Who’s using my email address, and why?

By | June 23, 2011

Somebody seems to be using my email address in a weird, ongoing way that doesn’t seem to be benefiting them in any way. The fact that I can’t figure out why they’re doing it concerns me, because I have to suspect that there is some benefit to them, which I just haven’t been able to figure out. I’m worried that if it’s helping them, it’s probably hurting me, even if I don’t know it.

Therefore, I’m blogging what I know, in the hope that perhaps someone else will be able to look at the facts and point out something I missed about why this is going on.

A few days ago, I received an automated email message from the “Starwood Preferred Guest” program which began, “Thank you for contacting Starwood Preferred Guest.” Except I hadn’t.

I assumed that a spammer had sent spam with my return address to Starwood, so I just ignored it.

However, later that day, I received this message from Starwood:

Dear Jonathan Kamens,
Thank you for contacting Starwood Preferred Guest. I hope this email finds you well.
I must apologize but I am unable to determine exactly what your inquiry is regarding. If you would please reword your question or add more detail we would be pleased to assist you.
We are always available to assist you; feel free to chat with us online, have us call you, or if you prefer, simply reply to this email. Have a lovely evening.

Best Regards,

[name elided]
Specialist, E-Communications Department
Starwood Hotels & Resorts Worldwide

Original Message Follows:
————————
SPG Number: *******24
Subject: Benefit Clarifications
Comments: In the moment two persons must give me money they are Ingrid Betancourt and Guy André-Kieffer these two persons must give me two milliards [sic] of dollars.
First Name: Diallo
Last Name: Mamadou Oury
Email Address: jik@kamens.brookline.ma.us
Membership Level: E

Note that whoever wrote to Starwood (through a form on their Web site, I suspect) gave the name “Diallo Mamadou Oury”, but when Starwood wrote back to me, they used my real name! I thought at the time that they must have looked up my name from my email address, since I was at one point a member of the Starwood program, but I just called their customer server number and asked them to look up my account by name or email address, and they were unable to do so. I just sent them an email message asking where they got my name from; I will update this blog entry when I hear back from them about it.

Note also that Ingrid Betancourt and Guy André-Kieffer are real, prominent people. Bizarre!

Anyway, I wrote back to Starwood and told them that somebody was clearly just misusing my email address, and they should ignore it. I thought that was the end of it.

Now it gets crazy.

Earlier today, I got this from Google:

Congratulations on creating your brand new Gmail address,
ibsondao.mamadou331@gmail.com.
Please keep this email for your records, as it contains an important verification code that you may need should you ever encounter problems or forget your password.

You can login to your account at http://mail.google.com/

Enjoy!

The Gmail Team

Verification code: [elided]

If you didn’t create this Gmail address and don’t recognize this email, please visit: http://mail.google.com/support/bin/answer.py?answer=62400

WTF? What benefit would someone get from creating a Gmail account and using someone else’s email address as the recovery address?

Thinking fast, I immediately used the fact that this person listed my email address for recovery to change the account’s password and security question. So whatever he was intending to do with this account, which I honestly can’t imagine, he isn’t going to be able to.

Note that whoever created the Google account gave the name “Diallo Mamadou”, which matches what he gave to Starwood, but doesn’t match the email address he chose, where he instead used the name “Ibso Ndao Mamadou”.

So, does anybody have any ideas about what’s going on here?

Print Friendly

46 thoughts on “Who’s using my email address, and why?

  1. Pingback: Since Diallo Mamadou Oury is so insistent on sharing my personal information, here’s some of his « Something better to do

  2. Pingback: Mamadou Diallo still, inexplicably, using my email address all over the internet « Something better to do

  3. AL

    Hi! I have a similar and very perplexing issue!! Twice in the last few months, someone (unknown to me) has signed up for an online account, using my main personal email address! The address used is in the format of firstnamelastname@domain. My name is commonly known. The first person registered a Gmail account using my email as their contact address. Does this make sense?? Lol. I logged into that new Gmail account, cleared out everything in it & deleted the account. Maybe I should have reported it? The second person, only yesterday, created a new Twitter account, in which she used that same email address of mine as her contact address. She is female and I have her name- but I am male. At the end of the confirmation email I was sent from Twitter, was this line- “If you received this message in error and did not sign up for Twitter, click not my account.” & “not my account” was a link- I clicked it, then I was told my email was removed! If anyone here knows why people do this, I’d really like to know? Please share if you do- thank you!!

