For an organisation that often does deeply intelligent things, they spend such a lot of time treating their users unnecessarily poorly because obvious implications seem not to occur to them.
I have a separate email I only use to get government and public services (gas, electricity) stuff and it still receives a few hundreds of spam a week. At this point I kinda feel whitelisting the mail I want to read is the only sane option, so getting hundreds or thousands of spam mail makes little difference, while managing a portofolio of addresses is a chore.
name+service@gmail.com or service@myowndomain.com
...to figure out where the spam originated?
On Gmail foo+bar@gmail.com is an “alias” for foo@gmail.com. So if you give someone foo+randomstring@gmail.com hoping that will help you map random string to that particular sender, you’re fucked - because anyone who sees foo+randomstring@gmail.com knows it’s an alias for foo@gmail.com, they can just email that directly and bypass your cleverness.
If you’re using a sane alias provider like you described, then it’s likely not an issue.
Just be aware that this may be very confusing to customer support agents: https://news.ycombinator.com/item?id=32475178
I’ve had way more problems from systems that think TLDs are two or three characters (which has never been true).
I can't rely on iCloud Mail anymore due to its overly aggressive silent spam filtering. Not great if you're trying to log into an account, and you can't receive the recovery emails for that account.
FWIW, Firefox's Relay integrates into Bitwarden so you can generate emails on the fly when creating new accounts. Downside and upside is that I never know what my email address or password is.
The huge benefit is I can write down an email that'll work because I own @somedomain.mozmail.com and it'll always redirect. I do the same thing with cloudflare because I also own myrealname.com
But honestly I hate all this because the real problem is that email is a bottleneck and it is stickier than phone numbers. But my email is floating around on a bunch of lists because I've had it for years. Frankly, gmail is pretty bad about removing spam. There's a lot of spam I catch using simple filters from Thunderbird.
The extra benefit is that I'm planning on moving away from gmail and all these relays make it easier to redirect everything to a new location. So I still recommend it. You can shutdown addresses that are being abused or shared more easily but that's hard to do with your long term email address.
Usually by that point you catch them, but your recruiter screen might not etc. So now all the main HR tools are using “age of email” as one possible signal to detect fraud.
I’m sure you’re fine if your email is real (in my experience they all resolve to Onvoy LLC instead of a real cell provider), but just something to watch out for. Wouldn’t want to get overlooked because your email is brand new.
(If you’re curious about motive as I was, since of course it’ll be obvious when you start—in a lot of cases it’s that procuring an offer letter helps you obtain a visa.)
> I’m sure you’re fine if your email is real (in my experience they all resolve to Onvoy LLC instead of a real cell provider),
Email is expected to be resolving to "a real cell provider"? Wut?
There are services that let you do that. Imperfect ofc as they rely on data brokers like you said. You can thank all the spammers and carders for that
(It’s too late to amend my comment)
Lost a decade and a half of correspondence dating back to my teenage years. I had imported my phone number I'd had since I was 16 into voice, and it doubled as my Signal number. I even had a Gsuite subscription so I could use their (admittedly decently) UI to power my firstname @ lastname dot com email address.
I will never use their services again, I was really digusted by this failure.
As an example Anthropic and OpenAI don't let you change your email address.
1. You have to own that domain forever, until or at least until you're 100% confident that an email intended for you will never be sent to that domain ever again. Even then, there are security risks with giving up the domain.
2. You give up some privacy. You can use mailbox aliases but it doesn't really matter if all the mailboxes are tied to a domain registered to your name and address.
This issue goes far beyond email alone. The ICANN domain system effectively rents a string out to you on a temporarily basis and mandates that an Impressum be attached to it. It's a deeply flawed scheme when viewed from the context of both historical hacker culture as well as the fundamental values of a free and open society.
2. Whois privacy solves this. Free from any decent registrar.
Note that I'm not even talking about trying to send email FROM a self-hosted account, but trying to get someone else to send email TO such an account.
Maybe we should just panic less.
I use protonmail now -- I think the "free" model enables providers to shrug and go "hey you don't pay us" (if there is support at all -- I've never been able to speak to a human about this issue)
I also have paid services a lot of money where customer service was nonexistent until I did a credit card chargeback or raised an issue with government regulators.
I'm trying to figure out exactly what I want to push my state legislature to encode into law with regards to customer service minimums that would cover anyone doing business in the state, free or paid.
And as you correctly note, there I'd no "user service" department.
You can of course push for any law you like, but I expect laws protecting "users" to be toothless. Basically the TOS will boil down to "we can do anything we like" - which I guess is more or less what they say now.
