My email address was the target of a spam attack a few years ago.
Someone had gotten ahold of my credit card info and email address (hosted at Gmail) and tried to order a laptop from an Apple store a few states away. I got the email receipt, cancelled the order, and reported the fraudulent card use. I figured that’d be the end of it.
An hour or so after the laptop was supposed to be picked up, I got an email that said something along the lines of “you can’t even afford to buy me a laptop? how broke are you?” which like… That’s an odd way of looking at it.
About an hour after that, I started getting bombarded with spam. Job postings, “thanks for signing up for our newsletter” emails, seasonal specials for restaurants in Eastern Europe, Taiwanese toy wholesalers, you name it.
I was getting over 50 emails a minute for a while, and it was impacting my ability to log into and interact with my Gmail account.
I had used this email address for everything on the internet for over a decade. I really didn’t want to abandon it because some jerk was mad I wouldn’t let them use my credit card.
Short term fix
I needed to stem the flow, so I created a few rules:
- All of the mail that included a first name used “John”, so I created a rule to delete any email that had “John” AND did not have “Sean”.
- Delete any email that matched “enquiry”, “following item”, “request following”, “wordpress”, “newsletter”, “unsubscribe”
- I also directly blocked many FROM addresses that were egregious senders.
I later changed these rules to “Skip Inbox, Mark as read, Apply label ‘Probably Trash’, Never mark it as important” and spent hours unsubscribing from things.
Longer term fix
- I set up a catch-all address at a domain I hadn’t been using; email sent to any address at that domain ends up in the same mailbox.
- I know for sure these providers support this: Google GSuite, Protonmail, Fastmail, GoDaddy, and Namecheap. I’m sure many others do as well.
- Every time I have to create an account somewhere, it gets a unique email address; if I create an email address for OpenAI, I register with the email [email protected], LinkedIn is [email protected], etc.
- I was already doing this, but every account also gets a unique password.
- I claimed ownership of my domain with HaveIBeenPwned’s Domain Search. I now get alerted if any email at my domain shows up in a breach or a pastebin somewhere. This allows me to blackhole addresses that are likely to be abused, and because each vendor gets a different email, I never have to fear an attack like the one I had on my Gmail account.
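The alias bookkeeping from the list above, as an added example that is not the author's own setup: it records which alias went to which vendor, blackholes aliases named in a breach alert, and decides what the catch-all does with inbound mail. It assumes a hypothetical domain `example.com`, the vendor name as the alias local part, and an alert that arrives as a plain list of addresses; quarantining aliases that were never issued goes beyond what the post describes.

```python
DOMAIN = "example.com"  # hypothetical catch-all domain; all data below is constructed

class AliasBook:
    """Tracks which alias was issued to which vendor and which are blackholed."""

    def __init__(self, domain):
        self.domain = domain.lower()
        self.issued = {}         # local part -> vendor name
        self.blackholed = set()  # local parts no longer accepted

    def issue(self, vendor):
        """Register a per-vendor alias (assumed scheme: vendor name as local part)."""
        local = "".join(c for c in vendor.lower() if c.isalnum())
        self.issued[local] = vendor
        return f"{local}@{self.domain}"

    def _local(self, address):
        """Return the local part if the address is at our domain, else None."""
        local, _, domain = address.strip().lower().rpartition("@")
        return local if domain == self.domain and local else None

    def handle_breach_alert(self, breached_addresses):
        """Blackhole every issued alias named in an alert; return affected vendors."""
        affected = []
        for addr in breached_addresses:
            local = self._local(addr)
            if local in self.issued and local not in self.blackholed:
                self.blackholed.add(local)
                affected.append(self.issued[local])
        return sorted(affected)

    def route(self, recipient):
        """Decide what the catch-all mailbox does with mail for `recipient`."""
        local = self._local(recipient)
        if local is None:
            return "reject"       # not addressed to our domain
        if local in self.blackholed:
            return "drop"         # alias burned after a breach
        if local not in self.issued:
            return "quarantine"   # catch-all hit on an alias never handed out
        return "deliver"

def demo():
    book = AliasBook(DOMAIN)
    for vendor in ("OpenAI", "LinkedIn", "Corner Bakery"):
        book.issue(vendor)
    affected = book.handle_breach_alert(["LinkedIn@Example.com", "nobody@example.com"])
    return affected, [book.route(a) for a in
                      ("linkedin@example.com", "openai@example.com", "sales@example.com")]
```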
I wish more banks and credit card issuers supported single-use credit card numbers!