Finding My Impasta

Tracking the source of a weird email

January 17, 2024

One day while I was at work I got an email on my phone:

A screenshot of an email message from a bank. The name of the bank has been blurred. The headline reads 'Your credit card statement is now available'. The message is addressed to Mr. O'Connell.
(This is a recreation, I didn't want to show the actual message for reasons that will become apparent.)

The email came from a bank in the UK (let's call it BritBank), saying that my credit card statement was available to view online. I don't have a credit card in the UK, so I immediately suspected it was a phishing attempt. Someone was blasting these emails out to every address they could find, hoping that someone who did have a credit card would click through and enter their bank info on a fake website. Looking closer though, that explanation started to fall apart. The "from" address was on the bank's real domain, and the message content looked completely normal (no wacky fonts or typos or anything). There was also no urgent call-to-action ("click here", "call this number", etc.) which is a hallmark of phishing schemes. Even after digging into the metadata everything looked OK (DMARC passed, etc.), so it seemed safe to assume that the message really did come from the bank.

If BritBank sent this email to my address (with my full name written out in the message), then maybe I really did have a credit card with them that I didn't know about. Obviously that's a much more concerning possibility. I told my boss I needed to step away for a bit, and called BritBank.

(Well, I tried to. Apparently my phone plan doesn't include international calling. Google Voice to the rescue.)

Your call is very important to us

The automated phone system was difficult to navigate given my lack of information. I'm sure whoever designed it thought "Do you already have an account with us?" was a simple yes-or-no question, but at this point I genuinely didn't know the answer. The email included part of an account number, but not the whole thing, so I said "no" and stumbled my way through the rest of the prompts until I was connected with a person. The support agent was very understanding, and clearly agreed that this was worth taking seriously. She first asked me to read off some of the metadata on the email to confirm that it came from their usual outgoing address (it did). She then transferred me to someone in the card fraud department, who tried to look up my supposed account. She first searched for the email address, and found no results. I'm still not really sure how that was possible, maybe she mistyped it? Next she tried to look up my name and mailing address:

"Can you tell me your postcode?"
- "Well, like I said I'm in the U.S., but my zip code is 20500"
"Hmm, the system isn't letting me enter that"

Clearly that was not going to get us anywhere. At this point I relaxed a little. Even if someone had opened an account using my name and email, they obviously didn't use my mailing address or phone number since the BritBank system didn't accept them as valid. I've never even been to the UK, so any national ID or tax information on the account wouldn't have been tied to me either. It couldn't be "in my name" in any sense except literally.

After a few more attempts with different pieces of information, the agent concluded that she wasn't going to be able to find the account in question. She told me I could call back if I got more emails, but that for now there probably wasn't anything I needed to do.

But wait there's more

A few weeks later I got a similar email, but from a different bank (BritBank2). This time it was a checking account, and it was one of those generic "there's a new message about your account" ones where you have to sign in to see the actual notification. I called BritBank2, but had a similar conversation to the previous one.

The mystery was getting deeper. Why did multiple UK banks suddenly think I had accounts with them? Why couldn't they find any information when I called? I reflected on the events of the previous few weeks. Specifically, I thought about dinner.

"We should've gone to Pastabilities"

There's this fast-casual chain restaurant in the U.S. called Noodles & Company. If you've never heard of it, the menu is pretty much what you'd guess (unless you guessed that they sell companies). About a month before the weird emails started, I ordered delivery from them. This turned out to be a rather difficult process.

Screenshot of the Noodles & Company website showing the menu page. A handful of category options are presented, such as 'Everyday Value' and 'Craveable Faves'. Each choice is accompanied by a photo of a bowl of pasta.
Their website follows the trend of making all the elements massive, with lots of space between them so not much content fits on the screen at a time. I'm not sure what's up with that.

See, the thing about websites these days is that nobody tests them. Ok, I'm being a little unfair there; of course many companies have entire quality assurance teams dedicated to testing their software for bugs. However, in the past few decades there's been an explosion in both the number of companies that need bespoke public-facing software, and the complexity of the requirements for what that software needs to do and what devices it needs to function on. The result, evidently, is that many companies have websites held together by hot glue and prayers, and only the most show-stopping issues are even noticed, let alone addressed. If anything about your hardware, internet connection, or use case doesn't match what the developers (and their managers) were expecting, then interacting with these systems can quickly become an obstacle course of dead ends and error messages.

For me the thing that most often gives me trouble is my last name. In many U.S.-based systems, the customer first/last name fields are restricted to only accept Latin alphabet letters (often converted to all uppercase). This is certainly not ideal (people's names can have all sorts of characters in them), but it's not a huge problem for me personally. I don't care whether Pizza Hut spells it "O'Connell" or "OConnell" or "OCaml" as long as they bring me my food. But it becomes an issue when the database schema (only allow letters) gets reused as form validation, and suddenly the internal workings of their backend become my problem as a user:

Screenshot of the Pizza Hut website. In a text box labeled 'Last Name' the name O'Connell has been entered. Below it in red there is an error message that reads 'Not a valid name'.

That's not just unnecessary, it's rude. If you can't handle apostrophes you should just strip them out.

Noodles & Company cleared that first hurdle, but they managed to invent a new one of their own:

Screenshot of the Noodles & Company website. In a text box labeled 'Email', the email address has been entered. Below it in red there is an error message that reads 'Email Address must be valid'.

In case you've never seen this before, I have what's called a catch-all email address. Anything that ends with will go to the same inbox (giving each site a unique address helps me filter and search my messages). For every other site I'd ever used, this system works great, but for whatever reason Noodles wasn't having it. As it turns out, they only accept email addresses that end in a few particular TLDs. Their support told me that they only take .com, .net, .org, and .edu, but digging into the code we can see that the list is actually longer:

this.emailRegex = /[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+(?:[A-Z]{2}|com|org|net|gov|mil|biz|info|mobi|name|aero|edu|jobs|museum)\b/

As best I can tell, the regular expression comes from this StackOverflow post from 2009 (or some derivative of it). It accepts any two-letter TLD, along with any of the longer ones that are explicitly listed (which I think is all the ones that existed at the time). Uppercase and lowercase letters are used interchangeably throughout the expression, so presumably the author intended it to be used in case-insensitive mode. Somewhere in the game of telephone that detail got lost though, and the result is that it will accept a .com address only if it's written in lowercase, and a (for example) .us address only if it's written in uppercase. You can't write the whole thing in uppercase though, just the TLD. So william@example.zk doesn't work, but william@example.ZK is totally allowed (even though there isn't actually a .zk TLD).

Also, your entire email address can't be longer than 60 characters. If it is, you'll get the error message "Email Address must be no more than 128 characters". Can you see what I mean about it being untested?
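The case behaviour of the regular expression described above can be checked directly. This is an added example, not code from the Noodles & Company site: the `example.*` addresses are constructed, and wrapping the pattern in `^...$` is an assumption about how the form applies it.

```javascript
// Pattern exactly as quoted on the page: no flags, so matching is case-sensitive.
const emailRegex = /[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+(?:[A-Z]{2}|com|org|net|gov|mil|biz|info|mobi|name|aero|edu|jobs|museum)\b/;

// Same pattern with the "i" flag, which the mixed-case character classes
// suggest was the original intent.
const emailRegexInsensitive = new RegExp(emailRegex.source, "i");

// Assumption: the form requires the pattern to cover the entire input,
// so the source is wrapped in ^...$ before testing.
function wholeMatch(re, input) {
  return new RegExp("^(?:" + re.source + ")$", re.flags).test(input);
}

// Constructed sample addresses (not taken from the site).
const SAMPLE_ADDRESSES = [
  "william@example.com", // listed TLD, lowercase
  "william@example.COM", // listed TLD, uppercase
  "william@example.zk",  // two-letter TLD, lowercase
  "william@example.ZK",  // two-letter TLD, uppercase
  "WILLIAM@EXAMPLE.ZK",  // whole address uppercase
  "william@example.me",  // real two-letter TLD, lowercase
];

// Verdict for each address with and without the missing flag.
function compare(addresses) {
  return addresses.map((addr) => ({
    addr,
    asShipped: wholeMatch(emailRegex, addr),
    caseInsensitive: wholeMatch(emailRegexInsensitive, addr),
  }));
}

// Addresses whose acceptance changes once the "i" flag is restored.
function flagDependent(addresses) {
  return compare(addresses)
    .filter((row) => row.asShipped !== row.caseInsensitive)
    .map((row) => row.addr);
}

console.table(compare(SAMPLE_ADDRESSES));
```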

Now, at the time I didn't know any of this. I just knew that the box would turn red if I typed .me, and green if I typed .com. Luckily, I do actually own, ever since the domain squatter trading company that owned it for years finally got bored and auctioned it off. I'd never used it for email before, but I figured now was as good a time as any to set it up. I put in the .com version and everything was right in the world. Eventually I got my noodles. They were ok.

Flash Forward

As I thought back over the noodles incident, I realized what must have happened. BritBank hadn't suddenly started emailing me; they'd probably been doing it for years. Some other William O'Connell had opened a bank account (or actually several), and provided a email address. Maybe that used to be his email address many years ago, maybe it was just a typo, but either way the bank had been diligently sending account reminders there every month. In 2021 I acquired the domain, but because I hadn't set up MX records for it I was none the wiser. Only once I had the issue with the website and configured email receiving did I actually start seeing the messages. So that's why it seemed like multiple banks all started emailing me within the same month; I wasn't a victim of identity theft, I was the thief.

Let Them Know

Now that I understood the situation more clearly, I figured it was worth reaching back out to the banks to let them know what was happening.

Screenshot of chat messages between the bank (in grey) and me (in blue). The bank states that they are unable to remove customer email addresses, and asks if I can block the messages coming from them. I say that my bigger concern is the privacy issue, plus the fact that the intended recipient isn't getting the messages. The bank representative says they understand and to please block the messages on my side.

Apparently they don't really have a process for handling that sort of thing. It's possible it never occurred to their account team that someone could legitimately gain possession of an email address previously controlled by someone else.

The Resolution

A two-panel captioned image series. In the first panel, a detective asks 'How did you get rid of them?'. In the second panel the woman replies 'I Didn't'.
If you haven't played Contradiction, it's great.

So how did I manage to resolve this strange dilemma? I still haven't. I did eventually get in contact with someone that I thought was the other William, but either it was the wrong person, or they couldn't figure out how to fix it, because I'm still getting the emails. Since they're transactional messages, there's no unsubscribe link at the bottom. To remove the address from the bank account I'd need to sign in, and having access to the associated email isn't enough on its own to authenticate (which is probably a good thing). So while I can filter the messages out of my inbox, there's nothing I can do to stop receiving them.

Attempting to Conclude

There's this old quote supposedly from Albert Einstein that I think about a lot. The story goes that a student wrote him a letter in which she mentioned that she was struggling in her math classes. His response:

"Do not worry about your difficulties in mathematics;
I can assure you that mine are still greater."

I think computers are a lot like that. Programmers sometimes remark online that they're amazed that other people are able to use computers at all given how frequently they seem to break in ways that require specialized knowledge to figure out. Certainly I'd imagine there's a group of people who, if a restaurant website didn't accept their email address, they'd just have something else for dinner. But those people probably all have Gmail accounts, the one provider that Noodles almost certainly tested their site with. And if the other William had used iCloud or something with his bank then I never could've ended up getting his messages. The very fact that I'm a "power user" is why I so often find myself off the beaten path, trying to make software work in a scenario that's ever so slightly more unusual than the developers actually planned for.

I worry though, that the "happy path" is getting narrower and narrower. As internet services continue to consolidate, and companies seek to further automate their customer service, it seems only a matter of time before I run into an issue more serious than misdirected emails or rejected food orders. In the past I've had websites (including some very important ones) act up because they didn't recognize my phone carrier as legitimate. If my identity really is stolen some day, I'm not confident that I'd be able to resolve it in a timely manner.

Then again, I'm not sure how valuable my personal info would even be to a thief. They certainly couldn't order food with it.