Part One:
At first, the email subject line was only mildly alarming: It said, “Security alert for your linked Google account.” That usually signals some minor event, such as a new login from an unrecognized device.
But this was different: The body of the email began,
“Your Google Account has been deleted due to Terms of Service violations…”
What!?!
I felt a flash of panic: The notice had arrived at my primary business email inbox. If my primary account was being deleted for some reason, I was in deep trouble — I’d lose my mail, calendar, my Drive files, access to a couple of Google-hosted domains and websites, and more. Yikes!
I took a closer look:
Waitaminit! I didn’t recognize the name on the offending Gmail account that was actually being terminated (I’ve blurred it here, for privacy). Why was I getting the takedown message for a total stranger? Why had that person given Langa.Com for their account-recovery address? (I’m the only one at Langa.Com.)
Normally, I would have shrugged it off. But that account-termination notice turned out to be just the leading edge of a flood of similar emails that I began receiving, including thousands of emails that contain some truly personal and private information.
I’m not talking about spam. This was real, honest-to-god email.
Among the errant personal emails I’ve gotten, many include bank account information; loan approvals and rejections; credit card bills and receipts; job and school applications; scholarship info; copies of passports; tax forms; hotel, restaurant, and airplane reservation confirmation and changes; reports from track-your-spouse spyware apps; and security alerts and password-change emails from every major online service and business, including Google, Microsoft, Amazon, Apple, and a ton of others.
On the corporate side, I’ve gotten private business email containing construction proposals and detailed plans and blueprints for large municipal projects (shopping centers, highway bridges and interchanges, river rerouting plans…); a quarter-million dollar invoice (with account numbers attached) for the final payment on a million-dollar engineering contract; proofs of insurance (also with account numbers); proofs of bonding and security clearances for government contracts; and lots more.
I get agendas and meeting details for businesses I’ve never heard of; internal emails regarding various corporate projects, policies, payments, and people. In one case, a professional organization in Pennsylvania — one I’ve never belonged to — sent me a spreadsheet containing the names, titles, and the physical and email addresses of all their members.
Again, none of this is spam: These are real emails from and to real people, all over the world — emails that in many cases the recipients were expecting, or that contain information they’d want!
A few examples:
Here’s just one page from a series of fully-detailed blueprints for a formal proposal for highway bridge construction in Spain. (I’ve made it small and blurry to protect the information it contains; the original was full-sized and fully legible):
Here’s a South African passport that some guy scanned and attached to a job application email; I further blurred it to protect him, but the copy I got was fully legible, with his ID number and all.
This next email (below) was for a covert phone-tracking app that someone — obakeng@langa.com, a person wholly unknown to me — is using to spy on a spouse, child, employee, or some such.
This next guy, from Florida, was trying to set up a business meeting over lunch; I not only got his email on corporate letterhead (I’ve stripped it away, below, so as not to embarrass him), but I also got his whole mailing list, because he CC’d everyone, instead of BCCing:
This month’s “second Thursday” lunch is this Thursday at noon. Unless anyone has any preferences, I was thinking that we could go to Foxy Brown’s on Broward Blvd. Please let me know if you would like to attend and I will make reservations for noon. Thanks, Dave
Speaking of restaurants, here’s a reservation confirmation from a somewhat snooty-sounding place in London, England; the reservation reminds you how long you may stay at your table, what to wear, and not to bring kids after 7pm.
I get lots of receipts for transactions on accounts that aren’t mine, like this banking confirmation:
If I had a larcenous bent, emails like those would be golden: a running start for easy social engineering and identity theft.
In addition to the more-serious emails, I also get a million minor activity notices from Facebook, Twitter, Instagram and others; all to and about people I don’t know, like this:
In all, I’m talking thousands and thousands of emails; some pure junk (like the Instagram thing) but many others containing sensitive, personal, or valuable information.
I didn’t ask for any of it, and I didn’t do anything wrong to cause this flood of information to come my way.
I think I’ve finally figured out why I’m getting this unwanted private email, but I still have no good way to stop it.
Yes, at first, I tried to contact the senders and intended recipients of any important-seeming emails that ended up in my Langa.Com mail. But that proved impractical because there really are thousands of these, and it started taking up way too much time to sort through them, to select what seemed important, and to try to contact the parties involved.
Besides, I didn’t cause this problem; it’s not my responsibility to correct email problems caused by others.
That’s true even when the email arrives with one of those scary-sounding (but meaningless) warnings, along the lines of “This email message contains information that may be confidential, proprietary, privileged or constitute non-public information. Use, dissemination, distribution, or reproduction of this message by unintended recipients is prohibited.”
Baloney! A sender can’t tell me (or anyone) what to do with an email he or she sends to me, unsolicited and through no fault of mine. If someone sends me unsolicited email, then any consequences are entirely on them!
That said, I’m not trying to be a dick about it: I did try to contact errant senders; but there are just too many to handle. Now, I just delete ’em.
But that’s a painfully manual process. Filtering or blocking does little good because most of these emails are one-offs; they have to be handled one by one. And I can’t block the ones that come from popular domains that I myself also use — Google.com, Microsoft.com, Facebook.com, etc. — as I get real emails, actually meant for me, from them.
But again, I think I finally have a handle on why this is happening. In Part Two of this article, coming up shortly, I’ll explain what’s going on; what I’ve done to try to clean up the ongoing mess; and what you can do to prevent it from happening to you!
But before I finish today, here are just a few more examples:
I get a steady stream of Amazon receipts; here’s a relatively harmless one:
This next one is from some lost soul changing his Microsoft Account from one unauthorized Langa.Com address to a different, but still unauthorized, Langa.Com account; in Portuguese (I clicked the translate button):
Blackberry is still active in some parts of the world, and I get some account creation notices:
I also get the output from job-search services, all over. Here’s one from South Africa:
… on and on and on…
Click for Part Two.
Sounds like you have your domain email set to receive anything rather than just specific accounts. If you set up the latter as named or virtual accounts, all that junk would bounce. But I am looking forward to the rest of your story, Fred.
Yes, you’re right, David; and I do have separate personal, contact/query, and webmaster addresses; the latter is the catch-all account that collects most of the weird mail.
But when the mail flood was at its worst, I couldn’t safely use the option of simply discarding any mail not sent to one of my specific addresses.
The current Langa.Com site is on its third host and second domain registrar in less than 12 months. Changing webhosts and registrars created a long tail of mis-addressed email that bounced and forwarded its way to me, from site to site, with just enough legitimate email mixed in with the dreck that I couldn’t safely ignore it all. Sigh.
But last year’s host/registrar misadventures are gone. The site seems stable now; legit mail from the previous hosts and registrars has mostly run to completion; and the various sorting/filters/blocks I’m using have been in place long enough to have reduced the bogus emails to a handful a day.
For example, just this morning (2018/10/12) I received a payment confirmation from a bank in Durban, South Africa; an invitation to a gala dinner in Kuala Lumpur given by the Malaysian AIDS Foundation; and a letter from an online Chinese pharmacy, in Chinese, which (via Google Translate) appears to be along the lines of “We got your query and will reply shortly.”
But that’s just three bogus emails so far today — a trickle, not a flood.
While it still can be annoying, it’s at least partially offset by the minor amusement of peeking into other people’s lives and projects, all over the world. 🙂
Thanks for writing!
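The comment exchange above contrasts named mailboxes with a catch-all, and the article notes that blocking by sender domain fails because the same senders also write to the real owner. The sketch below is an added example, not code from the post or its author: it triages catch-all mail by the address it was originally sent to and quarantines unknown recipients instead of bouncing them. The domain `example.com`, the mailbox names, the `+tag` handling and the sample messages are assumptions, and it assumes the mail server records the original envelope recipient in an `X-Original-To` header (as Postfix does).

```python
from email import message_from_string
from email.utils import getaddresses

DOMAIN = "example.com"                    # stand-in for the site's own domain
NAMED = {"fred", "contact", "webmaster"}  # hypothetical named mailboxes

def original_recipients(raw, domain=DOMAIN):
    """Local parts at `domain` that the message was originally addressed to."""
    msg = message_from_string(raw)
    # Delivered-To names the catch-all mailbox itself, so it cannot tell us
    # who the sender meant. Prefer X-Original-To; fall back to To/Cc.
    headers = msg.get_all("X-Original-To") or (
        msg.get_all("To", []) + msg.get_all("Cc", []))
    found = set()
    for _name, addr in getaddresses(headers):
        local, _, dom = addr.rpartition("@")
        if local and dom.lower() == domain:
            # Assumption: the host treats user+tag as the same mailbox as user.
            found.add(local.lower().split("+", 1)[0])
    return found

def triage(raw, named=NAMED):
    """Return 'deliver', 'quarantine' or 'review' for one raw message."""
    rcpts = original_recipients(raw)
    if not rcpts:
        return "review"      # Bcc or forwarded: no address at our domain visible
    if rcpts & named:
        return "deliver"     # addressed to a mailbox that really exists
    return "quarantine"      # only unknown local parts: held, not bounced

# Constructed sample messages. The first two share a sender, so a
# sender-domain rule could not tell them apart.
ALERT_MINE = ("From: no-reply@google.com\nTo: fred@example.com\n"
              "Subject: Security alert\n\nbody\n")
ALERT_STRANGER = ("X-Original-To: stranger@example.com\n"
                  "Delivered-To: webmaster@example.com\n"
                  "From: no-reply@google.com\nTo: stranger@example.com\n"
                  "Subject: Security alert\n\nbody\n")
BCC_ONLY = ("From: dave@elsewhere.example\nTo: list@elsewhere.example\n"
            "Subject: Lunch\n\nbody\n")
MIXED = ("From: someone@elsewhere.example\n"
         "To: Contact <CONTACT+web@Example.com>, other@example.com\n"
         "Subject: Query\n\nbody\n")

if __name__ == "__main__":
    for label, raw in [("mine", ALERT_MINE), ("stranger", ALERT_STRANGER),
                       ("bcc", BCC_ONLY), ("mixed", MIXED)]:
        print(label, triage(raw))
```

Quarantining rather than rejecting matches the situation described in the reply, where some legitimate mail was still mixed in with the misaddressed messages.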