Never buy a .online domain

2026-02-25 13:31 | www.0xsid.com

I’ve been a .com purist for over two decades of building. Once, I broke that rule and bought a .online TLD for a small project. This is the story of how it went up in flames.

Namecheap's Alluring Offer

Earlier this year, Namecheap was running a promo that let you choose one free .online or .site per account. I was working on a small product and thought, "hey, why not?" The app was a small browser, and the .online TLD just made sense in my head.

After a tiny $0.20 to cover ICANN fees, and hooking it up to Cloudflare and GitHub, I was up and running. Or so I thought.

The Disappearing Act

Poking around traffic data for an unrelated domain many weeks after the purchase, I noticed there had been zero visitors to the site in the last 48 hours. Loading it up led to the dreaded, all-red, full-page "This is an unsafe site" notice. The site had a link to the App Store, some screenshots (no gore or violence or anything of that sort), and a few lines of text about the app; nothing else that could possibly cause this. [1]

Clicking through the disclaimers to load the actual site to check if it had been defaced, I was greeted with a "site not found" error. Uh oh.

Initial Recon

After checking that Cloudflare was still activated and the CF Worker was pointing to the domain, I went to the registrar first. Namecheap is not the picture of reliability, so it seemed like a good place to start. The domain showed up fine on my account with the right expiration date. The nameservers were correct and pointed to CF.

Perplexed, I ran a quick dig NS getwisp.online +short. Empty.

Maybe I had gotten it wrong, so I checked the WHOIS information online. Status: serverHold. Oh no...
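
The three checks above (registrar view, dig, WHOIS status) are exactly what a monitor should run before the 48-hour traffic gap gives it away. Here is an added example, not code from the post, that does them in one place: it parses the "Domain Status:" lines of a WHOIS dump into EPP status codes, records who set each one (codes beginning with "server" belong to the registry, "client" to the registrar, per ICANN's EPP status glossary) and whether the code withdraws the name from the TLD zone, then cross-checks that against the output of `dig NS <domain> +short`. The WHOIS text and dig output at the bottom are constructed samples, not the real getwisp.online records; the domain name example.online is a placeholder.

```python
"""Triage for a domain that has silently dropped out of DNS.

Added example (not the post's code). Standard library only, so it runs
offline on the constructed samples at the bottom; feed it real `whois`
and `dig` output from a cron job and it is the uptime check the post
wishes it had.
"""
import re
from dataclasses import dataclass, field

# EPP statuses under which the TLD stops publishing the delegation: the
# registration still exists, the registrar dashboard looks normal, but the
# name is gone from the zone (ICANN EPP status glossary).
UNRESOLVABLE = {"serverHold", "clientHold", "inactive",
                "redemptionPeriod", "pendingDelete"}
# Locks that do NOT affect resolution; reported separately so an ordinary
# locked domain is not mistaken for a broken one.
LOCKS = {f"{who}{what}Prohibited"
         for who in ("server", "client")
         for what in ("Transfer", "Update", "Delete", "Renew")}

STATUS_RE = re.compile(r"^\s*Domain Status:\s*(?P<code>[A-Za-z]+)", re.MULTILINE)


@dataclass
class Finding:
    domain: str
    unresolvable: list = field(default_factory=list)   # hold-type codes seen
    locks: list = field(default_factory=list)          # harmless lock codes
    ns_records: list = field(default_factory=list)     # what dig actually saw

    @property
    def set_by(self):
        """Who has to lift it: client* is the registrar, everything else
        (server*, plus the registry lifecycle states) is the registry."""
        return {"registrar" if c.startswith("client") else "registry"
                for c in self.unresolvable}

    @property
    def healthy(self):
        return not self.unresolvable and bool(self.ns_records)


def parse_epp_statuses(whois_text):
    """EPP status codes from a WHOIS dump, de-duplicated, in order of appearance."""
    codes = []
    for m in STATUS_RE.finditer(whois_text):
        if m.group("code") not in codes:
            codes.append(m.group("code"))
    return codes


def parse_dig_short(dig_output):
    """`dig NS x +short` prints one nameserver per line, or nothing at all."""
    return [ln.strip().rstrip(".") for ln in dig_output.splitlines() if ln.strip()]


def triage(domain, whois_text, dig_output):
    codes = parse_epp_statuses(whois_text)
    return Finding(domain,
                   [c for c in codes if c in UNRESOLVABLE],
                   [c for c in codes if c in LOCKS],
                   parse_dig_short(dig_output))


def explain(f):
    """One-line verdict, written to be the text of an alert."""
    if f.healthy:
        return f"{f.domain}: OK, delegated to {', '.join(f.ns_records)}"
    if f.unresolvable:
        return (f"{f.domain}: withdrawn from the zone by the "
                f"{'/'.join(sorted(f.set_by))} ({', '.join(f.unresolvable)}); "
                f"the registrar dashboard will still look fine")
    return f"{f.domain}: no hold status but no NS delegation either; check the registrar"


# Constructed samples (not real WHOIS or dig output) in the layout registrar and
# registry WHOIS servers use. The Name Server lines are still present under
# serverHold: the registrar-side data is intact, only the delegation is gone.
WHOIS_HELD = """\
Domain Name: EXAMPLE.ONLINE
Registrar: Example Registrar, Inc.
Domain Status: serverHold https://icann.org/epp#serverHold
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: ALICE.NS.CLOUDFLARE.COM
Name Server: BOB.NS.CLOUDFLARE.COM
"""
WHOIS_FINE = WHOIS_HELD.replace("Domain Status: serverHold https://icann.org/epp#serverHold\n", "")
DIG_EMPTY = ""
DIG_FINE = "alice.ns.cloudflare.com.\nbob.ns.cloudflare.com.\n"

if __name__ == "__main__":
    print(explain(triage("example.online", WHOIS_HELD, DIG_EMPTY)))
    print(explain(triage("example.online", WHOIS_FINE, DIG_FINE)))
```

The point of splitting holds from locks is that almost every real domain carries a clientTransferProhibited lock; a monitor that pages on any non-"ok" status is a monitor that gets muted. The hold codes are the ones that remove the name from the zone, and the server/client prefix tells you which desk to write to.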

Stuck in No-Man’s-Land

At this point, I double checked to make sure I hadn't received emails from the registry, registrar, host, or Google. Nada, nothing, zilch.

I emailed Namecheap to double check what was going on (even though it's a serverHold [2], not a clientHold [3]). They responded in a few minutes with:

Cursing under my breath, since that confirmed my worst fears, I promptly submitted a request to the abuse team at Radix, the registry in this case, who responded with:

The domain name getwisp.online has been suspended due to its blacklisting on Google Safe Browsing. To get the domain unsuspended, please follow the delisting instructions mentioned on the listing page. Once the domain is delisted, kindly update us and we shall proceed with the unsuspension request.

The Verification Catch-22

Right, let's get ourselves off the damned Safe Browsing blacklist, eh? How hard could it be?

Very much so, I've now come to learn. You need to verify the domain in Google Search Console before you can request a review and get the flag removed. But how do you get verified? By adding a DNS TXT or CNAME record. And how does that work if the domain does not resolve? It doesn't: a domain on serverHold has been withdrawn from the .online zone, so no resolver will ever see the record, whatever Cloudflare is serving. The other verification methods (an HTML file or a meta tag on the site) are no better, since nothing under the domain loads.

As the situation stands, the registry won't reactivate the domain unless Google removes the flag, and Google won't remove the flag unless I verify that I own the domain, which I physically can't.

I've tried reporting the false positive here, here and here, just in case it moves the needle.

I've also submitted a review request to the Safe Search team (totally different from Safe Browsing) in the hopes that it might trigger a re-review elsewhere. Instead I just get a No valid pages were submitted message from Google because nothing resolves on the domain.

As a last resort, I submitted a temporary release request to the registry so Google can review the site’s contents and, hopefully, remove the flag.
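
The registry acted on a Safe Browsing listing that the author only found weeks later through a traffic graph. Google exposes the same listing data through the Safe Browsing Lookup API (v4, the threatMatches:find method), so you can poll your own domains and get the warning before the registry does. The following is an added example, not the post's code: it builds the request body, parses the response, and wraps the live call. It assumes you have a Safe Browsing API key from Google Cloud (SB_API_KEY is a placeholder), and the response at the bottom is a constructed sample in the documented v4 shape, not a real listing of any domain; example.online is a placeholder name.

```python
"""Poll Google Safe Browsing for your own domains (added example, not the
post's code). The live call needs a real API key and network access; the
parsing runs offline against the constructed sample below."""
import json
import urllib.request

LOOKUP_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find?key="
SB_API_KEY = "REPLACE-ME"          # placeholder; a real key comes from Google Cloud
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE",
                "POTENTIALLY_HARMFUL_APPLICATION"]


def build_request(urls, client_id="domain-watch", client_version="1.0"):
    """Body for threatMatches:find. Bare hostnames are expanded to both
    schemes with a trailing slash, because the listing that sinks a whole
    domain is normally the host-level one and that is the URL to test."""
    entries = []
    for u in urls:
        if "://" in u:
            entries.append({"url": u})
        else:
            entries += [{"url": f"https://{u}/"}, {"url": f"http://{u}/"}]
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": entries,
        },
    }


def parse_matches(response):
    """Map each flagged URL to the set of threat types it is listed under.
    An empty JSON object means nothing in the request matched right now;
    the 'matches' key is only present when something did."""
    flagged = {}
    for m in response.get("matches", []):
        flagged.setdefault(m["threat"]["url"], set()).add(m["threatType"])
    return flagged


def lookup(urls, api_key=SB_API_KEY, timeout=10):
    """Live query. Returns {url: {threat types}}; empty dict when clean."""
    body = json.dumps(build_request(urls)).encode()
    req = urllib.request.Request(LOOKUP_URL + api_key, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_matches(json.load(resp))


# Constructed sample response (not real data) in the v4 shape: one
# host-level SOCIAL_ENGINEERING listing, the category Chrome's red
# interstitial calls "deceptive site".
SAMPLE_RESPONSE = {
    "matches": [
        {"threatType": "SOCIAL_ENGINEERING", "platformType": "ANY_PLATFORM",
         "threatEntryType": "URL", "threat": {"url": "https://example.online/"},
         "cacheDuration": "300s"}
    ]
}

if __name__ == "__main__":
    for url, kinds in parse_matches(SAMPLE_RESPONSE).items():
        print(f"ALERT {url} listed as {', '.join(sorted(kinds))}")
    # lookup(["example.online"])  # uncomment with a real key to query live
```

Two caveats when wiring this into a job: an empty response means "not listed at query time", not a clean bill of health, so keep polling; and the Lookup API sends the URLs to Google in the clear, which is fine for your own domains but not for anything you would rather not disclose.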

A Series of Unfortunate Events

I've made a few mistakes here that I definitely won't be making again.

  • Buying a weird TLD. .com is the gold standard. I'm never buying anything else again. Once bitten and all that.
  • Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
  • Not adding any uptime observability. This was just a landing page, and I wanted as few moving parts as possible.

Both Radix, the registry, and Google deserve special mention for their hair-trigger bans and painful removal processes, with no notifications or grace time to fix the issue. I'm not sure whether it's the weird TLD that's causing a potentially short fuse or whether I was brigaded earlier with reports. I'll never know.

Oh well, c'est la vie. Goodbye, $0.2.

Notes

[1] A mirror can be found here to verify the site contents.

[2] serverHold is set by the registry and is a royal pain to deal with. It leaves the registration in place but withdraws the name from the TLD zone, so the domain looks fine at the registrar and simply stops resolving; only the registry can lift it. Usually means things are FUBAR.

[3] clientHold is set by the registrar and is mostly payment or billing related. It has the same effect on resolution, but the registrar can lift it.



Comments

  • By NikolaNovak 2026-02-25 13:57

    Oh man. The infinite loops of impossible verification by large companies that should know better are a massive pet peeve of mine.

    This goes right to the top for me, along with the ubiquitous "please verify your account" emails with NO OPTION to click "that's NOT me, somebody misused my email". Either people who do this for a living have no clue how to do their job, or, depressingly more likely, their goals are just completely misaligned to mine as a consumer and it's all about "removing friction" (for them).

    • By duxup 2026-02-25 18:44

      Oh man we had a person leave unexpectedly who controls our Apple organization for our dev accounts. I'm several months into me making requests, getting responses at least a week later for each email where the responder ... didn't really read my message. Then they ask for documents ... but they forgot to send me the secure link ... another week+ for them to do what they said they were going to do. Now one of my documents didn't include a sentence they needed ...

      One of the requests was for a business card ... I haven't had a business card made with my name on it in 20 years.

      The amazing thing is that I bet scammers working this system can get through this faster than I can.

      At this point they should just give me control because no way would some scammer fail this much at this ungodly process.

      • By praestigiare 2026-02-25 22:33

        Scammers can definitely get through it faster than you can. Whenever you attempt to address abuse in a system by increasing the complexity of that system, you implicitly bias it towards those with the time and inclination to study it, which always includes those with intent to abuse it, and generally does not include your users.

      • By mxuribe 2026-02-25 23:35

        I'm in a similar boat...and over the weeks where I have been sending the requested docs/files...Apple reps come back and state that one of the docs I sent them was not valid...so I ask them to clarify their "definition" of the doc...and they just either reply with unhelpful comments, or delay a little and delay things further. When someone asks for a copy of a payslip and you send it...but then Apple says it's not a payslip, I genuinely am sad about the overall state of the world...I dislike Apple and all these big tech providers for their abusive control/power and at the same time vast layers and levels of incompetence. :-(

        • By duxup 2026-02-26 03:25

          I’ve been shocked by the poor support.

          I didn’t expect speed but what I’ve experienced has been what feels like bottom of the barrel outsourced support you get from some no name brand company….

          • By ajb 2026-02-26 08:05

            Structurally all these companies have adopted the approach that the anti-fraud team is its own world, that should be uninfluenced. So you can't talk to them on the phone, even customer support can only email them; the only feedback paths are ones under their own control. It also seems likely that each subsequent reply is processed by a different operative; for companies of sufficient size, that's probably enforced programmatically.

            This all helps make them immune from manipulation by "social engineering" or other forms of influence. But of course it also means they have virtually zero incentive to give a shit about the customer.

            There are obviously many ways that they could improve customer experience, but giving them an incentive to do so, without opening the door to influence, is a hard problem.

            Personally I think it should be the law that you can put up a bond to accelerate the process. Unfortunately the amount potentially at risk is probably larger than some customers' accounts, at least at places like AWS where their services can trivially be exchanged for cash. So in many cases a bond would be beyond the customer's means. But if any customers can afford it, it would provide a feedback path.

    • By MereInterest 2026-02-25 18:41

      > Oh man. The infinite loops of impossible verification by large companies that should know better are a massive pet peeve of mine.

      I got hit by this from google.

      1. Gmail added requirement for 2FA on my primary email address. Since I had no phone number on file, it instead used my recovery email address. Thankfully, I still had the password for my recovery email address, and could continue to (2).

      2. Gmail added requirement for 2FA on my recovery email address. Since I had no phone number on file, it instead used my recovery's recovery email address. Thankfully, I still had the password for my recovery's recovery email address, and could continue to (3).

      3. SBC Communications no longer exists, as it merged with AT&T in 2005. Email addresses at `sbcglobal.net` were maintained up until around 2021-ish, when they started purging any mailboxes that had been idle for more than 12 months.

      Fundamentally, this was google's fault for misusing a recovery email for 2FA. Unfortunately, the only way to fix it would be to contact AT&T, asking them to pretty please update the email settings for somebody who hadn't been a paying customer for two decades.

      • By fencepost 2026-02-25 22:18

        Google made it very clear years ago that they shouldn't be trusted with anything irreplaceable/that would cause major problems if you lost access.

        Once it became clear that they'd shifted from "crappy customer service" to (IMNSHO) "we fetishize the complete absence of customer service" it became dangerous to depend on them. Really, what's the worst that could happen? Maybe someone spams emojis in live chat on a game livestream at the request of the streamer on a personal account, it gets banned for abuse, Google recognizes that it's linked to other services and locks down everything? But that's so unrealistic I'm sure it could never happen.

        It's not like they also have the ability to identify links between multiple accounts accessed by the same person and have automated processes that might stomp the associated accounts as well. Why, that would probably require something like allowing poorly-understood automated agents to take actions on their own!

      • By akoboldfrying 2026-02-26 00:40

        > Fundamentally, this was google's fault for misusing a recovery email for 2FA.

        While this would absolutely suck and I sympathise with anyone getting hit by this out of the blue, it's pretty clearly your fault, not Google's. What should they have done? Just permit everyone to avoid upgrading to 2FA indefinitely? That would result in relatively more account hacks overall, for which they would inevitably be roasted in the court of public opinion.

        • By spaqin 2026-02-26 03:04

          I'm tired of 2FA. Absolutely the worst when setting up a new phone after losing the old one. A whole bunch of mixed methods, in 2 hours between installing all the apps again, getting text messages, installing authenticators, scanning IDs, taking selfies, receiving phone calls with spoken codes, grabbing another device that still somehow has access, twenty emails about new suspicious activity, grabbing recovery codes, or scrambling to find the Yubikey I used when registering for the simplest and most benign services that have no connections to my personal data or payment.

          Google will insist on sending a notification to a phone you have no longer access to, and regaining access always feels like hacking yourself. I dread the day I lose a phone together with my SIM card and ID during travel. I will never be able to go back and will have to start a new life as an illegal immigrant, living as a hermit in some deep forest.

        • By simoncion 2026-02-26 08:17

          > What should they have done? Just permit everyone to avoid upgrading to 2FA indefinitely?

          Yes. I've had online accounts for nearly as long as there's been an "online". The only time I've ever lost control of an account was due to 2FA.

          2FA should always be optional for one's personal accounts. [0] People who can securely manage passwords simply don't need it. And if Organized Crime or Mossad wants access to my accounts, 2FA is not going to stop them.

          [0] Corporate accounts and hardware are a different matter. You manage those however your employer commands you to manage them.

        • By justsomehnguy 2026-02-26 19:03

          The only reason Google does that 2FA dance is to get your phone number 'cuz it tends to be a very strong persistent marker which is very useful for... advertisement.

          • By akoboldfrying 2026-02-27 22:55

            I have the same suspicion in general, but isn't it possible to use an authenticator app as the second factor instead of a phone number?

            • By justsomehnguy 2026-03-01 16:39

              Try to register a new account without a phone number.

        • By harimau777 2026-02-26 11:54

          Personally, if their 2FA doesn't work, then they should definitely permit everyone to avoid upgrading to 2FA indefinitely.

        • By t-3 2026-02-26 08:01

          2FA isn't an upgrade, it's an annoyance. If your organization needs secure authentication, it's useful, but as an individual I have only ever been enraged. Making me check my email and phone to log in is a great way to ensure I never use your service again.

        • By 63stack 2026-02-26 12:41

          I doubt anyone would blame google for not forcibly enabling 2fa.

          • By akoboldfrying 2026-02-27 11:03

            I think it's similar to, say, serving raw HTTP instead of HTTPS. If, say, Facebook still served HTTP and people were getting their passwords swiped, Meta would be in the crosshairs.

            Even though you could say a person getting their 1FA account details phished is technically "their own fault", certainly to a greater extent than my HTTP example, spending the time understanding the issue well enough to realise that it was their own fault and not BigRichCompany's fault is not high on most people's list of fun things to do.

      • By deepsun 2026-02-25 19:20

        > Fundamentally, this was google's fault

        Or yours, for not caring about 2FA. It's been a common practice for many years, and strongly recommended by most identity services, as well as OWASP and NIST recommendations.

        What would you do in Google's place?

        • By wl 2026-02-25 19:46

          I have the same issue. At the time I created the account that I'm locked out of, Google said nothing about these "recovery" email addresses as 2FA. Years passed without any notice that maybe they were going to lock me out of an account I have the password for. No notice that I had better have access to that "recovery" email address that I hadn't bothered to keep up to date because I never thought I'd need to "recover" the account from Google. (In my case, it's an old .edu email address that I was promised "for life".)

          If Google wanted to lock me out of my account for my own good until I enabled 2FA, fine. But as GP stated, they abused the recovery email addresses to force 2FA on people and ended up locking some people out of their accounts.

          • By dataflow 2026-02-25 23:33

            > No notice that I had better have access to that "recovery" email address that I hadn't bothered to keep up to date

            The rest of your complaints make sense but this one is bizarre. It's a recovery email, isn't having access to it the entire point? Like what else did you think it was supposed to be there for beside being accessible?

            Google clearly misused it for something else, and you have a strong argument they shouldn't have. This one sentence just needlessly weakens the argument.

            • By cwillu 2026-02-26 00:19

              The point is that an "or" relationship was silently converted into an "and" relationship, which is a _very_ different relationship between two factors.

            • By wl 2026-02-26 04:10

              I never expected to need to recover the account because I used a strong password stored in a password manager that I had adequately secured and backed up.

              • By simoncion 2026-02-26 08:30

                Exactly.

                It was pretty sobering when Google demonstrated to me a new and novel way that made them the actual threat to my account security. I thought that by carefully refusing to publish anything with their add-ons (YouTube, Docs, Android Store, etc, etc) that I'd avoid getting swept up in an automated account-wide bannination, but, nope. A perfectly ordinary login to the account I'd had for years from the exact same location and IP address I'd used the day before was "suspicious" and required "recovery".

          • By 8cvor6j844qw_d6 2026-02-26 00:19

            > old .edu email address that I was promised "for life"

            Best treat all org controlled email address as temporary.

        • By Telaneo 2026-02-25 19:44

          Not add 2fa automatically, but instead prompt with options to add it.

          This probably doesn't comply with the relevant recommendations, but cutting a user off from their email is worse in my opinion.

          • By deepsun 2026-02-25 21:17

            I'm sure Google prompted the author for years begging to turn 2FA on, as well as warning that they will enforce it on day X. The author ignored them all.

            • By mulmen 2026-02-25 22:45

              Why is 2FA so critical it’s worth proactively breaking the user? What’s the even more bad thing that would (not could) happen to the user if 2FA was not enabled?

              • By namibj 2026-02-25 23:24

                Password database leaks turning into spam/proxy farms of very well aged accounts.

                • By mulmen 2026-02-26 20:26

                  That’s a could.

            • By Telaneo 2026-02-25 21:27

              That doesn't make forcing it any less wrong.

        • By mindslight 2026-02-25 19:51

          Not force nonconsensual authentication methods onto users.

          Google is one of the rare places I actually see positive value to 2FA. Compare with say banks, where it being demanded actually decreases my security. But regardless, it should not be forced.

          • By deepsun 2026-02-25 21:26

            As for the banks, I doubt it decreases security. Even SMS 2FA actually reduces fraud by 90%+.

            Yes, some banks implement it silly, like SVB requiring biometric login in order to scan one-time QR 2FA code from their app (biometric login is less secure), but you don't have to use the QR code, can use regular 2FA without biometrics.

            But even then having 2FA is 42 times better than not having it.

            • By mindslight 2026-02-26 04:13

              For US banks, the most important thing you can do to prevent fraud is to check your account transactions every 30 days so that you can report fraudulent transactions in a timely manner and have them reversed. Anything that increases friction of logging into your account thus decreases your security.

          • By deepsun 2026-02-25 21:22

            But then millions of users would stay unprotected from password stealing (see https://haveibeenpwned.com/).

            They certainly did a proper thing forcing people to use 2FA AFTER multiple emails over the years recommending to turn it on, and warning that they will enforce it, which they did.

        • By saidnooneever 2026-02-25 20:07

          Nonsense. Any feature should have acceptable failure modes. Blaming the customer for a fault they have no control over is not acceptable. Many people know nothing about 2FA. It is not their responsibility. 2FA is a symptom of shittily designed systems which are inherently insecure and companies who don't give a shit about that and let their customers shoulder the burden by shoving complexity down their throats.

          If you make an app it is not your customers' responsibility to secure it with additional actions from their side. If it is, you need to make it mandatory and guide them step by step.

          You can't, after a while, enable some toggle and tell people to fuck off and that it's the fault of their ignorance to not know some technical details.

          Most consumers of these services don't know shit about IT and they should not be burdened with it. Any product that demands it is either only meant for tech-savvy people or, more likely, lazily and badly engineered by money-hungry people who see an opportunity to make more money in users' issues.

          • By deepsun 2026-02-25 21:18

            > many people know nothing about 2FA

            That's why Google sent them multiple emails explaining what it is and recommending to turn it on. What else could Google do?

            • By YeahThisIsMe 2026-02-25 21:42

              Not just turn it on without their approval.

            • By harimau777 2026-02-26 11:59

              Provide a way to resolve the issue in the very foreseeable situation where someone doesn't read the emails and add it.

              Is it possible that you use email differently than most people? I virtually never actually check my inbox. I'm either reading an email that I knew was coming (e.g. an order confirmation with a shipping link) or I'm searching for something specific. So no matter how many emails Google sends I'm unlikely to read them.

        • By happymellon 2026-02-26 11:03

          2FA falls under the same criteria as mandatory password rotation, and "has to have special characters". Those were NIST recommended for a long time too.

    • By rationalist 2026-02-25 14:39

      Someone constantly adds my Gmail address as their Gmail account's backup address.

      I constantly remove it whenever Gmail sends me the notification.

      I can't help but think there is some method for the other person to steal my Gmail account if I never remove my email as their backup.

      • By ChrisMarshallNY 2026-02-25 21:22

        I have an "OG" mac.com account (got it about five minutes after Steve announced it). My wife actually has her first name.

        We both get hit with "OG Hell," where people are constantly entering our emails. I think most of the time, it is accidental (maybe they meant "XXX1234", and forgot the number).

        What makes it worse, is that Apple aliases mac.com, icloud.com, and me.com together, and there's no way to turn off one of the aliases.

        mac.com is really in retirement. No one sets up new ones, but the miscreants typo icloud.com, which gets routed to me.

        I have a rule, where I shitcan every mail to icloud.com, but I wish I could simply turn off the forwarder.

      • By Romario77 2026-02-25 14:52

        I logged in several times to other people's accounts and reset their passwords. But it's too tiring, people keep adding my email.

        I hope it's because I have small simple email and not because they want to steal it.

        • By nativeit 2026-02-25 15:35

          You’re confessing to several actual felonies here, may want to change strategies.

          • By kstrauser 2026-02-25 15:41

            “…and so I made him the owner of my account, and he used that to remove himself from it!”

            “We’ll be right over.”

            • By thatguy0900 2026-02-25 18:19

              You forgot the part where he reset their email he didn't own and changed their passwords so they couldn't get back into it

              • By kstrauser 2026-02-25 18:51

                I think you’re misreading this. OP has an email account. Someone else signed up for some website that doesn’t verify that you own the address before allowing you to log in and use the service. If the site did verify it, the user wouldn’t have been able to log in because OP would have been getting the verification emails, and not the user.

                Later, after OP told the user and they failed to change their address, OP logged into the site and changed their password, putting an end to the spam they were receiving from the user’s actions.

                I don’t have an ethical qualm with this. He didn’t want to sign up for the service. Someone else signed his email address up for it. Legally, I can’t imagine that being prosecutable.

                • By NikolaNovak 2026-02-25 19:20

                  One thing I've found, occasionally the hard way, is that helpful bystanders are always offering advice based on "ethical", "intuitive", "logical" and "common sense", usually without any aspect of "legal".

                  I got divorced a decade ago, and every well-wishing person in my life was strongly urging me to do things which were shockingly counter-productive / dangerous / wrong, based on their confident understanding (assumption, really) of the law which was completely and dangerously inaccurate.

                  Hacker News audience is global. People start accounts for various purposes. Yet people still freely share the notion that logging in to some unknown website run by an unknown company from a hard to spell country and then touching things is universally safe.

                  I miss the old "IANAL" tag which at least provided basic warning and self-awareness :-).

                  • By kstrauser 2026-02-25 20:05

                    While true, I think that's implicit in all online conversations. I'm certain my thinking is 100% wrong in some jurisdictions elsewhere. Anything I say is wrong somewhere.

                    "It's OK: you can curse on the Internet." "Not when you're typing from Iran!" "Well, OK, if you're in Iran, don't take this American's advice for dealing with a government."

                    Part of our obligation as a reader is to consider what others are saying in the context of our own circumstances and experiences before trying to apply it. If you don't, and things end badly, that's on you.

                    But I stand on my words: I think it's ethically OK. You may not. That's alright. We're not required to have the same ethics or morals. And I don't think that's prosecutable. That's my opinion, based on my circumstances, not a statement of fact that applies in all jurisdictions around the world.

                    Above all else, I got tired of giving disclaimers about every single thing I say lest someone jump in with a "gotcha! scenario" I hadn't considered because it's not relevant to the context of the discussion.

                  • By altairprime 2026-02-25 19:27

                    IANYL, though! Offering legal advice with the disclaimer “I am not a lawyer” could be prosecuted as practicing law if a reasonable party could still infer a potential lawyer-client relationship from your message and/or intent. Instead, “I am not your lawyer” explicitly denies the lawyer-client relationship, which closes the door on both being accused of practicing law illegally and on being found as party to a lawyer-client relationship whether or not you have the appropriate certifications.

                    • By technothrasher 2026-02-25 21:01

                      > closes the door on [...] being accused of practicing law illegally

                      Does it? So I can say, "I'm not your lawyer, but I'm happy to go ahead and give you specific legal advice on your case." and I can't be accused of illegally practicing law? I was under the impression that this could still get you into hot water. But not being your lawyer, due to the fact that I am not a lawyer at all, I don't know if it is true or not.

                      • By kstrauser 2026-02-25 21:26

                        IANAL, so take this with a grain of salt, but:

                        As with all things, who are you going to get in trouble with? And what's so magical about legal practice as opposed to, say, giving shitty medical advice or telling someone how to build a porch? Asking genuinely. No one falls all over themselves to say "I am not a doctor, but...", even though their next words could kill someone. The implication is that they don't have formal training but they saw something on Facebook that you should try. What happens next is on you, not on them.

                        • By altairprime 2026-02-25 23:13

                          > No one falls all over themselves to say “I am not a doctor, but”

                          This is precisely why I’m pointing this out: IANAL is a very curious case of people self-labeling their statements as “not trustworthy for the topic”. I can think of perhaps no other cases where it is so popular to claim to not be a professional in the relevant field, which suggests that IANAL is a ‘badge of honor’ rather than a proper legal disclaimer. Certainly few (if any) claim IANAD before writing about their experiences with medical issues, body things, or nutritional supplements here, even though those topics are (as you correctly indicate) potentially lethal.

                          Thus, IANYL: if your goal is to ensure that the recipient of your advice / opinion / whatever does not have grounds to claim that you provided legal advice, and therefore are their lawyer, then you can either do so weakly with TINLA (“this is not legal advice”), which still leaves the door open for awkward claims by some desperate grifter-rando to reach a bench, or you can do so strongly with IANYL (“I am not your lawyer”), which closes that vulnerability in full.

                          Not once in years of using IANYL have I seen anyone else properly protect themselves from this vulnerability; meanwhile, “IANAL but” remains in use as a badge of honor. So, yeah, I don’t think anyone considers the particular avenue of vulnerability a serious threat, and yeah, the general context of IANAL here is prideful rather than protective. But after twenty years of dealing with a stalker who was adept at internet and tried to fuck with my job at one point, I do now tend to value closing off legal vulnerabilities with certainty, and as a bonus it doesn’t imply insult to the professions of law.

                          IANYL, YMMV :)

          • By NikolaNovak 2026-02-25 19:13

            Right. Techies are always quick to suggest I do something naughty or funny with this "great power" I've unwittingly gained, but in reality it's just a liability. If I ignore it and they do something nasty and implicate me, it's a pain. If I touch it with a 10 ft pole, now I'm even more actively involved.

            Just include "not me!" in the verification email, damn it

          • By tracker1 2026-02-25 18:01

            You give someone ownership of something and they used that ownership...

            • By krickelkrackel 2026-02-2518:122 reply

              It's like leaving your bike in the street, with no lock. Still theft, but you'd be up for a part of the responsibility.

              • By tracker1 2026-02-2518:351 reply

                No, it's like giving someone a set of keys to your car, and they take it for a drive.

                • By kstrauser 2026-02-2518:56

                  I think it’s more like you registered the car in their name. Now they’re allowed to use it, and also responsible for the thing which they didn’t want.

                  Consider that the “imposter” starts uploading child porn or something, and it’s on an account registered to your address. I think it’s perfectly A-OK to tell the service that it’s not me using the thing and I want them to close the account someone created in my name.

              • By c22 2026-02-2518:34

                It's more like leaving your bike in someone else's garage.

          • By ntoskrnl_exe 2026-02-2517:151 reply

            I'm curious if this would really be considered unlawful access, since only pure idiocy and no hacking/scamming/etc were involved.

            • By volkercraig 2026-02-2517:511 reply

              It would be in Canada, but our "misuse of computer" charge is overly broad and has never been well tested.

              • By charlieyu1 2026-02-2518:09

                On the other hand, in Hong Kong it would be straight to jail. Someone was sent a link by the airlines, he changed a couple of characters and it ended up showing another person’s data. The guy voluntarily reported the vulnerability and all he got was a criminal charge and found guilty

          • By jama211 2026-02-2518:12

            No harm done no one is gonna prosecute this

          • By cft 2026-02-2518:381 reply

            In what jurisdiction? He's in Russia

        • By delecti 2026-02-2515:364 reply

          Have you tried sending them emails asking/telling them to stop?

          • By kstrauser 2026-02-2515:464 reply

            I’m a different person, but this happens to me, too. I have the kstrauser@yahoo.com email address because I signed up for it like 25 years ago. I log in every 6 months to see what the few other kstrausers in the world have signed me up for.

            Not jsmith, but kstrauser. Not Gmail, but Yahoo. And I still get banking docs, and HOA meeting minutes, and birthday party invitations, and Facebook logins, and other bizarre random stuff.

            I have so many questions. I’ve typoed my address before and had to correct it. That’s understandable. But to wholly invent one and say, yep, that looks good even though I’ve never used it before, I’m sure it’ll be fine! I just don’t get it.

            • By prawn 2026-02-2523:24

              I have a catch-all on a .com.au domain where there exists a later 1000+ person organisation with the equivalent .gov.au. I get what you described but from many, many people - divorce proceedings, legal discussions, financial documents, health things, etc.

            • By josephg 2026-02-2521:051 reply

              Yeah I have josephg@gmail. The amount of spam that account gets is wild - about 50-100 emails hit the inbox per day. I got soft-locked out of google docs a few months ago because my google account's 25 GB quota was exhausted.

              Some of the emails are really unfortunate stuff. "Your account was added as a backup address." - Then inevitably, a few weeks later, dozens of password reset emails. Sorry bud. I've received pay stubs. Orders and invoices. I get phone bills every month for someone in India. Its chaos.

              Early on I'd sometimes reply to these random emails telling people they've got the wrong address. The most astonishing reply I ever got was from HSBC bank telling me I needed to come into the branch to change my email address. Over the course of a week, I explained about 3 times that that was impossible. That I live in Australia. That I'm not their customer, and it's not my account. Eventually they told me they were disabling online banking on my account. Now I've given up replying at all.

              Send emails into that pit of PII misery if you want. I don't read them.

              • By amitp 2026-02-2716:37

                Some of these banks are ridiculous. HDFC bank insists that I send them my photo id, address, phone number, and my Indian id number to prove that I'm not their customer. I tried explaining that I don't have an Indian id number because I don't live in India but they insisted they can't help me unless I provide all of this. Then they sent me legal notices threatening me for not paying "my" bills. I send all their stuff to spam now.

            • By Izkata 2026-02-2517:29

              I had one where the person seemed to think their @twitter name was the same thing as my gmail address. Haven't seen it in a while, maybe they figured it out after I told their kid's teacher they had the wrong person...

            • By theragra 2026-02-261:51

              I have a very weird and rare @gmail.com and I still get other people's mail sometimes.

          • By lawrencejgd 2026-02-2517:03

            >You write an email that says "Hey, can you please stop using my email address?"

            >You send it to johnsmith@gmail.com

            >You receive a new message, it says "Hey, can you please stop using my email address?"

            >You're johnsmith@gmail.com, you only know that's the address that's being used

            PS: I know that if he resets the password he can get the other address, but this scenario was funny in my head.

          • By Mordisquitos 2026-02-2516:362 reply

            That may be what they're hoping for, using a similar modus operandi as those WhatsApp/IM messages from strangers who text you with things in the vein of ‘Hey, it was great meeting you at the conference’ or ‘Did Martha like your flowers?’ etc.

            They may well be looking for targets.

            • By vintermann 2026-02-267:12

              I have a story here: I deleted my Reddit account.

              A few months later, the owner of the u/batman account added my mail as password reset mail.

              I looked up the account. It was hardly ever used in 15 years, mostly for once in a blue moon dropping in a random comment role-playing as Batman. It was not obviously anyone I knew. It looked like they were basically inviting me to take over the account.

              That was actually a bit tempting, but then the owner, whoever they were, would know who I was, and I still didn't know who they were.

              (For that reason I've changed the name, it wasn't Batman, but it was equally "I can't believe you got THAT as your Reddit username" rare.)

              So I clicked "this wasn't me" instead. After a few weeks the account was deleted by the owner. It seems they were willing to burn a 15+ year old account with a super-desirable (to many) name in order to get me back to Reddit, and then when I refused they just deleted it. That was VERY weird, and I wish I knew what was going on.

            • By red-iron-pine 2026-02-2615:30

              yeah this was my thinking, too

              great way to phish people without looking like a malicious, obvious actor

              instead they look like idiots or rubes and you get a little too curious, and in ways that might be considered malicious (and potentially illegal).

          • By tracker1 2026-02-2518:071 reply

            There are times where you just can't... someone uses my email address in person at tractor supply co. and I'm getting a ton of marketing email I can't unsubscribe from.

            I've had this happen several times... There's a lawyer I used for a dispute a few years ago, and they now have another "First Last" name that matches mine, and he keeps emailing me... my reply, "Wrong Michael, again..."

            It's kind of annoying all around... I need to get off my butt and get a few things shifted, then just start relying on my own MTA again, instead of forwarding *@mydomain to my gmail too. I'll still wildcard the domain, but to a single mailbox on my own mta.

            I'm not sure how bad the spam might get though... I've had a test account on my mta for a couple years and it hasn't really received any... my wildcard accounts either... I use the wildcard so I can do things like walmart@mydomain, to see if/where an email address is sold/leaked from regarding spam.

            • By rationalist 2026-02-2519:14

              Contact the Bar Association for that lawyer's state. He will definitely stop making that mistake then.

      • By tecleandor 2026-02-2518:081 reply

        My Gmail account is a funny word in Spanish that I got when there was still plenty of names available.

        I get TONS of emails of people trying to join services that use my address as a "fake email".

        • By marcus_holmes 2026-02-265:00

          We call this the Scunthorpe problem. Stupid "rude word" detectors use simple rules that fail on actual words.

          Way back I was working on a loyalty card system that had the entire UK electoral roll and Post Office data and we had to validate people; names and addresses. A "comedian" decided to sign themselves up for the system using a stupid name, and when the loyalty card duly arrived at their (correct) address with their (incorrect) name, they went to the papers and it became a slow news day human interest story.

          We had to implement a Scunthorpe filter, and that was really difficult. We ended up with a human looking at the data and hitting a button if they thought this was a made-up "funny" name or address.

          You would be amazed at English place names and surnames. Velvet Bottom is a real place in the UK. There are many people wandering around with names that you can't say in polite company.

      • By parable 2026-02-2520:08

        This happens to me several times a month. I'm more concerned about account termination, in that if their Gmail account is terminated for some reason, mine would be as well due to it being the backup email address.

      • By pocksuppet 2026-02-2522:16

        You could try stealing theirs. Surely, one of the forgot-password flows must use the recovery email.

      • By -Fu 2026-02-2518:53

        [dead]

    • By jacekm 2026-02-2520:071 reply

      A couple of years ago someone associated my email with their bank account in Santander UK. I tried to get in touch with Santander but turned out that the only way to do so is to either make an international call (I don't live in UK) or send them a paper letter. I gave up and just routed these emails to separate folder.

      • By subscribed 2026-02-2520:321 reply

        I meticulously report every single one of these emails as spam. Every single one. If it _could_ be read as a phishing attempt, I report it as phishing.

        Etc.

        • By zenoprax 2026-02-262:30

          "Wrong recipient" seems beyond the scope of what you can expect a spam filter to handle with accuracy. Wouldn't marking it as spam just degrade the signal to noise ratio of legitimate email? I'd rather get a few misses here and there than have to trawl through my spam folder which I only check once or twice a year when something doesn't show up right away.

    • By plagiarist 2026-02-2514:542 reply

      I prefer "please verify your account" to "thanks for joining" by a lot. The former presumably does not verify when I ignore it. The latter should be illegal but somehow isn't.

      I do wish there was a requirement for some sort of "no" button that would stop sending sign up requests entirely.

      • By Aachen 2026-02-2516:061 reply

        Any idea what the incentive is for them to put in an email address they can't access?

        I run a few websites that accept an email address (all noncommercial, I have no interest in spamming anyone). One of them is the "contact me" feature on my personal website. To prevent spam, I had people just put in their email address and it'll automatically email them my email address. This works perfectly to this day, haven't got a single spam email on any of the addresses I've handed out, but the ratio of emails sent out to received is probably 50 to 1.

        Why would anyone put an email address in there if not to contact me? I've been wondering if it's used by mail bombing services, idk if that's a thing but I know of the concept of annoying someone by signing them up for a hundred newsletters. My site doesn't send recurring emails, though, and it doesn't allow putting more than two email addresses per month in, per /24 IPv4 block (and even more strict on v6). It's useless for mail bombing services but the (presumed) bots keep submitting a steady rate of maybe 2 new email addresses per day, each time from a new ISP in a random country. No email address is ever submitted twice. No rhyme or reason to it. If anyone can make sense of this, that might help me in stopping the abuse
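        An added illustration of the per-network throttle the comment above describes, not the commenter's code: a Python limiter that buckets IPv4 clients by /24 and IPv6 clients by /48 (the /48 width and the site-wide daily budget are assumptions), folds IPv4-mapped IPv6 addresses into their IPv4 bucket, and then shows why a bot that arrives from a different network each time is not stopped by the per-prefix rule alone. All traffic in the demo functions is constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed policy, modelled on the comment above: two submissions per 30 days
# per IPv4 /24, tighter for IPv6 (/48 here), plus a global daily budget as a
# second layer. The v6 width and the global cap are assumptions, not the
# commenter's setup.
IPV4_PREFIX = 24
IPV6_PREFIX = 48
PER_PREFIX_LIMIT = 2
PER_PREFIX_WINDOW = timedelta(days=30)
GLOBAL_LIMIT = 20
GLOBAL_WINDOW = timedelta(days=1)


def prefix_key(ip_str: str) -> str:
    """Map a client address to the network bucket it is rate-limited under."""
    ip = ipaddress.ip_address(ip_str)  # raises ValueError on junk input
    # IPv4 clients behind a dual-stack proxy arrive as ::ffff:a.b.c.d; count
    # them against their IPv4 /24 instead of handing them a fresh v6 bucket.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    bits = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network((ip, bits), strict=False))


class SubmissionLimiter:
    def __init__(self, clock=None):
        self._per_prefix = defaultdict(deque)  # prefix -> accepted timestamps
        self._global = deque()                 # all accepted timestamps
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _prune(times, cutoff):
        # Timestamps are appended in order, so drop from the left until fresh.
        while times and times[0] <= cutoff:
            times.popleft()

    def check(self, ip_str: str, now=None):
        """Return (allowed, reason). A hit is recorded only when allowed."""
        now = now or self._clock()
        try:
            key = prefix_key(ip_str)
        except ValueError:
            return False, "unparseable client address"
        bucket = self._per_prefix[key]
        self._prune(bucket, now - PER_PREFIX_WINDOW)
        self._prune(self._global, now - GLOBAL_WINDOW)
        if len(bucket) >= PER_PREFIX_LIMIT:
            return False, f"{key} already used its {PER_PREFIX_LIMIT} submissions"
        if len(self._global) >= GLOBAL_LIMIT:
            return False, "site-wide daily budget exhausted"
        bucket.append(now)
        self._global.append(now)
        return True, key


def demo():
    """Constructed traffic from one chatty /24 (TEST-NET-3 addresses)."""
    t0 = datetime(2026, 2, 25, 12, 0, tzinfo=timezone.utc)
    lim = SubmissionLimiter(clock=lambda: t0)
    results = []
    # Three hits from the same /24: the third must be refused.
    for host in ("203.0.113.5", "203.0.113.77", "203.0.113.200"):
        results.append(lim.check(host, now=t0)[0])
    # An IPv4-mapped v6 address from that /24 shares the exhausted bucket.
    results.append(lim.check("::ffff:203.0.113.9", now=t0)[0])
    # Once the window has passed, the prefix is admitted again.
    results.append(lim.check("203.0.113.5", now=t0 + timedelta(days=31))[0])
    return results  # [True, True, False, False, True]


def hopping_bot(attempts: int) -> int:
    """A bot that shows up from a different /24 every time: the per-prefix rule
    never fires, and only the global budget bounds how much it gets through."""
    t0 = datetime(2026, 2, 25, 12, 0, tzinfo=timezone.utc)
    lim = SubmissionLimiter(clock=lambda: t0)
    return sum(lim.check(f"10.{i}.0.1", now=t0)[0] for i in range(attempts))


if __name__ == "__main__":
    print(demo())
    print(hopping_bot(30))
```

        The per-prefix rule does exactly what the comment wants against one abusive ISP range; the second layer exists because, as the comment notes, the submissions come from a new network each time, and a budget that is keyed on nothing but time is the only cheap control that bounds that pattern.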

        • By plagiarist 2026-02-2523:03

          One way to do phishing attacks is to inject some payload in an automated mailing so malicious content comes from a valid email address. I wonder if they're testing whatever mail entry they can find with addresses they have access to in attempt to find something usable?

      • By prmoustache 2026-02-2518:11

        > The former presumably does not verify when I ignore it.

        That doesn't prevent a huge majority of them from sending you notification emails all the time even if you never verify.

    • By duped 2026-02-2517:061 reply

      A chronic problem is the idea that if something can't be automated with a human in the loop then it simply can't be done at scale. Technologists will do anything except employ humans to solve social problems.

    • By derefr 2026-02-2523:241 reply

      > along the ubiquitous "please verify your account" emails with NO OPTION to click "that's NOT me, somebody misused my email"

      What would you expect clicking that "wasn't me" link to do?

      In 99% of cases, the user who signed up with your address already can't do any more with that account unless you positively confirm it was you; and the site also won't send you any more email because they don't consider the email verified (and so sending to it might result in their emails getting sent to spam -> their email-sending reputation score going down.) So things are already in the state you'd want them to be in, no?

      The only problem I can think of with that state is that now you can't sign up "fresh" for an account with the same provider, because now there's already an account associated with your email address sitting there in their DB in the pending-email-verification state. (But you still can acquire that account, by clicking "forgot/reset password" and going through that flow, which will inevitably go through your email, as anything like a 2FA setup flow always waits behind email verification.)

      • By vintermann 2026-02-267:24

        > and the site also won't send you any more email because they don't consider the email verified

        Netflix, for one, didn't do this. They kept allowing this guy to "resend his confirmation email" periodically over several months (I never had a Netflix account).

        My theory is that it was an affiliate scam of some sort; someone probably got paid for everyone who signed up with his code. So he "signed up" thousands of random mails in the hope that some of them would click through on the "you're almost ready to start your Netflix journey!" mail and actually subscribe to Netflix.

    • By Arrowmaster 2026-02-2519:071 reply

      I'm currently in the endless email loop because someone named Raymond used one of my Gmail names to register with State Farm. One of their agents even emails me directly when he gets really behind on his payments but won't do anything when I tell them it's the wrong email.

      In the past when this happens I usually reset the password and change the email to some anon throwaway but I can't do that without Raymond's DOB (don't quote me on that, been a while since I tried).

      • By smelendez 2026-02-261:45

        This exact thing happened to me with a State Farm agent.

        After a few months, I told them I was concerned about the privacy ramifications and would have to report it to their state insurance regulator, and it was very quickly fixed.

    • By integralid 2026-02-2514:134 reply

      No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.

      I wonder if finding people responsible and spamming them with their own service emails would make the team care enough to fix this. But of course that's mostly dubious, probably illegal, and shouldn't be a responsibility of some vigilante hacker

      • By wat10000 2026-02-2514:50

        What is the word for harming other people in order to make more money for yourself, if not "malicious"?

      • By justinclift 2026-02-2514:42

        > No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.

        Malicious inattention then, by the profit driven org? :)

      • By b112 2026-02-2514:332 reply

        If bartenders are legally (including criminally!) liable in some jurisdictions for their customers, then certainly a chain of legal liability can exist in other industries.

        • By Pxtl 2026-02-2517:13

          Yes but bartenders overserving is a crime done by a working-class person and not a wealthy business.

        • By CydeWeys 2026-02-2518:341 reply

          What are you envisioning exactly?

          • By b112 2026-02-2518:44

            Am I supposed to envision something?

            When pointing out that legal parallels exist, to enact a solution, must I envision that solution?

      • By loloquwowndueo 2026-02-2514:16

        With AI these days it’d cost almost zero money. /s

    • By Pxtl 2026-02-2517:121 reply

      Ah the old "reverse identity theft".

      Relevant xkcd:

      https://xkcd.com/1279/

      Yeah, I get the same regularly.

      • By thesuitonym 2026-02-2519:26

        Smartly, I got firstnamemiddleinitiallastname@gmail.com. I never get anybody else's details.

        On the other hand... Occasionally someone gets my info because some careless person entered my email address into their system incorrectly. You'd think this problem would be solved by moving to a custom domain, but I still once in a while find someone completely ignore what I put into the form and sign me up as firstnamelastname@gmail.com.

    • By cucumber3732842 2026-02-2515:471 reply

      The point of the system is what it does.

      They can't just say "we don't want to deal with small timers who will not pay us big bucks doing nonstandard things" without pushback but they can write the policy so that a huge fraction of those use cases fall into some crack that can only be got out of by incurring the kind of expense that's a non-starter for those users. Your municipal code is rife with examples of this.

      • By db48x 2026-02-2520:461 reply

        This is a catchy aphorism, but not really true. Things can be badly implemented so that they fail to achieve their purpose.

        • By praestigiare 2026-02-2522:591 reply

          People often have trouble with this saying, and that trouble often boils down to the difference between intent and purpose.

          The people who create a system have some intent for it. The system may or may not effectively achieve that intent, may or may not outlive the initial conditions that surrounded its creation, and may or may not have side effects.

          Purpose is something humans assign. It is sometimes linked to intent. A carpenter's hammer is intended to drive and pull nails, and that is often also its purpose. The purpose of the hammer I keep in my basement is breaking open walnuts.

          The phrase is stating that the purpose we should assign to systems when judging them is their outcome, and not the intent behind them.

          • By db48x 2026-02-260:521 reply

            Sometimes intent and outcomes matter, but the aphorism is simply not a good guide to understanding reality. It should be discarded.

            The classic example is a hospital for treating cancer patients. Suppose that one third of the patients are successfully treated, while the other two thirds die of their cancer. Is the purpose of the hospital to kill two thirds of the patients? Clearly not, but that is the outcome.

            • By praestigiare 2026-03-040:321 reply

              No, that is not what the hospital does, and thus based on this heuristic, it is not its purpose. What a system does is not the same as the context-free outcome. It is the outcome compared to the outcome that could be expected without the system. You have to define your priors.

              However, if the expected 5 year mortality for the cancer was 50%, and with this treatment 2/3 died, then the rule would apply. A choice to continue using that treatment could be criticized as equivalent to a choice to kill 1/6 more patients. Because despite the intention, the known outcome was more patients dying.

              • By db48x 2026-03-0410:32

                Good! You are thinking! In principle something like this should be the right answer. (But we can simplify it by simply saying that we expect the hospital to improve outcomes, even though it cannot cure every patient.)

                But no, the truth is that this hospital was built to provide jobs for civil servants <https://www.youtube.com/watch?v=x-5zEb1oS9A>. The purpose of a thing does not have to be related to the outcome.

    • By oooyay 2026-02-2522:13

      It's entirely on us as citizens for leaving them as pet peeves instead of crafting them into strategic law that makes them not only illegal but shunned. A little bit of structure goes a long way here.

    • By BobbyTables2 2026-02-260:41

      Once got one of those with a disclaimer that clicking any link was giving permission to subscribe me…

      I believe they included the “unsubscribe” link too…

    • By AtreidesTyrant 2026-02-2517:57

      Happens with Apple products all the time

    • By squeefers 2026-02-2516:14

      > Either people who do this for a living have no clue how to do their job,

      How naive. Most of the world works to survive, not because it's their dream vocation. They probably don't care as much as you do

  • By iamnothere 2026-02-2513:576 reply

    The registrar relying on Google Safe Browsing as a “trigger” for suspension is the most horrifying thing I’ve seen in a while. This basically makes the entire TLD unviable for serious use.

    • By mzajc 2026-02-2516:041 reply

      .online is one of the many TLDs that charge a dollar for registration but bump the price to $30-$35 for renewal. So far, this seems like a good signal to tell apart serious TLDs and ones just preying on customers who sort by cheapest (or capitalizing on one-off phishing domains).

      • By volkercraig 2026-02-2517:52

        I had a .fun domain that I was using to host a small project and they pulled that on me, I just let it expire and killed the project.

    • By TLDRisk 2026-02-2522:51

      It's the registry, not the registrar. I made a website that tries to help explain some of the lesser known nuances and risks relating to domains. The section about domain reclassification is based on first hand experience and is especially interesting IMO:

      https://tldrisk.com/beyond-basics/reclassification/

      > This basically makes the entire TLD unviable for serious use.

      It doesn't just make the TLD in question unusable. I think it makes most of the new gTLDs unusable. Registries can enact policies and systems like this, regardless of the detriment to registrants, due to a lack of oversight and registrant consideration by ICANN. That creates uncertainty and makes it pragmatic for registrants to simply choose the gTLDs with lots of history and precedence; .com, .org, etc..

      The only two TLDs I'd personally rely on are .com (gTLD) and .ca (ccTLD).

    • By mcoliver 2026-02-2516:091 reply

      This is the real story. This is 100% a problem with Radix. Safe browsing targets the website not the domain. No reason a registrar should be suspending an entire account over something a company reports. Black-holing the A and CNAMEs on a subdomain? Maybe..... But even then I don't think it's the registrars place to do that. Freezing the entire account? Absolutely not.

      • By NewJazz 2026-02-2517:121 reply

        Blackholing the A and CNAMEs would prevent getting off the Safe Browsing list, as mentioned in the blog post.

        • By arielcostas 2026-02-2611:11

          Google allows you to use TXT to verify, though. Since this "feature" of disabling domains because of Safe Search is based only on web contents (A/AAAA/CNAME), they could disable those and allow TXT anyway, since those are AFAIK harmless

    • By RHSeeger 2026-02-2514:212 reply

      The followup from that would appear to be don't use any domain that Radix controls.

      • By fc417fc802 2026-02-2520:14

        More generally, I think it's advisable to prefer the ccTLDs of places that are politically stable. And (IMO) to view com/net/org as de facto US ccTLDs (technically they aren't but for all practical purposes they might as well be).

      • By holysoles 2026-02-2515:33

        Yeah this doesn't seem like a unique or new issue:

        https://news.ycombinator.com/item?id=40195410

    • By WmWsjA6B29B4nfk 2026-02-2514:51

      Who said serious use is their business model though.

    • By NewJazz 2026-02-2517:111 reply

      Registry, not registrar

      • By iamnothere 2026-02-2518:24

        Thanks, yes, even worse! The registry should act on only legal orders IMHO.

  • By merek 2026-02-2513:553 reply

    The TLD owner in this case was Radix, which also owns

    .store .online .tech .site .fun .pw .host .press .space .uno .website

    https://radix.website/

    • By g947o 2026-02-2514:267 reply

      They seem to be almost always associated with scam sites.

      So, might as well block entire TLDs and never buy a domain under those TLDs

      • By jeroenhd 2026-02-2515:032 reply

        These alternative domains are quite popular with the fediverse and other hobbyist-run groups. Affordable domains with somewhat recognisable names still available.

        Scam websites will use any TLD in my experience. Based on the ones that made it to my Google search results, .it and .info are the TLDs I should be blocking. When I search for "free roblox cash", most websites are .com. "Free robux" also brings forth a few .ca websites. "Free steam gift card" leads to .org and .com.

        • By prmoustache 2026-02-2518:142 reply

          > Affordable domains with somewhat recognisable names still available.

          Aren't they only affordable for the first year though?

          • By erinnh 2026-02-2518:25

            I don’t know about most of them, but I’ve used .pw for many years for most of my domains as pw is really cheap even on renewal.

          • By jeroenhd 2026-02-269:24

            $2 per month isn't cheap for a domain per se, but compared to .ht or .ao or .ly it's still cheap.

            TLDs like .stream, .click, .top, and .link are cheap in general, even compared to .com

        • By kstrauser 2026-02-2515:481 reply

          My all time favorite Fediverse domain is jorts.horse. That’s the most delightfully random thing.

          • By b65e8bee43c2ed0 2026-02-2518:37

            this looks exactly like every mastodon instance I ever saw.

      • By xnorswap 2026-02-2514:311 reply

        The only .fun site I know is neal.fun, which regularly features on the front page here: https://news.ycombinator.com/from?site=neal.fun

      • By mghackerlady 2026-02-2517:23

        Funnily enough, good.store, which sounds like a made-up example of a scam, is actually a nonprofit run by John Green and his brother Hank Green

      • By dist-epoch 2026-02-2515:181 reply

        Because they are very cheap. If you are a scammer, why pay $5 for a domain when you can buy one of these for $1.

        I use them when I need a random domain.

        • By esseph 2026-02-2516:34

          > Because they are very cheap.

          When I first bought an .online, it was not cheap

      • By eli 2026-02-2521:49

        That's just because they're relatively inexpensive

      • By Yizahi 2026-02-2515:32

        Only .info is missing for the bingo :)

      • By avipars 2026-02-2618:40

        add .xyz to that list

    • By ectospheno 2026-02-2516:011 reply

      Despite blocking 66 TLDs and all IDN ccTLDs on my home dns I didn’t have these blocked. Guess I’ll consider it. Once you have the hagezi rpz files including threat information feed though you really have blocked most silliness.

      • By slekker 2026-02-267:431 reply

        Which other ones do you block?

        • By ectospheno 2026-02-2622:331 reply

          I'll append the current list below. My primary issue is protecting my son. His educational difficulties present a problem when it comes to determining when a link is good or bad. It is easier to cast a very wide net and whitelist good sites. There are other reasons for some of the TLDs but I can't go into that here.

            ad ads adult af alibaba alipay analytics anquan asia baidu
            bar bcn bible blockbuster by cf cfd cg chintai christmas
            citic click cloud cn coop country creditunion cyou data
            dish diy dm dot dtv dvr et feedback food forum fun gift
            hiphop hiv hk hkt host icbc il in iq ir kfh kp ky latino
            lb lifestyle link living locker lol love ly ml mm mo
            mobile moscow mov music my nhk ni nz observer ollo online
            ott ph phone pid porn press property pw quest realty
            redstone ren rest ru sbs sex sexy shouji site sling
            so sohu space st store su sy tech to top trust ua unicom
            uno vana ve wang website xihuan xxx yandex ye yun zip
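          As an added example (not the commenter's configuration, and not one of the hagezi files): a Python generator for an RPZ zone that blocks whole TLDs with "CNAME ." (NXDOMAIN) and carves out allowlisted names with "rpz-passthru.", plus a matcher that applies RPZ QNAME precedence (an exact name beats a wildcard, and a longer wildcard suffix beats a shorter one) so the policy can be checked before it is loaded into a resolver. The TLD subset is taken from the list above; the allowlisted names good.store and neal.fun are constructed inputs borrowed from elsewhere in this thread.

```python
# Constructed inputs: a slice of the TLD list in the comment above, plus two
# allowlisted sites mentioned elsewhere in the thread.
BLOCKED_TLDS = ["online", "site", "store", "fun", "pw", "click", "zip", "nz"]
ALLOWED_NAMES = ["good.store", "neal.fun"]

# RPZ encodes the policy action in the CNAME target.
ACTIONS = {
    ".": "NXDOMAIN",            # CNAME .            -> answer NXDOMAIN
    "*.": "NODATA",             # CNAME *.           -> answer NODATA
    "rpz-passthru.": "PASSTHRU",  # exception, resolve normally
    "rpz-drop.": "DROP",        # do not answer at all
}


def rpz_zone(blocked_tlds, allowed_names, serial=1):
    """Emit an RPZ zone file body. Record order does not matter to the
    resolver; precedence is decided by the trigger names, not file order."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. ({serial} 3600 900 604800 300)",
        "@ IN NS localhost.",
    ]
    for name in allowed_names:
        # The allowlisted name itself and everything beneath it.
        lines.append(f"{name} CNAME rpz-passthru.")
        lines.append(f"*.{name} CNAME rpz-passthru.")
    for tld in blocked_tlds:
        lines.append(f"{tld} CNAME .")    # the TLD apex itself
        lines.append(f"*.{tld} CNAME .")  # every name under it
    return "\n".join(lines) + "\n"


def parse_rules(zone_text):
    """Collect the QNAME-trigger rules (owner -> CNAME target) from a zone."""
    rules = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "CNAME":
            rules[parts[0].lower()] = parts[2]
    return rules


def policy_for(qname, rules):
    """Resolve the action RPZ would take for qname under the QNAME rules:
    an exact owner match wins; otherwise the wildcard with the longest
    matching suffix wins; otherwise the query is unaffected."""
    name = qname.rstrip(".").lower()
    if name in rules:
        return ACTIONS[rules[name]]
    labels = name.split(".")
    # i=1 is the longest possible wildcard suffix; walk toward the TLD.
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return ACTIONS[rules[candidate]]
    return "ALLOW"


if __name__ == "__main__":
    zone = rpz_zone(BLOCKED_TLDS, ALLOWED_NAMES)
    print(zone)
    rules = parse_rules(zone)
    for q in ("www.example.online", "good.store", "www.good.store",
              "somesite.fun", "neal.fun", "jorts.horse"):
        print(f"{q:22} -> {policy_for(q, rules)}")
```

          The matcher is the useful half: a wide TLD block plus a handful of passthru exceptions is easy to get subtly wrong (forgetting the "*.good.store" record, for instance, leaves every subdomain of the allowlisted site blocked), and checking the intended queries against the generated rules before loading the zone catches that without touching the resolver.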

          • By Buggem 2026-02-2622:381 reply

            Why do you block so many country TLDs? New Zealand is an especially weird block...

            • By ectospheno 2026-02-274:38

              Certain file hosting services located there. I agree that one is a wide net.

    • By jdfellow 2026-02-2519:17

      Well, dang. I've used a .tech as my personal domain and email for some years now, and didn't know this was owned by an obnoxious registry.

HackerNews