top of page
Writer's pictureThe Tech Platform

How Thousands of Misplaced Emails Took Over This Engineer's Inbox

Kenton Varda gets dozens of messages a day from Spanish-speakers around the world, all thanks to a Gmail address he registered 16 years ago.


TWO WEEKS AGO, longtime software engineer Kenton Varda got an email that wasn't meant for him. It was from AT&T Mexico to a customer named Jorge, whose most recent phone bill was attached. You've probably gotten an email intended for someone else at least once. But then Varda got another AT&T Mexico bill for Gloria. And then a third for Humberto, who is overdue on paying more than 6,200 pesos, about $275.

To Varda, the incident wasn't a surprise. As the owner of the email account temporal@gmail.com, he gets dozens of messages a day from Spanish-speakers around the world, all sent by people who thought they could use his address as a dummy input: "Temporal" translates to "temporary." Varda says he frequently receives private documents, even medical bills and collection notices. Many of the most sensitive emails contain legal notices that the messages are confidential and should not be disclosed to other parties aside from the intended recipient. Varda doesn't speak Spanish, but he uses Google Translate when possible to understand what's going on and reply to senders saying they have the wrong address.

"Recently I had a few people send me what appeared to be photographs of handwritten notes. Maybe notes from a class?" Varda says. "Also, I received several job evaluations of one Jose Gomez, who appears to be a janitor. And a pretty good one!" Like many Weird Internet Things, the saga of temporal@gmail.com began during a simpler time. As a teenager in the 1990s, Varda was an avid player of the tabletop role-playing game Rifts. The game had a character class Varda particularly liked called Temporal Wizard that, naturally, used magic to manipulate time. So Varda adopted "Temporal" as his gamer tag. In 2004, shortly after Gmail launched, Varda graduated college and registered temporal@gmail.com.

"In retrospect, I wish I had registered 'kenton@' instead," he says. "I was probably early enough to get it. Too late now."

But temporal@gmail served Varda well for many years. It was only around 2010, when Gmail started to see heavy adoption in Spanish-speaking countries, that Varda ran into problems. "When people are registering a temporary, throwaway account and don't want to give their real email address or need a placeholder, they tend to plug in 'temporal'" he says. "It doesn't occur to them that this address might actually belong to someone." The bulk of misplaced emails that head Varda's way are confirmations for various account sign-ups. He ignores those as much as possible. He says it can be difficult not to instinctively click confirm, but he doesn't want to let other people set up accounts tied to his address. He's also run into incidents where a platform doesn't require email address validation, and his suddenly becomes attached to someone else's account. Numerous times, it has appeared that an IT staffer at a large organization has used "temporal" as a throwaway for a batch of accounts, perhaps to close out support tickets or categorize miscellaneous user information in a database. Varda says the account also receives a huge number of sign-ups at schools around the world, though he's not sure why this category crops up so often.

In all of these situations, Varda can end up with large amounts of private data that was never meant for him to see. In the case of the AT&T Mexico emails, for example, Varda received Jorge's, Gloria's, and Humberto's full names, addresses, account numbers, and full call histories for the billing period ending June 11.

Varda always tries to reply to emails when possible and warn that his address is not the right one. He receives lots of résumés, for instance, from people who think the email address is linked to a temp staffing firm, so he set up a filter for "hoja de vida," or résumé, and an auto reply that warns they've got the wrong guy. Occasionally he gets one or two word replies to his messages, like "OK, sorry." But in general he never hears back, and often the emails keep coming. The email address is also a problem for Varda when he wants to join a new service or platform. Recently, he tried to create a Discord account only to be told that one was already registered with his email address. At first, Varda thought he had signed up for Discord years ago and forgotten. So he hit Forgot Password in an attempt to recover his old account.

"Turns out some guy had a whole online identity on Discord under my address, was active in a bunch of different channels, had his profile all filled out, and apparently used 'Temporal' as his gamer tag like I used to," Varda says. "He lost all of it the moment I hit Forgot Password. I would try to contact him to give it back, but the only email address I have for him is, well, temporal@gmail.com."

Varda, who is a principal engineer at the internet infrastructure company Cloudflare, would like to change his address but says that it seems prohibitively difficult after so many years of using it as his primary email. He would have to painstakingly update the email address on all of his online accounts and be sure not to miss anything. As an alternative, Varda says that he has tried to train Gmail's spam filter to catch any message in Spanish automatically so they won't overwhelm his inbox. It hasn't worked, likely because the filters are correctly identifying things like account confirmation messages or people sending their résumés as legitimate. They're just not messages Varda wants front and center.

"It must be so frustrating for temporal@gmail or whoever owns provisional@gmail," says Jose Rodriguez, a security researcher based in the Canary Islands. "I have done it with email addresses of friends—or enemies!—as a joke when I'm asked to fill in personal data in a survey, for example, and direct the spam that follows the survey to them instead. But this is a different situation."

In addition to his main address, Varda owns the account not.temporal@gmail.com, and will sometimes use the Forgot Password mechanism to move an account that sends a particularly large volume of emails from being registered with temporal@gmail to not.temporal@gmail. "Some people have questioned whether it's legal for me to hijack someone's account, which they've registered in my email," Varda says. "I guess I don't know, but I also worry that if I don't hijack the account and disassociate it with myself, I may end up liable for things that they do. I don't, however, mess with people beyond reassigning their email address. For example, I've had lots of students register for classes at universities using my address. Sometimes upon logging in I find I'm able to drop their classes. But I'm not going to do that."


Source: paper.li

0 comments

Comments


bottom of page