adventures in catch-all email

I bought this domain about a year ago and have been operating a single email inbox on it since day one. Said mailbox has been set up as a catch-all (meaning it receives all mail for all addresses on the domain) for at least half that time, as a cheap way of getting more free aliases than my hosting plan provides. A few months ago, this mode of operation alerted me to a form of email… harassment(?) that I was not yet aware of.

On 2021-10-26, I received an email from someone claiming to be a Vietnamese measuring instrument company, destined for "odhovkzw@bdb.sh". I figured some nutjob must have been populating their new spam list by randomly generating email addresses from letters of the alphabet, marked it as junk and moved on.

Fast-forward to 2021-12-02, when that same address receives an email from, supposedly, the Japanese division of a certain rainforest-named e-commerce company. The styling looks legit; I can't read Japanese; the big button in the middle points to a .xyz domain, so onto the pile of junk it goes. Must have been scammed into buying the other guy's shitty spam list, lol.

On 2021-12-14, I receive another email in Japanese, this time from a popular German-sounding ridesharing company that now also appears to be doing food delivery. I wouldn't have bothered to put it through a translation service, but at the bottom of the mail they've included an English translation that suggests the message is to inform me of a ToS change. Feeling frisky, I check the links, and they *all* point toward that company's legitimate international website. What? How can they scam me if they never even show me any malicious content? Is this some kind of corporate Aleksandr? I check the recipient and this time it's "hdheh@bdb.sh". The next day, there's more mail from them in the same vein, but I don't think much of it and bin it.

Aleksandr and their most persistent spam (The Boston Diaries)

The new year comes around and on 2022-01-22, I am contacted by a Texas-based money transfer company that wishes to thank me for joining their "Plus Rewards" program. (I didn't.) This just reeks of archetypal scam setup, but once again every last link and button points to legitimate content. At this point I'm getting pretty annoyed with actual real companies reaching out to me out of the blue, because they obviously keep beating my spam filter and I have to see their crap. This time they're looking for "bdkfdndb@bdb.sh", though? And they are addressing "Gesheh" in their message?

The pieces finally fall into place. One or more people (among whom someone named Gesheh, probably) have been using fake email addresses on my domain to sign up for real services! The first one, odhovkzw, must have been doing some pretty shady stuff and ended up on a spam list, but hdheh and bdkfdndb seem to be real people using real services that apparently just don't verify ownership of email addresses.

As the *actual* owner of these addresses, I probably have the power to delete their accounts or even steal some of Gesheh's money. But I can only assume they had no ill intentions and just didn't want to give their personal email address to a commercial company if they didn't have to, and I can respect that. If they had known their undoubtedly password-managed keyboard mashing would end up on someone's smolnet log, I'm sure they would have mashed on for a different domain. (Besides, the legality of some of the counteracts suggested earlier would perhaps be questionable.)

I'm not sure of the best way to proceed, though. For now, I've decided to get rid of the catch-all inbox - I wasn't using those aliases anyway - and maybe the companies will notice their email getting bounced and prompt our friends to change addresses. I suppose I could still contact the companies' support teams about this, but I'm somewhat averse to bureaucratic corporate ticketing systems and now that new mail is properly getting bounced I kind of feel like it's no longer my problem? To be continued, perhaps… :)