Gmail's addressing scheme has created a new, potentially dangerous twist on the old telephone party line. Not only could some people with common names receive the personal messages of like-named strangers, but a Gmail alias of their account name could be used to sign them up for an unsavory service.
Since establishing the "email@example.com" account in April 2004, I have received hundreds of e-mails intended for other "D. O'Reilly"s. The misdirected messages include receipts for computers, vacation rentals, and various services, complete with addresses, telephone numbers, and other personal information.
My January 2010 post "Gmail delivery errors divulge confidential information" summarizes Google's explanation for the errant e-mails, which boils down to "human error."
The problem took a more serious turn recently when the "firstname.lastname@example.org" alias of the address was used to create an account on a hook-up site, and I don't mean trailers (necessarily). As shown in the screen above, the message indicates that Google considers it: "Important mainly because it was sent directly to you."
Because Gmail doesn't recognize dots and capitalization in its addresses, people often use an account name they believe is unique but is actually shared. Someone likely used "email@example.com" to sign up for a service without realizing (or without caring) that confirmation messages and other mail sent to that address would go to the "firstname.lastname@example.org" inbox.
I forwarded four examples of the misdelivered messages to a Google press representative. I was assured that no one else had gained access to my Gmail account, and that the names of other people appeared next to the address because the sender retrieved the address from their contact list, which included the name of the person who provided the sender with the "email@example.com" address.
Google insists the solution to misaddressed messages such as this is public education to let people know dots and capitalization in address names are not recognized. However, other e-mail systems distinguish addresses with dots from the same characters without dots. A Google representative suggests the best way to prevent receiving other people's private mail is to avoid signing up for a generic Gmail account name such as mine.
The account has tremendous value as an e-mail archive, but its generic name has rendered it a security risk. I now forward the address's incoming messages to an ISP e-mail account and use the ISP address to reply or send new messages, as I explained in last week's post, "Deter phishing attacks by consolidating your contacts."
Gmail's flawed addressing scheme
The "doreilly" address seemed like such a prize when I registered it more than nine years ago: It's quick to enter and easy for friends and associates to remember. I didn't consider the thousands of other "D. O'Reilly"s in the world, some of whom use the address "firstname.lastname@example.org" as their own.
The first "d.oreilly" message still in my archive was received on June 10, 2005. It's addressed to Dustin O'Reilly and included as an attachment a draft of a contract for an orthopedic fellowship. (I've changed all the recipient names used in this story.)
The message's confidentiality statement instructed me to contact the sender if I was not the intended recipient, which I dutifully obeyed. The Gmail support site claims the problem is due to senders mistyping addresses. The company recommends that you reply to the sender to inform them of the mistake.
When dealing with individuals, it's courteous to inform the sender of the error. If the errant message doesn't include private information, however, simply deleting it may suffice. (Google recommends marking the message as spam and choosing the Unsubscribe option if it is available.)
In my case, a name other than mine often appears next to the "email@example.com" address. As stated above, Google insists the person was not able to create a separate Gmail account using that address. Rather the sender's contact for the address includes the other person's name.
Similarly, someone named Durwood O'Reilly was shown as the owner of the address "firstname.lastname@example.org," and Dashiell O'Reilly was also identified as the owner of "email@example.com." Gmail's aliases are clearly misfiring.
The Google Groups thread "Someone else is using my e-mail address" includes posts from people who regularly receive other people's messages. In some instances, two people have the same name but slightly different Gmail addresses. In others, one person receives many other people's mail. (Often a sender simply enters the wrong address, such as the person whose boss always made the same addressing mistake.)
Most of the people posting to a similar Google Groups thread from July of last year claim the problem is due to someone using the account name as their own by mistake rather than on purpose.
It's difficult to convince some Gmail experts that these are not cases of accounts being hacked. No one else has signed into or otherwise attempted to access the account. Someone has mistaken your Gmail address for theirs. There is no indication that other people are able to read messages sent to you.
On the other hand, whenever you think there's a chance your account has been compromised, it's safest to change your password and be sure you've enabled the service's two-factor authentication.