Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Can you clarify how ignoring the dots is a problem?


One problem I've encountered is that usually sites won't allow you to register an account if the email address is already registered at that site. So if I register foo@gmail.com then someone else can't accidentally register foo@gmail.com. But they can register f.o.o@gmail.com just fine.

So I mean at my Gmail I have all manner of different Facebook accounts with various misspelling of my email address notifying me of stuff, none of them are mine. I'm sure they entered my email address (with dots) by accident, not on purpose.

I appreciate that sites not allowing you to register the same email address twice hardly solves everything, as I absolutely get email to my actual correct Gmail address from random sites I've never signed up for. But at least it would help in certain cases like Facebook where I do have an account.


LOL this reminds me of a hilarious bug (but only in hindsight!) I had with Discord just three days ago!

I tried to login to Discord. It detected a novel browser or location. Sure, this stuff can happen. It wanted to confirm that I was still me and asked me for my e-mail address. I gave it and it said "This e-mail address is already registered". What. Of course it is. It's me. Mine. The one I have registered with you.

Since I have a few useful things tied to Discord, I felt my pulse go up. I googled for answers, found a Reddit thread with this specific problem. They said "Hey, if you use Gmail you can use the dots-are-ignored-feature to give Discord a "new" mail that will still go to you, allowing you to verify it!" (https://www.reddit.com/r/discordapp/comments/12makhd/verify_...)

Sounded clever so I gave it a fore.name.sur.name@gmail.com variant.

Sure enough, I got the mail.

I logged in. I gasped as I realized Discord had now created a new, empty user for me! It somehow thought I was a brand new user despite this was only a user account _verification_ due to changed IP or whatever to begin with.

I tried logging in to my original account once more and now I somehow got in! The verification on my new account had somehow triggered (cookie? I have no idea) that I was trustworthy again. Phew! I promptly deleted the new-account-going-to-same-mail and breathed normally again...


This isn't a bug.

Instead of clicking the "login" button on discord's home page, you clicked the "Open discord in your browser" button.

This, by default if you're not logged in, takes you to a create account flow. The prompt you entered your _username_ into was the "Pick a display name" prompt. If you enter, say, "user" it silently adds numbers to your displayname to make a new username ("user1234"), rather than redirecting you to the login page or prompting you about it (like most other sites do).

At the end of the flow is a "Finish signing up", "claim your account" prompt (which really is the end of the "create a new account" flow, the ephemeral account without an email you're using there is in a partially signed up state).

This is the box where you were entering your email, getting a conflict, and ended up using a new email to create a totally new account.

I know people who use hacker news are on-average much less tech savvy than the average discord user, so I can get why you missed the login button on the home page and instead went through the "create account flow", but everything that happened is "working as intended" rather than a "bug".

I do agree the flow there is pretty confusing. They've managed to make the new user signup flow so optimized you didn't even realize you were doing it.

Still, by the time it was telling you your email was already registered, you really should have slowed down and noticed it was telling you you were creating a new account rather than using a new email address for some reason.


You're trolling, right? Discord's sign up pattern is similar enough I've actually made this mistake not once, but twice. I think it's closer to a failure of design than anything else - it's almost never correct to blame user error for things like this.


> I know people who use hacker news are on-average much less tech savvy than the average discord user

Sarcasm? Serious question. I used Discord exactly once, many years ago, and it appeared to be mostly children playing video games. I hear things have changed, but it’s hard to imagine a more tech savvy group than HN.


>I used Discord exactly once, many years ago, and it appeared to be mostly children playing video games.

I'd assume kids are better at navigating modern dark patterns, having grown up with them.


I spend a lot of time on Discord, write bots, etc. Maybe it’s just the communities I hang out in, but I’ve seldom seen a less tech-savvy user base.


I hate that prominent sign up, hidden sign in pattern so much. Is it simply that a tracking system "discovered" the sign in button isn't statistically used that often so someone concluded you don't really need it?


> This isn't a bug.

Okay.

> Instead of clicking the "login" button on discord's home page, you clicked the "Open discord in your browser" button.

Sure.

> This, by default if you're not logged in, takes you to a create account flow.

That is a UX bug! Why does opening discord in my browser automatically imply I need to create a new account?

> I know people who use hacker news are on-average much less tech savvy than the average discord user

And yet, somehow, much more tech savvy than the average Discord UX designer.