I find it helpful to think of users as distinct from customers because it let's you understand the provider company motivations.
For example, Google's customer's are advertisers. Hence they cull services not conducive to advertising.
Most startups see VCs as the customer. Their business model is to sell shares to VCs in round after round. Seen in that light their attitude to users is rational and users only exist as props to VC sales.
VCs (and founders) are chasing an exit, which is usually acquisition or aquihire. Your use of the service will thus rarely survive the exit.
These are not things to be outraged about. They are all completely rational and predictable outcomes. When you use a service, these are factors you should evaluate.
I agree, but what do you do when a large player like Google kills the competition by making their service available for free? I used to pay for email hosting with good customer support. That company went out of business when free GMail wrecked their business model. I moved to another hosting service, which almost immediately went out of business for the same reason.
Something similar happened with YouTube. It's chock full of ads and/or subscriptions now because they subsidized it long enough to ensure competitors couldn't gain a foothold.
Obviously the short answer, for you personally, is "nothing". You cannot affect either the closing business or Google.
The somewhat longer answer is that there are certainly other mail services that currently exist. So there are still options. And yes, those services will need to differentiate their offering.
[Some will no doubt mention the option to self-host. I did that myself for about 15 years. It's a lot of extra work to do that though.]
Obviously some services (like YouTube) are double-sided. Consumers go there because producers are there and vice versa. But, as you point out, even there you have choices - free with ads, or subscription. (Not that you'll get any "customer support" from Google.)
your paid email address would now always end up in people's spam folder by default, because the big 2 don't trust any email not originating from the big 2
Isn’t this inherent to not choosing an (EDIT: external) account-recovery method?
The flip side to allowing account recovery at Google’s discretion is lessened security for everyone. (Obviously not black and white. And I agree Google should have flexibility for old accounts. But it’s an odd thing to reject a major provider over.)
Another phone humber only works if you didn't lose that phone.
AFAIK once 2FA is up, you can remove your phone number from GMail.
I know it takes time to set up a recovery account (in case the account is inactive for x months), to remove a phone number, etc. but if one's GMail is important it could be worth doing both now if it hasn't already been done.
The point is (it's not my account) that unless you religiously update the phone number in all your accounts you will at some point lose access to some of them despite being able to prove with all the other details it's you who created and used them.
Just because.
Because phone number is a very valuable identifier for the ad company.
It's a deliberate misnoner.
When you set up TOTP on a new account, copy the TOTP seed to paper then and there, resist the "I'll do this later".
Corollary (likely unpopular I'd hazard) - hardware token implementations that I can't back up to paper don't exist as far as I'm concerned.
Even Facebook supports totp it's just well hidden.
Without such measure anyone with your password could "reset" your 2FA.
The solution to "I may lose my 2FA" is not to make GMail a 1FA: it is to configure beforehand your GMail so that if your account is inactive for 6 months, access to your account is given to a person of your choice. It's so that a death spouse (for example) can eventually access the account.
Never ever rely on Gmail.
If it’s a PAYG sim card then you’re out of luck without the PUK code, which, if you’ve lost the sim then you have most assuredly lost (or never had).
PAYG is a lot more common in parts of western Europe than contracts.
People associate contracts with “overly expensive” phone deals.
Its a much more losable bit of plastic, and without it (or a contract) why would an operator give you the PUK code for a number they can’t prove you used to have access to? It would be impossible to tell if you are trying to steal someones number.
The grandparent does not have his sim card.
which is not necessary for transferring your number to a new SIM. when you lose your phone here, you don't lose your number.
I had the same problem with GitHub's backup codes not working: https://news.ycombinator.com/item?id=35735996
Logging in doesn't solve your problem. It gets way worse after you log in [0]. At least now you still have hope.
Was there ever really an agreement that they'd be storing your cherished memories for decades? I still treat email the same way I've done since the 90s. Your email provider is just a cache but you download and backup the messages yourself.
Hopefully this has been a wake up call for you. If you care about data then you need a copy that you control and have a good backup plan.
Story is I started a new job. I tried to add a corporate address for a corporate card to Google Wallet. This tripped some security indicator requiring me to upload government-issued ID. I did so twice without it working despite first/last/address match. I have tried also submitting an employment verification letter with the corporate address. Haven't heard back on the last attempt.
I have also written but I have low hope that'll work. (Update: Nope, "Billing and Collections" isn't "Payments" but at least they wrote back).