    Reply
  4. jik Post author

    Another one:

    Dear de Montigny,

    The Global Editors Network received a newsletter subscription request for this email address. You can confirm that you would like to receive our weekly newsletter by clicking here. If you cannot click the link, use the following link:

    [deleted]

    If you have not made this request, please ignore this message.

    Thank you.

    Reply
  5. jik Post author

    Great, now this guy has signed up for an account at http://propheticmail.com/ using my email address, and I can’t log into the account to reset it without knowing the username he used to create the account. *sigh*

    Reply
  6. Montigny

    Dear sir

    Normally the year who come again you must give me my
    money by the postal.Actually I have worked on a man whole name’s are
    alpha yaya diallo a ancient chief who had been deported to mauritanie.
    I would say that why you haveprogramming seven years in order to give
    me my money : that’s very hard for me to join all my difiicult having.
    In the second where I say you my family would deport me to the hospital
    for they said to take product and injections.

    Reply
  7. Diallo

    Dear Sir

    That’s long time ago i would to get with you a large explaining
    a explication in about my game with because Guy André Kieffer with sans
    condition sans immédiate i have related with the time where i have
    listening the topo with Laurent Bagbo with Alassane Ouattara.
    Mister i hope that you have said that two persons must give me
    two milliards dollars that is exact.

    Reply
    1. Walter Stone

      It is very hard to find who is using your email and finding someone to investigate it is even harder yet. Police organizations do cyber crimes but I only think they or the FBI only look into it if a serious crime is being committed or if bigger money is involved. Somehow I just thing they don’t really take interest otherwise.

      Reply
  8. Pingback: Mysterious identity thief uses my email address to create Skype account « Something better to do

  9. Barfo Rama

    Don’t forget that with email, “benefits” may have very, very small values when costs have values approaching zero.

    The starwood “specialist” is probably some kid glad to have a computerish job, tasked with all the emails that come in asking about email blasts sent by starwood – in other words, manually dealing with spam response, and perhaps unsure what a spambot might send. The person you called and asked to look up was probably also some fairly clueless clerk, you can’t conclude specialist didn’t just look up your info from that.

    You are right to be suspicious, this appears to be someone harvesting email and script-kiddying something. Perhaps someone in Nigeria with another variant on the classic scam.

    The thing is, we tend to forget just how bad sysadmins out in the world are, especially with email. (Here come some other random thoughts risks items have made banging around in my head). On my ISP, I noticed a “cool” but obvious to spammers email was available, just as they were rolling out Bayesian virus/spam checking, so I snagged it. When combined with a couple more levels of checking on my end, it made the address usable. It was kind of interesting to see what still made it through, and I noticed some “your bill is ready” kinds of mails from a telco in another part of the country… addressed to the “cool” email plus a dash and another name. So I tried sending to that address from several unrelated places, and sure enough, got them. ISP support couldn’t understand my description and demos, so eventually kicked me up to the sendmail person who actually understood the issue. Another risks item mentioned using the domain name for an email registration if you have your own domain. I’ve had a couple of funny ones there. One large old listserv started sending me bounce commands, thinking I was the list owner! Recently a redirect service enhanced their web site, and when I went to change my email there, it wouldn’t accept their own domain as the portion left of the @ sign, giving a message that that was way too attractive to spammers. And recently, I knew right away when a condo project lost their mailing list to the bad guys.

    Sometimes I just have to wonder if there are just some really bad mysql programmers out there, randomly corrupting their own data.

    Reply
  10. Don

    This has happened to me a couple of times recently:

    The first occurence was a subscription to a Cable TV service (west-coast US, but I’m in Toronto, Canada) for which I continue to get confirmations of payment, etc. The second was a subscription to an on-line dating service (registered as female, wich I’m not).

    I have no idea why someone would set this up. The only thing I could come up with is that the provider requires an e-mail address for access to their web-presence, doesn’t require confirmation of the e-mail. The perpetrator then uses the 1st e-mail that he can think of or cut-paste from somewhere.

    The internet: curiouser and curiouser :-)

    be seeing you … Don

    Reply
  11. Hank Roberts

    Have you checked your phone bills for ‘third party service’ items regularly?
    search phone+third+party+service+bill
    Lots of recent news on that happening again recently, and I wonder.

