Why are orders being placed with @dummy.email addresses?

Summary

The phenomenon of orders being placed with @dummy.email addresses is complex, stemming from a mix of legitimate testing practices, user privacy concerns, and potentially malicious activities. The domain itself is likely squatted and these email addresses are non-functional, indicating they are not used for genuine communication. The use cases range from developers using them in testing environments to avoid real emails, individuals bypassing signup requirements, to fraudulent attempts such as validating stolen credit card data or bot sign-ups. The presence of these addresses can distort marketing analytics and compromise data quality. Consequently, a multi-faceted approach involving security enhancements, code review, data validation, and careful monitoring is crucial to address the issue effectively.

Key findings

  • Domain Status & Functionality: @dummy.email is likely a squatted domain with non-functional email addresses.
  • Testing & Development: Dummy emails are used for testing in development environments to prevent sending real emails.
  • User Privacy & Bypass: Some users use dummy emails to avoid providing personal information or bypass signup requirements.
  • Potential Fraud & Exploits: Orders with @dummy.email may indicate fraudulent activities (CC validation, bot sign-ups) or exploits in the client's code.
  • Analytics Distortion: Dummy emails can skew marketing analytics, affecting the accuracy of campaign performance.
  • Data Validation Importance: Proper data validation and sanitisation are crucial for application security.

Key considerations

  • Review Purchase Metadata: Analyse purchase metadata, including IP addresses, to identify potential fraud patterns.
  • Code & Security Audit: Conduct a code and security audit to identify and address potential vulnerabilities, particularly in data validation processes.
  • Enhanced Security Measures: Implement security measures such as CAPTCHA, email verification (double opt-in), and stricter validation to prevent bot sign-ups and fraudulent activity.
  • Data Sanitisation & Testing: Sanitise test data, replacing dummy emails with valid examples like @example.com and ensure compliance with data protection laws when the data involves real individuals.
  • Analytics Cleansing & Monitoring: Clean email lists to remove dummy emails, improve the accuracy of marketing analytics, and continuously monitor for suspicious patterns.

What email marketers say
12Marketer opinions

Orders with @dummy.email addresses can stem from various reasons, ranging from testing environments and user privacy concerns to potential security exploits and fraudulent activities. These addresses are sometimes used in development to avoid sending real emails, to bypass signup requirements, or by users wishing to remain anonymous. However, a high volume of such orders could indicate code exploits, credit card validation attempts, or bot activity. The presence of dummy emails can also skew marketing analytics, impacting the accuracy of campaign performance assessments.

Key opinions

  • Testing Purposes: Dummy emails are commonly used in software development and testing environments to avoid sending emails to real users and ensure functionality.
  • User Privacy: Some users employ dummy emails to protect their privacy and avoid spam when signing up for services or making purchases.
  • Potential Exploits: A large influx of orders with dummy emails could indicate a vulnerability in the client's code, an exploit being tested, or issues with data validation.
  • Fraudulent Activity: Dummy emails may be linked to fraudulent activities, such as stolen credit card validation or bot-driven sign-ups, especially when associated with successful transactions.
  • Analytics Distortion: The use of dummy emails can significantly distort marketing analytics, making it difficult to accurately measure user engagement and campaign performance.

Key considerations

  • Code Review: Review the client's code for potential vulnerabilities and ensure proper handling of invalid email addresses.
  • Security Measures: Implement security measures like CAPTCHA, email verification, and double opt-in to prevent bot sign-ups and validate user authenticity.
  • Fraud Monitoring: Monitor orders with dummy emails for suspicious patterns and validate credit card information to prevent fraudulent transactions.
  • Data Sanitisation: Ensure test data is properly sanitised with correct domains for testing.
  • Analytics Cleaning: Clean email lists to remove dummy emails and improve the accuracy of marketing analytics.
Marketer view

Email marketer from Email Geeks suggests checking the client's code for handling invalid addresses, in case of an exploit.

September 2023 - Email Geeks
Marketer view

Email marketer from Digital Marketing Institute mentions using dummy emails can distort marketing analytics, making it difficult to accurately assess the performance of email campaigns and overall user engagement. He advocates for clean and verified email lists.

February 2024 - Digital Marketing Institute

What the experts say
5Expert opinions

The use of @dummy.email addresses for orders is multifaceted. The domain itself is likely squatted. It's not a typical disposable email service, but the addresses are non-functioning. Reasons range from it being suggested in articles as a spam avoidance method to representing fraudulent attempts at credit card validation. Sanitizing test data by replacing domains like dummy.email with valid examples like example.com is important, along with following data protection laws when the data involves real individuals.

Key opinions

  • Domain Status: @dummy.email is likely a squatted domain, not a traditional disposable email service.
  • Functionality: The email addresses at @dummy.email are non-functioning and do not exist.
  • Potential Reasons for Use: Users may be using @dummy.email based on articles suggesting it to avoid spam, or it could indicate attempts at stolen credit card validation.
  • Test Data: Check if developers have used dummy.email in their test data.

Key considerations

  • Metadata Review: Check purchase metadata, including IP addresses, to identify potential fraud.
  • Data Sanitisation: Sanitise test data by replacing @dummy.email with valid domains like @example.com.
  • Legal Compliance: Ensure compliance with data protection laws when working with test data that involves real individuals.
Expert view

Expert from Email Geeks suggests that the website dummy.email is parked and likely a squatted domain.

March 2023 - Email Geeks
Expert view

Expert from Email Geeks tested dummy.email and confirmed the email address does not exist. Provides a data point that it is a non functioning email.

January 2025 - Email Geeks

What the documentation says
5Technical articles

The documentation highlights best practices for handling data, especially in testing environments. Reserved domains like example.com are designated for safe use in documentation. Proper data validation and sanitization are crucial for application security, avoiding reliance on dummy data. Setting up test email accounts with mock servers or discard configurations allows safe testing without impacting real users. Adherence to data protection rules is essential when test data involves real individuals.

Key findings

  • Reserved Domains: Domains like example.com are specifically reserved for documentation and should not resolve to live servers.
  • Data Validation Importance: Data validation is crucial for application security, minimizing the use of dummy or invalid data.
  • Email Testing Methods: Test email accounts and mock SMTP servers are effective for testing email functionality without sending to real users.
  • Data Protection: Data protection rules must be followed when using data, especially if it refers to real individuals.

Key considerations

  • Sanitize Data: Ensure you sanitise your test data where it relates to real individuals
  • Use of Reserved Domains: Employ reserved domains like example.com in examples and documentation.
  • Implement Robust Validation: Implement thorough input validation and sanitisation to prevent security vulnerabilities.
  • Safe Email Testing: Utilise test email accounts or mock servers for safely testing email functionality.
  • Comply with Regulations: Comply with data protection regulations when handling data related to real individuals.
Technical article

Documentation from Mozilla details approaches for handling emails in testing environments, including using mock SMTP servers or configuring test email accounts to catch and inspect outgoing emails.

March 2023 - Mozilla
Technical article

Documentation from ISO shares that when using data that is for test purposes it is crucial to follow data protection rules and use data that does not reference real individuals.

November 2023 - ISO