You might be right but then why did I get in just fine the second time I opened Discord after these hoops? I clicked on the same button both times. That was about as surprising for me, that I was just suddenly logged in and fine again. On my old account. And the Reddit thread is full of people falling into this trap too?


Spotify once had a very similar issue which actually allowed hijacking of other accounts.

https://engineering.atspotify.com/2013/06/creative-usernames...


> I promptly deleted the new-account-going-to-same-mail and breathed normally again...

I think at that point I would just have been too scared that this would cascade-delete the old account as well ^^


I hadn't thought of getting possibly locked out of Discord for something so stupid. I have so much going on in there as far as dev comms... That makes me nervous now. Is there a way to export anything just in case?


The joys of using a proprietary walled-garden platform.


I've done this at least twice for the same reasons, and it's lead to me pulling my number off discord twice now. It's stupid how similar logging in and creating an account look.


what would be the best fix for this? when checking for dupes, ignore dots on all leftside of all emails?


What actually happened here is that the parent commenter, instead of clicking "login", entered their username into a "enter a display name" prompt on the home page, which registers a new account using the string you entered as a _display name_, and generates a random username.

The parent poster then did not realize they had created a new account and, even when it told them their email address was registered to a different account, somehow didn't realize they should go click login instead.

I think the easiest way for discord to make this a not-confusing experience for people who aren't tech savvy enough to click "login" to login, is to make it so the signup flow is a normal explicit "Enter email, enter display name, enter username" prompt, not a flow where they silently create a username if you _just_ enter a displayname.

The reason this would help is because forcing the user to enter a username early on lets you display a "Would you like to login instead?" message if the username conflicts.

Having the user enter a non-unique displayname, and silently creating a random unique username, means the signup flow no longer has the ability to say "Are you sure you don't want to login?"

Of course, discord mostly targets relatively tech-savvy users, not the average hacker-news-user, so it probably isn't that big a deal for their main demographic.


Not trying to mislead existing users into creating new accounts.

It's really annoying that on some websites you have to open up multiple dropdowns to reach the login page, also passing five sign up buttons on the way there. It's even filled with dark patterns, with the sign up button blinking and screaming at you to click it every single time, while the login button is made smaller and grayed out. I remember GitHub pulling this shit some time ago. Once I truly couldn't find the login button and gave up, opting to guess the URL/find it in history.

What is even the purpose of that? Is it truly a scheme to get users to sign up multiple times for the same service so that the user number goes higher? That seems too dumb.


No, just @gmail.com ones, and maybe a few others - not all email providers ignore dots.

But if you do this you better do it everywhere you use email. Otherwise you can get some pretty nasty bugs where two emails aren't considered the same sometimes, are are considered the same other times.


Doesn't Facebook require users to verify the email address with a confirmation email? If so, the only Facebook spam you should be able to get would be such confirmation emails. Or what am I missing?


I can't speak about facebook but I am in the case of having a gmail address[1] with my first name initial followed by my last name and I am in the case of having people with same last name and first name initial using my email address to register. That box is polluted by regular confirmation emails followed by spams from the same many websites. It turns out that more often than not the confirmation email is made to protect the companies running the websites (I guess to limit bots and password that can't be reinitialized), not promotionnal mail registration. You still receive all the promotionnal and automated email regardless if the user is active. Different table in the database I guess. Also there websites/services that don't use confirmation emails as well as processes initiated through physical office/point of sale.

[1] now pretty much abandonned but I mostly keep it to avoid anyone obtaining it and impersonating me. I still need to do some housekeeping and make sure I am not registered anywhere with that address anymore.


In my experience, surprisingly few services nowadays require email confirmation, I suppose in the name of increasing conversions or something.

I've had a number of accounts opened in my address but with different dots (eBay, Spotify, Shutterstock) that didn't require confirmation.

I usually reset the password, inform customer service (who generally don't care, or don't want to do anything because it's not my account), and then I close the account.


Oh I wish that were true, I've been receiving email for years for someone who signed up to facebook with my email address. It's a horrible pain, you can't contact facebook without a facebook account, and I can't create one because someone already has one with my email address.


Do a password recovery, log in and simply delete the account.

I had to do this once when someone signed up to FB with my email address. It actually was an eye opening experience as to how much data FB collects from everyone.

Now keep in mind that: 1) I don't have a FB account myself 2) This person signed up with my email address (which is <something-generic>@gmail.com), but their name is completely different from mine 3) They didn't even speak the same language, when I logged in to the new account the whole thing was in Swedish or something like it.

