Ask HN: Fake email using my domain

1 points by code_Whisperer 2 years ago | 5 comments

Weird. Someone has created an account with one of the major money-sending apps using a fake email on a domain name I own. I can see this because I receive the emails sent by the app vendor via the domain's catchall account. So whenever this person tries to login or change their password, I see the confirmation emails sent by the app vendor.

To be fair, it could have been an innocent mistake on the part of the person who signed up... maybe they meant to type .net instead of .com or something like that.

I contacted the vendor to tell them that the account is not authorized or known on my domain, and asked them to cancel, but they will not unless I send them an email using the 'from' address of the unauthorized account.

So, questions:

1) Is this a common thing? And if this is potentially illicit activity, what is this person thinking or hoping they'll be able to commit?

2) Even though I'd be using my own domain, should I intentionally impersonate someone who may (or may not) be attempting inappropriate activity in order to get the account removed? Wouldn't that - on its own - be a potentially dangerous or illegal act?

{sigh} modern problems.

bell-cot 2 years ago |

This kinda stuff is why I don't like catchall email accounts.

IANAL...but there can be some legal exposure here, too. Mr. Bad Actor is up to shady sh*t, using a fake bactor@YourDomain.com account as part of that, and some less-than-friendly Feds (or lawyer for a victim, or ...) could be knocking on your door.

Yes, fake-account and typo'ed -address email can be kinda entertaining to read. But better to lose no time, need no lawyer, set things to auto-bounce with a "No Such Account" error, and keep email logs for ~3 months or so - to play the random clueless honest bystander part.

mtmail 2 years ago |

If it's only "please confirm your account" and password reset emails then the user probably just mistyped the email address.

If their username is go-to-ydotcom-for-free-cash then it might be spam. It doesn't seem very effective but I know a company where a spammer created 10.000 accounts overnight to be sent to random people.

rini17 2 years ago |

Were they able to verify the fake email address somehow? If not they can't actually use the account and you can safely ignore it.

code_Whisperer 2 years ago | |

Thank you for your response. I don't see how they would have been able to, but the first email I received from the app vendor was a quarterly statement notification, and includes the person's screen name on the app. I checked all of the email headers and they seem legit (match emails I receive for my own account from the app vendor)

mtmail 2 years ago | | |

Maybe user had an account and was able to change their email address? Vendor should've reconfirmed they're in control of the new email address.