Because of the incomplete verification, all Google service payments are rejected right now. I am presently frantically emptying my Google One storage to get back under the free tier before my paid One subscription runs out. Literally, because I cannot submit a $2 payment I am right now removing attachments from 20 years of correspondence.
This stinks. I just need a human to review what I submitted given the above context. There should be some middle ground between rejecting a new credit card address and de facto locking down someone's entire collection of Google services via manufacturing an inability to pay.
I use Thunderbird on my laptop precisely so that I have a copy of all my email. I can consult it while offline, I can switch providers, change my mail address, without losing anything and without having to rearrange anything.
So I can have email aliases under that domain, and even choose the alias for outgoing email.
However! This creates an extra security hole. Once I was SIM-swapped (when the attacker calls up a phone company and convinces them to redirect sms to their SIM). I had used it as a second factor at GoDaddy and had to act fast. GoDaddy had already allowed the attacker to authenticate with the sms (dumb!) and port the domain name. I realized what was happening only because the attacker sent “test” emails to my email at the domain. Had they not done that, I might have been none the wiser. I called GoDaddy and got them to cancel it, thankfully. Otherwise they’d have reset passwords armed with email AND phone number.
Since then I use the non-SMS SECOND FACTOR on most services, as NIST had been recommending for a decade now.
I personally recommend using a username+alias@gmail.com which gmail and others support, with a different but easy-to-remember alias per site, so social attackers can’t even correctly say your email to the dude on the phone.
Michael Terpin, a guy I know, got $27 million dollars in crypto stolen a decade ago by a SIM Swapper and sued AT&T for it. Not sure if he won… he moved to Puerto Rico to avoid taxes and brought Brock Pierce and other crypto bros with him LOL.
In my case, many years ago I changed my last name. (Turns out a lot of women also do this when they do things like... get married. But also for a progressive company everyone's purchases being permanently locked to their deadname seems... bad.) But all of my Android apps, my entire digital life at the time, was permanently locked to my old name. I had another account I created as a mail forwarder but if people sent an invite to it for a Google thing it wouldn't connect to my real account, and obviously there was an added security risk of someone stealing my forwarding account.
I remember talking to Yonatan Zunger about this problem during the Google+ era and it seemed to be renaming an account wasn't something the company was capable of.
Not true at all. You can trivially have two family names in a full legal name. In fact many cultures do exactly that to this day.
Also worth noting that the male's name being preferentially propagated makes a lot of sense in a society where the best off frequently inherited their vocation from their fathers.
Keyword being "practically". Just because there is an alternative doesn't mean society will adjust.
And hyphenation isn't a solution, it only works for one generation.
"It isn't practical to do" and "society at large didn't go this direction" are very different statements.
Hyphenation is two names in a trench coat. Maintaining two names indefinitely works just fine as long as you discard rather than endlessly compound. Presumably the only requirement is that it be straightforward to trace any given lineage.
The traditional approach is for women to keep their maternal name and discard their paternal name on marriage while men do the opposite. But of course any scheme could work, up to and including each person arbitrarily choosing which name to discard (not sure how they decide on ordering in that case).
Another historical approach is the Foo Barson, Baz Fooson (Barson) approach. That scheme treats the male and female lines as being entirely separate so it doesn't quite match what you're after but it was quite practical.
Discarding names doesn't preserve lineage. If you need a book to trace the names, then the point of using a name for lineage has failed.
> The traditional approach is for women to keep their maternal name and discard their paternal name on marriage while men do the opposite
It sounds like this scheme is "men keep one name lineage, women keep another".
Which, IMO, has the practical drawback of not identifying the current family unit. Lineage was important, but so was gathering all folks together into a household. When taxes, religious ceremony, etc. occurred, there was one household name on the roster responsible. This was particularly important in societies where men held certain rights for the household.
In the country where he lives (Belgium), the parents get to decide which family name the kids get.
let motherLastName = "Carter Hughes"
let fatherLastName = "Miller Thompson"
let childLastName = "Miller Carter"
let childFullName = "Jean Paul Miller Carter"
You might ask, —“Why does the father’s last name go first and the mother’s second?”— That’s an old tradition, and it can change whenever enough people in our society agree. As it stands, the father’s family name tends to persist down the family tree, while the mother’s family name often disappears in each generation.
Or so that is how it works in many countries around the world.
The names of their grandmothers get dropped.
Only a partial improvement over just dropping the mother's name.
I don't think Belgium's feelings will get hurt, besides wait until you learn about all the other things that Leopold II did.
