing to achieve that? (e.g.
| your.address+amazon@gmail.com)
| arbitrage wrote:
| > Do you have a separate email address for every service
| you create an account for
|
| Yes, I run my own email server.
| layer8 wrote:
| I have my own domain and operate my own email server with
| rule-based localparts filtering (basically regex-based
| whitelists and blacklists, plus automatic sorting into
| different mail folders based on localparts). I use a
| different localpart for each online shop and each
| service/social account/mailing list I'm registered with.
|
| There are email providers that let you use your own domain
| (i.e. you don't need to operate your own email server) with
| any number of localparts, i.e. a catch-all (without needing
| to use "+"), and which usually also allow you to set up
| filtering rules, and let you auto-forward to a different
| email address (e.g. GMail) if you like. You can then use
| whatever@yourdomain at your whim, without having to first
| register the localparts you use.
| inanutshellus wrote:
| I've done this for years but... recently killed most of
| it.
|
| Remembering when I've put a custom email
| (amazon@mydomain) vs a plus (me+amazon@mydomain), not to
| mention remembering both _that_ I've used something fancy
| _and_ how exactly I customized it, has just caused a
| bunch of headaches. I have warranty purchases across
| multiple email addresses for sites, figuring out what to
| type into the "forgot my password" box is a pain...
|
| I even have a Steam login that I can't for the life of me
| recall how to get into. I only know the username, but I
| don't know how to request the reset email associated with
| it. None of my guesses have worked. So ... I just made
| another Steam account.
|
| ... and ironically the email address I give to close
| friends is the one that's all over haveibeenpwned.com.
|
| /facepalm
| layer8 wrote:
| My password manager usually remembers which address I use
| on which site, and otherwise I can quickly look it up in
| my email archive. For the most important accounts (ISP
| etc.) I write the credentials down separately. I always
| used consistent patterns for mapping domain/service names
| to localparts, so normally I can also guess right on the
| first try.
| majikandy wrote:
| The issue I have is not remembering them, as the password
| manager does that. The issue is more when companies rely
| on your email address being the same for different parts
| of the service or they take my PayPal email address and
| use that as my email address.
|
| One of the most annoying is when contacting customer
| support by email and they reject andy@ at and now I have
| to find a way to send an email to them from ocado@ or
| whatever email address I chose.
| devteambravo wrote:
| why not add AmazonSpam+your@email.com
| cuspycode wrote:
| I use a different email address for every web shop I do
| business with, for the obvious anti-spam purposes. Amazon is
| just one of them.
| majikandy wrote:
| I have done the same for years but I don't think I actually
| had much benefit in the end. I don't ever remember getting
| spam sent to dodgy-company@mydomain and then needing to block
| it, in all the 20 ish years I've done this.
| chunk_waffle wrote:
| I have a domain registered with Gandi, that does free email
| forwarding (free for up to something like 1000 aliases) I
| create a new one for every signup and forward them to my "real"
| email address.
| forty wrote:
| You can also create a single "catch all" alias and be done
| with it :) (create an alias *@yourdomain)
| Radeo wrote:
| It must have been brute forced. I used to create aliases on gmail
| for different services - eg. john+twitter@gmail.com and it
| happens that alias is targeted by non-twitter mails.
|
| In general, in the last year or two (wfh? hehe) I realised that
| I receive more and more spam for email addresses I don't share
| at all.
|
| I've also created a small email-forwarding service [1] that I and
| few friends use for public sharing like conferences or sketchy
| services (of course I don't mean Amazon here ;) )
|
| [1] https://non-public.email
| gzer0 wrote:
| Or you could use the newly announced Bitwarden + Fastmail email
| alias integration.
|
| It also works with 1Password. Neat stuff.
|
| [1] https://bitwarden.com/blog/use-bitwarden-to-generate-
| email-a...
| doe88 wrote:
| Not similar, but related, once I made the mistake of paying with
| "pay with amazon" on a website, I foolishly thought that amazon
| would hide most of my details, instead of it they immediately
| shared my email with this website, without even asking me to
| confirm it, since I use a proper email with my amazon account, I
| was _mad_.
| Daviey wrote:
| I've also had this recently, I had an address which was
| `amazon.co.uk@mydomain` and I've recently started getting spam to
| this address where I wasn't before.
| layer8 wrote:
| It could make sense to obfuscate the localpart a bit more, e.g.
| add some prefix or suffix. Some spammers combine localparts of
| one address with the domain of another address, and there are
| probably quite a number of people using
| amazon.co.uk@theirdomain; it's sufficient that one of them
| leaked their contact list/address book.
| majikandy wrote:
| What a crazy idea. I have .com too :)
| randunel wrote:
| What does your email server reply with to `RCPT TO:`? Always 250
| OK, or does it leak existing inboxes to brute force scrapers?
| OJFord wrote:
| It's actually a catch-all, I tag things that aren't a known
| alias, but that's on my end.
| exac wrote:
| I think this is the answer.
| secondcoming wrote:
| Can someone explain, please?
| OJFord wrote:
| What do you mean it's the answer? I meant that the server
| can't be listing mailboxes that exist in response, because
| it's not set up like that.
|
| (It could theoretically capture the historically seen
| addresses, store those, and list those back out I
| suppose... I'm pretty sure there's no reason for that to be
| the case though. It's SES if you want to check.)
| goodpoint wrote:
| Is that a question or a statement?
| OJFord wrote:
| I omitted 'have you also' or 'has anyone else', yes. I typed
| the latter at first then edited it out to be quicker to the
| point.
| raggi wrote:
| Are you sure that email is always delivered over TLS?
|
| If it is not, then are you sure that you trust every ISP between
| Amazon and your mail server?
| tjpnz wrote:
| How easily guessed is it? Does it follow a similar format to your
| personal email address?
| m463 wrote:
| This happened to me once about 3 (?) years ago.
|
| I do not send emails directly to vendors. Email from them comes
| through the amazon intermediary system. I would reply to
| necessary vendor communications using the web interface.
|
| The spam email I got was for a seller asking for me to review
| some product.
|
| I contacted amazon but got no satisfaction. I had to change the
| email address I used for (only) amazon.
|
| I figure someone inside amazon was bought out.
| [deleted]
| philip1209 wrote:
| Could a third-party merchant access the email when fulfilling
| your order?
|
| It's also possible that a browser extension accessed it.
| [deleted]
| raviparikh wrote:
| Is it pretty short / guessable? Maybe spammers are brute-force
| guessing email addresses.
| OJFord wrote:
| You might guess it if you had one of my others, but I find that
| avenue _fairly_ unlikely, simply because this is the only
| address affected - that hasn't happened before. (Though I
| realise as guesses go, Amazon would be right up there.)
|
| I've had other spam to aliases that aren't anything I use, and
| it didn't follow a format similar to that. (For some reason I
| get a lot to archos@ for example, even though I'm pretty sure
| through bug tracker, AUR, etc. I have public Arch-related
| addresses that I do actually use! I'm not sure why that came
| about.)
| Lealen wrote:
| In my experience (Europe) delivery companies get access to my
| unique email address that I also only use to buy things on
| amazon. They use this email address to send me information about
| deliveries directly to my inbox.
| ChrisMarshallNY wrote:
| I have similar, but, in my case, it's because I have an account
| with the delivery company, and they associate the email with my
| address, so I get emails, whenever a package is to be delivered
| at my address, regardless of its origin.
| swores wrote:
| That doesn't seem relevant to the subject of whether or not
| delivery companies get your address from Amazon, nor to the
| main topic of an Amazon-only email getting leaked?
|
| But yes, some couriers do let you tie an email address to a
| physical address to get notifications.
| ChrisMarshallNY wrote:
| I wouldn't say it's "not relevant." The symptoms are similar;
| but the cause may well be different.
| ericbarrett wrote:
| Seconded--perhaps a third-party seller or shipper who's been
| compromised.
| dwringer wrote:
| Amazon specifically does not want third party sellers
| contacting customers through side channels other than Amazon
| itself, and thus does not typically give out emails directly.
|
| Third-party sellers are typically given an address like
| <gibberish-hash>@marketplace.amazon.com to which they can
| reply, and correspondence is then forwarded by Amazon to the
| actual customer's email.
| buzer wrote:
| If they actually cared I'm sure there would be a way to
| report these kind of issues. I got physical mail about
| submitting review for a product that I bought from Amazon
| (sold by company X, shipped by Amazon) in exchange for
| Amazon Gift card. The mail did contain name of the product.
| I tried to report it and
|
| * there was no obvious way to do it. Closest thing was by
| reporting issue on product.
|
| * there was no way to show the customer service agent a
| picture of the mail. Chat did not support sending pictures
| & they were unable to open imgur link.
|
| * the agent recommended I report it by leaving a review on the
| seller page. I did that and the next day the review was
| deleted.
| layer8 wrote:
| Are you sure those emails are directly from those companies? I
| only get messages sent through Amazon forwarding addresses,
| which exist precisely for the purpose to not disclose your own
| email address to third parties.
| whywhywhywhy wrote:
| I get an influx of phishing SMS every time I have a parcel
| arrive through those systems.
|
| All the info is being skimmed and sold at some point. It often
| mentions the parcel company it arrives through which confirms
| this to me.
| ev1 wrote:
| If it's obviously-named, it might be brute forced. I have an
| alias (amazon@ and aws@) on my domain that I never used to sign
| up for Amazon and was never used at all, but it receives spam on
| a daily basis (and AWS phishing emails - it was never once used
| at either service).
| myself248 wrote:
| Sounds like such emails should be mnemonic-salt@domain just to
| rule out such brute-forcing.
| exikyut wrote:
| Or possibly even salt_hmac(mnemonic)@domain, to both make the
| address un-brute-forceable and also cover businesses going
| "why are we emailing business@yourdomain" and potentially
| getting huffy (apparently this happens?!).
|
| Only potential issue is that if it's a real HMAC like HMAC-
| MD5[:16] the nonsense address might give spam middleboxen
| very bad indigestion.
|
| Or maybe the crazy service addresses used in cloud
| infrastructure have actually inoculated everything to a
| reasonable extent and this might work?
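An added example (not code from anyone in this thread, and not blame.email's protocol) of the scheme exikyut sketches: a keyed MAC of the service mnemonic becomes part of the localpart, so the address cannot be reproduced from a dictionary of company names, while the mnemonic itself stays readable as kevincox prefers. It uses HMAC-SHA256 truncated to 16 hex characters rather than the HMAC-MD5[:16] mentioned above; the key, the domain `example.org`, the `<mnemonic>.<tag>@<domain>` layout and the helper names are all assumptions made for this example. The last function shows the policy a catch-all mailbox could apply to incoming recipients so that guessed addresses like `amazon@` are rejected instead of delivered.

```python
import hashlib
import hmac
import re

# Constructed values for this example; a real deployment keeps the key out of
# source control and uses its own domain.
SECRET_KEY = b"example-only-secret-key"   # placeholder, not a real key
DOMAIN = "example.org"                    # placeholder domain
TAG_LEN = 16                              # hex characters kept from the MAC


def alias_tag(mnemonic: str, key: bytes = SECRET_KEY, length: int = TAG_LEN) -> str:
    """Truncated HMAC-SHA256 of the mnemonic. The secret key is what stops a
    spammer from recomputing the tag from a list of service names."""
    mac = hmac.new(key, mnemonic.lower().encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:length]


def make_alias(mnemonic: str, key: bytes = SECRET_KEY, domain: str = DOMAIN) -> str:
    """Build `<mnemonic>.<tag>@<domain>`: the service name stays in the clear
    (so the sender can be read off the address) and the tag is the part that
    cannot be guessed."""
    if not re.fullmatch(r"[a-z0-9-]+", mnemonic.lower()):
        raise ValueError(f"mnemonic must match [a-z0-9-]+, got {mnemonic!r}")
    return f"{mnemonic.lower()}.{alias_tag(mnemonic, key)}@{domain}"


def is_valid_alias(address: str, key: bytes = SECRET_KEY, domain: str = DOMAIN) -> bool:
    """True only if the tag is the HMAC of the mnemonic under our key."""
    pattern = r"([a-z0-9-]+)\.([0-9a-f]{%d})@(.+)" % TAG_LEN
    m = re.fullmatch(pattern, address.lower())
    if not m:
        return False
    mnemonic, tag, dom = m.groups()
    if dom != domain:
        return False
    # Constant-time comparison so the verdict's timing says nothing about
    # how close a guessed tag was.
    return hmac.compare_digest(tag, alias_tag(mnemonic, key))


def classify_recipients(addresses, key: bytes = SECRET_KEY, domain: str = DOMAIN) -> dict:
    """Policy a catch-all mailbox can apply to incoming recipients: deliver
    genuine aliases to a folder named after the mnemonic, reject the rest."""
    verdicts = {}
    for addr in addresses:
        if is_valid_alias(addr, key, domain):
            verdicts[addr] = "deliver:" + addr.lower().split(".", 1)[0]
        else:
            verdicts[addr] = "reject"
    return verdicts


if __name__ == "__main__":
    amazon = make_alias("amazon")
    # Constructed sample of what a catch-all might see: one real alias plus
    # dictionary-style guesses of the kind described in the thread.
    incoming = [
        amazon,
        f"amazon@{DOMAIN}",
        f"aws@{DOMAIN}",
        f"amazon.0000000000000000@{DOMAIN}",
        amazon.replace(f"@{DOMAIN}", "@other.example"),
    ]
    for addr, verdict in classify_recipients(incoming).items():
        print(f"{verdict:<16} {addr}")
```

Because the tag is derived rather than stored, no list of issued aliases needs to exist on the server, which also means a compromised mailbox does not hand over a ready-made list of addresses; rotating the key is what retires every alias at once, so the key is better kept per-domain than shared across several.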
| cube00 wrote:
| _> cover businesses going "why are we emailing
| business@yourdomain" and potentially getting huffy
| (apparently this happens?!)_
|
| It very much happens, I had a business owner lecture me
| that they owned their domain and I shouldn't be able to use
| in any part of their domain name in my email address.
| ThePadawan wrote:
| Thanks, that mixed my thoughts of inferiority for the
| day.
| kevincox wrote:
| I do this. I use the same protocol as https://blame.email/
| (so that I can use their site). The nice thing about having
| the name in the clear is that it is easy to map it back to
| the sender at a glance, rather than having to look up old
| messages.
| chunk_waffle wrote:
| > and potentially getting huffy (apparently this
| happens?!).
|
| It does...
|
| I've had signups blocked using business@domain.tld, (some
| Samsung service is one I recall) and in one case I had
| legit sales queries completely ignored until I used an
| alternate email.
| ev1 wrote:
| Samsung will return "contains banned word" if your email
| includes samsung
| ev1 wrote:
| Ha. The more obscure the better, I guess. But you'd want
| some tooling to make it reasonable to handle.
|
| I have a catchall and it's interesting what type of rubbish
| appears.
|
| I have gotten phishing that pretends to be an AWS support
| case ticket reply about how my instances in us-east-
| whatever are about to be terminated due to a host node
| going out of commission sent to aws-iam-root-user@domain -
| a domain that has never used or touched AWS and a left hand
| side mailbox that has never been used once. If it's
| anything obvious it's probably made it onto some type of
| dictionary list.
| ars wrote:
| I searched years worth of Amazon messages, and DHL, and a local
| freight shipper have my real amazon address.
|
| Have you ever ordered anything heavy, or international?
| gz5 wrote:
| I haven't and don't believe this is systemic. You may have been
| brute forced?
| barelysapient wrote:
| I think you also have to consider the entire chain of custody for
| the address: Do you have any browser plugins that might have
| grabbed it? Have you used a VPN while accessing Amazon? Have you
| accessed it with a Mac or Windows computer?
| honestduane wrote:
| Report it as a GDPR violation?
| jpswade wrote:
| This has been going on for years, wired covered it a while
| back...
|
| https://www.wired.com/story/amazon-failed-to-protect-your-da...
| terminalcommand wrote:
| Contact the Information Commissioner's Office for them to
| investigate. Regulatory authorities are the only viable defense
| we have against conglomerates such as Amazon.
| that_guy_iain wrote:
| I'm pretty sure they do give out your email. It's just most go
| through amazon's system. The reason is, this is not the first
| time in the past 12 months I've heard of this happening and last
| time I think it came out that marketplace sellers get all your
| info.
| squeaky-clean wrote:
| > To head it off: no it shouldn't be third-party sellers - they
| don't get your email, any disputes etc. are through a unique-
| id@marketplace.amazon.co.uk address in my experience.
|
| I have received 2 emails from an Amazon seller's personal email
| to my personal email asking me to remove a review about a
| cartridge of printer ink. The review was written by my father but
| using my account.
|
| They did also email me 3 times through Amazon's email forwarding.
| But the 4th and 5th time was directly to my personal email which
| the Amazon account is registered under. They offered me a full
| refund and a $20 gift card.
|
| He signed his review with his first name, and in the email they
| address him by that name. Yet my personal email is MY name plus
| some numbers.
|
| I never responded to their messages or anything that would give
| them access to my real email. The only acknowledgement of their
| emails I gave them was changing it to 1-star and adding in that
| they are offering to pay people for 5 star reviews.
|
| P.S. don't buy any printer ink from JARBO. Aside from the email
| spam, the cartridges run dry after a couple dozen pages.
|
| Here is the first direct email
|
| > Dear Customer, This is Lexi from Jarbo. I apologize for my
| delay contact. In order to match your order ID, I have searched
| it within thousands of orders.
|
| > We received your review that the toner cartridges are not
| working properly and have caused you so much trouble. I
| understand your feelings, and hope that you can give me a chance
| to rectify this.
|
| > Therefore, we'd love to compensate $20 to make up your loss.
| Will that be okay?
|
| > Because I am only an after-sales service staff, in order to
| better apply for a refund to the finance department, Could you
| remove the review first? I will get the refund back to you within
| 72 hours.
|
| > Here is the link to your review for your convenience:
|
| > [ link to review they want removed ]
|
| edit: I'm in the USA, amazon.com domain
| Aulig wrote:
| I saw an article on HN a while ago about services that sell
| Amazon user e-mails - basically Amazon employees leaking data,
| such as here: https://techcrunch.com/2020/01/10/amazon-
| employees-email-add...
| abawany wrote:
| Yep, same here - still getting spam from them offering to pay
| me off to remove my reviews. Complaints to Amazon "CS" did
| jack-sh-t - it is frustrating.
| gnopgnip wrote:
| If you used this email to register for a third party warranty, a
| rebate, or clicked on a link sent by a third party an Amazon
| merchant can get your email that way
| counttheforks wrote:
| tangoalpha wrote:
| Not sure if it's the case elsewhere as well, but at least in
| India, email address on amazon orders are accessible to sellers
| if you made a purchase from a seller. I have had sellers reach
| out to me right after buying something from amazon, offering an
| incentive for a review.
|
| Further, customer support agents can pull up your details as
| well, at least when there is an active ticket. I was contacted
| by one of the support executives, who confronted me from his
| personal mobile number after I left poor feedback for a chat
| interaction.
|
| Amazon has little or no respect for data privacy especially in
| regions where there are no strict regulations that can cause them
| monetary loss through fines.
|
| Since you mention it's in UK, I am surprised this is the case.
| dangus wrote:
| Email addresses can be brute forced as others have mentioned, so
| it's not a guarantee that Amazon leaked your email.
|
| I also think that the kind of hoops tech-savvy folks go through
| to protect their main email account from spam are more time and
| effort than dealing with spam in the first place.
|
| I'm personally not going to register for things with a thousand
| different + addresses just to try and find out what company
| leaked my email. Even if I manage that with a password manager it
| just seems like an extra chore.
|
| Spammers got my email address? I don't really care. The spam is
| going to the spam box.
|
| Am I opening myself up to a larger attack vector? I guess so,
| maybe. There are more important things in life than locking down
| my online life like it's fort knox.
|
| Like, think about it, OP. You got a piece of spam mail and you
| contacted Amazon, and then made a post on HN about it. Is this
| really worth your time and headspace? I get hundreds of pieces of
| spam email a month and I don't notice or care.
|
| I don't really think email addresses were designed to be private
| pieces of information in the first place. Enabling two-factor
| authentication is the effective protection against account
| seizure.
| licebmi__at__ wrote:
| This kind of stuff is so low effort that even Apple is doing it
| for people. You might need to jump through some hoops to not be
| locked into Apple, but once you use a password manager, this is
| mostly transparent. The largest hurdle I have to deal with is
| puzzled looks whenever I have to give my details to customer
| service or people in person.
|
| Which, by the way, for me is more than just dealing with spam.
| It's more about dealing with a breach of trust. If my info got
| leaked or sold by a company, I might want to review what kind
| of business I would like to have with them. I mean, I even got
| spam on an email I gave to a company I was contracting with.
| After some research, it seems like it was for a company owned
| by a high exec's son. Keep in mind that this was post-GDPR
| and the company did business in Europe.
| majikandy wrote:
| Ah yes... the classic "do you work for Dell?". No, because
| I'd have a Dell email address, wouldn't I? Not one that starts
| with dell@
| neogodless wrote:
| Similar post about Comcast yesterday:
|
| https://news.ycombinator.com/item?id=33020571
| segmondy wrote:
| Email goes through relays which are not secure. Neither you nor
| Amazon controls those in the middle relaying your email; a
| spammer could grab all email addresses in the middle if they have
| access.
___________________________________________________________________
(page generated 2022-09-30 23:01 UTC)