
Don't verify email addresses by sending spam to them

81 points - today at 8:23 PM

  • legitster

    today at 9:55 PM

    I just did a signup on a brand new email address and was not able to recreate. No random spam emails reported.

    It's likely that the email the author received is pure coincidence. Especially if they are using a client that downloads emails in batches.

    FWIW it looks like their validation email is sent by Customer.IO via Mailgun. Both have squeaky clean service agreements so it's unlikely they are shooting off the data to spammers.

    Edit: No way! I did end up getting a random empty email. From an "Adventure-Meter Department" at bugbusterbrigade.com. The topic of the email was "Scents and Memory".

    This is a really weird email. It's not a spam email, it's some sort of attempt at inbox testing. Perhaps it's an attempt to sniff out AI agents signing up for their service?

      • garaetjjte

        today at 10:04 PM

        Maybe they don't do that for larger destination providers. But definitely no coincidences here. (in the post I replaced address with example.com because I'm curious if I will ever get other spam onto it, but here's another one unmodified)

          curl --request POST --data '{"email": "pangramdemo@milek7.pl"}' https://www.pangram.com/api/validate-email
        
        https://milek7.pl/mailverifyspam/another.txt

        • EvanAnderson

          today at 10:06 PM

          I just tried with a new email at my domain. I'm excited to see what I get.

        • vova_hn2

          today at 9:43 PM

          The idea that they really send spam to validate an email address sounds too insane to be believable.

          Is it possible that they are somehow leaking the address to actual spammers?

          For example, they (or the hypothetical email validation SaaS) use an infected email validation library that exfils every email supplied to it, or something like this.

          • kirmerzlikin

            today at 9:43 PM

            Can it be that Pangram doesn't send any spam itself but instead (intentionally or not) leaks your email address to some spammer who then does the sending?

              • autoexec

                today at 10:10 PM

                Leaking or selling

            • bstsb

              today at 9:12 PM

              the actual base64 email itself is an HTML document, with a bunch of filler text about metal magnets!

              > Hi there, A magnetic domain is a region within a magnetic material in which the magnetization is in a uniform direction. This means that the individual magnetic moments of the atoms are aligned with one another and they point in the same direction [...]

              they sign off the email with a zero-width space set to "font-size: 0" for some reason

                • gus_massa

                  today at 9:40 PM

                  The text is from https://en.wikipedia.org/wiki/Magnetic_domain that uses a CC BY-SA 4.0. I hope they remembered to add the attribution as requested :)

                  • tom1337

                    today at 9:15 PM

                    Also, the magnet text is not visible:

                    style="position: absolute; left: -9999px; top:-9999px;display: none"

                    maybe they try to warm up those emails to use them for other "campaigns" later on...

                      • mike-cardwell

                        today at 10:00 PM

                        The text is added to get around bayesian filters. The spammer doesn't want the text to be displayed to the end user though typically.

                          • autoexec

                            today at 10:09 PM

                            A nice bayesian filter would catch email with invisible text. Legitimate email shouldn't have any.
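
Added example (not part of the thread and not any commenter's code): a sketch of the check discussed in the comments above, flagging HTML mail whose text is hidden with the inline styles quoted here (`display: none`, off-screen offsets, `font-size: 0`) or padded with zero-width characters. The names `HiddenTextScanner`, `scan` and `SAMPLE` are hypothetical, the sample message is constructed, and only inline `style` attributes are inspected, not `<style>` sheets or classes.

```python
import re
from html.parser import HTMLParser
# Inline-style tricks quoted in the thread: display:none, off-screen offsets, font-size:0.
HIDING_RULES = {
    "display-none": re.compile(r"display\s*:\s*none", re.I),
    "font-size-zero": re.compile(r"font-size\s*:\s*0(?![\d.])", re.I),
    "off-screen": re.compile(r"(?:left|top)\s*:\s*-\d{3,}", re.I),
}
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}

class HiddenTextScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []            # (tag, hiding rules matched on that element)
        self.visible, self.hidden, self.reasons = [], [], set()

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return                 # void elements never get an end tag
        style = dict(attrs).get("style") or ""
        self.stack.append((tag, {n for n, rx in HIDING_RULES.items() if rx.search(style)}))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):   # tolerate unclosed children
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        active = set().union(*(rules for _, rules in self.stack))  # inherited from ancestors
        if ZERO_WIDTH.search(data):
            self.reasons.add("zero-width-char")
        text = ZERO_WIDTH.sub("", data).strip()
        self.reasons |= active
        if text:
            (self.hidden if active else self.visible).append(text)

def scan(html):
    p = HiddenTextScanner()
    p.feed(html)
    p.close()
    hid, vis = sum(map(len, p.hidden)), sum(map(len, p.visible))
    return {"reasons": sorted(p.reasons), "hidden_chars": hid, "visible_chars": vis,
            "hidden_ratio": hid / (hid + vis) if hid + vis else 0.0}
# Constructed sample modelled on the snippets quoted in the thread, not the real message.
SAMPLE = ('<html><body><p>Hi there,</p>'
          '<div style="position: absolute; left: -9999px; top:-9999px;display: none">'
          'A magnetic domain is a region within a magnetic material.</div>'
          '<span style="font-size: 0">\u200b</span></body></html>')
```

A mail filter could treat a non-empty `reasons` list or a high `hidden_ratio` as a scoring feature alongside its existing token statistics.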

                • xp84

                  today at 9:41 PM

                  Strange to see this in an apparent real product. And also I don't see how this does much to 'validate' it... It could be a valid email that belongs to a random stranger, like, tcook@apple.com for instance.

                  Part of me wonders if someone has added something nefarious into their backend which just collects and exfiltrates new emails as people sign up.

                  • aarjaneiro

                    today at 9:48 PM

                    Magnetic domain

                    • jiveturkey

                      today at 9:59 PM

                      looks like a response to https://news.ycombinator.com/item?id=48445834