Tell HN: I'm getting spam on an email address only ever used to sign up to HN

53 points by mvdtnz 7 days ago

Basically thread title. This email address has only ever been used to sign up for HN. I have never posted the email address and never set it to public. What gives? I'll paste a copy of the relevant email headers and the text of the email below. The email is designed like a Docusign lookalike, including Docusign logos.

  Return-Path: <nola@teacheip.com>
  Received: from phl-compute-07.internal (phl-compute-07.phl.internal [10.202.2.47])
    by slotpi12n09 (Cyrus 3.13.0-alpha0-133-gac9c1746a-fm-20250121.002-gac9c1746) with LMTPA;
    Thu, 23 Jan 2025 13:09:47 -0500
  X-Cyrus-Session-Id: slotpi12n09-1737655787-719141-2-12600257906326982523
  X-Sieve: CMU Sieve 3.0
  X-Spam-known-sender: no
  X-Spam-sender-reputation: 500 (none)
  X-Spam-score: 50.0
  X-Spam-hits: DATE_IN_PAST_03_06 1.076, DCC_CHECK 1.1, DCC_REPUT_90_94 0.4,
    HTML_MESSAGE 0.001, ME_HAS_VSSU 0.001, ME_SC_NH -0.001,
    ME_SENDERREP_NEUTRAL 0.001, ME_VADEPHISHING_NB 2, MIME_HTML_ONLY 0.1,
    RCVD_IN_BL_SPAMCOP_NET 2, RCVD_IN_INVALUEMENT 2, RCVD_IN_INVALUEMENT24 2,
    RCVD_IN_MSPIKE_BL 0.001, RCVD_IN_MSPIKE_L5 0.001, RCVD_IN_SBL_CSS 3,
    RCVD_IN_VALIDITY_RPBL 1.284, RCVD_IN_ZEN_LASTEXTERNAL 8,
    SH_BODYURI_REVERSE_CSS 3, SH_DBL_HEADERS 8, SH_HELO_DBL 8,
    SPF_HELO_NONE 0.001, SPF_PASS -0.001, T_MXG_EMAIL_FRAG 0.01,
    URIBL_CSS_A 0.1, URIBL_DBL_MALWARE 8, LANGUAGES en, BAYES_USED none,
    SA_VERSION 4.0.0
  X-Spam-source: IP='194.169.172.227', Host='sheer.teacheip.com', Country='BG',
    FromHeader='com', MailFrom='com'
  X-Resolved-to: REDACTED
  X-Delivered-to: REDACTED
  X-Mail-from: nola@teacheip.com
  
Email contents:

  Your 2025 DashBoard Agreement
  REVIEW AND CONFIRM HERE
  Dear REDACTED
  Confirm your Webmail is still in use.
  
  Important update regarding our operating agreement:
  
  We have recently revised our agreement for all our customers to ensure clarity in our business relationship and remain aligned with industry standards.
  
  
  Please select the secure DocuSign link above to review, sign, and confirm that REDACTED is still in use. By doing so, all 2025 features will be updated on your Dashboard.
  
  
  Confirmation Deadline: January, 2025
  
  
  
  Do Not Share This Email
  This email contains a secure link to Docusign. Please do not share this email, link, or access code with others.
  
  Alternate Signing Method
  Visit Docusign.com, click 'Access Documents', and enter the security code:
  467278E6C1C24415AF996AD5A66927041
  
  About Docusign
  Sign documents electronically in just minutes. It's safe, secure, and legally binding. Whether you're in an office, at home, on-the-go -- or even across the globe -- Docusign provides a professional trusted solution for Digital Transaction Management™.
  
  Questions about the Document?
  If you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly.
  
  Stop receiving this email
  Report this email or read more about Declining to sign and Managing notifications.
  
  If you have trouble signing, visit "How to Sign a Document" on our Docusign Support Center, or browse our Docusign Community for more information.
  
  
  Download the Docusign App
  
  This message was sent to you by NBS Contracts who is using the Docusign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.
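
For triaging headers like the ones pasted above, this added example (not part of the original post) unfolds the `X-Spam-hits` and `X-Spam-source` headers and ranks the rules by how much each contributed to the score. It assumes the comma-separated `NAME score` layout seen in this message; the function names are illustrative.

```python
import re
from email import message_from_string
from email.policy import default

# Headers copied from the post above, unindented so they parse as RFC 5322.
RAW = """\
Return-Path: <nola@teacheip.com>
X-Spam-score: 50.0
X-Spam-hits: DATE_IN_PAST_03_06 1.076, DCC_CHECK 1.1, DCC_REPUT_90_94 0.4,
    HTML_MESSAGE 0.001, ME_HAS_VSSU 0.001, ME_SC_NH -0.001,
    ME_SENDERREP_NEUTRAL 0.001, ME_VADEPHISHING_NB 2, MIME_HTML_ONLY 0.1,
    RCVD_IN_BL_SPAMCOP_NET 2, RCVD_IN_INVALUEMENT 2, RCVD_IN_INVALUEMENT24 2,
    RCVD_IN_MSPIKE_BL 0.001, RCVD_IN_MSPIKE_L5 0.001, RCVD_IN_SBL_CSS 3,
    RCVD_IN_VALIDITY_RPBL 1.284, RCVD_IN_ZEN_LASTEXTERNAL 8,
    SH_BODYURI_REVERSE_CSS 3, SH_DBL_HEADERS 8, SH_HELO_DBL 8,
    SPF_HELO_NONE 0.001, SPF_PASS -0.001, T_MXG_EMAIL_FRAG 0.01,
    URIBL_CSS_A 0.1, URIBL_DBL_MALWARE 8, LANGUAGES en, BAYES_USED none,
    SA_VERSION 4.0.0
X-Spam-source: IP='194.169.172.227', Host='sheer.teacheip.com', Country='BG',
    FromHeader='com', MailFrom='com'
"""

def parse_hits(msg):
    """Split X-Spam-hits into scored rules and non-numeric metadata entries."""
    rules, meta = {}, {}
    for item in msg["X-Spam-hits"].split(","):
        name, _, value = item.strip().partition(" ")
        try:
            rules[name] = float(value)
        except ValueError:          # e.g. "LANGUAGES en", "SA_VERSION 4.0.0"
            meta[name] = value.strip()
    return rules, meta

def parse_source(msg):
    """Return the key='value' pairs of X-Spam-source as a dict."""
    return dict(re.findall(r"(\w+)='([^']*)'", msg["X-Spam-source"]))

def top_rules(rules, n=4):
    """Highest-scoring rules first; ties broken by rule name."""
    return sorted(rules.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

# policy=default unfolds the continuation lines before we split on commas.
MSG = message_from_string(RAW, policy=default)
RULES, META = parse_hits(MSG)
SOURCE = parse_source(MSG)

if __name__ == "__main__":
    print(f"sum of rule scores: {sum(RULES.values()):.3f}")
    print("connecting host:", SOURCE["Host"], SOURCE["IP"], SOURCE["Country"])
    for name, score in top_rules(RULES):
        print(f"{score:6.3f}  {name}")
```

For this message, four rules scored at 8 points each make up 32 of the roughly 50 points.
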

osamagirl69 7 days ago

I got the same e-mail sent to an address unique to HN. It is a custom domain with a catch-all enabled, the e-mail only came to the HN specific address.

edit: While the above statement is true, the e-mail was posted publicly on a 'who's hiring' thread so there is no mystery as to why it is receiving spam.

  • nkurz 7 days ago

    Questions for both you and OP:

    Have you ever sent any email using this as a return address?

    Have you ever received any non-spam HN mail at this address?

    If yes, it seems like it might have been grabbed from a server in the middle. If not, then it does sound like HN has to be the direct source.

    • osamagirl69 7 days ago

      After further review, the e-mail was posted on a 'who's hiring' page, so to be honest it's a miracle that this isn't receiving more spam!

      • mvdtnz 7 days ago

        Mine most certainly wasn't.

        • gus_massa 7 days ago
          • mvdtnz 6 days ago

            Yikes yeah that's the one. Did not remember posting that. Thanks for clearing it up, that has to be the culprit.

            • dang 6 days ago

              Btw, posts to "who is hiring" and related threads remain permanently deletable, so you should be able to delete that post if you want to.

            • anonfordays 6 days ago

              You can search for specific strings in comments as well as stories with the search bar on the bottom of the page. Plugging your email in shows where it was posted.

          • ericrallen 6 days ago

            Most of us think our operational security is way better than it actually is.

            Unfortunately the Internet does not forget.

            • tough 6 days ago

              but you can always ask dang to help you if you fucked up and find out something you need deleted here.

    • mvdtnz 7 days ago

      I can't remember if HN sends an activation link or anything on signup, but if so that would be the only thing ever sent to it.

tivert 7 days ago

Long ago, I had a 5 character username (first-name + last initial) on a decent sized ISP's email system.

Eventually it got a ton of spam, and it was pretty clear a lot of that was from brute forcing emails at the ISP.

> This email address has only ever been used to sign up for HN. I have never posted the email address and never set it to public.

Was it something simple and guessable, like hn@yourdomain.com? or ycombinator@yourdomain.com?

danirod 7 days ago

I have a wildcard email address in my own domain and I receive a lot of spam on addresses that I have never used such as info@ or news@.

Not trying to defend HN here, but if it's a custom domain and whatever comes before the @ is easy to construct, it may be automated spam. Nothing to lose for the spammer if it bounces back, but a partial success if the server accepts the message.

gus_massa 7 days ago

Very strange. You should try sending an email to dang: hn@ycombinator.com

Is it possible that the email provider leaked the whole list of emails?

  • mvdtnz 7 days ago

    It's an email provider that is well known among HN folks. If this happened we'll surely hear about it.

    • KomoD 7 days ago

      I'm guessing Fastmail since you've posted about them before and the format looks like their aliases

      • greyface- 7 days ago

        The hostname in the Received: header (phl-compute-07.internal) is consistent with Fastmail.

      • mvdtnz 7 days ago

        Correct. It's a Fastmail masked email address.

ceejayoz 7 days ago

People try to guess and/or brute force common addresses on my domains fairly regularly. Is this feasible for your private email? Something like me@example.com, or something more like pwq2324oeir2u435wperiouwepriowuepriowje@example.com?

  • mvdtnz 7 days ago

    The address is in the format "grand.headphone1234@host.com" (real word dot real word random four digits). The host is a well known paid email provider (not gmail or outlook or yahoo or any of the very common ones).

    • dnissley 7 days ago

      Are the words random too? Or do you have other email addresses used with other accounts with the same words but a different number?

      • mvdtnz 7 days ago

        The words are totally random. It's a Fastmail masked email address, so I didn't even select the words.

I_am_tiberius 7 days ago

Is the hackernews username equal to your email (the string in front of the @ sign)?

Or did you once accidentally try to log in somewhere else with your hackernews credentials?

  • mvdtnz 7 days ago

    No, and no. I always log in with Bitwarden and news.ycombinator.com is the only entry that uses this email address.

    • dzhiurgis 7 days ago

      Any other browser extensions?

      • mvdtnz 7 days ago

        Only uBlock Origin.

MattGaiser 7 days ago

Is the domain known to have emails or is it a common username? I admin a few different websites and set up Gmail to dump everything sent to the domain to a particular email. A ton of email is sent to addresses that do not exist.

  • mvdtnz 7 days ago

    The address is in the format "grand.headphone1234@host.com" (real word dot real word random four digits). The host is a well known paid email provider (not gmail or outlook or yahoo or any of the very common ones).

cluckindan 7 days ago

Do you think you could be a target for nation-state intelligence?

  • mvdtnz 7 days ago

    Absolutely not. I wish I was that interesting.

    • RandomBacon 6 days ago

      You don't have to be interesting for an adversary to be interested in using you as a stepping stone towards their purposes.

    • smegsicle 7 days ago

      not even as part of a background check on someone you know?

  • nejsjsjsbsb 6 days ago

    HN:

    Nation states, CIA or KGB?

    RSA/EC cracked. Quantum or math?

    Email leaked by fastmail.

    Brute force attacks.

    Reality:

    Forgotten post with email; Spammer scraping HN.

0x_rs 6 days ago

Fastmail recycles masked email addresses.

  • RandomBacon 6 days ago

    That seems like a very bad idea.

  • holigot 6 days ago

    As far as I know they don't. At least within my interface it is telling me so.