This has happened to me for years
But with Amazon. Sometimes I cancel her parcels.
A developer has discovered that Gmail's email handling creates a handy phishing vector to attack Netflix customers. The problem is that Netflix, like most systems, recognises dots in e-mail handles (so richardchirgwin and richard.chirgwin are different accounts) – but Gmail does not. Over the weekend, developer James Fisher …
Yeah, I have a guy with the same name in Ireland who's somehow convinced that he has a variation of my email address.
One year I managed to get a postal address off a plane ticket he bought and sent him a letter. He was very good for a while, and wrote a nice letter back and closed a bunch of accounts (including PayPal - I could have been very naughty and "confirmed" his account and then waited for him to add a credit card, but I'm far too honest). But then either he or another person in Ireland with the same name started doing it again about six months later.
I now just put them in spam folders. Fact is, it's more tricky to convince me anyway as I have a domain that forwards to various things (one destination is a GMail that I can access on the go), but for which I use unique prefixes for each service. It's quite obvious and takes seconds to know if an email was sent to the actual prefix I signed up with, to some made-up prefix at my domain, or direct to the GMail account. Pretty much anything direct to the account is spam (I've never advertised that address whatsoever).
I always wondered what the point of the dot-address stuff was on GMail as I could only think of ways for it to go wrong. On a side-note, does anyone remember the Apache mod_spell module, that would try to correct mis-spelled page names? That always seemed the same to me... surely it just lets a ton of mis-spelled links propagate all over the web rather than actually fix the problem.
I use the dot in my Gmail address. Say I'm signing up to a website, I might use j.oebloggs@gmail instead of joebloggs. If that website passes on my address and results in spoof mail, I can more easily block it. It's handy because not every site accepts a plus sign in the email field, so I can't always use joebloggs+netflicks@gmail.com
he has a variation of my email address
This is one of the positive benefits of owning my own domain and running my own server - I control absolutely who gets an email address and what format it is.
Of course there is a downside - having a catchall address also means what little spam gets through my firewall ends up in my address (which can also be useful - I can use variants of my email address for specific vendors so I'll know who has been abusing my emails..).
I have to say that operating a catchall address in this day and age is really a liability and not an asset. Unless of course you're the maintainer of some RBL.
If you want to know who's trying to spam you, you simply look at the mail log and the rejected messages.
If you're using it as a honeypot to construct some kind of home-baked RBL, then just subscribe to Spamhaus Zen. Their database is orders of magnitude bigger than anything a little home domain will encounter... and is therefore much more useful if some exploit is in the wild. It's free for a host processing less than 100,000 SMTP connections per day. I used it for my medium-sized organisation (5000 mailboxes) until they made us get crappy Ironport. Like any RBL, the rejected connections are clearly logged in the mail log.
If you're operating a catch-all to capture misspellings of your email address(es), simply set up a catch-all that's aliased only with the likely misspellings.
Google (as well as the infamous mod_spell) ignores two basic rules of good software development:
1. Never fix user input!
2. If the customer insists on breaking the first rule, then let the software inform the user about the fix and let the user confirm the fix!
Fixing user input silently is very wrong. There are so many reasons for wrong user input: typos, wrong information, fraud etc. If software fixes it without informing the user, the user has no chance to find out that something is wrong.
I don't use Gmail, so I was quite surprised that they do such a stupid thing. I thought in 2018 every software engineer should have learned that at university...
BR
littlesmith
I'm in contact with around 3 or so namesakes I get email for, including one in my home town. I've had property rental statements, mortgage application details, house sale agreements, job contracts. I even got something rather important that I could have digitally signed for and caused all kinds of issues. Quite a lot of the time the companies they are using have assumed my namesakes have made a mistake in the email address they've given and corrected it to mine off their own back. I am however nice and let people know of their mistake. I even forward email on to one guy in the US; trouble is, when I used to send myself an email to remind myself of things (stopped doing that a long while ago), he was in my autocomplete and I sent him my private stuff a couple of times!
I've used the dot in my email address for services that point blank refuse to allow me to use my original email address as they have it on file but no password reset mechanism. I find it quite useful so I hope it's not retired.
> I've had property rental statements, mortgage application details
> house sale agreements, job contracts.
Same.
It turns out that a lot of people have a firstname.lastname that is the same as the single name on a gmail account I use - and it seems plenty of them are handing out the wrong address or friends and family are misremembering / guessing wrongly.
I was copied into one conversation involving organising, and paying for, tickets to a group trip to an event at the Sydney Opera House that in total gave me a perfect little identity theft kit overnight.
I've had very many opportunities to activate post-sale services for someone in California who bought a posh car. And for someone on the East Coast who bought a much less posh one.
There have been plenty of invites to things that sounded like a lot of fun but were happening on the wrong continent and more than a few pieces of very personal news.
It's not really much of an inconvenience for me but I suspect some of the intended recipients would really rather it didn't work the way it does.
Also, why haven't folks complained about ignoring the + you can put at the end of your gmail address?
So yournamehere+whatanumpty@gmail.com would work just as well as your.name.here@gmail.com
WHY OH WHY OH WHY do f**ktards like to moan about features that have been around since day 1 ???
Can't the commentards just keep them.selves to themselves.... ???
Sure, this is something to be aware of, but hey - don't go blaming google because you are a numpty that doesn't understand the service you are using FOR FREE.....
"John Doe Jr" is the same as "John Doe Jr." in real life. "John J Doe" is the same on any legal document as "John J. Doe".
Treating punctuation differently in email addresses is no different than typo-squatting a domain name except it's less obvious.
Gmail has been this way for years and other sites should follow their example on all new email addresses. We know what evil lurks on the Internet so let's close off the easy methods rather than relying on Grandma seeing that tiny dot in her email address which she never looks at anyway.
"rather than relying on Grandma seeing that tiny dot in her email address which she never looks at anyway."
Most email clients hide the actual email address that is being sent to, so there is little chance to spot the mistake. The thing is though, it should not matter if someone changes their email address to yours post sign-up, as an email should be sent stating "you've changed your email address to this, click here to confirm. If you've not changed your address then ignore this email" or some words along those lines. When the link is clicked, the user should have to then enter their account username and password before the change is confirmed. If someone is trying to spoof or phish you into something, not having the password will stop the email change to look like yours. In order to log in and add a CC will require a password reset, and the scammer won't have it and won't be able to reset it as the reset email will go to you. You may end up with 2 Netflix accounts, but that's easily refundable by Netflix, as why would you have two accounts with similar email addresses?
This is all FUD and aimed at Netflix for the person who claims this story happened to them to gain some column inches.
This is easily verifiable by anyone changing the email address of their Netflix or other reputable online service/retailer. There are established rules and procedures around doing this thing, which any auditor will check for.
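The confirmation flow the comment above describes (token sent to the new address, password re-entered before the change lands), written out as an added example; this is not code from the thread or from Netflix, and the in-memory store, PBKDF2 password hashing and the function names are illustrative assumptions:

```python
"""Added example (not code from the comment thread or from any named service):
an email-address change that only takes effect after (a) a single-use token
sent to the NEW address is presented and (b) the account password is
re-entered. Until then all mail, password resets included, keeps going to the
old address. The store, names and hashing choice are illustrative assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real service uses;
    # the point of the example is the confirmation flow, not the KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str                              # the address that currently receives mail
    salt: bytes
    pw_hash: bytes
    pending_email: Optional[str] = None     # requested but not yet confirmed
    pending_token: Optional[str] = None     # single-use token mailed to pending_email


@dataclass
class Outbox:
    """Records what would be sent, so the flow can be checked offline."""
    sent: list[tuple[str, str]] = field(default_factory=list)   # (to, subject)

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))


class AccountService:
    def __init__(self, outbox: Outbox) -> None:
        self.outbox = outbox

    def create(self, email: str, password: str) -> Account:
        salt = secrets.token_bytes(16)
        return Account(email, salt, _hash_password(password, salt))

    def check_password(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))

    def request_email_change(self, acct: Account, new_email: str) -> str:
        """Start a change: warn the OLD address, send the token to the NEW one.
        The account keeps its old address until the change is confirmed."""
        token = secrets.token_urlsafe(32)
        acct.pending_email, acct.pending_token = new_email, token
        self.outbox.send(acct.email, "Your email address change was requested")
        self.outbox.send(new_email, "Confirm your new email address")
        return token   # in a real system this only ever travels inside that email

    def confirm_email_change(self, acct: Account, token: str, password: str) -> bool:
        """Apply the change only with the right token AND the account password."""
        if acct.pending_token is None:
            return False
        if not hmac.compare_digest(acct.pending_token.encode(), token.encode()):
            return False
        if not self.check_password(acct, password):
            return False
        acct.email = acct.pending_email
        acct.pending_email = acct.pending_token = None
        return True

    def password_reset_target(self, acct: Account) -> str:
        """Where a reset mail would go: always the confirmed address."""
        return acct.email


def demo() -> dict[str, object]:
    """Constructed scenario: a throwaway account tries to move itself onto a
    dotted alias of a stranger's Gmail inbox. Neither party holds both factors,
    so the change never lands; a legitimate user holding both succeeds."""
    svc = AccountService(Outbox())
    throwaway = svc.create("throwaway@example.com", "correct horse")
    token = svc.request_email_change(throwaway, "a.gmail.user@gmail.com")
    # The account holder knows the password but the token went to someone else.
    attacker_ok = svc.confirm_email_change(throwaway, "guessed-token", "correct horse")
    # The inbox owner clicked the link in the unexpected mail but has no password.
    stranger_ok = svc.confirm_email_change(throwaway, token, "")

    alice = svc.create("alice@example.com", "hunter2!")
    alice_token = svc.request_email_change(alice, "alice.new@example.com")
    legit_ok = svc.confirm_email_change(alice, alice_token, "hunter2!")
    return {
        "attacker_password_no_token": attacker_ok,
        "stranger_token_no_password": stranger_ok,
        "throwaway_mail_still_goes_to": svc.password_reset_target(throwaway),
        "legit_both_factors": legit_ok,
        "alice_now_at": svc.password_reset_target(alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the token proves control of the new mailbox and the password proves control of the account; an unsolicited "confirm your address" mail therefore cannot bind an account to a stranger's inbox, and an account holder cannot point resets at an inbox they do not control.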
I don't think you understand the attack. You create a previously non-existent account on Netflix, which is given the dotted email address. When the legitimate Netflix user gets the message, they are able to change the card details. Some (admittedly small) percentage of folks will do just that, allowing the fake user to get Netflix for free.
Re: 'why', I would assume it's from a zealous reading of RFC 2822; in its grammar a dot is defined as a separator but a separator has no defined lexical meaning for the local part of an address. A server can do whatever it wants — to the extent that 2822's predecessor, 822, received an official amendment to clarify that the local part should not be modified when forwarding messages. Prior to that it was valid for server A to remove or add dots as it felt fit, then pass that along to server B assuming it made no difference there either.
I think it is more complicated than that; if I send an email to an account that I KNOW exists - exactly the same as my account, but with no ".", gmail sends it to that account; but if someone in certain parts of the world (southern US for certain), sends to that address, I get their email.
This has only been happening to me for a couple of years, and I have had this email address since we had to call it "googlemail.co.uk".
I have told a certain US car dealership about this bug MANY times, but they keep asking me to take my car in for a service.
It's good to know I'm not alone, although I put it down to carelessness on the part of someone giving their email address. These days I just delete the emails, but I have been known to report them to abuse@ whoever sent them, and once I went the extra mile to inform a doctor's practice in California that their patient was never going to turn up for surgery... (That was hard, due to a reluctance on the part of the practice to put any contact details on the website that didn't need to be logged in to, and I wasn't going to phone them)
I've had fun in a similar situation.
I kept getting accidental/incorrectly addressed email to me but for someone located in the UK. I replied to the dealer that I wasn't the right person, that my email was used in error, & to please remove it from their records. They were either too inept or lazy to scrub it, so the next time one came in from them I decided to have a bit of fun.
I replied "Sure you can service my car. Please send a towtruck & a temporary vehicle for me to drive while you have mine in the shop." They agreed (evidently the other person had bought a rather expensive car & the dealership figured they could soak the fool) & asked me to confirm the address to which they would send them. I sent them the Google Maps coordinates. They replied "That can't be correct, that's not even in the UK!" To which I replied back "No shit. Neither am I. But since you can't be fuckin' arsed to fix your fuckin' records then you've already agreed to send a tow & a temp car. When will they arrive?"
They never sent me another email.
*Cackle*
I tried to be polite about it, I tried to do the right thing, but when the other party refuses to act accordingly... It's time to fuck with their heads!
I have this: a lady on the West Coast of 'merica registered with one dot not two, making it easy to spot as my first name becomes a female name. Gmail filtering also helps, but why the heck they designed it that way is beyond me; also, not having Netflix is a BIG plus from every angle ;)
Er, I think the point is that Netflix do distinguish between agmailuser@gmail.com and a.gmail.user@gmail.com. To Netflix, they're different addresses, so different accounts. Google don't make a distinction.
So if you learned that someone with the address agmailuser@gmail.com had a netflix account, you can have an account on netflix under the name a.gmail.user@gmail.com. Emails sent to a.gmail.user will actually arrive in agmailuser's inbox. If they're not paying attention, phish!
Effectively Google have given gmail users an infinite variety of email addresses, meaning that it's possible for literally everyone else on the planet to cybersquat on their identity on all other services on the planet. If you are a gmail user, and you have an account on, say, Netflix and want to prevent anyone else taking out an account in your name you'd have to also take out accounts in the name of a.g.m.a.i.l.u.s.e.r@gmail.com (and every combination of letters and dots in your email address), plus all combinations of agmailuser+<insert any string here>@gmail.com. Clearly that's not possible.
Google's "handy feature" is stupid.
It does not allow squatting as every such email address would still get delivered to your mailbox. It actually prevents squatting because of that.
No it doesn't. It requires you to spot and deal with emails that no one else on the planet is expecting you to receive. You make one single mistake doing that, it could cost you money and they're squatting. You can't even correct your mistake because they have the password for that account on that service, not you.
No one but Google (not Netflix, the police, the courts, the banks, etc) considers agmailuser@gmail.com to be the same person as a.gmail.user@gmail.com.
@D@v3,
They do, but a couple of times I have received emails from services I have never heard of, so I go in, have 'forgotten my password', reset link gets sent to my email, I now own the account.
That's all well and good, but you may also have taken on legal responsibility for the account. That might come along with all sorts of liabilities, which might include (depending on the service provider and what is being provided) debt, criminal prosecution, ownership of some difficult-to-explain-in-front-of-a-judge content, etc. Trying to protest "but that's not my real email address" when, clearly, it is (and Google are also saying it is) sounds like a bad day to me.
On the whole, not a good idea I think.
"You make one single mistake doing that, it could cost you money and they're squatting. You can't even correct your mistake because they have the password for that account on that service, not you."
Lack of joined up thinking there AC.
If you don't have a password, you can't load a CC.
If you do have a password, the spoofers don't.
If you have a problem, you contact Netflix, and seeing as you control a) the contact email address and b) the credit card, I fail to see how you can't cancel the payment.
Unless there's some method of inputting the CC into an unsecured form.
"No one but Google (not Netflix, the police, the courts, the banks, etc) considers agmailuser@gmail.com to be the same person as a.gmail.user@gmail.com."
They consider them to be separate email addresses. A person can clearly have more than one address. More than one person can have access to an email address. In fact there is no direct relationship between natural persons and email addresses.
Personally I find it quite handy, but I have some 40+ email addresses being delivered to the same gmail account. Luckily it's yet to confuse the police, courts or the bank, all of whom use such boring things as a physical address or phone number when they really want to get hold of me, rather than email.
mmccul, I think you have misread RFC 822 section 6.2.4. It says, 'This specification treats periods (".") as lexical separators.' It says that the effect of these lexical separators is to divide the name of the mailbox and turn it into a sequence of tokens.
Dividing a string in different places will yield distinct sequences. Note that the sequence ("a", "b"), which is a sequence of length 2, is a distinct sequence from the sequence ("ab"), which is a sequence of length 1.
I'm normally the first to hate on Google, but I don't see how this is their fault?
It sounds as though Netflix are allowing people to register accounts with email addresses without bothering to validate that they have access to those addresses?
That's insanely irresponsible, if that is actually the case. I hope I've misunderstood something.
It's actually the other way around from what you are thinking. If YOU are registered to these services with a "dotted" email address, then someone can steal the account by creating an undotted email and then getting all of YOUR email. Including account password reset emails. Good luck getting your account back.
"If you are a gmail user, and you have an account on, say, Netflix and want to prevent anyone else taking out an account in your name you'd have to also take out accounts in the name of a.g.m.a.i.l.u.s.e.r@gmail.com (and every combination of letters and dots in your email address), plus all combinations of agmailuser+<insert any string here>@gmail.com. Clearly that's not possible.
Google's "handy feature" is stupid."
Do Netflix and others not require the email account to be confirmed via some unique link before the account is activated?
Yes, someone could set up the account but they will never see any correspondence and the dotless account owner would be notified.
I have seen that some sites are aware of Google's dotless addressing and will strip the dot when checking for existing accounts and bleat if they have an existing account regardless of where or how many dots were entered in the submission. It's not a difficult regex to write to validate & sanitise the input prior to db lookup.
This is nothing but a subtle phishing attack and will catch out those who are click happy, but is easily fixed by Netflix, with no need for Google to disable what is a useful feature for some.
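The "strip the dot before the db lookup" approach described in the comment above, as an added example that is not code from the thread or from any site the thread names. It goes slightly beyond the comment by also folding the `+tag` suffix and case for the same providers, while leaving the local part of every other domain exactly as typed; the provider list, the permissive address regex and the in-memory store are assumptions made for illustration:

```python
"""Added example (not code from the comment thread or from Netflix/Google):
canonicalise an email address before looking up existing accounts, so that
Gmail's dot and plus-tag aliases collapse to one stored identity. The provider
table below is an assumption for illustration, not an authoritative list."""
import re
from typing import Optional

# Providers assumed (for this example) to ignore dots in the local part and to
# treat a "+tag" suffix as an alias. The collapsed form is the lookup key; the
# address as typed is what mail is actually sent to.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

# Deliberately permissive shape check: one local part, one dotted domain.
# Full RFC 5322 validation is far more involved; this only rejects obvious junk.
_ADDR_RE = re.compile(r"^(?P<local>[^@\s]+)@(?P<domain>[^@\s]+\.[^@\s]+)$")


def canonicalize(address: str) -> Optional[str]:
    """Return the lookup key for an address, or None if it is malformed.

    The domain is always lower-cased (DNS names are case-insensitive). For the
    dot-insensitive providers the local part is also lower-cased, any '+tag'
    suffix is dropped and dots are removed. For every other domain the local
    part is kept exactly as typed, since the RFCs leave its meaning to the
    receiving host (it may even be case-sensitive there).
    """
    m = _ADDR_RE.match(address.strip())
    if not m:
        return None
    local, domain = m.group("local"), m.group("domain").lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        if not local:          # nothing left once dots and tag are gone
            return None
    return f"{local}@{domain}"


class AccountStore:
    """Minimal in-memory registry keyed by the canonical address."""

    def __init__(self) -> None:
        self._by_key: dict[str, str] = {}    # canonical key -> address as typed

    def register(self, address: str) -> bool:
        """Register an account; refuse if an alias of it already exists."""
        key = canonicalize(address)
        if key is None or key in self._by_key:
            return False
        self._by_key[key] = address
        return True

    def existing_alias(self, address: str) -> Optional[str]:
        """Return the already-registered address that collides with `address`."""
        key = canonicalize(address)
        return self._by_key.get(key) if key else None


def demo() -> list[tuple[str, bool]]:
    """Run the constructed sample sign-ups and report which were accepted."""
    store = AccountStore()
    attempts = [
        "agmailuser@gmail.com",             # first sign-up: accepted
        "a.gmail.user@gmail.com",           # dotted alias of the same inbox: refused
        "AGmailUser+netflix@GMAIL.com",     # plus tag and case differ only: refused
        "a.gmail.user@example.com",         # other domain, dots are significant: accepted
        "agmailuser@example.com",           # a different local part there: accepted
    ]
    return [(a, store.register(a)) for a in attempts]


if __name__ == "__main__":
    for address, accepted in demo():
        print(f"{'accepted' if accepted else 'refused '} {address}")
```

Two points worth keeping in mind when using something like this: only the lookup key is collapsed, the address the user actually typed is what you send mail to; and the collapse is applied only for domains you know behave that way, because for an arbitrary domain `a.b@host` and `ab@host` really can be two different mailboxes.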
Exactly this. Why is there a difference between someone registering for Netflix using the "actual" email address of say gmailuser@gmail.com and the "spoofed" dotted address g.mail.user@gmail.com if both addresses go to the same mailbox? Years ago I'd received several emails from Sony's Playstation online whatever it is asking about my account so I simply went online, reset the password, and closed the account. Note, the "attacker" didn't actually use dots, they simply signed up with my email address. Having said that, like someone mentioned in another thread, I use the dots to detect when someone is selling my address so I can point it out to them when I end my business relationship with them.
I submit the premise of the headline "Netflix is secure" is false if they aren't validating email addresses at the time someone signs up.
Is it possible to trick this?
Sign up to Netflix with a throwaway email.
Netflix sends the signup confirmation there.
Do the confirmation on that address.
Log in to the Netflix website using the throwaway address.
Go to account settings and change the email address to a dotted-variant of that of your mark.
That way your mark never sees the signup confirmation.
"Log in to the Netflix website using the throwaway address.
Go to account settings and change the email address to a dotted-variant of that of your mark.
That way your mark never sees the signup confirmation."
But they do get the "you've changed your email to this one" message. Which should raise alarm bells.
Log in to the Netflix website using the throwaway address.
Go to account settings and change the email address to a dotted-variant of that of your mark.
That way your mark never sees the signup confirmation.
An email confirmation is sent to the new address, with the account I assume in limbo until the address is confirmed.
that they seem to think they can improve on the thousands of man hours that go into RFCs???
If I had a penny for every bug I've fixed that originated in a bit of code some smart arse thought was better than tried and tested modules ... I'd have a lot of pennies.
email, telephone and postcode (UK) validation should have been nailed 25 fucking years ago. So why do I still see code (badly) written last week?
Amateurs ....
The RFCs actually allow a lot of freedom for what comes before the @, because they were written in an era when how people were identified on different systems could vary wildly. IIRC, they even allow case-sensitive identifiers - so JOHN.DOE could be different from john.doe or John.Doe... it's just that I think nobody in their senses ever used it.
Why Google decided to implement GMail in a way that is different from how most people are used to thinking email works is the issue. Maybe they thought it was a smart way to avoid people registering look-alike addresses for doing something nasty, maybe the reasons are different. Anyway, the main issue is having billions of addresses in a single domain, while people with the same name are not rare at all, especially in some countries.
But humans aren't. Sure, written language does use case to better distinguish some words - using some known rules, but spoken language isn't (good luck with voice activated commands...) - and trying to enforce case sensitivity on humans is one of the worst things Unix programmers could think of - a clear case when engineering laziness ("hey, string comparisons in English only are far easier this way!") took precedence over a comprehensive, future-proof solution (hint: in many languages you have to follow proper collation rules to compare strings, or you'll fail).
I understand mail RFCs had to cope with the limitations and bad designs of many early operating systems. There's really no need to persist in those mistakes - software must serve humans, not vice versa.
IIRC DNS was designed to be case-insensitive - think if you had to register all the permutations of a domain name. URLs can contain case-sensitive parts (besides the domain name) because, of course, of the Unix limitations when it comes to accessing the file system...