legitster 19 hours ago [-]
I just did a signup on a brand new email address and was not able to recreate. No random spam emails reported. Just a normal verification email.
It's likely that the email the author received is pure coincidence. Especially if they are using a client that downloads emails in batches.
FWIW it looks like their validation email is sent by Customer.IO via Mailgun. Both have squeaky clean service agreements so it's unlikely they are shooting off the data to spammers.
Edit: No way! I did end up getting a random empty email. From an "Adventure-Meter Department" at bugbusterbrigade.com. The topic of the email was "Scents and Memory".
This is a really weird email. It's not a spam email, it's some sort of attempt at inbox testing. Perhaps it's an attempt to sniff out AI agents signing up for their service?
JdeBP 18 hours ago [-]
Mailgun's validation API, presumably the underpinnings of Pangram's, returns more than a simple yes/no validity. My educated guess is that this is part of figuring out all of those extra fields.
* https://mailgun.com/products/validate/
* https://documentation.mailgun.com/docs/validate/oas/openapi-...
> Catch email addresses that have turned into honey pots
> Make smart decisions on who you should and shouldn’t send to using our risk score
Identifying honeypots is tricky business. Sending something that looks like obvious spam from random burner domains and seeing if it still gets delivered is not a bad way to do it.
mcv 17 hours ago [-]
Yeah, but any site that uses signup email addresses to send spam should be immediately blacklisted. Sending spam to potentially legitimate email addresses is a really bad idea and should destroy any credibility you may have had.
Is it really empty? From a sibling comment by tom1337 https://news.ycombinator.com/item?id=48651560 it looks like they are using some CSS tricks to hide the text in an HTML email.
garaetjjte 19 hours ago [-]
Maybe they don't do that for larger destination providers. But definitely no coincidences here. (In the post I replaced the address with example.com because I'm curious if I will ever get other spam onto it, but here's another one unmodified.)
curl --request POST --data '{"email": "pangramdemo@milek7.pl"}' https://www.pangram.com/api/validate-email
This seems like crossing a fine line of legal vs the right thing. More than likely Pangram Labs is just one of the customers using a third party API to get validation on the email. This third party API is the one who is abusing this technique, most likely using pixel tracking for email addresses they haven't seen before.
Partly fun part is what Pangram here has done is to expose an endpoint for anyone to transitively use the email validation API in their product
EvanAnderson 18 hours ago [-]
I just tried with a new email at my domain. I'm excited to see what I get.
saltcured 18 hours ago [-]
I would make even stronger advice.
If you want to verify an email, send me a one-time code with several hours expiry that I have to resubmit through my logged in web identity at your site.
It drives me batty that a financial provider (retirement vendor from previous employer) won't seem to let my "paperless" setting remain active. Only because I don't ping their abusive email tracking pixels etc.
To me, paperless means I can log in and download my quarterly PDF statements and related documents, and they won't be left in a mailbox on the street. It doesn't mean I have to subject myself to reading your silly emails with a promiscuous client.
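The verification flow saltcured describes above, written out as an added example (not code from the thread or from any vendor named in it): the code is emailed, but it is only accepted when re-entered from the logged-in session of the account it was issued to, with a several-hour expiry, single use and an attempt limit. The in-memory store, secret and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 4 * 3600            # "several hours" expiry
SERVER_SECRET = b"constructed-example-secret"  # would come from config in practice
MAX_ATTEMPTS = 5                       # bound on guessing an 8-digit code

# Constructed in-memory store: account id -> pending challenge record.
_pending: dict = {}


def _digest(account_id: str, code: str) -> bytes:
    # Bind the digest to the account so a code issued for one account
    # cannot be replayed against another one.
    msg = f"{account_id}:{code}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def issue_code(account_id: str, now: Optional[float] = None) -> str:
    """Create the code that goes into the verification email.
    Only a keyed digest of it is stored server-side."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"
    _pending[account_id] = {
        "digest": _digest(account_id, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(session_account_id: str, submitted: str,
                now: Optional[float] = None) -> bool:
    """Called from the logged-in session. The account id comes from the
    session, never from the request body, so the code can only confirm
    the address of the account that is actually logged in."""
    now = time.time() if now is None else now
    rec = _pending.get(session_account_id)
    if rec is None:
        return False
    if now > rec["expires"]:
        _pending.pop(session_account_id, None)      # expired: discard
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        _pending.pop(session_account_id, None)      # too many guesses
        return False
    expected = _digest(session_account_id, submitted.strip())
    ok = hmac.compare_digest(rec["digest"], expected)  # constant-time
    if ok:
        _pending.pop(session_account_id, None)      # single use
    return ok
```

Nothing in the email has to be clicked or rendered, so tracking pixels and link beacons play no part in the verification.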
infogulch 18 hours ago [-]
To me, paperless means they ATTACH MY STATEMENT TO THE EMAIL. Not signing up to any paperless until they do, none yet have met this bar. The statement is supposed to be a snapshot of the status of the account at a given moment, if you have to open their website to view it they could regenerate it from whatever crap data they have lying around at the given moment. If it can change every time you look at it, it's a quantum statement, it's not a snapshot, it's a vibe. This defeats the entire purpose of getting a statement, I don't know how anyone tolerates this.
saltcured 18 hours ago [-]
I tolerate it when I get a fixed period statement and can download to review and archive. I don't treat the website as my archive, nor would I treat the email system as my archive. It's just the delivery mechanism.
And they are for the well-defined accounting periods, e.g. monthly or quarterly, not some sort of ephemeral "rollup to time of download". That would drive me mad if they had different periods depending on download timing.
I can't know for certain, but my gut tells me they are just generating PDFs at the same time they perform the general reporting run that also leads to printed statements. And then they have some limited retention history to limit the storage costs.
arjie 18 hours ago [-]
Unfortunately for quite a few people in non-Western states with whom I share my email, I now have their paystubs and insurance receipts and so on. They just sent me the email after someone either made an error in data entry or optimistically assumed they have first.last@gmail.com
edoceo 17 hours ago [-]
Many places don't attach the statement because it has sensitive information. Add that with "email is not secure" which we've been yelling for years (well, me since 1996). Sending it via email is risk exposure for them.
thayne 13 hours ago [-]
It is long since time we made email secure. Or replaced it with something else that would allow us to send messages to people securely (in a decentralized way).
Having to log in to a half-maintained, slow web portal with terrible UI that is down 25% of the time is a really terrible way to get your sensitive and often important documents.
SAI_Peregrinus 1 hours ago [-]
email can be read by any server in the chain between the sender & recipient. It's not secure. PGP doesn't fully fix this, it still leaks message content (subject) and metadata. So does S/MIME. That doesn't mean attachments are leaked, but it does mean email isn't compliant with any of the standards which require communicating securely.
thayne 37 minutes ago [-]
Right. I'm saying this state of affairs is unacceptable for the dominant digital messaging system in 2026.
throawayonthe 17 hours ago [-]
they send important (financial?) documents over email???? who tf does that what vendor is this
technion 14 hours ago [-]
All of them.
My personal tax agent only accepts forms and sends them back via email. I had a conversation with him about using password protected zips and he just told me he won't accept them.
My hospital sent me a PDF that I was to fill in and email back with cleartext credit card information filled in to pay bills. Screenshot:
https://infosec.exchange/@jsmall/116745959468132388
I recently dealt with an inheritance and the Super Fund would only accept legal documents by email. I could go on, this is normal.
teeray 18 hours ago [-]
I really wish you could provide a PGP public key to your bank and have them just email the damn pdf every month.
RulerOf 18 hours ago [-]
That'd be nice, but I'd even settle for the plain pdf attached to the email.
mcv 17 hours ago [-]
Unencrypted sensitive data in an email is a really bad idea. I hope they never do that.
Although what I would really like, and think is long overdue, is an extension to email that normalises encryption and sender verification. It's ridiculous that email can be spoofed like that. (The same is even more true for phone numbers.)
thayne 13 hours ago [-]
Indeed. We really either need email to get decent, user-friendly encryption and verification, or replace email with a new, ubiquitous, decentralized, system that has first class support for encryption.
I have a laundry list of other issues I'd like fixed in email, but I'd be happy just to get end to end encryption and sender verification.
pocksuppet 17 hours ago [-]
Is it really? Who can read it today? Your email provider and theirs? Gmail won't deliver messages without TLS any more, so everyone supports it or they're effectively kicked out of email.
floam 15 hours ago [-]
TLS just encrypts the IMAP / SMTP sessions, no guarantee it’s stored encrypted, let alone end to end
account42 4 hours ago [-]
You didn't answer this question:
> Who can read it today?
mcv 2 hours ago [-]
Well, the email providers. And that could easily include Google without you even realising.
It's true that email isn't quite as insecure as it used to be (it was once compared to shouting your message at someone and expecting them to shout it in the right direction until it reached the intended recipient), but there are still many things missing compared to other forms of direct messaging, and there's good reason why many people and organisations don't want it used to send sensitive information.
saltcured 18 hours ago [-]
For things like financial records, I would not want plain PDF in the email. I think it needs encryption for confidentiality.
I am geeky enough to use PGP or S/MIME if they had the option, but I can definitely see how vendors would see this as too fringe with retail customers. I would not like the typical "secure email" which is nothing more than a volatile link back into yet another website.
wwind123 17 hours ago [-]
Hmm, yeah some people feel that plain emails are not secure for sensitive information. As a result, some banks provide a "secure email" box that's usually PITA to use.
It'd be great if there were a unified API for all financial institutes to provide sensitive info (statements, tax forms etc.) and you just need to run a software tool to download them once in a while or when you need it.
RulerOf 8 hours ago [-]
I get that, but I don't care.
I want the PDF (or CSV) emailed to me as an attachment because that's the workflow that doesn't suck.
Everything else sucks in one way or another, and much of it is security theater.
maxspero 16 hours ago [-]
Hey! Founder of Pangram here. We use Zerobounce and CustomerIO for email validation. I had no idea this was happening. Not entirely sure which one this is coming from, but this is not intentional on our part. Will dig deeper and eliminate the part of the stack that is sending spam — definitely not good that this is happening.
technion 12 hours ago [-]
I'm reading the ZeroBounce docs and it seems very relevant. Look at this step:
"We recheck all unknown emails using IPs from different geographical locations". This matches exactly what this article describes as getting these emails from a range of locations.
The step before that is just "Proprietary Technology", which sounds like a good cover for what's going on here. How else are you testing an email address after between "real time SMTP server check"?
vova_hn2 19 hours ago [-]
The idea that they really send spam to validate an email address sounds too insane to be believable.
Is it possible that they are somehow leaking the address to actual spammers?
For example, they (or the hypothetical email validation SaaS) use an infected email validation library that exfiltrates every email supplied to it, or something like this.
p2edwards 18 hours ago [-]
Yeah. The abundance of comments that take the article at face value makes me pause. I assumed it was satire.
bstsb 19 hours ago [-]
the actual base64 email itself is an HTML document, with a bunch of filler text about metal magnets!
> Hi there, A magnetic domain is a region within a magnetic material in which the magnetization is in a uniform direction. This means that the individual magnetic moments of the atoms are aligned with one another and they point in the same direction [...]
they sign off the email with a zero-width space set to "font-size: 0" for some reason
style="position: absolute; left: -9999px; top:-9999px;display: none"
maybe they try to warm up those emails to use them for other "campaigns" later on...
mike-cardwell 19 hours ago [-]
The text is added to get around bayesian filters. The spammer doesn't want the text to be displayed to the end user though typically.
autoexec 18 hours ago [-]
A smart bayesian filter would catch email with invisible text. Legitimate email shouldn't have any, but I have seen it more than once in spam
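The check autoexec describes, as an added example (not from the thread): a small scanner for the invisible-text tricks quoted in this subthread (offscreen absolute positioning, display:none, font-size:0 around a zero-width space) whose findings a filter could feed in as extra tokens. The sample message below is constructed from the fragments quoted above, not the real email.

```python
import re
from html.parser import HTMLParser

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "wbr", "area", "base", "col"}


def _style_hides(style: str) -> list:
    """Return the reasons an inline style makes its content invisible."""
    s = style.lower().replace(" ", "")
    reasons = []
    if "display:none" in s:
        reasons.append("display:none")
    if "visibility:hidden" in s:
        reasons.append("visibility:hidden")
    if re.search(r"font-size:0(px|pt|em|%)?(;|$)", s):
        reasons.append("font-size:0")
    if "position:absolute" in s and re.search(r"(left|top):-\d{3,}px", s):
        reasons.append("offscreen-absolute")
    if re.search(r"opacity:0(\.0+)?(;|$)", s):
        reasons.append("opacity:0")
    return reasons


class HiddenTextScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self._stack = []     # one entry per open element: its hide reasons
        self.findings = []   # (sorted reasons, text excerpt) for hidden text
        self.zero_width = 0  # count of zero-width characters anywhere

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:          # no matching end tag will arrive
            return
        self._stack.append(_style_hides(dict(attrs).get("style") or ""))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        self.zero_width += sum(ch in ZERO_WIDTH for ch in data)
        text = data.strip()           # U+200B is not whitespace, so it survives
        if not text:
            return
        reasons = sorted({r for rs in self._stack for r in rs})
        if reasons:                   # text inside any hidden ancestor
            self.findings.append((reasons, text[:40]))


def scan_html_email(html: str) -> dict:
    p = HiddenTextScanner()
    p.feed(html)
    p.close()
    return {"hidden_blocks": p.findings, "zero_width_chars": p.zero_width}


def is_suspicious(result: dict) -> bool:
    return bool(result["hidden_blocks"]) or result["zero_width_chars"] > 0


# Constructed sample built from the fragments quoted in the thread.
SAMPLE = (
    "<html><body><p>Hi there, A magnetic domain is a region within a magnetic "
    "material in which the magnetization is in a uniform direction.</p>"
    '<div style="position: absolute; left: -9999px; top:-9999px;display: none">'
    "call now for the best deal</div>"
    '<span style="font-size: 0">\u200b</span><br></body></html>'
)
```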
xp84 19 hours ago [-]
Strange to see this in an apparent real product. And also I don't see how this does much to 'validate' it... It could be a valid email that belongs to a random stranger, like, tcook@apple.com for instance.
Part of me wonders if someone has added something nefarious into their backend which just collects and exfiltrates new emails as people sign up.
lwhi 18 hours ago [-]
I have a Gmail address in the format of x.surname@gmail.com, which is obviously potentially applicable to tens of thousands of people.
The amount of misdirected mail I get is astounding. I literally just got a delivery update for hair removal cream, with the option to sign the unknowing recipient up to a paid for tracking subscription service.
The problem isn't just making sure the address is valid.
You need to ensure you're sending communications to the correct person.
pocksuppet 15 hours ago [-]
You seem to be getting unsolicited commercial email, a.k.a. spam, and could possibly initiate legal action against the sender. If you did so, it would cause the entire industry to stop using email verification, and probably switch to phone number until they get sued for the exact same thing with phone numbers.
mcv 17 hours ago [-]
I still have a gmail address that looks in no way like a name, and that's not stopping me from receiving some really weird misdirected email. Often my random collection of characters with some dots in between (apparently Gmail ignores dots in your name).
There is a procedure common in mail sending where you ALMOST do this. You connect to their mail server, tell it you have a message for them, and wait to see if it rejects you or accepts the message. Then you disconnect without actually sending the message. I wonder if this is some kind of confusion among the devs behind this, or some benefit to really sending the message that I can't think of. Does it contain a tracking pixel or anything?
gerdesj 17 hours ago [-]
That's recipient testing based on mailbox name. I don't recommend that for spammers - it's so trite and early 2000s.
I won't allow you to test deliverability to my email domains without you sending an email I can analyze and decide to allow or drop mid stream. I also get to drop it before you consider it sent. I obviously drop connections that just establish from and to and go weird after that.
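An added example (not code from the thread) covering both mcv's description of the callback check and gerdesj's receiving-side policy: a probe sets up MAIL FROM and RCPT TO and leaves before DATA, so the receiver answers RCPT identically for every local address, defers the real mailbox decision until after the body has arrived, and flags envelope-only sessions. Transcripts, the mailbox list and the function names are constructed assumptions; nothing touches the network.

```python
import re

LOCAL_USERS = {"alice", "bob"}   # constructed mailbox list for example.com
_LOCAL_RCPT = re.compile(r"<([^@>]+)@example\.com>$", re.I)


def rcpt_response(rcpt_arg: str) -> str:
    """Envelope-stage policy: every well-formed local recipient gets the
    same 250, so a RCPT probe learns nothing about which mailboxes exist.
    Foreign domains are refused because this host is not an open relay."""
    if not _LOCAL_RCPT.match(rcpt_arg.strip()):
        return "550 5.7.1 relaying denied"
    return "250 2.1.5 OK"


def data_stage_disposition(rcpts: list) -> str:
    """The real mailbox check happens only after the message has been
    received, where the operator can analyze it and accept or drop it."""
    users = [_LOCAL_RCPT.match(r.strip()).group(1).lower() for r in rcpts]
    if all(u in LOCAL_USERS for u in users):
        return "accept"
    return "550 5.1.1 mailbox unavailable"


def classify_session(commands: list) -> dict:
    """Classify a client's command sequence on one connection.
    'probe': MAIL FROM and RCPT TO were issued but DATA never followed,
    i.e. the callback-verification pattern; 'delivery': a body was sent."""
    verbs = [c.split(maxsplit=1)[0].upper() for c in commands if c.strip()]
    had_envelope = "MAIL" in verbs and "RCPT" in verbs
    sent_data = "DATA" in verbs
    if had_envelope and not sent_data:
        kind = "probe"
    elif sent_data:
        kind = "delivery"
    else:
        kind = "idle"
    return {
        "kind": kind,
        "rcpt_count": sum(v == "RCPT" for v in verbs),
        "log_as_probe": kind == "probe",   # what the operator would alert on
    }


# Constructed transcript of the callback check mcv describes: envelope,
# then QUIT without ever sending the message.
PROBE = [
    "EHLO verifier.invalid",
    "MAIL FROM:<>",
    "RCPT TO:<alice@example.com>",
    "QUIT",
]

# Constructed transcript of a normal delivery for comparison.
DELIVERY = [
    "EHLO mx.sender.example",
    "MAIL FROM:<news@sender.example>",
    "RCPT TO:<alice@example.com>",
    "DATA",
    "Subject: statement",
    "",
    ".",
    "QUIT",
]
```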
kirmerzlikin 19 hours ago [-]
Can it be that Pangram doesn't send any spam itself but instead (intentionally or not) leaks your email address to some spammer who then does the sending?
autoexec 18 hours ago [-]
Spamming, leaking, or selling. Either way, I now know that I want nothing to do with Pangram.
aitchnyu 9 hours ago [-]
Did any site implement incoming emails to signup@domain.com which then sends you a timebound signup form? No spam filtering drama.
Akronymus 11 minutes ago [-]
Kiwifarms did something like that, where you have to send an email to confirm your signup.
hopeless 18 hours ago [-]
My first thought would be that they've been hacked (or something else, like a CRM attached to their systems, has).
scosman 15 hours ago [-]
"ghostlygourd.com" is an S+ tier domain. Would click
andai 15 hours ago [-]
I'm more of a venusbases.com kinda guy
casey2 2 hours ago [-]
a botnet is not spam, garbage text is not spam, spam is defined primarily by being unsolicited AND unwanted. This is solicited.
Don't confuse the map for the territory. What we see here is a so called "expert" in anti-spam technology completely losing sight of the goal and complaining that the world should conform to their system. This is learned helplessness masquerading as expertise.
aarjaneiro 19 hours ago [-]
Magnetic domain
zephen 18 hours ago [-]
Interesting business model.
Sell verification services to one set of clients, and use the harvested email addresses to sell spam delivery to another set of clients.
It's like having a space in a big building downtown with storefronts on two opposite streets. Babysitting/childcare services here; rent a child to go the park with and help you pick up chicks there.
The similar playing-both-sides against the middle that I'm struggling with right now: companies sell (physical) mail addresses to other companies for beaucoup bucks. But if you want to correctly report that your wife has been dead for 9 years because you're tired of getting her USPS spam, they want to charge you to add you to their profitable database.
Topgamer7 17 hours ago [-]
Can we talk about the reddit spam too? Like how they allow bots to sign up accounts, with random email addresses. Which then sends spam/verify emails, with no recourse? I want to block new accounts to my email, but I have no options.