by mywacaday 223 days ago
I'm Irish and have a common firstname.lastname@gmail.com. At some point the head of a national hospital thought he had that address and wasn't using his official email for everything. I got several emails that should not have been for me, and some were quite sensitive. I always emailed back the sender to let them know, and eventually I emailed his secretary as it kept happening. I've also received purchase order confirmations from Australia, building contracts from Canada, and HR emails from a university, to which I had to confirm I had deleted the mail, as letting them know led to a GDPR investigation.
6 comments

I’m in the midst of a similar situation. My firstinitial.lastname email keeps getting very sensitive legal documents from law firms handling the case of someone who does not seem to know what their actual email address is. I called the firm and told them they needed to have an in-person meeting with their client and get a correct email address from them. That seemed to help for a few months. But now I’m getting emails again from a different law firm.
Law firms that send very sensitive legal documents over email… #sigh

I’d switch firms immediately if that’s their level of opsec awareness

And I worked IT for a legal firm; if we were not sending documents over email, we would get replaced by the client.

I spent 3 months on a secure document transfer portal system; it got scrapped after 4 months because clients wanted their forms as Word/PDF, and they wanted them without jumping through any hoops.

I believe you - convenience gets picked over security all the time.
If you reread it, it sounds as if the secretary was handing out the wrong email.
Yes, I know this was about a wrong delivery address (person with the same name, wrong account); the point is that email is not completely secure - certainly not for very sensitive (legal) content.
What are you talking about? If you send emails from, e.g., Gmail to Gmail, it's fairly secure.
Gmail can be fetched via IMAP and leave Gmail's infra entirely. And I don't think Google guarantees that their implementation stays fully on their own owned infra. It's a reasonable assumption but I'd never trust that for a security guarantee.

Email is not an end-to-end secure data protocol without the use of client-side encryption/decryption like PGP/GPG, but even then, sender, receiver and time are all in the envelope metadata.

Yeah, that's exactly my point - no idea why I'm being downvoted on this.
Probably because law firms aren't necessarily computer security firms. Lots of people have terrible opsec. Additionally, if you, the recipient, are on Gmail it stops mattering; now Google knows your legal woes.
Why's that even relevant if the recipient is the wrong address? Email isn't particularly secure anywhere, and Gmail has forwarding and IMAP and aliases and other services that send emails outside of Gmail. But sending sensitive documents to the wrong recipient, which was the topic that started this sub-thread, is a case where it does not matter how secure your servers are.
> [...] and gmail has forwarding and IMAP and aliases and other services that send emails outside of gmail.

No matter what format you hand a recipient a document in, they can always make a photocopy and pass it on.

Sure. How’s that relevant?
Even if the law firm uses a Gmail account - which most of course don't - Google still has access to your sensitive legal email content. (And that's apart from the metadata leaking.)
If you attach documents by linking to a Google Drive document, sure.

If you attach documents 'inside' the mail (i.e. MIME-encoded multipart), that is most definitely not secure:

1) you do not know how that mail gets delivered, not necessarily via servers that support encryption
2) you do not know how that mail, or the attachment, gets stored on the local machine
3) you do not know if the mail, or attachment, is sent to someone else
4) you cannot revoke the access to the document once the Need To Know stops

In our ISMS, sending Highly Sensitive data (e.g. customer data) by attaching it directly to a mail is strictly not allowed by the IT charter. We explain it during an onboarding meeting to all new staff members. And it's a fireable offense.

There are several people with my name at the company I work for. I frequently get email meant for someone else.

Worst was at another company where a person with the same name had just left, so they gave me that email address. Turned out he was subscribed to several Confluence pages for which I now received updates. But I didn't get his Confluence account, so I couldn't unsubscribe from those updates.

Couldn't you reset the password since you have access to the email address?
Might have been using company SSO.
SSO indeed. I forgot if it was ever solved before I left.
I have a canonical gmail address for what I thought was not such a common name pair. I get so much sensitive stuff. I used to email the sender but I have given up. One of them runs a business and the businesses that interact with his business just keep emailing me. Or stop for a couple of years, change personnel and start right back up.
Same here. My Google Account is something along the lines of jose86@gmail.com (a common Hispanic first name + birth year; I'm German).

It's unusable. I have received full blown mortgage applications from couples in Mexico (including paystubs, tax forms, credit ratings, phone bills, passports). Mostly, these days, it's transaction notifications for a guy in Nigeria and phone bills for people in South America.

My spouse suffers from this as well. It's bananas to me how many people use that email address clearly thinking it's theirs.
I have myname.wifename@gmail.com (we use it for bills, children's activities, and other family stuff where you can't register more than one email address).

Neither of our names can be confused with a last name, and yet I had multiple people writing to it incorrectly, including: as the email attached to a Diners credit card (I called Diners and they asked me what the right one was and "if I don't know the right one, how do I know that it's wrong"), as the email for a school 400 km from home (another family must have had the same idea), once for some lawyer stuff (I then learnt that about 100 people in Italy do have my wife's name as a very uncommon last name), and lately as the recovery email for another Google account.

Your use case is why I bought my own domain name. My wife and I create shared aliases we can both send from. It’s made spousal ensuing with schools so much easier, etc.
I used to get email for an org that had a similar domain to mine (they had an extra letter in the middle). Thankfully, not a very big org; I would just bounce addresses that got a lot of misdirected email, and I think they shut down, which really solved the problem.

Still annoying, but not as bad as Gmail. I just got an email, in Italian, about someone adding a passkey to their eBay account. No way to tell eBay it's not their address / it's not my account.

I've noticed a lot of sites and orgs won't accept email domains that aren't Gmail, Hotmail, Outlook, iCloud, or Yahoo.
Interesting. I've used my personal domain name for email for almost 30 years and I've never had that problem.
Similar boat (~25 years) and, while I've run into some sites/services that rejected my domain, I'm pretty sure it's happened fewer than 5 times, total.
It's a tactic to prevent burner/spam accounts created using temporary emails.
That is what we do as well, but she still has her own email account that I presume she'll keep as long as Gmail exists.
What a weird world. :)

Edit: side note, your username is also the name of my favorite foosball table maker.

YES! I have no idea if we're related, but imagine the surprise when you "first get internet at home", and my father and I decided to search our surname on Altavista, and we found foosball tables and tournaments!
Damn it I was hoping you were going to reply "that's my family!" :D
> I'm Irish and have a common firstname.lastname@gmail.com

At the risk of nitpicking, @gmail.com email addresses use a dots don't matter policy [0] so really you have a common firstnamelastname@gmail.com and are free to add dots wherever you like.

[0] https://support.google.com/mail/answer/7436150

Recently learned, to my surprise, that other major providers have not followed Google's lead on this, so there are plenty of places where dont.scam..me@ is a valid email (social engineering or typosquatting).
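The "dots don't matter" rule and the fact that other providers do not share it are what make address comparison tricky for anyone running an account database or a misdirected-mail check. The following Python is an added illustration written for this thread, not code from any commenter: it canonicalises addresses so two spellings of one Gmail inbox compare equal while dotted and undotted local parts at other domains stay distinct, and it flags registered addresses that collapse to the same mailbox. The set of dot-insensitive domains (gmail.com plus its googlemail.com alias) is assumed complete for this example.

```python
"""Canonical comparison keys for e-mail addresses.

Gmail ignores dots in the local part (first.last@ and firstlast@ reach the
same inbox); most other providers treat them as different mailboxes.
Added example for this discussion, not code from the thread's commenters.
"""

# Domains known to apply Gmail's dots-don't-matter rule. googlemail.com is
# Google's documented alias of gmail.com; assumed complete for this example.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical(address: str) -> str:
    """Return a key under which two spellings of one mailbox compare equal.

    - the domain is case-folded (domains are case-insensitive); the local
      part is case-folded too, a practical assumption most providers honour
    - googlemail.com is folded onto gmail.com
    - for Gmail, every dot in the local part is dropped
    - any other domain is left untouched, so 'dont.scam..me@other.example'
      remains distinct from 'dontscamme@other.example'
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        domain = "gmail.com"
        local = local.replace(".", "")
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both spellings deliver to the same inbox under the rules above."""
    return canonical(a) == canonical(b)


def find_collisions(addresses):
    """Group a list of registered addresses by canonical key and return only
    the keys that several distinct spellings map to (duplicate accounts, or
    one user's mail silently reaching another's record)."""
    groups: dict[str, list[str]] = {}
    for addr in addresses:
        groups.setdefault(canonical(addr), []).append(addr)
    return {key: spellings for key, spellings in groups.items() if len(spellings) > 1}
```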