    When we’ve found and refused scam charges in the past, the ‘support’ operators’ script has them insist repeatedly that we must have agreed to the charges because they had our phone number and email address authorizing it. The email has never been legitimate. But perhaps the next level is to create ‘legitimate’ email for deniability? Just guessing.

    Reply
  12. david

    I have a 4-character .com as my personal domain that is configured with 3 mailboxes — mine, my wife’s, and an “else” mailbox that will accept any name.

    I frequently get emails for a .edu/.org (same organization, had both domains), .au, .ca with the same 4-character .com. In addition, I often get email for a company with a 6-character .com where the last 4 match mine.

    It seems like people get lazy or stupid or fat finger the address. I could understand an outsider (a parent sending to a kid for instance) but some seem to come via web link.

    - David

    Reply
  13. Roger Strong

    Keep on mind that most people would have deleted the messages as spam.

    My guess is that it’s a scammer establishing “reasonable doubt” ahead of time. He runs his scam using the Gmail account. If he isn’t caught, great.

    If he *is* caught, he claims to be a victim. Police get a court order for Google to turn over records. They discover that the Gmail account was created using YOUR email account, using the name Diallo Mamadou Oury. The scammer arranges for police to be tipped – if they don’t discover it themselves – that you’ve used the same name / email account dealing with other companies.

    Police will believe YOU, especially having documented it like this. They’d eventually believe the average person who would have deleted the messages as spam. But in court, it establishes the reasonable doubt that the scammer needs to avoid a conviction.

    Reply
    1. Roger Strong

      BTW, If I’m right, here’s where it gets ugly:

      Say the police want to prosecute the scammer. Even if they fully believe YOU, they’d seize your computer for a few months and examine your email activity. (If your private mail server is on a different system, that would be gone too.) Because if they didn’t, the defendant’s lawyer would stand up in front of the jury and demand to know why.

      Reply
    2. jik Post author

      But in court, it establishes the reasonable doubt that the scammer needs to avoid a conviction.

      No, it doesn’t really, because the records they get from Google will show what IP address the account was created from, and it’ll be the scammer’s, not mine.

      Your theory about what is going on may be correct, but if so, then the scammer is mistaken if he believes that it’ll actually do him any good.

      Reply
  14. Rick Steeves

    I saw your article in comp.risks

    I’ve had almost this exact thing happen to me. I had someone sign up and activate a porn site with my name and email address. I originally thought it credit fraud, managed to talk the ISP out of the name on the credit card, which matched the name on the account (but not me). I cancelled the account, and confirmed the PWD on my email was different, and moved on.

    It’s happened twice since then. Same name on the account. I’ve managed to track the name with the IP information (after bullying the ISP) back to an actual person, and attempted to contact them. Never heard back from them.

    Reply
  15. Ivan

    I’ve been getting all kinds of emails to gmail from people creating facebook or myspace accounts to auto parts receipts to “please give feedback on your stay at our hotel”.

    Facebook was the worst offender, as they started sending notification emails without ever verifying the email address.

    Other than being noisy, it seems harmless, so I set up a gmail filter. Unfortunately, gmail doesn’t let you bounce messages, so mail that gets sent to me without dots in the proper place now gets silently discarded. Hopefully no one I actually want to talk to tries to take advantage of gmail normally being dot-insensitive.

    Reply
    1. Ivan

      Oh, and as far as why someone would give control of their account to someone else’s email address, my best guess is simply that it is September. There is a lot of stupidity on the Internet in September.

      Reply
  16. jik Post author

    For those of you who are saying this is just a matter of something making a typographical error or getting confused about their email address, that really seems exceedingly unlikely. Please look again — my email address is “jik@kamens.brookline.ma.us”. It’s long and has a non-standard, custom domain. Nobody’s going to type that as an innocent mistake, and certainly not twice in two different suspicious scenarios within a few days of each other.

    Reply
  17. Amos Shapir

    Hi Jonathan, I saw this on RISKS. The name on the mails reminds me of the Nigerian scheme, so it’s possible these guys found a “how to pose as someone else’s mail” guide and are trying to use it without actually understanding. The fake ransom note may indicate teenagers at play.

