I just did a signup on a brand new email address and was not able to recreate. No random spam emails reported. Just a normal verification email.
It's likely that the email the author received is pure coincidence. Especially if they are using a client that downloads emails in batches.
FWIW it looks like their validation email is sent by Customer.IO via Mailgun. Both have squeaky clean service agreements so it's unlikely they are shooting off the data to spammers.
Edit: No way! I did end up getting a random empty email. From an "Adventure-Meter Department" at bugbusterbrigade.com. The topic of the email was "Scents and Memory".
This is a really weird email. It's not a spam email, it's some sort of attempt at inbox testing. Perhaps it's an attempt to sniff out AI agents signing up for their service?
Mailgun's validation API, presumably the underpinnings of Pangram's, returns more than a simple yes/no validity. My educated guess is that this is part of figuring out all of those extra fields.
Maybe they don't do that for larger destination providers. But definitely no coincidences here. (In the post I replaced the address with example.com because I'm curious if I will ever get other spam onto it, but here's another one unmodified.)
curl --request POST --data '{"email": "pangramdemo@milek7.pl"}' https://www.pangram.com/api/validate-email
If you want to verify an email, send me a one-time code with several hours expiry that I have to resubmit through my logged in web identity at your site.
It drives me batty that a financial provider (retirement vendor from previous employer) won't seem to let my "paperless" setting remain active. Only because I don't ping their abusive email tracking pixels etc.
To me, paperless means I can log in and download my quarterly PDF statements and related documents, and they won't be left in a mailbox on the street. It doesn't mean I have to subject myself to reading your silly emails with a promiscuous client.
To me, paperless means they ATTACH MY STATEMENT TO THE EMAIL. Not signing up to any paperless until they do; none yet have met this bar. The statement is supposed to be a snapshot of the status of the account at a given moment. If you have to open their website to view it, they could regenerate it from whatever crap data they have lying around at the given moment. If it can change every time you look at it, it's a quantum statement; it's not a snapshot, it's a vibe. This defeats the entire purpose of getting a statement. I don't know how anyone tolerates this.
I tolerate it when I get a fixed period statement and can download to review and archive. I don't treat the website as my archive, nor would I treat the email system as my archive. It's just the delivery mechanism.
And they are for the well-defined accounting periods, e.g. monthly or quarterly, not some sort of ephemeral "rollup to time of download". That would drive me mad if they had different periods depending on download timing.
I can't know for certain, but my gut tells me they are just generating PDFs at the same time they perform the general reporting run that also leads to printed statements. And then they have some limited retention history to limit the storage costs.
Unfortunately for quite a few people in non-Western states with whom I share my email, I now have their paystubs and insurance receipts and so on. They just sent me the email after someone either made an error in data entry or optimistically assumed they have first.last@gmail.com.
For things like financial records, I would not want plain PDF in the email. I think it needs encryption for confidentiality.
I am geeky enough to use PGP or S/MIME if they had the option, but I can definitely see how vendors would see this as too fringe with retail customers. I would not like the typical "secure email" which is nothing more than a volatile link back into yet another website.
The idea that they really send spam to validate an email address sounds too insane to be believable.
Is it possible that they are somehow leaking the address to actual spammers?
For example, they (or the hypothetical email validation SaaS) use an infected email validation library that exfiltrates every email supplied to it, or something like this.
The actual base64 email itself is an HTML document, with a bunch of filler text about metal magnets!
> Hi there, A magnetic domain is a region within a magnetic material in which the magnetization is in a uniform direction. This means that the individual magnetic moments of the atoms are aligned with one another and they point in the same direction [...]
They sign off the email with a zero-width space set to "font-size: 0" for some reason.
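An added example, not code from any poster: a scanner for the kinds of hidden content described above (zero-width characters, elements styled invisible or pushed off-screen as in the style attribute quoted later in the thread, and 1x1 remote images that act as tracking pixels). The SAMPLE message is constructed to resemble that mail; the tracker hostname is a placeholder.

```python
# Added example (not from the thread). Scans an HTML e-mail body for
# zero-width characters, elements styled invisible or off-screen, and
# 1x1 remote images (tracking pixels). SAMPLE is constructed.
from html.parser import HTMLParser
import re

ZERO_WIDTH = ("\u200b", "\u200c", "\u200d", "\u2060", "\ufeff")
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em)?(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px", re.I)

SAMPLE = """<html><body>
<p>Hi there, A magnetic domain is a region within a magnetic material
in which the magnetization is in a uniform direction.</p>
<img src="https://tracker.example.invalid/open.gif?u=abc123" width="1" height="1">
<span style="font-size: 0">\u200b</span>
<div style="position: absolute; left: -9999px; top:-9999px;display: none">seen</div>
</body></html>"""


class HiddenContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, detail)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        hidden = bool(HIDDEN_STYLE.search(style))
        if tag == "img":
            src = a.get("src") or ""
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if src.startswith(("http://", "https://")):  # remote load = open beacon
                kind = "tracking-pixel" if tiny or hidden else "remote-image"
                self.findings.append((kind, src))
            return
        if hidden:
            self.findings.append(("hidden-style", f"<{tag} style={style!r}>"))

    def handle_data(self, data):
        # HTMLParser decodes &#8203; etc. before this is called (convert_charrefs=True)
        if any(ch in data for ch in ZERO_WIDTH):
            self.findings.append(("zero-width-text", ascii(data)))


def scan_html(html):
    """Return the findings for one HTML body; an empty list means nothing hidden."""
    scanner = HiddenContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```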
There is a procedure common in mail sending where you ALMOST do this. You connect to their mail server, tell it you have a message for them, and wait to see if it rejects you or accepts the message. Then you disconnect without actually sending the message. I wonder if this is some kind of confusion among the devs behind this, or some benefit to really sending the message that I can't think of. Does it contain a tracking pixel or anything?
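The "almost" procedure from the comment above, seen from the receiving mail server's side, as an added example that is not from any poster: it classifies a logged SMTP session as a real delivery, a callout (RCPT TO answered, then no DATA), or recipient enumeration, which is what you would look for in your own mail logs to find who is probing your addresses. The transcript format and hostnames are constructed.

```python
# Added example (not from the thread). Classifies an SMTP session as seen
# by the receiving server: a "callout" is the dance described above, where
# the client stops after RCPT TO and never sends DATA. The transcript is
# constructed; "C:" lines are the client, "S:" lines the server's reply.
import re

RCPT_RE = re.compile(r"RCPT TO:\s*<([^>]*)>", re.I)

CALLOUT = """\
S: 220 mx.example.invalid ESMTP
C: EHLO probe.example.invalid
S: 250 mx.example.invalid
C: MAIL FROM:<>
S: 250 2.1.0 Ok
C: RCPT TO:<alice@example.invalid>
S: 250 2.1.5 Ok
C: RCPT TO:<nobody@example.invalid>
S: 550 5.1.1 User unknown
C: QUIT
S: 221 2.0.0 Bye
"""


def classify_session(transcript):
    """Return accepted/rejected recipients, whether DATA completed, and a verdict."""
    accepted, rejected, pending, data_done = [], [], None, False
    for line in transcript.splitlines():
        who, _, text = line.partition(": ")
        if who == "C":
            pending = text.strip()  # command awaiting the server's reply
            continue
        if who != "S" or pending is None:
            continue
        code = text[:3]
        m = RCPT_RE.match(pending)
        if m:  # 4xx (greylisting) and 5xx both count as "not accepted"
            (accepted if code.startswith("2") else rejected).append(m.group(1).lower())
        elif pending == "." and code.startswith("2"):
            data_done = True  # end-of-data accepted: a message was really delivered
        pending = None
    if data_done:
        verdict = "delivery"
    elif accepted or rejected:
        # RCPT TO was used to learn whether mailboxes exist, then no message followed
        verdict = "enumeration" if len(accepted) + len(rejected) >= 3 else "callout"
    else:
        verdict = "incomplete"
    return {"accepted": accepted, "rejected": rejected, "data": data_done, "verdict": verdict}
```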
Can it be that Pangram doesn't send any spam itself but instead (intentionally or not) leaks your email address to some spammer who then does the sending?
Strange to see this in an apparent real product. And also I don't see how this does much to 'validate' it... It could be a valid email that belongs to a random stranger, like, tcook@apple.com for instance.
Part of me wonders if someone has added something nefarious into their backend which just collects and exfiltrates new emails as people sign up.
Sell verification services to one set of clients, and use the harvested email addresses to sell spam delivery to another set of clients.
It's like having a space in a big building downtown with storefronts on two opposite streets. Babysitting/childcare services here; rent a child to go to the park with and help you pick up chicks there.
The similar playing-both-sides against the middle that I'm struggling with right now: companies sell (physical) mail addresses to other companies for beaucoup bucks. But if you want to correctly report that your wife has been dead for 9 years because you're tired of getting her USPS spam, they want to charge you to add you to their profitable database.
* https://mailgun.com/products/validate/
* https://documentation.mailgun.com/docs/validate/oas/openapi-...
style="position: absolute; left: -9999px; top:-9999px;display: none"
Maybe they try to warm up those emails to use them for other "campaigns" later on...