Re: Interesting way to phish gmail users


Re: Interesting way to phish gmail users

Nathan Raymond
I use those allowed dots as a feature to work around limitations that companies like Netflix impose due to their poor backend programming. Here's a recent breakdown:

1. Netflix used to allow individual profile logins to their service, so my wife and I both had separate logins with our respective email, but all under one Netflix plan.
2. At some point Netflix got rid of the individual profile logins but retained the profiles, consolidating them under one account login. In this case, my wife's account was the primary/billing account, so for me to access my Netflix queue I needed to log in to the site with her credentials and then select my profile.
3. In addition to streaming, we've continued to rent physical discs from Netflix as well, and used to do two discs at home at once, tied to each of our profile queues. We decided to drop down to one queue (mine) a few months ago.
4. In concert with that, we planned for me to take over paying the Netflix bill. We called Netflix to discuss our options, and learned that there was not a way to re-activate my old login or make my old login the primary account holder. You also cannot migrate existing profiles to new accounts (or migrate profiles from one account to another). It is possible for the primary account holder to select another profile's disc queue that's under the account as the queue to use for physical media rentals.
5. We then tried to change her email to be my gmail address, but Netflix said that my email address was already in use in their system. Apparently when Netflix discontinued the multi-profile individual login feature, they continued to store the associated email addresses but now prevent customers from being able to remove or change those email addresses (so they're somewhere in their back-end databases where maybe only their internal DBAs can get to them now...).
6. To achieve what we wanted, I used a variant of my gmail address with a dot added to it in order to get the account emails to me so I could efficiently manage billing and my queue.
7. Another minor side-effect of all this is that Netflix will periodically mention in their emails what's upcoming from Netflix in the physical disc queue but it only looks at the primary account holder queue (my wife's old queue, which we're no longer drawing from), not from my profile queue.

So yeah, I don't want Google to stop allowing dot variants, at least not until I can trust giant companies like Netflix to do things like profiles and logins properly (which I don't trust, at all).

- Nate

On Mon, Apr 9, 2018 at 7:30 PM, gastropod <[hidden email]> wrote:
gmail ignores dots in the user name part of an address, but other services don't ignore them, providing a way for bad guys to get an unobservant gmail user to pay, for as long as they stay unobservant, for services such as Netflix.

"Obscure E-Mail Vulnerability"

https://www.schneier.com/blog/archives/2018/04/obscure_e-mail_.html

--
gastropod


____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://sparky.tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://sparky.tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____


Re: Interesting way to phish gmail users

@lbutlr
On 2018-04-10 (13:39 MDT), Nathan Raymond <[hidden email]> wrote:
>
> 6. To achieve what we wanted, I used a variant of my gmail address with a dot added to it in order to get the account emails to me so I could efficiently manage billing and my queue.


Gmail (and quite a lot of other email providers) support "plus addressing", which gives you a great deal of control. I don't really use gmail, but here is how I use plus addressing.

When I register for a site, I usually set an email address that is [hidden email] and that email is only ever used for that site/company. So my netflix address is based on my 'work' email address we'll call [hidden email] and is [hidden email].

It's easy to set up alerts or sorting based on these address extensions.

On my own server, mail is automatically sorted into a "netflix" mailbox. I do the same thing with hulu and many other sites.

Some sites, written by incompetent idiots, will not allow you to use a + in an email address, falsely claiming it is invalid. I avoid those sites.

--
"If you can't do something smart, do something right."


Re: Interesting way to phish gmail users

Mr. Seth Anderson

On Apr 10, 2018, at 5:23 PM, @lbutlr <[hidden email]> wrote:

Some sites, written by incompetent idiots, will not allow you to use a + in an email address, falsely claiming it is invalid. I avoid those sites.

I find this irritating too, though of course, sometimes I cannot avoid using such sites.

I do wonder if spam harvesters are smart enough though to strip the “+company” off of an email address, but I still use the technique whenever possible.


-Seth Anderson

Re: Interesting way to phish gmail users

@lbutlr
On 2018-04-10 (17:32 MDT), "Mr. Seth Anderson" <[hidden email]> wrote:
>
> I do wonder if spam harvesters are smart enough though to strip the “+company” off of an email address, but I still use the technique whenever possible.

The nice thing about having my own server is that email that comes to my 'work' address without a + is matched up to a known senders list; if there isn't a match the mail is tagged as spam and trashed, so I never see it.

--
"Why can't you be in a good mood? How hard is it to decide to be in a
good mood and be in a good mood once in a while?"

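The sorting @lbutlr describes in the two posts above (file tagged mail by its plus-extension; accept untagged mail to the base address only from a known-senders list, otherwise tag it as spam) as an added Python example. This is not the poster's server configuration: the base address, domain, allowlist and folder names are constructed placeholders, and the envelopes at the bottom are made-up samples.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for the 'work' address and allowlist described in the thread.
# Nothing here is the poster's real configuration.
BASE_LOCAL = "work"            # hypothetical local part of the untagged address
BASE_DOMAIN = "example.org"    # hypothetical domain the server accepts mail for
KNOWN_SENDERS = {              # constructed allowlist for untagged mail
    "boss@example.org",
    "alice@example.net",
}
SAFE_TAG = re.compile(r"[a-z0-9_-]{1,32}")  # tags become folder names, so restrict them


@dataclass
class Decision:
    mailbox: str    # folder the message is filed in ("spam" and "reject" are terminal)
    reason: str


def split_address(addr: str) -> tuple[str, str, str]:
    """Split 'local+tag@domain' into (local, tag, domain), lower-cased; tag is '' if absent."""
    m = re.fullmatch(r"([^@+]+)(?:\+([^@]*))?@([^@]+)", addr.strip())
    if not m:
        raise ValueError(f"not a usable address: {addr!r}")
    local, tag, domain = m.group(1), m.group(2) or "", m.group(3)
    return local.lower(), tag.lower(), domain.lower()


def route(rcpt_to: str, mail_from: str) -> Decision:
    """Decide where one inbound message goes, given its envelope recipient and sender."""
    local, tag, domain = split_address(rcpt_to)
    if domain != BASE_DOMAIN or local != BASE_LOCAL:
        return Decision("reject", "not one of my addresses")
    if tag:
        # Tagged mail is filed by its extension: work+netflix@ -> folder "netflix".
        # The tag is untrusted input, so only a conservative character set is
        # allowed before it is turned into a folder name.
        if not SAFE_TAG.fullmatch(tag):
            return Decision("spam", "malformed tag")
        return Decision(tag, "plus-tag")
    # Untagged mail is accepted only from senders on the allowlist. The envelope
    # sender is trivially forgeable, so in production this check should sit
    # behind SPF/DKIM/DMARC results rather than stand alone.
    if mail_from.strip().lower() in KNOWN_SENDERS:
        return Decision("inbox", "untagged mail from known sender")
    return Decision("spam", "untagged mail from unknown sender")


# Constructed sample envelopes: (RCPT TO, MAIL FROM)
SAMPLE_ENVELOPES = [
    ("work+netflix@example.org", "billing@netflix.example"),
    ("Work+Hulu@Example.org", "news@hulu.example"),
    ("work@example.org", "boss@example.org"),
    ("work@example.org", "deals@unknown.example"),
    ("work+../etc@example.org", "anyone@unknown.example"),
    ("sales@example.org", "anyone@unknown.example"),
]


def route_all(envelopes=SAMPLE_ENVELOPES) -> list[tuple[str, str]]:
    """Route every sample envelope and return (recipient, mailbox) pairs."""
    return [(rcpt, route(rcpt, sender).mailbox) for rcpt, sender in envelopes]


if __name__ == "__main__":
    for rcpt, mailbox in route_all():
        print(f"{rcpt:32} -> {mailbox}")
```

The tag check answers Seth's worry from a different angle: even if a harvester keeps the tag, mail arriving with a tag the server never handed out still lands in a folder you can audit, and mail arriving with no tag at all is dropped unless the sender is already known.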

Re: Interesting way to phish gmail users

Maurice van Peursem
My opinion is that the fault is with Netflix; they should verify an
email address like most sites do (and certainly when money is
involved), and this scam is unusable.

Maurice

>gmail ignores dots in the user name part of an address, but other
>services don't ignore them, providing a way for bad guys to get an
>unobservant gmail user to pay, for as long as they stay unobservant,
>for services such as Netflix.
>
>"Obscure E-Mail Vulnerability"
>
>https://www.schneier.com/blog/archives/2018/04/obscure_e-mail_.html
>
>--
>gastropod

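The service-side fix Maurice is arguing for, applied to gastropod's observation that Gmail ignores dots while other services do not, as an added Python example (not from the thread, and not Netflix's or Google's code). It canonicalizes addresses so that dot and plus variants of one Gmail mailbox resolve to the same account record, refuses a signup that collides with an existing account, and activates an account only when a mailed verification token comes back. The dot-insensitive domain list, the account store and the sample addresses are assumptions and constructed placeholders.

```python
import secrets
from typing import Optional

# Domains whose mailboxes ignore dots in the local part and use '+' for tags.
# gmail.com and googlemail.com deliver to the same mailbox, so both map to gmail.com.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(addr: str) -> str:
    """Return the mailbox identity behind an address, so that variants collide.

    n.athan+netflix@GoogleMail.com -> nathan@gmail.com
    Jane.Doe@Example.com           -> jane.doe@example.com
    """
    local, at, domain = addr.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        if not local:
            raise ValueError(f"empty mailbox name: {addr!r}")
        domain = "gmail.com"
    else:
        # Assumption: other providers are treated as case-insensitive but dot-sensitive,
        # and no plus-stripping is done because not every provider implements subaddressing.
        local = local.lower()
    return f"{local}@{domain}"


class AccountStore:
    """In-memory stand-in for the account table; keyed by canonical address."""

    def __init__(self) -> None:
        self._accounts: dict[str, str] = {}             # canonical -> address as typed
        self._pending: dict[str, tuple[str, str]] = {}  # token -> (canonical, typed)

    def find_conflict(self, addr: str) -> Optional[str]:
        """Address already on file that resolves to the same mailbox, if any."""
        return self._accounts.get(canonicalize(addr))

    def begin_signup(self, addr: str) -> str:
        """Refuse mailbox-equivalent duplicates, then issue a one-time verification token."""
        canon = canonicalize(addr)
        if canon in self._accounts:
            raise ValueError(f"{addr} is a dot/plus variant of an existing account")
        token = secrets.token_urlsafe(32)   # unguessable; would be mailed to the address
        self._pending[token] = (canon, addr)
        return token

    def confirm(self, token: str) -> Optional[str]:
        """Activate the account only when the token that was mailed comes back."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return None
        canon, typed = entry
        if canon in self._accounts:     # two signups raced for the same mailbox
            return None
        self._accounts[canon] = typed
        return canon

    def is_verified(self, addr: str) -> bool:
        return canonicalize(addr) in self._accounts


def run_demo() -> tuple[bool, Optional[str], Optional[str], bool]:
    """Walk one constructed signup through the store and report what happened."""
    store = AccountStore()
    token = store.begin_signup("nathan@gmail.com")          # constructed sample address
    verified_before = store.is_verified("nathan@gmail.com")
    activated = store.confirm(token)
    conflict = store.find_conflict("n.a.than+billing@gmail.com")
    try:
        store.begin_signup("N.athan@googlemail.com")
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    return verified_before, activated, conflict, duplicate_rejected


if __name__ == "__main__":
    print(run_demo())
```

With this in place the dotted variant Nathan used would have been recognized as the same mailbox as the address Netflix already held, and a signup by anyone else using a dotted variant of a victim's address would never activate without access to that victim's inbox.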