    How did they get your address? Well “jik” is something someone may get by just banging on the keyboard; a too-helpful mail server may supply the domain, if it thought that the sender had forgot to put in the “@” part.

    Another for addresses is the RISKS digest itself, which is published unsanitized and available verbatim on Google. I am pretty sure most of my spam mail got my address off a commercially sold list gathered that way; that’s why I do not use this address for anything else any more.

    I hope this helps,

    Amos

    Reply
  18. jkb

    Has Oury hacked Starwoods and is he trying to extort money from them using well-known names?

    Reply
    1. jik Post author

      I’m not really sure what good mentioning Ingrid Betancourt and Guy André-Kieffer would do in terms of extorting money from them, and I also don’t see what good it would do for him to send an extortion threat using someone else’s email address (the people he’s trying to extort wouldn’t be able to respond to arrange payment!), and I also don’t see how it would help an extortion effort for him to create a Gmail account using my email address as his recovery address. So no, I don’t think this is a particularly plausible theory.

      Reply
  19. dm

    I have had this problem due to people with similar names but like a middle initial, and then they leave out the initial when giving their email address and it goes to me instead. I flat out ignore any misdirected mail other than returning to sender if its super important. It’s the sender’s issue after that…

    Reply
  20. Koos van den Hout

    I read your article in comp.risks …

    I have an e-mail address with a provider of the firstname @ provider (because that was normal in unix when they started in 1993). From time to time I get misdirected mail and it can be difficult to get people to understand that they have the wrong e-mail address in their records.

    But the most original cause of misdirected mail, now years and years ago is that someone actually had that e-mail address on his business cards and I got interesting messages for him, related to his high-ranking position in the telecoms world. People always were grateful I notified them about the error, but I never got anyone to send me one of those business cards.

    Reply
  21. Dan

    I get the same thing, but I get it from various people, with my gmail address. I’ve been able to contact some of the people, and usually get a message like “sorry it was an honest mistake” or “sorry I meant to contact my son who has the same name as you” (and, I assume a similar email address). I guess my username isn’t completely unusual, and I think sometimes it’s been typos. I assume some people don’t know what their email address is and when they tell people their email address, tell them the wrong one.
    It’s one of the disadvantages of using hotmail or gmail, I guess.

    Reply
  22. Dave Long

    A hacker can get access to “legitimate” sites with a legitimate email, eventually, they become almost “self-authenticating”. First line of authentication for a website is usually email confirmation…totally insecure, but common nonetheless… next line is banking or credit card details. Some banks or money transfer outfits only require very basic information in order to set up an account. Think paypal and others.

    When I was in university (almost at the beginning of the internet!) some rather enterprising fellow students created an identity and managed to get it a credit card…which was used to get another credit card and so on and so on. Chained authentications all certified as true based on someone believing a single lie. How do you think the CIA does it?

    The name Mamdou is West African…Nigerian money scam maybe?

    I would strongly recommend burning your email account, getting a new one and putting a note on your credit files specifically referencing that you are not responsible for account referencing the old account name as of some time before all this happened.

    Pain in the backside, but the alternatives of identity theft are worse.

    Hope this all makes sense.

    Dave

    Reply
    1. jik Post author

      First line of authentication for a website is usually email confirmation…totally insecure, but common nonetheless…

      But there’s no email authentication going on here, because my mail servers, which I run myself, are aggressively locked down, and it is extremely unlikely that anyone else has access to them. So although whoever is doing this can specify my email address to a Web site, it doesn’t do him any good — he doesn’t see the emails that the Web site sends to that address.

      I would strongly recommend burning your email account,

      Every email address I’ve used since 1987 still works. I’m not about to burn an email address I’ve been using since 1996 based on nothing more than vague theories which don’t stand up particularly well to scrutiny.

      Reply
      1. Dave Long

        You don’t always “have” to actually click on the confirmation email itself to get confirmed. Some sites allow you access even without confirmation through other mechanisms. Some sites have a very simple confirmation code which is a server and some plaintext hash of your email address. These can be simple enough to find out… do it for a disposable account you can access. Once validated, next step is the dirty business of using it to help support their next steps….then go change email addresses to something they CAN access…. voila… no re-validation required except maybe to the NEW address.

        Does make you wonder why those sites go through the hassle of the confirmation process though….other than to try and validate they can send you an email…but it’s not a sure thing if the “confirmation can be spoofed.

