For an organisation that often does deeply intelligent things, they spend such a lot of time treating their users unnecessarily poorly because obvious implications seem not to occur to them.
I have a separate email I only use to get government and public services (gas, electricity) stuff and it still receives a few hundred spam emails a week. At this point I kinda feel whitelisting the mail I want to read is the only sane option, so getting hundreds or thousands of spam mail makes little difference, while managing a portfolio of addresses is a chore.
name+service@gmail.com or service@myowndomain.com
...to figure out where the spam originated?
Just be aware that this may be very confusing to customer support agents: https://news.ycombinator.com/item?id=32475178
I can't rely on iCloud Mail anymore due to its overly aggressive silent spam filtering. Not great if you're trying to log into an account, and you can't receive the recovery emails for that account.
FWIW, Firefox's Relay integrates into Bitwarden so you can generate emails on the fly when creating new accounts. Downside and upside is that I never know what my email address or password is.
The huge benefit is I can write down an email that'll work because I own @somedomain.mozmail.com and it'll always redirect. I do the same thing with cloudflare because I also own myrealname.com
But honestly I hate all this because the real problem is that email is a bottleneck and it is stickier than phone numbers. But my email is floating around on a bunch of lists because I've had it for years. Frankly, gmail is pretty bad about removing spam. There's a lot of spam I catch using simple filters from Thunderbird.
The extra benefit is that I'm planning on moving away from gmail and all these relays make it easier to redirect everything to a new location. So I still recommend it. You can shut down addresses that are being abused or shared more easily but that's hard to do with your long term email address.
Lost a decade and a half of correspondence dating back to my teenage years. I had imported my phone number I'd had since I was 16 into voice, and it doubled as my Signal number. I even had a Gsuite subscription so I could use their (admittedly decent) UI to power my firstname @ lastname dot com email address.
I will never use their services again, I was really disgusted by this failure.
As an example Anthropic and OpenAI don't let you change your email address.
1. You have to own that domain forever, or at least until you're 100% confident that an email intended for you will never be sent to that domain ever again. Even then, there are security risks with giving up the domain.
2. You give up some privacy. You can use mailbox aliases but it doesn't really matter if all the mailboxes are tied to a domain registered to your name and address.
Note that I'm not even talking about trying to send email FROM a self-hosted account, but trying to get someone else to send email TO such an account.
I use protonmail now -- I think the "free" model enables providers to shrug and go "hey you don't pay us" (if there is support at all -- I've never been able to speak to a human about this issue)
I also have paid services a lot of money where customer service was nonexistent until I did a credit card chargeback or raised an issue with government regulators.
I'm trying to figure out exactly what I want to push my state legislature to encode into law with regards to customer service minimums that would cover anyone doing business in the state, free or paid.
Isn’t this inherent to not choosing an (EDIT: external) account-recovery method?
The flip side to allowing account recovery at Google’s discretion is lessened security for everyone. (Obviously not black and white. And I agree Google should have flexibility for old accounts. But it’s an odd thing to reject a major provider over.)
So I can have email aliases under that domain, and even choose the alias for outgoing email.
However! This creates an extra security hole. Once I was SIM-swapped (when the attacker calls up a phone company and convinces them to redirect sms to their SIM). I had used it as a second factor at GoDaddy and had to act fast. GoDaddy had already allowed the attacker to authenticate with the sms (dumb!) and port the domain name. I realized what was happening only because the attacker sent “test” emails to my email at the domain. Had they not done that, I might have been none the wiser. I called GoDaddy and got them to cancel it, thankfully. Otherwise they’d have reset passwords armed with email AND phone number.
Since then I use the non-SMS SECOND FACTOR on most services, as NIST had been recommending for a decade now.
I personally recommend using a username+alias@gmail.com which gmail and others support, with a different but easy-to-remember alias per site, so social attackers can’t even correctly say your email to the dude on the phone.
Michael Terpin, a guy I know, got $27 million dollars in crypto stolen a decade ago by a SIM Swapper and sued AT&T for it. Not sure if he won… he moved to Puerto Rico to avoid taxes and brought Brock Pierce and other crypto bros with him LOL.
In my case, many years ago I changed my last name. (Turns out a lot of women also do this when they do things like... get married. But also for a progressive company everyone's purchases being permanently locked to their deadname seems... bad.) But all of my Android apps, my entire digital life at the time, was permanently locked to my old name. I had another account I created as a mail forwarder but if people sent an invite to it for a Google thing it wouldn't connect to my real account, and obviously there was an added security risk of someone stealing my forwarding account.
I remember talking to Yonatan Zunger about this problem during the Google+ era and it seemed that renaming an account wasn't something the company was capable of.
I’ve received some sensitive/PII content over the years.
I’ve wondered if this person has access to any of my information?
Not necessarily related to this post, but wonder why and how this could happen.
No. They have just told someone your email address and that someone has sent you stuff. Anyone can do that, if they dream up your email address. People having the same name are a lot more likely too.
More likely their email address is firstlastnumber@gmail.com or firstlast@otherprovider.com though, in which cases the types of mistakes people make are likely asymmetric.
Yes, and you've received email that was addressed like that ... so what's your issue?
> I’ve wondered if this person has access to any of my information?
Yes, because "this person" is you.
nytesky•2h ago
I could have moved my Google Voice number, but it seems like a convoluted process and I have had my number since about the Grand Central acquisition.
jonway•1h ago