inbox count 428,000+ · and nobody sent a packet

Placeholder
Squatting

noun. You register a real identifier that software and its users treat as a throwaway placeholder, like noreply.*, deleteduser, your-username, or yourdomain.com. Then you quietly become the real recipient of the data, mail, or code routed to it.

The assumption

This isn't typosquatting. Nobody made a mistake. It's the assumption that a placeholder is no one. Register the placeholder behind that assumption and you don't intercept anything. The mail, the traffic, the code was always routed to you. You just showed up to collect it.

I built an accidental honeypot, and I never sent a packet.

Two ways the data finds you

Sometimes a production system is configured to send to or from the placeholder, and it mails a stranger automatically, forever, with no one in the loop. That's how a catch-all on a noreply domain fills up with real mail.

Sometimes a person follows a setup guide, runs the command with the generic value still in it, and sends real data or code execution to whoever registered it. Same assumption, different route.

What a placeholder looks like

noreply.<tld>the sender no one reads
deleteduserthe account that was "removed"
your-usernamethe repo path in every setup guide
company-namethe package the docs say to install
no-reply@companyname.comthe copy-paste default

It's older than it looks

Each of those found one domain. Nobody named the class, and nobody wrote down the fix. That's what this is for.

The fix points at your own code

Whose mail I got is the least interesting part. Whether your own systems are addressing a stranger right now is the part worth your time: a real-looking fake sender in your source, or a placeholder domain that's live and registerable. You can catch that in CI, without pointing a prober at anyone else's mail.

Certified Placeholder Squatter badge Certified Placeholder Squatter