Why are orders being placed with @dummy.email addresses?

Key findings

• Domain status: The @dummy.email domain appears to be parked and the MX records point to a hosting provider, not a traditional disposable email service. This suggests it is a squatted or unused domain.
• Email deliverability: Emails sent to @dummy.email addresses consistently bounce with a 550 This account does not exist error, confirming they are invalid. This is consistent with what happens when emails bounce with 'domain does not exist' or 'invalid sender domain' errors.
• Purchase activity: Despite being invalid email addresses, these accounts are associated with completed purchases, often for low-value transactions (e.g., under £100) and sometimes through third-party platforms like Amazon stores.
• Scale of the issue: One client reported over 500 different @dummy.email addresses associated with orders, suggesting a systemic issue rather than isolated incidents.

Key considerations

• Credit card fraud validation: The pattern of using invalid emails for low-value purchases, especially via third-party platforms, is a strong indicator of attempts to validate stolen credit card data. Scammers make small purchases to test card validity before larger fraudulent transactions.
• Internal testing or configuration error: Although less likely given the scale and persistence, it is important to confirm with developers whether @dummy.email was ever used for internal testing or sentinel data, or if an API or configuration error could lead to such entries. This is also related to how fake email addresses in testing can affect email deliverability and sender reputation.
• Suppress invalid addresses: All emails to @dummy.email should be suppressed from your mailing lists immediately to prevent unnecessary bounces and protect sender reputation. This is a critical step in preventing fake email registrations and list bombing.
• Investigate transaction legitimacy: The client should investigate if these are genuine orders, especially looking for chargebacks or other signs of fraud. The Federal Trade Commission (FTC) provides information on fake shipping notification emails and text messages, which can be part of broader scam attempts.

Key opinions

• Suspicious pattern: A high volume of sign-ups from a seemingly non-existent domain like @dummy.email that results in bounces is highly suspicious and warrants immediate attention.
• Impact on deliverability: Sending to non-existent email addresses leads to hard bounces, which negatively impacts sender reputation and can cause emails to land in the spam folder for legitimate subscribers.
• Fraudulent activity: The association with purchases, especially low-value ones, points towards credit card testing or other fraudulent activities rather than simple bot registrations.
• Client-specific issue: If only one client is experiencing this, it suggests a problem specific to their e-commerce setup or a targeted attack.

Key considerations

• Immediate suppression: Marketers should immediately suppress all @dummy.email addresses to protect their sender reputation and prevent further wasted sends.
• Investigate API/integration: Collaborate with developers to review the e-commerce platform's API or integration points for vulnerabilities that could allow such registrations.
• Fraud detection: Implement or strengthen fraud detection measures within the e-commerce system to identify and block suspicious transactions early. This includes scrutinizing order details beyond just email addresses.
• Monitor for chargebacks: Be prepared for potential chargebacks, as it can take months for notifications to arrive for fraudulent transactions, as described by Consumer Advice from the FTC on fake shipping notifications and order confirmation phishing scams.

Key opinions

• Domain squatting: The @dummy.email domain is likely squatted, meaning it's registered but not actively used for legitimate email services. MX records pointing to a registrar or hosting provider confirm this.
• Not disposable: It doesn't behave like a typical disposable or single-use email service, which would usually have active, albeit temporary, mailboxes.
• Credit card validation: The most probable explanation for transactions with invalid emails is attempts to validate stolen credit card data, especially given the low transaction values.
• Programming error or exploit: The volume of such addresses suggests a possible programming error or an exploit in how the client's e-commerce platform handles invalid addresses, potentially enabling malicious actors.

Key considerations

• Analyze transaction metadata: Clients should provide IP addresses and other metadata associated with these purchases to help identify patterns or sources of the fraudulent activity.
• Developer consultation: Engaging developers to review code related to invalid address handling and API integrations is crucial, as this could reveal system vulnerabilities or unintended behavior.
• Long lead time for chargebacks: Businesses should be aware that chargeback notices for fraudulent transactions can take months to appear, so a lack of immediate chargebacks does not confirm legitimacy. This is especially relevant to how fake email addresses in testing can affect email deliverability and sender reputation, masking real issues.
• Suppress invalid emails: Regardless of the cause, it is essential to suppress these invalid addresses to maintain good email deliverability and avoid being placed on email blacklists or blocklists. Such suppression protects your sender reputation.

Key findings

• Email validation: Documentation often advises against allowing generic or clearly invalid email domains to be registered, advocating for real-time email validation at the point of entry.
• Fraud prevention layers: Comprehensive fraud prevention involves multiple layers, including IP address analysis, behavioral analytics, and integration with credit card fraud detection services.
• System integrity: E-commerce platforms should have mechanisms to identify and flag suspicious transactions that use unusual email addresses or exhibit patterns indicative of automated attempts.
• Data hygiene: Regular auditing and cleansing of customer databases are recommended to remove invalid or fraudulent entries, thereby improving overall data quality and deliverability.

Key considerations

• Input filtering: Implement client-side and server-side validation to prevent clearly invalid email addresses, such as those from known squatted domains or temporary email services, from being submitted.
• API security: Ensure that any APIs used for order processing or data submission are securely configured and protected against automated abuse or exploitation.
• Transaction monitoring: Utilize fraud detection tools that monitor transaction value, frequency, IP origin, and other behavioral indicators to identify and block suspicious orders in real-time. The FTC, for example, issues consumer alerts about various online scams, including those involving fake invoices, which often use such email tactics.
• Error handling: Review how the system handles invalid email addresses upon registration or purchase. Proper error handling can prevent unwanted emails from being sent and highlight potential issues.