One problem I've encountered is that usually sites won't allow you to register an account if the email address is already registered at that site. So if I register foo@gmail.com then someone else can't accidentally register foo@gmail.com. But they can register f.o.o@gmail.com just fine.
So I mean at my Gmail I have all manner of different Facebook accounts with various misspelling of my email address notifying me of stuff, none of them are mine. I'm sure they entered my email address (with dots) by accident, not on purpose.
I appreciate that sites not allowing you to register the same email address twice hardly solves everything, as I absolutely get email to my actual correct Gmail address from random sites I've never signed up for. But at least it would help in certain cases like Facebook where I do have an account.
LOL this reminds me of a hilarious bug (but only in hindsight!) I had with Discord just three days ago!
I tried to login to Discord. It detected a novel browser or location. Sure, this stuff can happen. It wanted to confirm that I was still me and asked me for my e-mail address. I gave it and it said "This e-mail address is already registered". What. Of course it is. It's me. Mine. The one I have registered with you.
Since I have a few useful things tied to Discord, I felt my pulse go up. I googled for answers, found a Reddit thread with this specific problem. They said "Hey, if you use Gmail you can use the dots-are-ignored-feature to give Discord a "new" mail that will still go to you, allowing you to verify it!" (https://www.reddit.com/r/discordapp/comments/12makhd/verify_...)
Sounded clever so I gave it a fore.name.sur.name@gmail.com variant.
Sure enough, I got the mail.
I logged in. I gasped as I realized Discord had now created a new, empty user for me! It somehow thought I was a brand new user despite this was only a user account _verification_ due to changed IP or whatever to begin with.
I tried logging in to my original account once more and now I somehow got in! The verification on my new account had somehow triggered (cookie? I have no idea) that I was trustworthy again. Phew! I promptly deleted the new-account-going-to-same-mail and breathed normally again...
Instead of clicking the "login" button on discord's home page, you clicked the "Open discord in your browser" button.
This, by default if you're not logged in, takes you to a create account flow. The prompt you entered your _username_ into was the "Pick a display name" prompt. If you enter, say, "user" it silently adds numbers to your displayname to make a new username ("user1234"), rather than redirecting you to the login page or prompting you about it (like most other sites do).
At the end of the flow is a "Finish signing up", "claim your account" prompt (which really is the end of the "create a new account" flow, the ephemeral account without an email you're using there is in a partially signed up state).
This is the box where you were entering your email, getting a conflict, and ended up using a new email to create a totally new account.
I know people who use hacker news are on-average much less tech savvy than the average discord user, so I can get why you missed the login button on the home page and instead went through the "create account flow", but everything that happened is "working as intended" rather than a "bug".
I do agree the flow there is pretty confusing. They've managed to make the new user signup flow so optimized you didn't even realize you were doing it.
Still, by the time it was telling you your email was already registered, you really should have slowed down and noticed it was telling you you were creating a new account rather than using a new email address for some reason.
You're trolling, right? Discord's sign up pattern is similar enough I've actually made this mistake not once, but twice. I think it's closer to a failure of design than anything else - it's almost never correct to blame user error for things like this.
> I know people who use hacker news are on-average much less tech savvy than the average discord user
Sarcasm? Serious question. I used Discord exactly once, many years ago, and it appeared to be mostly children playing video games. I hear things have changed, but it’s hard to imagine a more tech savvy group than HN.
I hate that prominent sign up, hidden sign in pattern so much. Is it simply that a tracking system "discovered" the sign in button isn't statistically used that often so someone concluded you don't really need it?
You might be right but then why did I get in just fine the second time I opened Discord after these hoops? I clicked on the same button both times. That was about as surprising for me, that I was just suddenly logged in and fine again. On my old account. And the Reddit thread is full of people falling into this trap too?
I hadn't thought of getting possibly locked out of Discord for something so stupid. I have so much going on in there as far as dev comms... That makes me nervous now. Is there a way to export anything just in case?
I've done this at least twice for the same reasons, and it's lead to me pulling my number off discord twice now. It's stupid how similar logging in and creating an account look.
What actually happened here is that the parent commenter, instead of clicking "login", entered their username into a "enter a display name" prompt on the home page, which registers a new account using the string you entered as a _display name_, and generates a random username.
The parent poster then did not realize they had created a new account and, even when it told them their email address was registered to a different account, somehow didn't realize they should go click login instead.
I think the easiest way for discord to make this a not-confusing experience for people who aren't tech savvy enough to click "login" to login, is to make it so the signup flow is a normal explicit "Enter email, enter display name, enter username" prompt, not a flow where they silently create a username if you _just_ enter a displayname.
The reason this would help is because forcing the user to enter a username early on lets you display a "Would you like to login instead?" message if the username conflicts.
Having the user enter a non-unique displayname, and silently creating a random unique username, means the signup flow no longer has the ability to say "Are you sure you don't want to login?"
Of course, discord mostly targets relatively tech-savvy users, not the average hacker-news-user, so it probably isn't that big a deal for their main demographic.
Not trying to mislead existing users into creating new accounts.
It's really annoying that on some websites you have to open up multiple dropdowns to reach the login page, also passing five sign up buttons on the way there. It's even filled with dark patterns, with the sign up button blinking and screaming at you to click it every single time, while the login button is made smaller and grayed out. I remember GitHub pulling this shit some time ago. Once I truly couldn't find the login button and gave up, opting to guess the URL/find it in history.
What is even the purpose of that? Is it truly a scheme to get users to sign up multiple times for the same service so that the user number goes higher? That seems too dumb.
No, just @gmail.com ones, and maybe a few others - not all email providers ignore dots.
But if you do this you better do it everywhere you use email. Otherwise you can get some pretty nasty bugs where two emails aren't considered the same sometimes, are are considered the same other times.
Doesn't Facebook require users to verify the email address with a confirmation email? If so, the only Facebook spam you should be able to get would be such confirmation emails. Or what am I missing?
I can't speak about facebook but I am in the case of having a gmail address[1] with my first name initial followed by my last name and I am in the case of having people with same last name and first name initial using my email address to register. That box is polluted by regular confirmation emails followed by spams from the same many websites. It turns out that more often than not the confirmation email is made to protect the companies running the websites (I guess to limit bots and password that can't be reinitialized), not promotionnal mail registration. You still receive all the promotionnal and automated email regardless if the user is active. Different table in the database I guess. Also there websites/services that don't use confirmation emails as well as processes initiated through physical office/point of sale.
[1] now pretty much abandonned but I mostly keep it to avoid anyone obtaining it and impersonating me. I still need to do some housekeeping and make sure I am not registered anywhere with that address anymore.
In my experience, surprisingly few services nowadays require email confirmation, I suppose in the name of increasing conversions or something.
I've had a number of accounts opened in my address but with different dots (eBay, Spotify, Shutterstock) that didn't require confirmation.
I usually reset the password, inform customer service (who generally don't care, or don't want to do anything because it's not my account), and then I close the account.
Oh I wish that were true, I've been receiving email for years for someone who signed up to facebook with my email address. It's a horrible pain, you can't contact facebook without a facebook account, and I can't create one because someone already has one with my email address.
Do a password recovery, log in and simply delete the account.
I had to do this once when someone signed up to FB with my email address. It actually was an eye opening experience as to how much data FB collects from everyone.
Now keep in mind that:
1) I don't have a FB account myself
2) This person signed up with my email address (which is <something-generic>@gmail.com), but their name is completely different from mine
3) They didn't even speak the same language, when I logged in to the new account the whole thing was in Swedish or something like it.
So nothing at all linking the account to me, except a misspelled e-mail address. When I logged in, FB was happy to suggest I friend a whole bunch of people I know IRL. Including people that do not know the e-mail address used. Absolutely crazy. How were they able to link me to these people when I was signed in to a complete stranger's account?
Well I sort of did, didn't want to delete the guy's stuff, so I made a dummy gmail account, switched it to that and deleted the gmail account after weeks of spam emails and trying to contact facebook I figured he could do some of the hard work to get his account back.
Of course it backfired, after he stopped using his account facebook and a couple of weeks facebook started sending begging emails to my email account again (don't believe them when they say they delete anything), I still get the occasional "what you've missed on FB" emails and about once a year the guy tries to recover his account and I get an email, I'd drop him a note, but the only email address I have for him is mine
Facebook shouldn't be sending you those emails at all, to be honest, assuming you never clicked the verification button.
That said, clicking the "report spam" button should allow you to unsubscribe from such emails without dealing with logins or whatnot. Gmail supports certain unsubscribe headers that'll automate the process, which should make getting rid of Facebook's spam a lot easier.
The trouble is that Facebook doesn't know every email providers rules and which email addresses the email provider considers equivalent. So for Facebook, foo@gmail.com and f.o.o@gmail.com are two separate addresses (and indeed foo@hotmail.com and f.o.o@hotmail.com probably really are two separate addresses probably controlled by two different people).
You're right that if Facebook required the email to be verified (by sending an email to it) before it could be used with Facebook then two different people wouldn't be able to have two separate Facebook accounts with one of them having an email address controlled by someone else. However, Facebook, in order to "reduce friction" and "reduce time to first value" is happy for you to use an unverified email address and they're happy to send a variety of emails to that address (including lots of emails telling you to finally verify that address).
clicked register new account
Entered Name, DOB, Email
Now I'm stuck, can't proceed past "Enter the code from your email" and going to https://facebook.com in a new browser tab takes be back to the "enter code from email page".
I doubt they will send any chaser emails but I will report back in some time
I just did the same thing with the opposite behavior, you’re probably coming from a bad internet neighborhood. Facebook does a lot of reputation stuff in their login and onboarding flows.
I don't understand how someone could sign up for a site with f.o.o@gmail.com in this example. That person would never receive email from the site (like a confirmation), because the foo@gmail.com owner would receive the confirmation. Doesn't Facebook require confirmation before the account is created?
I have exactly the same problem, and it has made my gmail account almost unusable. I have at least 150 unwanted emails per day (80% of them get caught by the spam filter)
Bear in mind that since there are a lot of websites (hundreds at least), and you haven't signed up to all of them, you can end up getting emails from websites you didn't sign up for even, when you're not using Gmail. I doubt it makes this minor problem appreciably worse
It's a problem when using email to register into a different site. Services without email validation will happily accept those two addresses separately, because they don't adhere to Gmail's internal conventions. If the site then sends mail to its registered accounts, then the Gmail address will receive unwanted mail.
There are horrible people who loves the idea of being able to use someone else's identities. Not just made up but stolen. I - I don't want to know why, nor what they're normally thinking.
Will Gmail prevent you from entering such an address elsewhere, thinking either that it is yours, or that it is the email of some intended recipient other than the actual Gmail accountholder?
Alternatively: will third-party systems consolidate such addresses under a single account, or treat them as different?
You have to be a bit careful with that kind of argument though. According to the specs the local part of an email address (before the @) can also be case sensitive so me@example.com and ME@example.com could be different email addresses. In the early days of a new system we implemented account email addresses following what the rules really say and making no assumptions. We then spent way too much time dealing with users who signed up with one address but then tried to log in with a "different" one because they had caps lock on or some auto-capitalisation feature in whatever browser they were using. Lesson learned - users do assume those are all the same address and cleaning up a database that sometimes has accounts for both me@example.com and ME@example.com isn't much fun.
There is no RFC about how the local-part is interpreted: even the gmail +tag syntax is an extension some servers implement and some don't. The only way to accurately test equality of email addresses is to send an email to them.
Even that only tells you something about equality/equivalency (or more precisely, the deliverability) at this moment. I have a family mail server that we periodically update mail list and forwarding rules. You could test for deliverability today and tomorrow the situation could change.
Yes, I know, that's the whole point. The mistakes that most people (including yourself) are attributing to the dots, are actually usually caused by human carelessness -- spelling errors, mixing up gmail with hotmail, "dave" instead of "david" etc.
I made (and corrected) three further typos writing my correction.
But the point remains that what I'd originally intended to show was that local-part email addresses which read differently, and in cases quite differently, but are identical save for the location of the dot, are treated identically by Gmail.
And that in different contexts this might not be clear and/or lead to confusion.
I have a big problem because this, my account is créate in closed beta period, in this stage this feature does exist.
My email: name.alias@gmail, because already exists namealias@gmail. Ok the email Work fine for 4y before this feature exists, after if email send exacly works but the problem i am started reciving email for the other user and this is e-mail is not cool.
After 10y i give up of gmail and moved to my domain
imagine that you have an address name.surname@gmail.com
imagine that someone else has an address namesurname@gmail.com
this is very similar case to my mom's one. she constantly gets emails meant for someone else - including PII - because she has no dot in email, but the other party has a dot.
I know for sure that her's account is quite old one.
> Not for gmail though; gmail ignores those dots. But some.email@notgmail.com is normally a different inbox if the local part drops the dot.
My own mail server is configured to use a different character besides the `+` for tags and its notion of "same account" is defined by a mysql query. There's no way to know the interpretation of the local part in advance: you can apply various heuristics if you don't mind annoying people; or you can accept the email and verify it by sending an email.
Similarly, I configured my mail server to use the system "tag.user@domain". So you can't use the same heuristic as gmail, because if you try to do an untagged email, you likely just give the tag, which doesn't correspond to a user.