        Burn, or don’t burn…your call.

        Reply
        1. Robert Carnegie

          Well, there’s a distinction between an email-address-for-registration which isn’t yours to confirm and one that doesn’t exist at all, which is that there’s probably an immediate error returned when someone sends e-mail to the latter.

          Some services allow limited (e.g. forum read only) access after creating the account based on e-mail address and before receiving and acknowledging the e-mail.

          I suppose that a crime could involve changing a victim’s copy of DNS records so that e-mail to your special domain is delivered to the criminal instead of to you, and you’re seeing cases where this failed.

          Or some people may be dumb enough to assume that any such message represents something that they genuinely want to sign up for – just as some people are dumb enough to fall for simple spam fraud solicitations. If it works 1 per cent of the time, that may be enough.

          Actually, another device is if person A’s computer is hacked, then spamming everyone in their address book as from person A, you may get to do only once, whereas spamming everyone as from one of the other address book entries may last longer. So, could be, someone who knows you and who stays in a hotel sometimes got hacked.

          By the way, not really addressing the point, and probably no one reading this is going to create a new e-mail address of their own, but if your given name is common then obviously you could throw in an extra word that makes it more likely unique. And apparently, if you throw in the word “spam” in your actual e-mail address, there’s a good chance that any spammer who tries to spam that address will have it automatically discarded by their own evilware.

          If you create someone else’s e-mail address, for instance for your children, they’ll appreciate you specifying one that won’t get them teased at school, or, when the time comes, stood up on dates. As in, ponygirl365 is a bad idea twice.

          Reply
  23. George Harris

    It could just be that someone is confused about their own email address (although that seems unlikely as you have your own domain). I’ve received non-spam mails of that type before, and someone once gave my sister his business card, which had my email address on it.

    Reply
  24. Gary

    Outside possibility, but might you have entered the email address into a webform on a public computer somewhere (airport, hotel etc) ? The browser may have remembered the email and be using it as a default (especially if the user didn’t overwrite it with a valid email).

    If an activity looks really stupid, then often it is because it is being done by a computer.

    Reply
    1. jik Post author

      Definitely an outside possibility, because I don’t use public computers — my laptop and/or iPhone goes pretty much everywhere where I might need network access.

      Reply
  25. Camilla

    I’m going to guess that someone suffering from both schizophrenia and poor English comprehension, has stumbled across your blog, and something resonated with his paranoia, and he started mixing parts of your name and identity into his other crazy.

    Reply
    1. jik Post author

      Hmm. Crazy. Yeah, I suppose that’s a possibility I hadn’t thought of.

      Or perhaps it’s someone trying to harass me in particular for some reason. Someone who isn’t too bright, I imagine.

      Reply
      1. Camilla

        The incidence rate schizophrenia is something like 1% of the population, and given that treatment compliance is really quite difficult, and effective treatment is unavailable in many places, there’s a big pool of untreated cases out there.

        The content that would make me say “probably schizophrenic rantings” is:
        * pervasive and invisible/conceptual things like the internet, radio waves, satellites (classically tin foil hats and radio transmission in fillings)
        * celebrities, collusion between celebrities
        * grandiosity (large sums of money, international consipiracy)
        * persecution paranoia

        Your message doesn’t have all of that, but my guess is that you stand out (enough) by being effective at customer service retribution, and the crazy that goes “these people owe me money via internet” has started invoking your name in a cargo-cultish way as an effectiveness totem.

        I doubt that it’s personal harassment by a sane-but-stupid person, because I think that flagrant untreated schizophrenia is much more statistically likely, and a much better fit for the message. Harassing someone represents a significant energy expenditure, and sane people generally save their harassment for ex-lovers and others who are/were close to them.

        Reply
  26. Ruth

    Is there any chance they are getting a copy of your email as well as it coming to you?

    Reply
    1. jik Post author

      Remotely possible, but I can’t see how even that would help them.

      Reply
  27. JMike

    I don’t have any actual suggestions, but wanted to note that a milliard is a term that the Brits used to use, which means what we Americans call a “billion”. (It used to be that a Brit billion was a million million, which resulted in them saying weird things like “milliard” or “thousand million” for 10^9.)

    Reply
    1. JustMe

      “Milliard” is french for billion. French language is common in West african countries.

      Reply

Leave a Reply

Your email address will not be published.