You can do hyphenated last names for a kid and let the kids decide what names they want to carry forward for the next generation. Or they can make up their own. The point is it’s up to them and they can choose whatever they want and not be coerced to do something because of some tradition that is rooted in sexism.
AND: Hope gmail will rollout this feature asap, so I can FINALLY adjust my email address too.
There have been matriarchal societies in history, but they all ceased to exist. Make of that what you will.
Honestly the one who is at fault here is Google. If first.last and firstlast are treated as aliases, they straight up should not allow people to create them once the first exists, rather than just send emails to someone else. I've tried to respect my Australian brother's privacy (like not reading his therapist's emails and such), but not everyone is gonna do that.
I remember a decade+ ago when this was discovered as some issue and caused a bunch of drama in the blogosphere.
The dots are ignored.
I had to give up using the address.
I used to also think that Google were screwing up by allowing a 'clash' of firstname.surname and firstnamesurname, and maybe they did a bit in the 2004-2009 period, but with lots of testing over the years (sending test emails to both), I'm confident now it's 'just' other people's emails getting 'simplified' too much when being told, and it ends up being sent to me.
I do however think Google shouldn't have allowed that alias situation to arise.
I also think (based on the fact that my 'un-dotted' email alias has been successfully used to sign up for various services for the other people) that many online services just have very poor sign-up validations of emails.
I’ve received some sensitive/PII content over the years.
I’ve wondered if this person has access to any of my information?
Not necessarily related to this post, but wonder why and how this could happen.
No. They have just told someone your email address and that someone has sent you stuff. Anyone can do that, if they dream up your email address. People having the same name are a lot more likely to do that.
Happened to me as well. I was the first one of the 50 people or so carrying my name to register "first[.]last@gmail.com" back in 2004. At least two of my namesakes have since mistakenly used my email address. Some people just aren't very detail-oriented.
More likely their email address is firstlastnumber@gmail.com or firstlast@otherprovider.com though, in which cases the types of mistakes people make are likely asymmetric.
I have a first.lastname@gmail.com, and my namesake has firstmlastname@gmail.com (with middle initial, and I think they originally created the GMail username without periods).
So, I sometimes receive emails intended for him, by people who saw firstmlastname and think it's firstlastname.
Maybe around a hundred emails so far, over the years.
I've gotten good at telling at a glance that an email is for him, without reading it, and forwarding and deleting.
Fortunately, my namesake is a very accomplished good-guy, so I'm happy to help.
Yes, and you've received email that was addressed like that ... so what's your issue?
> I’ve wondered if this person has access to any of my information?
Yes, because "this person" is you.
I expect that someone else with the same name as you occasionally (or all the time) forgets that their actual email address is flast@gmail.com or lastfirst@gmail.com or some other similar combo, and enters your email into signup forms. Or has friends who guessed their email address and got it wrong. Or something.
That other person doesn't have access to your information.
The results are more boring than you think. Almost no one leaks my address. A couple have been hacked, but almost all of those are widely known. (I did discover one early and help Troy Hunt validate a leak.) At least one Kickstarter campaign has shared my address, as has a local business. But that seems to be the extent of it.
I still do it, because I did manage to catch those things, and because it reduces cross-site correlation. But yeah, there's less skeevy behavior than you might think.
I hate that 90% of the effort on the internet is about stealing information from users and serving invasive ads.
> After changing, Google details that your original email address will still receive emails at the same inbox as your new one and work for sign-in, and that none of your account access will change.
I feel seen in threads like this one.
My … favorite tclancy is the one in Australia because I can sense the change in seasons when he gets to rutting and signs up for a rather specific sort of adult dating site each year.
And gmail.com isn't "running low" on addresses, I don't even know what that means. Whatever TLD you'd prefer, just append it to your username instead. Exact same amount of uniqueness.
Wonder if this will be used for that at some point
Although I primarily use a Gmail for my personal email, I still have a Hotmail address from the 90s.
For at least 10 years now Outlook.com and Microsoft accounts have supported multiple aliases.
This has allowed me to keep my old cringey box name at Hotmail address, but also have a name.surname@outlook.com on the same account, which looks nicer for Microsoft services I use, like Windows login with OneDrive.
you could be first_last@yahoo.com but also have rando_waldo@yahoo.com or ymail.com receive emails in same mailbox. And you could choose the "From" address form a drop-down when sending outbound emails or replies.
nytesky•1mo ago
i could gave moved my google voice number, but it seems like a convoluted process and have had my number since about Grand Central acquisition.
jonway•1mo ago