So nothing at all linking the account to me, except a misspelled e-mail address. When I logged in, FB was happy to suggest I friend a whole bunch of people I know IRL. Including people that do not know the e-mail address used. Absolutely crazy. How were they able to link me to these people when I was signed in to a complete stranger's account?


Well I sort of did, didn't want to delete the guy's stuff, so I made a dummy gmail account, switched it to that and deleted the gmail account after weeks of spam emails and trying to contact facebook I figured he could do some of the hard work to get his account back.

Of course it backfired, after he stopped using his account facebook and a couple of weeks facebook started sending begging emails to my email account again (don't believe them when they say they delete anything), I still get the occasional "what you've missed on FB" emails and about once a year the guy tries to recover his account and I get an email, I'd drop him a note, but the only email address I have for him is mine


Recover the account if you own the email address?


(see my reply above)


It does, i just tested it.


Facebook shouldn't be sending you those emails at all, to be honest, assuming you never clicked the verification button.

That said, clicking the "report spam" button should allow you to unsubscribe from such emails without dealing with logins or whatnot. Gmail supports certain unsubscribe headers that'll automate the process, which should make getting rid of Facebook's spam a lot easier.


I don't understand how anyone else can register a facebook account with f.o.o@gmail.com if you own it just as much as you own foo@gmail.com.


The trouble is that Facebook doesn't know every email providers rules and which email addresses the email provider considers equivalent. So for Facebook, foo@gmail.com and f.o.o@gmail.com are two separate addresses (and indeed foo@hotmail.com and f.o.o@hotmail.com probably really are two separate addresses probably controlled by two different people).

You're right that if Facebook required the email to be verified (by sending an email to it) before it could be used with Facebook then two different people wouldn't be able to have two separate Facebook accounts with one of them having an email address controlled by someone else. However, Facebook, in order to "reduce friction" and "reduce time to first value" is happy for you to use an unverified email address and they're happy to send a variety of emails to that address (including lots of emails telling you to finally verify that address).


That's not true.

I've just gone to facebook

    clicked register new account

    Entered Name, DOB, Email
Now I'm stuck, can't proceed past "Enter the code from your email" and going to https://facebook.com in a new browser tab takes be back to the "enter code from email page".

I doubt they will send any chaser emails but I will report back in some time


I see, interesting! Maybe they've changed their system. Thanks for looking into this!


I just did the same thing with the opposite behavior, you’re probably coming from a bad internet neighborhood. Facebook does a lot of reputation stuff in their login and onboarding flows.


When that happens I happily do a password reset, log in to the account and delete it.


I don't understand how someone could sign up for a site with f.o.o@gmail.com in this example. That person would never receive email from the site (like a confirmation), because the foo@gmail.com owner would receive the confirmation. Doesn't Facebook require confirmation before the account is created?


I have exactly the same problem, and it has made my gmail account almost unusable. I have at least 150 unwanted emails per day (80% of them get caught by the spam filter)


Bear in mind that since there are a lot of websites (hundreds at least), and you haven't signed up to all of them, you can end up getting emails from websites you didn't sign up for even, when you're not using Gmail. I doubt it makes this minor problem appreciably worse


I think you just chose an insufficiently unique email address.

I never get any of these problems.


Mr Foo and I thought having an email address for our name was a great idea, but it does tend to attract mistaken addresses.


To borrow an example from Internet domain names, consider:

  experts.exchang@gmail.com

  expert.sexchange@gmail.com
Those addresses would be identical by Gmail's parsing conventions.


What happened to Expert Sexchange btw? Did they rebrand? Got bought by Stack Overflow?


They got a new domain name: experts-exchange.com

For a while it redirected, I guess they let it expire at some point.


And how is that a problem?


It's a problem when using email to register into a different site. Services without email validation will happily accept those two addresses separately, because they don't adhere to Gmail's internal conventions. If the site then sends mail to its registered accounts, then the Gmail address will receive unwanted mail.


Why would you register with an e-mail address that's not yours in the first place?


You may be stunned and astounded to discover that This Actually Happens.

(Examples include both Gmail and other systems.)

<https://news.ycombinator.com/item?id=12025091>

<https://news.ycombinator.com/item?id=12027598>

<https://news.ycombinator.com/item?id=17284211>

<https://news.ycombinator.com/item?id=36756201>


There are horrible people who loves the idea of being able to use someone else's identities. Not just made up but stolen. I - I don't want to know why, nor what they're normally thinking.


How would dot sensitivity prevent that?


In my case, a few years ago, it was a user who didn't understand the difference between Twitter and Gmail.


The presumption would be that these are two different entities.


They can't be, because Gmail obviously won't let you register an address that's already registered.


Will Gmail prevent you from entering such an address elsewhere, thinking either that it is yours, or that it is the email of some intended recipient other than the actual Gmail accountholder?

Alternatively: will third-party systems consolidate such addresses under a single account, or treat them as different?


Will any e-mail service prevent you from entering an address that's not yours to another site?


Yes, but how can that ever cause a problem to the end user?


Because its not according to RFCs and how everyone else has implemented it.


You have to be a bit careful with that kind of argument though. According to the specs the local part of an email address (before the @) can also be case sensitive so me@example.com and ME@example.com could be different email addresses. In the early days of a new system we implemented account email addresses following what the rules really say and making no assumptions. We then spent way too much time dealing with users who signed up with one address but then tried to log in with a "different" one because they had caps lock on or some auto-capitalisation feature in whatever browser they were using. Lesson learned - users do assume those are all the same address and cleaning up a database that sometimes has accounts for both me@example.com and ME@example.com isn't much fun.


There is no RFC about how the local-part is interpreted: even the gmail +tag syntax is an extension some servers implement and some don't. The only way to accurately test equality of email addresses is to send an email to them.


Even that only tells you something about equality/equivalency (or more precisely, the deliverability) at this moment. I have a family mail server that we periodically update mail list and forwarding rules. You could test for deliverability today and tomorrow the situation could change.


Actually, only one ends in 'e', therefore Gmail would treat them as distinct.

It's spelling errors, not the dots, that are usually the source of misdirected emails (and also, wrong domains).

Kind of ironic that you proved the opposite point of what you intended.


That is a tyop. The names were meant to be identical but for the dot position.

  experts.exchange@gmail.com
  expert.sexchange@gmail.com


Yes, I know, that's the whole point. The mistakes that most people (including yourself) are attributing to the dots, are actually usually caused by human carelessness -- spelling errors, mixing up gmail with hotmail, "dave" instead of "david" etc.


True.

I made (and corrected) three further typos writing my correction.

But the point remains that what I'd originally intended to show was that local-part email addresses which read differently, and in cases quite differently, but are identical save for the location of the dot, are treated identically by Gmail.

And that in different contexts this might not be clear and/or lead to confusion.


I have a big problem because this, my account is créate in closed beta period, in this stage this feature does exist.

My email: name.alias@gmail, because already exists namealias@gmail. Ok the email Work fine for 4y before this feature exists, after if email send exacly works but the problem i am started reciving email for the other user and this is e-mail is not cool.

After 10y i give up of gmail and moved to my domain


imagine that you have an address name.surname@gmail.com

imagine that someone else has an address namesurname@gmail.com

this is very similar case to my mom's one. she constantly gets emails meant for someone else - including PII - because she has no dot in email, but the other party has a dot.

I know for sure that her's account is quite old one.


> imagine that you have an address name.surname@gmail.com

> imagine that someone else has an address namesurname@gmail.com

If gmail ignores dots, it shouldn't be possible to have name.surname and namesurname as two separate gmail accounts.


>because she has no dot in email, but the other party has a dot

And that's exactly the issue Gmail solves by ignoring dots. There cannot be two different accounts differing by dot(s).


Not for gmail though; gmail ignores those dots. But some.email@notgmail.com is normally a different inbox if the local part drops the dot.


> Not for gmail though; gmail ignores those dots. But some.email@notgmail.com is normally a different inbox if the local part drops the dot.

My own mail server is configured to use a different character besides the `+` for tags and its notion of "same account" is defined by a mysql query. There's no way to know the interpretation of the local part in advance: you can apply various heuristics if you don't mind annoying people; or you can accept the email and verify it by sending an email.


Similarly, I configured my mail server to use the system "tag.user@domain". So you can't use the same heuristic as gmail, because if you try to do an untagged email, you likely just give the tag, which doesn't correspond to a user.


that makes no sense, Gmail ignores the dot so both those email addresses are the same and can only belong to one person.

if you register namesurname@gmail.com, then you also every combination of it with a dot.

n.amesurname@gmail.com

na.mesurname@gmail.com

nam.esurname@gmail.com etc..


I get literally hundreds of unsolicited emails a week.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: