What Happens To Bounced @Donotreply.com E-Mails

An anonymous reader writes "The Washington Post's Security Fix blog today features a funny but scary interview with a guy in Seattle who owns the domain name donotreply.com. Apparently, everyone from major US banks to the Transportation Security Administration to contractors in Iraq use some variation on the address in the "From:" field of all e-mails sent out, with the result that bounced e-mails go to the owner of donotreply.com.'With the exception of extreme cases like those mentioned above, Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It's just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails.'"

Spell Check?

[iamhigh]

I am probably not the first to point out that don't o reply isn't the same as do not reply.

*Cough*

[geekoid]

wikileaks might be a good place to expose those documents. Hey, They sent them to YOU. It's will only take a few and this will be curbed.

Re:*Cough*

[Garridan]

That was my first thought, too.

Re:*Cough*

[scooter.higher]

Has anyone noticed his last posting to his RSS feed, published Mar 3, 2008 6:29 AM:

Funny thing happened on the way to an update this week...
from Do Not Reply by Chet

I have been without access to my email account since posting scary week.

Donotreply.com email is now run through google apps. I was about to praise them for providing a great service that had zero down time and was actually able to handle the high volume of email this site generates (think hundreds of thousands to a million a day just to this account). But guess I can't at the moment.

The week after scary week, I started getting this error when trying to access my account - "Sorry... account maintenance underway". It suggested I email support if it lasted more than 24 hours. It did, so I did. Their response

        Hello,

        Your Gmail account is currently under maintenance, and our engineers are
        working to allow access to your account as quickly as possible.

        We apologize for any inconvenience this may cause, and we thank you for
        your patience during our limited test of Gmail.

        Sincerely,

        The Google Team

That was 2 days ago (i waited a week after getting the first error). The account remains inaccessible. Wonder who on the list is mad?

On a happier note, another animal shelter received a check for $200 this week. Thanks.

Chet
ps. If you need to contact me to threaten me, get my mailing address so you can send me a scary threatening email, or even so you can show up in person, or just my phone number so we can shoot the breeze as you try and threaten me in a friendly manner, email me at chet at poe-news dot com

I bet he's at the Guantanamo Bay Resort and Re-education facility now...

Re:*Cough*

[Darundal]

Actually, I find it much more likely that the poor bastard would end up with gajillions of people suing the hell out of him for most likely made up monetary damages, and then a hitherto unheard of coalition of groups with way more money than anyone else working to take the domain name from him. Just sitting on it like he is doing now is probably the best option, although if he wants to make some sort of statement to them, he could set his mail server up so that it sends a reply to everyone who sends him an email, which would contain the contents of the original. Of course, that would lead to those who are actually trying to reach him probably forming a mob and burning his house down, but he doesn't need that, right?

Re:*Cough*

[slawo]

In return he could sue the hell out of them for falsifying their e-mail headers and addresses and for using his domain name without his permission.
In addition I'm pretty sure someone could probably find a way to use US copyright laws and make them pay money for using his domain name (Intellectual Property) without his permission.

Re:*Cough*

[mpe]

Actually, I find it much more likely that the poor bastard would end up with gajillions of people suing the hell out of him for most likely made up monetary damages,

In which cased he can counter sue for their using his domain without permission. Even without going the "copyright infringment" route (using RIAA/MPAA numbers).

WTF

[Poromenos1]

What idiot decided this was good policy anyway? What happened to donotreply@companydomain.com?

Re:WTF

[iamhigh]

Well, if you are signing up for a network management seminar, or something of the like, then you might also be the person that gets abuse@yourcompany.com, admin@yourcompany.com, it@yourcompany.com and a host of other generic email addresses. So perhaps you don't want them to even have your domain name?

Re:WTF

[LMacG]

Having worked at Capital One, I can assure you that there is absolutely no shortage of idiots running around.

Re:WTF

[gEvil+(beta)]

I already get enough crap email as it is!

- Dylan O'Notreply

Re:WTF

Or donotreply@example.com

Re:WTF

[OglinTatas]

Well, the CEO Don o'Treply was getting tired of getting everyone's bounced emails, THAT's what happened.

Re:WTF

[rkanodia]

Because then, when people reply anyway, you get junk mail at your own servers. Using donotreply.com directs the problem to other people.

Re:WTF

[moderatorrater]

Whatever happened to letting people reply and then putting them into a customer service queue? Instead of making them click a link to reply, let them reply with email. I know this is a hard concept to grasp for some companies, but using technology to benefit the customer is better than making them jump through (usually worthless) hoops.

Re:WTF

[EdIII]

That is what you are supposed to do of course. If you are operating a mail server you are NEVER supposed to put information for domains you don't control into the headers. That is what spammers do.

Now that I have thought about it a bit more, this is about the money. If they put donotreply@companydomain.com, then the inevitable replies would eat up their bandwidth and processing power on their incoming mail servers.

By forging that information, which is not good policy, they are intentionally redirecting that reply to somewhere else. They may have thought that the sending mail server would simply give a permanent delivery failure notice to the sender, but in this case that forged information leads to an active mail server which accepts all of those emails.

Who is the bigger "butthead" here? The companies intentionally forging their emails or the guy who owns this domain and is exploiting this companies (after they have already harassed him) to save a couple of animals?

Re:WTF

May I suggest reading RFC 2606, Reserved Top Level DNS Names. There is example.com for a reason.

http://tools.ietf.org/html/rfc2606

Re:WTF

[techno-vampire]

So, just have the reply address be foo@donotreply.company.com and have your incoming mailswerver send all mail addressed to that subdomain to /dev/null.

Re:WTF

[sjames]

Surely they should use example.com (Documented in RFCs to never be a real domain). It has no MX and points to a simple web page that just says it's an example for documentation and gives a link to the relevant RFC.

Re:WTF

[AnotherBlackHat]

If the idea is to pick an email address that isn't in use, I recommend one ending with ".invalid" as in "address@is.invalid" or "noreply@domain.invalid"

Re:WTF

[vux984]

Never attribute to malice, or even conscious though, what can be attributed to incompetence.

Anyone bright enough to -think- having the messages bounce to another domain would save them money should be able to think that maybe just maybe if they have the messages bounce to another domain that this other domain might actually exist, accept that bounced mail, and even read it.

If they really wanted to save money, and not take that risk they could blacklist an address at their mail gates front door. That would eliminate most, but not all the cost of handling the return mail.

And it would be a simple matter to simply have it go to "donotreplay@donotreplay.company.com" which wouldn't have an MX record configured, and would thus never get anywhere. And being a subdomain of your own, it wouldn't be incidently delivered to someone else either.

Re:WTF

[Joe+the+Lesser]

and, if the commercials are true, vikings!

Re:WTF

[HTH+NE1]

I've always been partial to disabled@bedridden.invalid.

I've also wondered if routing your mail using user%example.org@example.com notation still worked. Could one give out an address like user%example.com@spamfilter.example to run it through a spam filtering service and reject any mail that didn't come via spamfilter.example (if spamfilter.example allowed such relaying syntax)?

Sorry, first disclosure, I can't even patent it now.

Re:WTF

[X0563511]

Even better, send an automated response thrashing the moron for replying to a message that states not to reply to it. Better than silently deleting, AND you feel better doing it!

Re:WTF

[assassinator42]

Most do. I just searched through my emails and found none that had a "donotreply.com"ish domain. Most were either something like donotreply@example.com or something@noreply.example.com.

Re:WTF

[ender-]

Surely they should use example.com (Documented in RFCs to never be a real domain). It has no MX and points to a simple web page that just says it's an example for documentation and gives a link to the relevant RFC.

And in what fantasy world do you live, where corporate idiots have actually ever heard of an RFC, let alone read one? :)

Re:WTF

[EdIII]

Never attribute to incompetence what can be just as easily attributed to malice.

That statement works both ways :)

Nevertheless, your bring up a valid point. However, I have seen some rather malicious behavior coming from the Pointy Haired Ones that looks like incompetence at first glance. That's just their way.

As for the MX record, you are completely correct. The more elegant solution to be sure. The sending mail server will not even be able to resolve it, and no bandwidth is used at all.

Re:WTF

[Jonner]

While I can't find an MX record for example.com, there is an A record for it and a web page in accordance with http://www.rfc-editor.org/rfc/rfc2606.txt, so it's a poor choice for an email address that shouldn't go anywhere.

Re:WTF

That doesn't work if your mail server is on an IP address without an assigned domain name. Many mail exchanges will not accept messages originating from mail servers without a domain name, so naming donotreply.com or something similar as the message origin is the only way to get these messages to some people.

Re:WTF

[ceoyoyo]

I have doubts that the amount of dumb customer reply e-mails would be that big a deal compared to the amount of spam their servers have to deal with anyway. And the dumb customer ones are conveniently all sent to the same address so they're easy to identify and discard, instead of requiring fancy filtering algorithms.

There are two reasons for everything corporations do. I suspect the first, greed, isn't the one here. It's the second: stupidity.

Re:WTF

[lintux]

An idiot who doesn't know the difference between a username and a domain name but managed to get into an IT department anyway, probably.

Re:WTF

[vux984]

So, just have the reply address be foo@donotreply.company.com and have your incoming mailswerver send all mail addressed to that subdomain to /dev/null.

I was thinking that originally, but now I wonder if I could instead have an MX setup for donotreply.company.com that sends the mail to 127.0.0.1

Would there be any pitfalls to that? Worst case it would try to deliver the mail to localhost, which assuming the guy was actually running an smtp server, it would probably just reject it as an invalid recipient, refuse to relay it, or deliver it to a default account. The latter is the most 'risky', but the default account is likely managed by the person you sent the mail to in the first place.

In any case, the real risk is zilch, as even if it does go somewhere 'unexpected' it wouldn't really be 'abuseable' as it would go somewhere depending on each indivually owned smtp server. I couldn't just register a domain or squat on an ip and receive it.

And besides the person who received it who runs an smtp on localhost can forward your mail anywhere he wants anyway, so if he wants to send it on, he can, and whether he just uses the forward button or sends it via some automatic handling of an smtp server on his own machine its the same difference.

The final concern is that he's been pwned and botted... and the smtp server he's running is not his... but really if that's the case you can assume whoever pwned him can read all his email anyway if he wants to, regardless.

Re:WTF

[Thaelon]

Surely they should use example.com (Documented in RFCs to never be a real domain). It has no MX and points to a simple web page that just says it's an example for documentation and gives a link to the relevant RFC.

It did until you got it slashdotted.

Re:WTF

[assassinator42]

Sorry, by "example.com", I was referring to the actual domain of whoever was sending the email. I just used it in my post because others had mentioned that RFC.
The best reply-to email I saw was "UseTheYellowButton@ebay.com" for an email notification of an eBay message.

Re:WTF

[Robert+The+Coward]

You would likely get branded a spammer and end up on a few black list.

Thanks
Robert

Re:WTF

[HeroreV]

Would an email sent from a reserved domain/TLD be accepted by most email software? It wouldn't work to use "donotreply@donotreply.invalid" or "donotreply@example.com" as the From: field if such emails were blocked from reaching their target.

Re:WTF

[Myopic]

Even better yet, accept email replies and provide conscientious service to your customers.

Why even have a donotreply@company.com? How about customerservice@company.com? I guess that would make it too easy to get customer service.

Re:WTF

Reminds me of the guy in California who got the personalized plate 'noplate'. Immediately he was forwarded hundreds of overdue parking tickets and dozens of new ones a week. Apparenly 'noplate' was what officers used routinely when there was... no license plate on the car! He tried to fight the DMV but quickly gave up his plates.

Re:WTF

[TheRaven64]

Exactly. What do they think whitehouse.gov is for?

Re:WTF

[iamnafets]

Too bad other sites listed there (namely test.com, invalid.com) are actually in use...

Re:WTF

You do realize that at some point in history you had an ancestor who's first name was Notreply?

Re:WTF

[Methlin]

Because then all the ads on their website don't generate extra revenue, and the number of page hits goes down.

Re:WTF

[John+Hasler]

> Who is the bigger "butthead" here?

The buttheads who are being paid $70,000/year to run corporate mail servers and don't know that "invalid" is a reserved top-level domain.

Re:WTF

[quizwedge]

If you don't want to process the mail, why not do donotreply@donotreply.companydomain.com? This way it doesn't come to you, but also doesn't go to someone else.

Re:WTF

[Jack9]

Never attribute to incompetence what can be just as easily attributed to malice.
 
That statement works both ways :)

It does not. One is a general rule that holds true in the majority of situations, the reverse does not, which is why the original is recognized at all. It works in this specific case, or you would not even bring it up.

//pedantic

Re:WTF

[mike2R]

You think you have a problem!

- Devlin Null

Re:WTF

[helmespc]

Yeah, but are you getting a kick out of these replies?

Re:WTF

[vux984]

If its a memo you send to 100,000 customers, and 90% of the responses are bounce messages, spam, and cruft from customers asking to be removed from the list (which is handled by clicking the 'remove me from the list link').

If they have a question about their last order, they'll just have to contact customer service. Having people wade through this crud, find the real odd customer question like 'what is the status of my last order' which is invariably missing crucial information like what they ordered, or which subsidiary in which country they placed an order with, or is in foreign language.

Its often simply just not practical nor worth the expense, even if it is good customer service.

Also there are countless scnearios where donotreply@company.com is used for internal memos etc. Where its your OWN employees that are the recipients. If I tell them do not reply, they shouldn't reply. There are other channels if they have questions or follow up ... like their manager, or HR, or whoever is identified in the memo as their follow up option.

Re:WTF

[Your+Pal+Dave]

More details at snopes: http://www.snopes.com/autos/law/noplate.asp

Re:WTF

look again, neither of those is listed there...

Re:WTF

[bn557]

disabled@bedridden.invalid Should that even pass the e-mail filter? I thought TLDs had to be 6 characters or less.

Re:WTF

Those are RESERVED names, which means you're not supposed to use them in internet traffic.

It is really stupid to put a return address which is not under your control in your emails, no matter if that is a valid third-party-address, an invalid address or a reserved but technically valid address. You do not want emails to you to end up anywhere else, not even in the case of a misconfiguration (for example, when the postmaster of the remote MTA redirects mail addressed to reserved domains to a local address to keep them from going on the net in the event of DNS problems, etc. etc.) You do want all mail meant to reach you to arrive at your MTA, where it can be accepted, dropped or rejected. You also want to encrypt all emails which contain confidential information and make your business partners encrypt all email as well.

Re:WTF

[Damocles+the+Elder]

What's in your inbox?

Re:WTF

example.com is, and that is a live domain with an A record address assigned to ICANN. No MX record, but are you willing to bet your company's secrets on that?

Re:WTF

I concur. In the year 2000, I received 9 invitations to apply for a capital one card in a single calendar month. Same name, same address.

Yet, capital one survives to this day!

That's when I learned how to turn off pre-screen credit card offers by calling 1 888 5OPTOUT (1 888 567 8688)

Re:WTF

[residieu]

Or how about customerservice@companydomain.com, something they can actually reply to?

Re:WTF

I keep seeing "Use example.com" as an answer to this. It seems to me if I got an important e-mail from "someone@example.com", it would just scream phishing at me.

Personally, I prefer the donotreply@companydomain.com

Re:WTF

[Jesus_666]

Not quite. .invalid is an official TLD.

Re:WTF

[mrbcs]

I still like clownpenis.fart

Re:WTF

[cheater512]

I prefer blackhole@domain.com. Makes more sense.
Putting 'do not reply' there will make some people reply out of spite.

Re:WTF

[msauve]

What idiot decided this was good policy anyway? What happened to donotreply@companydomain.com?

Well, apparently an idiot just like you, who thought that picking some random (but legitimate) domain name as an example was correct behavior.

A proper response would have been "What happened to donotreply@example.com" or "...donotreply@companydomain.invalid".

Re:WTF

[Jonner]

Yes, I agree that addresses at the relevant domain should be used. If you don't want to do anything with the replies, just have the MTA discard all messages to that address. If you use noreply@example.com or noreply@noreply.com, you have no control over what happens to replies. Forging a From: to save the load of bogus replies is silly, since it's probably small. Even if it's big, it's still your responsibility.

Re:WTF

[rkanodia]

My guess would be that their 'engineers' have no idea what an RFC is. A long time ago, they used to use donotreply@ourcompany.com, and then they started getting all that pesky 'email' crap, so they had the brilliant idea of switching it to ourcompany@donotreply.com. If you told them about reserved domains, their heads would explode.

Re:WTF

[mortonda]

Because with any mass emailing, there are a ton of bounces or "out of the office" messages that come back to the sender. I made the mistake of posting to bugtraq recently, and it is horribly configured such that I got all the stupid vacation and undeliverable messages. That stuff should go to a bounces address for the list, not me. By making a link to click, you can reduce the noise/signal ratio.

Re:WTF

[Nimey]

And many of them work at their marketing department. Until I called and demanded they stop, I got credit card offers from them every other day, and on at least one occasion every day. ...

Holy shit, that's where AOL's marketing department ended up.

Re:WTF

[elronxenu]

And that's just fundamentally wrong. You can automatically filter out bounce messages and spam. When a message gets through the first level of checking, it can be tied to a customer, so the support person can know all that there is to be known about the customer at the time of reading the email.

If you're sending communication as email, you should expect communication as email back.

Re:WTF

[sixsixtysix]

wonder how his wife, whyn, get bounced mail too.

Re:WTF

One is a general rule that holds true in the majority of situations

Because evil people are never incompetent?

Re:WTF

[Zero__Kelvin]

"Because then, when people reply anyway, you get junk mail at your own servers. Using donotreply.com directs the problem to other people."

Yes. Yes. That's right. I believe I read that somewhere ... I think it was in a Slashdot article titled "What Happens To Bounced @Donotreply.com E-Mails" The article says that someone else is some guy in Seattle. You might want to read it sometime. Thanks for the insight!

Re:WTF

[Nethemas+the+Great]

I want that domain!

Re:WTF

[Burning1]

It's trivially easy to reject any email to dontreply@example.com at the mail-server or mail gateway. The total cost of doing so is a few bytes of bandwidth, and a TCP connection.

Re:WTF

[EdIII]

But why do even that?

Although it is easy to reject, there is still a SMTP session that has to do quite a bit of work. Reverse DNS, DNS, SPF, DKIM, Spam, etc.

Instead of spending those few bytes to do that, and the associated cpu cycles, just stop the sending mail server from initiating a TCP connection at all. If you control the MX records for the domain in the FROM header (donotreply@some.company.example.com), you can just leave the record blank or point it to a private IP address. That way the sending mail server will fail and give a delivery failure notice to the sender, and then a permanent delivery failure notice a day or two later.

Of course, if it were me, I might just create an account and an auto responder that informs the sender that they are stupid and can't read and their original email was destroyed without being read. I would also provide links to several dictionary sites and the wikipedia entry (I wonder if that exists?). Then again I am the kind of administrator that is not "user friendly" :)

Re:WTF

[Dan541]

Well, if you are signing up for a network management seminar, or something of the like, then you might also be the person that gets abuse@yourcompany.com, admin@yourcompany.com, it@yourcompany.com and a host of other generic email addresses. So perhaps you don't want them to even have your domain name? Good point but you probably don't want someone getting your sensitive email either.

Id make allot of them public for all to see that might educate a few people I would be especially careful to ensure the security vulnerabilities one was made public.

~Dan

Re:WTF

[mabhatter654]

then why are you sending them email? This is part of the "breaking" of email, that the system expects the reply address to be valid, why would you send a message out and not want a reply?

Re:WTF

[mabhatter654]

I'd agree, all emails should be "correct". Perhaps we need an RFC to specify one "true" no reply function for email addresses to use. That way all MTAs would immediately identify it as a no reply and drop it no matter where they are. Sort of like how 127.0.0.1 will always drop at the nic, or 192.168.x.x will always block at the router.

Otherwise, you should expect communication. One thing I'd like is automatic threading at the server level.. something to recognize that a message is a reply and attach it and not an ugly hack or guess.

Re:WTF

[Dan541]

I think Moron@localhost would be better suited.

~Dan

Re:WTF

[BiggerBoat]

For those who don't know the reference (or just want to see it again): http://www.jibjab.com/view/132078

Re:WTF

I rather wonder what kind of administrator you are at all, considering you don't appear to have realized that you could check the recipient address first, then reject the message before doing all of the other related checks.

Re:WTF

[sconeu]

If you are operating a mail server you are NEVER supposed to put information for domains you don't control into the headers. That is what spammers do.

Maybe the donotreply.com guy can countersue under CAN-SPAM?

Re:WTF

[mlk]

.invalid would be a better option. Example.com is for examples.

Re:WTF

[Antique+Geekmeister]

Perhaps the owner of "donotreply.com" should publish SPF records to restrict valid mail from his domain to his servers?

Re:WTF

[mpe]

Surely they should use example.com (Documented in RFCs to never be a real domain).

Or even simpler they could use an email address they own which feeds to /dev/null, e.g dont.reply@whatevertheircompanyiscalled.com If they insist on using a email address in someone elses domain, even one which does not currently exist or does not currently accept email, they they are asking for this kind of trouble.

Re:WTF

That will do absolutely nothing about the unwanted mail hitting his servers. It will only reduce the amount of mail from the forgers that used the donotreply.com sender address reaching the intended destination.
Of course, only marginally. Almost nobody is using SPF records to block any mail.

Re:WTF

[leenks]

Err, you mean like the RFC specified "message-id", "in-reply-to" and "references" headers?

Re:WTF

Mod parent redundant: whitehouse.gov already gets all the e-mail, not just the bounces.

Re:WTF

[S.O.B.]

Not to mention their children Willn and Cann.

Re:WTF

What question will you ask?

Re:WTF

Check out 'my life as uucp@aol.com' from the risks digest for details about a similar case from an earlier time.

http://catless.ncl.ac.uk/Risks/16.77.html#subj4

Re:WTF

isn't test.com supposed to be a restricted address too? Why doesn't go to a restricted page like example.com does?

Re:WTF

[budgenator]

My best guess is it's not the mail admin who's doing it, but the sale-droid who learned how to Email from his 12 yo daughter, anybody can stick a forged Email header into the "Reply To" field.

Re:WTF

[Dephex+Twin]

The generalization that is described in the sentence is that humans in general aren't malicious people, but they can be very lazy and careless. The reverse has no bearing on people's experiences of reality.

Re:WTF

[sjames]

No.

Re:WTF

[dossen]

If so, that would be a very bad choice indeed!
In the absence of a MX record, a correctly functioning SMTP client must treat an A record like an implicit MX record with preference 0. Go read RFC2821, section 5 - it's all spelled out there.

Re:WTF

[EdIII]

The reverse has no bearing on people's experiences of reality.

Are we in the same reality? :)

The reverse is what I consider to be a parody of the original statement. Where corporations and politicians will feign ignorance and incompetence where more nefarious agendas are being pursued.

So I do agree that your generalization is the original statement, and only in a cynical environment is the reverse considered true at all.

Re:WTF

[EdIII]

Ummmmm, if you CHECK the recipient address..... then a TCP SESSION was ALREADY established . That was my whole point. Furthermore, you are factually incorrect about your statement involving the other checks.

So please keep your insults to a minimum when they are not backed up with actual experience or intelligence. No offense, and I don't mind risking the karma or yet another troll/flamebait to an Anonymous Coward. Thank You Very Much. I don't even know why I waste the time responding to you, since you posted as an AC and most likely will not get it. Drive by Ignorance, I guess. Well if anybody else reads this, they might find it informative.

My whole point was that you are doing too much work if you even have a SESSION IN THE FIRST PLACE.

You wonder what kind of administrator I am, well I am a mail server administrator who runs several dozen domains right now. There are several checks that get performed before you even receive both the TO or FROM headers.

1) You are already establishing a TCP connection with a remote mail server. That takes CPU cycles, bandwidth, etc. I know it may not be much, but when it scales it can matter.

2) Right off the bat, you are going to send them your policies for you mail server. Bandwidth.

3) You will receive the HELO statement from the remote mail server. You should immediately perform an IP Lookup on that statement, and gathering records. More Bandwidth.

4) Now you should receive the FROM header. Now you perform IP Lookup on the domain in the FROM header.

5) With that information you are performing at least an SPF check on the domain, and following SPF and PTR policies. This is what I meant by Reverse DNS, DNS, SPF, etc.

6) It is at this point you receive the "recipient address" or the TO header.

After this point, you can the proceed with other checks if the recipient address checks out and there is no termination required by SPF or PTR policy. This is where you can apply heuristics for Spam, check the sending IP address against Spam Cop and Spam Haus. If it is still okay you can then verify DKIM and do whatever else you want.

Here is a redacted SMTP session log for you take a look at it. You can see the order in which it will perform the various checks and how you are wrong in your statements.

Now, of course the first thing the sending mail server did was to attempt to resolve the MX records for my mail server. If it could not do that or the packets could not reach my mail server, then none of this is even necessary is it?

Sat 2008-03-22 13:52:43: [1028:1] Session 1028; child 1; thread 2584
Sat 2008-03-22 13:52:42: [1028:1] Accepting SMTP connection from [162.84.124.244:2327]
Sat 2008-03-22 13:52:42: [1028:1] 220 ** .com ESMTP ** ; Sat, 22 Mar 2008 13:52:42 -0800
Sat 2008-03-22 13:52:42: [1028:1] 220 Unauthorized Relay Prohibited.
Sat 2008-03-22 13:52:42: [1028:1] 220 All Transactions and IP addresses are logged.
Sat 2008-03-22 13:52:42: [1028:1] 220 UCE/SPAM is NOT TOLERATED.
Sat 2008-03-22 13:52:42: [1028:1] 220 Domains with no reverse-dns lookup are not accepted
Sat 2008-03-22 13:52:42: [1028:1] 220 under any conditions.
Sat 2008-03-22 13:52:42: [1028:1] HELO pool-162-84-124-244.norf.east.verizon.net
Sat 2008-03-22 13:52:42: [1028:1] Performing IP lookup (pool-162-84-124-244.norf.east.verizon.net)
Sat 2008-03-22 13:52:42: [1028:1] * D=pool-162-84-124-244.norf.east.verizon.net TTL=(1440) A=[162.84.124.244]
Sat 2008-03-22 13:52:42: [1028:1] ---- End IP lookup results
Sat 2008-03-22 13:52:42: [1028:1] 250 *** .com Hello pool-162-84-124-244.norf.east.verizon.net, pleased to meet you
Sat 2008-03-22 13:52:42: [1028:1] MAIL FROM:
Sat 2008-03-22 13:52:42: [1028:1] Performing PTR lookup (244.124.84.162.IN-ADDR.ARPA)
Sat 2008-03-22 13:52:42: [1028:1] * D=244.

Re:WTF

Coincidence. That's my dad's name.

Re:WTF

[Xeth]

At least then you can guarantee the bounced emails won't be taking up disk space?

Re:WTF

[craagz]

Thankfully yourcompany.com is still under domain parking. :D

Wikileaks

There is a very easy solution if the owner of donotreply.com thinks this is a problem: sell his domain to Wikileaks for a nice sum, and both parties will be happy!

Re:Wikileaks

[Fjandr]

He doesn't really say it's a problem. He simply gets companies to donate to animal relief causes in order to have their documents pulled from his blog.

It's each company's fault if they send him confidential information. They have no business setting up From: addresses to a domain that they do not control.

Business plan

[Boa+Constrictor]

It's not like he didn't see it coming -- "Unauthorized use of this domain gives me full rights to post any emails involved using the unauthorized address. Don't like it? Don't use it." The website is a blog based on the email he receives at the domain. Exploitative it may be, but I thought most folks with sense used "noreply@ourcompany.com" or variations thereof.

Re:Business plan

As a proud owner of ourcompany.com domain, I don't think your suggestion is sensible at all!

Re:Business plan

[Em+Adespoton]

I wonder how much mail nospam.com gets.... it appears to be held by a portal pumper/domain squatter.

Re:Business plan

Or for that matter, @donotreply.invalid. The .invalid TLD is defined in RFC 2606 as being "for use in online construction of domain names that are sure to be invalid and which it is obvious at a glance are invalid."

you can own the headline domain

[iamhigh]

DONTOREPLY.COM is available! Probably gets about as much crap - even slashdotters can't profread.

Re:you can own the headline domain

[BenSchuarmer]

I got your email. --Don

Re:you can own the headline domain

[Teflon_Jeff]

I know I looked into buying donotreply.com a while back, but it was taken. Makes me wonder why he bought that domain...

Re:you can own the headline domain

[solitas]

I know I looked into buying donotreply.com a while back, but it was taken. Makes me wonder why he bought that domain...

Which makes us wonder, in turn, why YOU wanted to buy it...

Re:you can own the headline domain

[Myopic]

You won't have to wonder why, if you read the article.

Re:you can own the headline domain

[Teflon_Jeff]

Kicks and giggles. I thought it would be funny to have an @donotreply.com e-mail address. had I known about all the crap that would filter through, I probably would have sold it.

Re:you can own the headline domain

[Teflon_Jeff]

The article is blocked at my work. It's not worth the trouble of manually adding the IP into the safe list. Have to stay under the radar.

Re:you can own the headline domain

[PitaBred]

Run a recent SSH server at home, and use it as a transparent proxy (if you use Windows, PuTTY is pretty easy to set up a port forward, google for it). That's what I do when I need to get around HTTP blocks on client sites. Usually SSH is not a blocked port, much less to "consumer" IP blocks.

Re:you can own the headline domain

[sentientbeing]

....Its 'Proofread'

Re:you can own the headline domain

[evilad]

Ha! I was nearly terminated from a client site for this exact dodge. Should've gone, too. It was only a sign of how much worse things would get.

Re:you can own the headline domain

Domain Name: DONTOREPLY.COM

Registrant [1298015]:
                Moniker Privacy Services
                20 SW 27th Ave.
                Suite 201
                Pompano Beach
                FL
                33069
                US

Domain servers in listed order:

                NS0.DNSMADEEASY.COM
                NS1.DNSMADEEASY.COM
                NS2.DNSMADEEASY.COM
                NS3.DNSMADEEASY.COM
                NS4.DNSMADEEASY.COM

                Record created on: 2008-03-21 15:53:06.0
                Database last updated on: 2008-03-21 16:03:23.54
                Domain Expires on: 2009-03-21 15:54:21.0

Re:you can own the headline domain

[budgenator]

years ago I had a better one, lots of forgotten passwords get emailed to qwerty@poiuyt.com, now poiuyt.com is just a link-farm and probably worse.

forgery?

[gEvil+(beta)]

There's gotta be some ridiculously arcane law on the books somewhere whereby the practice of using a false "from" header would be considered forgery.

Re:forgery?

[GregGardner]

Whether it is arcane or not is debatable, but the CAN-SPAM Act of 2003 specifically prohibits using a false "From" header.

http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.shtm

"It bans false or misleading header information. Your email's "From," "To," and routing information - including the originating domain name and email address - must be accurate and identify the person who initiated the email."

Re:forgery?

[repvik]

Does it matter? The "From: " header does not need to be forged. The "Reply-To: " header OTOH...

Re:forgery?

[holmedog]

That's F'ing insane. I seriously can't believe they put that in there. I write perl/c scripts daily that send out emails and use a From address that doesn't get replied to.

Icing on the cake is that almost all CEO's do this, their secretaries send out emails with FROM: Boss@company.com. Good stuff.

Re:forgery?

[WK2]

Of course sending a false "from" header is forgery. It is the definition of forgery. The only questions is if it is illegal, which my sibling post says violates the CAN-SPAM act. Remember kids, you "CAN SPAM" as long as you follow some simple rules. And don't worry about violating the rules, because nobody can sue you for damages if you do.

Re:forgery?

what does it say about 'Reply-to:' smartypants?

Re:forgery?

[Mushdot]

A few posts have mentioned that companies must be forging headers for their return email address. While technically that may be true, has no-one considered that this is simply stupidity on the part of the admin at the company end and not some desire to offload unwanted mails and bandwidth on someone else?

Maybe they saw another company using the donotreply address and thought "hey, I'll use that too" and the usage propagated throughout the IT (idiot techie) world from a 'monkey see, monkey do' mentality.

Re:forgery?

[mabhatter654]

I'm hungry for toasted cheese and Hormel meat product now!

Re:forgery?

[damiam]

Those restrictions only applies to commercial emails, as is implied by the header on the page you linked to ("Facts for Business"). The text of the bill confirms this:

(1) PROHIBITION OF FALSE OR MISLEADING TRANSMISSION INFORMATION- It is unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message, or a transactional or relationship message, that contains, or is accompanied by, header information that is materially false or materially misleading. For purposes of this paragraph--

(A) header information that is technically accurate but includes an originating electronic mail address, domain name, or Internet Protocol address the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations shall be considered materially misleading;
(B) a `from' line (the line identifying or purporting to identify a person initiating the message) that accurately identifies any person who initiated the message shall not be considered materially false or materially misleading; and
(C) header information shall be considered materially misleading if it fails to identify accurately a protected computer used to initiate the message because the person initiating the message knowingly uses another protected computer to relay or retransmit the message for purposes of disguising its origin.

Re:forgery?

[budgenator]

It bans false or misleading header information. Your email's "From," "To," and routing information - including the originating domain name and email address - must be accurate and identify the person who initiated the email.

That doesn't seem to apply to the "Reply To" field IANAL YMMV.

Is he going to sell his domain now?

[CriminalNerd]

I'm sure a whole lot of people are suddenly interested in owning this domain (and/or similar variations) given this new tidbit.

I wonder how long it's going to take for domain squatters or other people to attempt to approach this guy with an offer, and I wonder if he'll accept said offer. This might not bode well for the populace in general if companies don't wake up to their idiotic IT policies.

Re:Is he going to sell his domain now?

[Phisbut]

I'm sure a whole lot of people are suddenly interested in owning this domain (and/or similar variations) given this new tidbit.

I bet noreply.com would get just as much mail, and the domain is for sale now.

Re:Is he going to sell his domain now?

[luke923]

nobody.com expires in August. I'm sure that would get lots of mail, too.

Stupid on both sides

[EdIII]

Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It's just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails.'"

Sounds like he is the one being hurt here. Of course somebody has to own that domain (I guess) and he decided too. Terrible domain name, but still not his fault.

Which brings me to:

Apparently, everyone from major US banks to the Transportation Security Administration to contractors in Iraq use some variation on the address in the "From:" field of all e-mails sent out, with the result that bounced e-mails go to the owner of donotreply.com.

All of these organizations and companies are just being cute by forging their FROM headers. Technically that should not be allowed, but you can do it anyways. They don't want to deal with it and they create "one-way" traffic by inserting bogus information into that header.

The problem is that bogus information is an actual domain that is active and running a mail server. They are treating it like is a reserved word.

The lawsuits are funny, since the header information will show conclusively that those people intentionally redirected the traffic to this guy. If anything, he can counter-sue.

The only thing I can think of is that donotreply.com becomes a reserved word, which is probably easier than getting all those mail administrators to change their behavior, or to get smarter.

In any case, the domain owner is without fault on this one. Unless you count being stupid as a fault, which picking that domain is a little unwise.

Re:Stupid on both sides

[similar_name]

Don't forget do-not-reply.com and any other variation. It might not be so easy to reserve every bogus email that people use.

Re:Stupid on both sides

[MMC+Monster]

Unless you count being stupid as a fault, which picking that domain is a little unwise. Well, he could always give it up. I think it's a pretty cool domain name, but would not bother with it, given the amount of extraneous traffic associated with it.

Re:Stupid on both sides

[fbartho]

hey! I know a good triple of bogus words: Google and Gmail and Googlemail. Let's keyword those. NOONE would ever think of using those as valid addresses.

(just supporting your comment that it might not be easy to define "bogus domain")

Re:Stupid on both sides

[EdIII]

I don't think he will give it up. He says he, "receives millions of wayward e-mails each week".

I operate an email servicing company. The costs of the bandwidth alone for millions of emails each week is NOT cheap. The server may not have to be that expensive, as it is only about 2 to 10 emails per second (approx. 2 per million), which is not that outrageous. Disk space is cheap these days and he can delete a lot of stuff coming in pretty fast.

However, that bandwidth is costing him money. A fair amount of it too. Hard to say, since he is in Seattle. I would think a couple hundred bucks a month all day long if not more.

So if he is spending that kind of money to keep it, it must be making him money. That's just my opinion....

Re:Stupid on both sides

[Dhalka226]

Well, I think you're giving the site operator a bit too much credit. I took a look at the actual site at that domain. I don't know if it was always this way or become it at some point in the past, but it looks like it exists for no other reason than to post these emails and make fun of the companies involved, seemingly exclusively, all the way back to late 2005 when their current site's archives end. I dug into their "Old Site" archives and it looks like this behavior began on January 30, 2004. The difference in dates isn't as impressive as it sounds; there are only 5 entries between the very first entry ever and the "I'm going to start posting these emails."

At the bottom of his site is some pseudo-legalese trying to say he's going to bill people for the emails and then post them: "Use of the domain donotreply.com is billed at $100 per day or $1 per email minimum - post billed. This domain is not for sale, nor to be used in unauthorized mailings,addresses, or automated systems. Any use of the domain that results in damage to the server may incur additional billing. Please contact chet at poe-news.com for other pricing and the billing mailing address. Unauthorized use of this domain gives me full rights to post any emails involved using the unauthorized address. Don't like it? Don't use it."

He's not a victim. Really, he's just a bit of a douche.

Re:Stupid on both sides

[EdIII]

I had not read that far yet in the article. I know, I know a ./'er not reading the article.. for shame.

He is a "douche". But he is also a technically correct douche, the best kind douche :)

The companies are douches for forging their headers, and he is a douche for deliberately exploiting those douches. So in fact, he may be a double-douche.

Re:Stupid on both sides

[Hatta]

The companies who email him are not victims either, and still bigger douches.

Re:Stupid on both sides

[BlueCollarCamel]

Unless you use Google Apps to do the mail handling for you.

Re:Stupid on both sides

[ceoyoyo]

He's probably not a victim, unless he actually intended to do something with the site before he realized how much crap e-mail it would get. He's not a douche though. In all the postings I read he removed any sensitive information. He's actually doing both the companies AND their customers a really huge favor. If he didn't own this domain do you think it would be someone who blacked out the sensitive info, or someone who tried to "monetize" it?

Re:Stupid on both sides

[proselyte_heretic]

The owner of the domain loses nothing, he posts interesting emails to his blog, and requires companies to donate to a charity for him to remove it. If he was in dire financial straits, he could post more (and more sensitive) emails, and pocket the take-down fee. Sounds to me like free income.

Re:Stupid on both sides

[Splab]

Well for one thing he could sell all the bounces to spammers, any mail that arrives as a reply mail is a confirmed email address saving spammers quite a lot of time.

Also you can probably do all sorts of nice data mining on the information - or even just a simple search for certain "interesting" keywords (ig. top-secret, internal, for your eyes only) and dig up all sorts of interesting stuff you can sell to media.

Re:Stupid on both sides

[Forty+Two+Tenfold]

All of these organizations and companies are just being cute by forging their FROM headers. Well, let's see how much spam comes from "legitimate" source.

Re:Stupid on both sides

[borfast]

The domain owner is not stupid. He possibly bought the domain because he had other plans for it. The web is full of sites with "cool" and "funny" domain names like this one. Why should this be different? What he should do is let the banks and companies sue him for having their private documents, and then counter-sue and make a big pile of money. That would probably teach something to those stupid admins. But even if it didn't, at least he'd be rich. I know I'd hope that it would go on, if I were him.

Re:Stupid on both sides

[TapeCutter]

It must be quite a workload to find and redact 'sensitive' info. What makes you think he destroys that info when he finds it? What is his motive and reward for all that 'wasted' effort? My bullshit meter says this guy is in it to make a buck.

Speaking of extortion, some people have found a way to cash in on 'cyber bullying'.

Re:Stupid on both sides

Yea I'm not the Russian mafia or anything but I can see how that information could be valuable... I mean... Internal emails from Iraq? As a public service I'd love to have those find their way to Wikileaks or something.

(captcha: retard)

Re:Stupid on both sides

[WithLove]

Delivery errors would also come back, fwiw.

Re:Stupid on both sides

[ceoyoyo]

Maybe, but there's no evidence of it. If he were in it for the cash I would expect him to keep quiet lest someone actually listen to him and tighten up their e-mail procedures.

The only evidence is that he's doing a public service by exposing companies doing something stupid with your sensitive information. It's just too bad he doesn't have a searchable list of domains he gets e-mail from so we could all find out who to avoid.

Re:Stupid on both sides

[Rinikusu]

Sounds like a great marketing ploy to me. Imagine all the unique email addresses he collects every day. I've heard lists of valid, unique email addresses can go for some decent money from scammers/spammers...

Re:Stupid on both sides

[scooter.higher]

He did just that... see my other comment: http://it.slashdot.org/comments.pl?sid=495758&cid=22826932

Re:Stupid on both sides

[TapeCutter]

"If he were in it for the cash I would expect him to keep quiet lest someone actually listen to him and tighten up their e-mail procedures"
He could post it on /. and simply wait for someone to offer him enough cash to part with the site and it's archives.

Re:Stupid on both sides

[ceoyoyo]

Okay, to test that hypothesis: if that were his plan he would probably not post stories about what he was doing until shortly before the Slashdot submission. So the site would have very little history. Personally, while I was building the archive I'd serve up either nothing, or a fake page designed to make it look like the whole domain was not only unoccupied but actually invalid.

Observation: According to the wayback machine, the domain basically offered e-mail addresses for the first couple of years, then he started posting stupid company e-mails in 2004. Four years is quite a while to be planning to use Slashdot as free advertising. Not that its impossible, but a little long range for the average Internet scammer.

Re:Stupid on both sides

[bitmonk]

Some providers charge only for outgoing traffic, so he may be paying only for traffic to the weblog.

Re:Stupid on both sides

[TapeCutter]

I agree with what you say and admit I have been playing devil's advocate. The fact of the matter is that we don't know what this guy does with the emails (other than post redacted copies), taking what he says at face value is a leap of faith that personally I am not ready to take.

OTOH: When arguing in an information vacum the benifit of doubt belongs to the accused.

Re:Stupid on both sides

[ceoyoyo]

I agree, it's absolutely unacceptable for him to be getting these e-mails. The companies involved need to fix it right away. What's really awful is that, according to him, the ones he's contacted and informed that they're spewing sensitive data out to third parties on the Internet aren't the least bit interested in fixing the problem.

Re:Stupid on both sides

All of these organizations and companies are just being cute by forging their FROM headers.

It's more than cute, it's not legal.

Technically that should not be allowed...

Legally, its not allowed under the CAN-SPAM act. Forging the header is a pretty big no-no.

Cease and Desist Letters for legally owned domains

[PhreakOfTime]

I find myself in a somewhat similar situation. I was supposed to do some work for a company who later ended up folding because of 'bad management', and I was left holding the bag on the domain I purchased at their instruction, that they never paid me for.(they didnt want to buy it, I dont know?).

Other than getting all the requests for 'why havent you paid us yet', the end result is that almost 2 years later these people are COMING AFTER ME WITH A CEASE AND DESIST LETTER and demanding that I turn over this domain and others to them for free because it 'infringes on their copyright'. Although, I honestly can say Im not suprised that Caton Commercial, the real estate company who is operating as the umbrella company for all these shell companies who eventually go under, doesnt know its ass from a whole in the ground.

Knowing full well that this sort of behavior is borderline as far as being professional, I posted the full contents of the Cease and Desist Letter sent by a Mr John Argoudelis online so anyone thinking of working with this company may come across this sort of behavior and maybe think twice. Lawyers and Real Estate agents.... whew... what a combo of integrity!

The company is also involved in numerous court cases relating to other aspects of their business practices. Ive posted a short description of the Will County court cases that caton commercial is involved in at my blackjack and hookers site.

In fact, forget the blackjack!

Never thought of "donotreply.com"

[Duncan+Blackthorne]

I have used "no.one@nowhere.org" and "some.one@somewhere.org" as bogus email addresses before, but never thought of using "donotreply.com" for anything. In fact, I'd pay good money (and have offered several times, only to be ignored) to have an email address @somewhere.org or @nowhere.org..

Re:Never thought of "donotreply.com"

[rasman1978]

That's so unprofessional!

I always just use me@yourmomshouse.com.

Re:Never thought of "donotreply.com"

[SanityInAnarchy]

There's also example.com.

Re:Never thought of "donotreply.com"

[morari]

I always liked shoveitupyour@ss.net

*shrugs*

Re:Never thought of "donotreply.com"

[daveywest]

My email of choice is not@chance.com

Re:Never thought of "donotreply.com"

[John+Hasler]

> I always liked shoveitupyour@ss.net.

I'm sure Sharper Solutions LLC would really appreciate that.

Re:Never thought of "donotreply.com"

There's also example.com. which unfortunately is completely safe

Re:Never thought of "donotreply.com"

[Em+Adespoton]

I had an email address at somethingorother.com for years until they dot-collapsed. Now it appears to be another portal-stuffer.

Re:Never thought of "donotreply.com"

[The+Mgt]

I have used "no.one@nowhere.org" and "some.one@somewhere.org" as bogus email addresses before

Damn, can't get the Picard facepalm ascii past the lameness filter.

Re:Never thought of "donotreply.com"

me@yourmomshouse.org -- orgy? or orgasm??

maybe better? :P

  -- quickly

I have a suggestion:

[Lxy]

1. Company A uses companya@donotreply.com as it's return address

2. Donotreply owner sets up an autoreply for companya@donotreply.com. This auto-reply should be inappropriate, goatse is definitely an option.

3. Company A loses customers in droves, problem solved.

Re:I have a suggestion:

[EdIII]

Your that type of kid that put the flaming bag of dog doody on my front porch aren't you?

Yeah you are... I got your number :)

Re:I have a suggestion:

[zotz]

Sounds a bit like the tactic my grandfather said he used to solve a problem...

He had a phone number for years.

Out of the blue, he started getting calls in the middle of the night from security guards checking in on their rounds.

Seems a security company had started up and had a number close to his and the guards were mistakenly calling his number instead of theirs.

He asked the company to change their number. They said no and told him to change his.

The next time he got a call in the middle of the night, he told the guard that he could go home for the night.

Company calls up the next day all upset that he sent the guard home and telling him he couldn't do that.

He says he could and would keep on as long as the calls continued.

Number changed. Calls stopped.

(This is from memory, the details may not be 100% accurate, the gist of the story is as he told me.)

all the best,

drew
http://packet-in.org/wiki/index.php?title=Main_Page
Packet In - net band. Libre music available gratis. Could be for a limited time only. Then again, it could last as long as copyrights...

Re:I have a suggestion:

I concur, we already do this when people link to our images, we swap in "2 girls and a cup" or something offensive. They very quickly stop linking to images :)

Re:I have a suggestion:

[rickb928]

My family used to have a number just 3 off from a very popular pharmacy in town. We got wrong numbers on a regular basis, but shrugged it off.

One night, very late, someone called and was quite upset that not only weren't we the pharmacy, but that we couldn't transfer their call to the pharmacist. This in the days when yoh could choose pluse or tone dial phones. My mom lost her cool and gave the caller quite a talking to.

The pharmacy owner called the next day and began to chew me out (I was home sick, sheesh) for being so rude to callers that had made such an innocent mistake. I shared with him what my mom said the caller said. And I let him know that I'd have my mom call him as soon as she got in.

We know the pharmacist's home numnber. He's on the City Council. Needless to say, my mom didn't call him until a little later in the evening. And he was both rude and upset. Especially when he realizes that he actually knows my mom from business dealings (ok,ok, she represented several manufacturing firms). We (I was her partner in crome a lot) attend the next Council meeting. He spies us.

Never heard from him again. We had that number for 12 years. He got over it. People still called all hours of the day and night. We usually just hung up after that.

Ah, the good old days of rotary dial.

Re:I have a suggestion:

We had a problem like that at a store where I used to work. It had a number similar to a local Taxi company.

The owner was a bit of a Bastard. When folks would call and ask for a cab, he'd say "Ok; there in 10 minutes" and hang up. Personally I thought this was a bit shitty but what could I do.

Re:I have a suggestion:

[Cyko_01]

4. ???

5. PROFIT!!!

Re:I have a suggestion:

[schon]

A few years ago, I started getting phone calls from people asking for "Leanne". Turns out "Leanne" had recently moved, and was giving out my number (mistakenly) to her friends. The calls started coming at all hours of the day and night.

I started telling the callers to tell "Leanne" that she was giving out the wrong number, and to let her friends know about it, but the calls kept coming.

One day at about 4AM, I got woken up with asking if "Leanne" was home. I had an epiphany, and told them "no, she died today." The caller was dumbstruck. I told him that she got hit by a bus on the way home. The caller asked the obligatory "is there anything I can do?" and I said "Yes - can you call all of her friends and let them know the funeral is on Tuesday?"

That was the last call for "Leanne" I ever got.

Re:I have a suggestion:

[TheSkyIsPurple]

Cab company in Dulles does this regularly to me when I'm town. (After the third time, I finally started to remember who these jackasses were)

Re:I have a suggestion:

[zotz]

Well, my grandfather was a nice man. I saw him that way, and it seems that's how he was seen around town.

This type of problem seems to be fairly common.

I get lots of calls for Bay Street Garage and for some family, and occasional calls for Sandilands. I know of other places that have this issue.

I just be as nice as possible about it but I don't get them all through the night.

all the best,

drew
http://packet-in.org/wiki/index.php?title=Main_Page
Packet In - Net band...

Re:I have a suggestion:

[witherstaff]

Goatse? Why not the FBI link that gets the feds knocking down the doors. So we have

3. Company A's customers go to jail in droves.

4. Company A looks into what the problem is. Company's A employees go to jail.

5. ?
6. Profit!

Re:I have a suggestion:

[mcsynk]

A family friend of ours had a phone number very close to that of the Doctor's surgery. They received calls at all hours and politely asked the doctor to change their number. Having refused several times, our friend began giving everybody that called up a two o'clock appointment for the next day. The doctor did change their number and the calls soon stopped!

Re:I have a suggestion:

Err, what?

Least coherent post ever.

RFC 2606

[mmontour]

RFC 2606 (dated June 1999) solves this problem by defining reserved domains such as "example.com" (for use in documentation) and:

            ".invalid" is intended for use in online construction of domain
            names that are sure to be invalid and which it is obvious at a
            glance are invalid.

A possible use for example.com

[stevel]

ICANN reserved example.com, example.org and example.net for use in documentation and other places where you want to put an "example" domain name, but I find that most people are not aware of this. Email sent to these domains is discarded.

For reply addresses, a more reasonable protocol would be to use the sender's actual domain but with an invalid username, as Poromenos1 suggests. A further problem of using a domain not your own as a sender address is that the recipient's email server may block it due to SPF records or other checks on sender domains.

I remember once getting an incensed missive from the owner of asdfg.com who complained about emails we were sending him regarding updates of our product. Turned out that a user had entered that domain when he registered the product in an attempt to not get our emails.

Re:A possible use for example.com

[Niten]

Good point, but just to nitpick:

A further problem of using a domain not your own as a sender address is that the recipient's email server may block it due to SPF records or other checks on sender domains.

SPF policies apply only to the envelope sender address, not the message's From: header.

Re:A possible use for example.com

[noidentity]

I remember once getting an incensed missive from the owner of asdfg.com who complained about emails we were sending him regarding updates of our product. Turned out that a user had entered that domain when he registered the product in an attempt to not get our emails.

I usually just do admin@domain, where domain is the domain of the stupid website I'm trying to access which pointlessly requires me to register first. The solution is to not require registration, rather than trying to block all the bullshit addresses the user might enter.

Re:A possible use for example.com

[RyoShin]

I remember once getting an incensed missive from the owner of asdfg.com who complained about emails we were sending him regarding updates of our product. Turned out that a user had entered that domain when he registered the product in an attempt to not get our emails.

Heh. When I'm feeling less vulgar and need a fake address, I use the e-mail address "bob@bob.com". I never thought about who might actually get the e-mails and see what kind of sites I visit. Visiting bob.com just now, I can't tell what the hell they do, so I'm not as worried about them getting annoyed by reckless e-mail.

However, I do know the annoyance that what wrong addresses can do. Even on a single-user basis, it can be annoying as hell. I have an alternative gmail address that was supposed to be used for purely business purposes ("what's a tukaro?"). I have a rather generic name, even including the middle name, so it took some time to find one that fit and was free.

As it turns out, someone decided to get this same handle, but for a yahoo (or some other) account. I'm not sure if the guy was moving from or to the account, but he changed his address and wound up changing a lot of his accounts to use my gmail address. It was funny at first when I'd get a newsletter or something (just removed myself), but then he would order stuff with my e-mail address. (The companies he signed up with apparently don't bother to confirm addresses when you change them, so I got no mail when he did so.) First was a record from some Yahoo! store. I explained the situation, he had paid and everything, but they cancelled the order and said it was fraud. (They later added an update with the e-mail I sent them.) Not my intention, but on well.

Later he purchased a vase or something from Overstock.com. I was able to change his password to get in (good thing they don't just send a plain-text one) and got his mailing address (I had access to the phone number but did not write it down). I then contacted Overstock about the situation- they said they would try to contact him and continue to ship the order. A day or two later he had recovered the account and changed the address.

I was fine to let it be at that point, but this guy must have been some great kind of idiot. A few months later he apparently needs a loan for a car, so he heads to Roadloans.com. Not only does he put in my address, but he summarily gets denied and my account is suddenly littered with spam. I don't post this address anywhere (except for one resume page on a personal domain, which a bot would have to luck upon because it's not linked anywhere and has a non-obvious URL), so I'm fairly certain his sign up with roadloans caused it.

At this point, I got fed up, grabbed the physical address I had for him, and wrote out a rather stern letter telling him that he needs to stop this, that I'm getting tired of it, and that he should consider himself lucky that the account didn't belong to a nefarious individual. I sent it off in the mail and haven't had a problem since. The first and last thing I got meant for him had a time difference of a year and a half. Makes me wonder what else he's signed me up for.

Rather funny after the fact, but fairly annoying during the whole thing. I still get spam to that account, too, though it's decreased. I can't imagine the aggravation that would be caused from hundreds or more people putting his domain address down.

Re:A possible use for example.com

[John+Hasler]

> For reply addresses, a more reasonable protocol would be to use the sender's actual
> domain but with an invalid username...

No, more reasonable would be to use "anything.invalid" as ".invalid" is a reserved top-level domain.

Re:A possible use for example.com

[wayne]

SPF policies apply only to the envelope sender address, not the message's From: header.

Most of the time, the email address in the "From:" header gets copied to the envelop "from". And, most importantly in this case, the envelop "from" is where bounces get sent to, so the bounces he receive could have been stopped if he had published an SPF record *and* everyone checked it.

Re:A possible use for example.com

[stevel]

No, more reasonable would be to use "anything.invalid" as ".invalid" is a reserved top-level domain. The problem with that is that many email servers will reject mail apparently sent from nonexistent domains. This is why so much spam has the sender spoofed from valid domains (with made-up usernames.) Complicating the issue is that it there are so many different spam filtering mechanisms out there, some of dubious correctness.

My domain

[Cytlid]

Because I have the existential geek name, as it appears in so many tech books, I registered Fredtest.com. You would be surprised how many other IT Fred's out there send mail to Fred@fredtest.com.

I got bored with replying (some guy in SanDiego is a real estate agent for ReMax, I don't think he ever got it), so I just limited what my mail server will accept.

  Now it just bounces back to the sender and hopefully they think "oops, perhaps I shouldn't do that", which is what I believe this guy should do. Discourage the bad behavior, don't exploit it.

Re:My domain

[mstahl]

These are bounced emails though, where company A has sent an automated email to a customer or something, and the email the customer gave them was wrong. So, if he did that, they'll just keep bouncing back and forth and back and forth.

So far

[papermate]

Faliszek says his blog has raised roughly $5,000 for local dog pounds. He could probably raise more money by suing them for all that spam.

Reminds me of the time...

[x1000101]

I had an email addy from a large internet provider and apparently a lot of people thought it was theirs! Interesting emails I would get from peoples, friends, wives, coworkers...etc... even signup/login information for some websites. Replied to some people telling them I wasn't who they thought I was and one of them flipped out and told me off...

Fowarding + Wikileaks = hilarity

For some real fun, he should forward all of the incoming mail to wikileaks.

Re:Cease and Desist Letters for legally owned doma

[moderatorrater]

In fact, forget the blackjack! I went to hookers.com, and it doesn't look like your site at all! In fact, it's...

Just a minute, my boss just walked up with a box.

Sort of like copying to file...

[ShaunC]

For a long time, I had the screen name "File" on AOL. I'm not sure where the practice originates (perhaps Lotus), but many, many AOL users would compose an email and cc it to "File" thinking they were saving a copy for themselves. I wound up with all sorts of interesting stuff over the years.

Re:Sort of like copying to file...

[Nimey]

That's not an email practice; back when I was in high school in the mid-'90s I typed up orders for my Air Force JROTC unit, and there was always a copy of the order printed and placed in the file (plus one for the Colonel, another for the Sergeant, and one to be posted where cadets could read it). In those days we hadn't quite heard of email yet.

Basically you had a bunch of Clueless AOLers who hadn't mentally made the leap to computers.

Re:Sort of like copying to file...

[Nairanvac]

Like what?

I did this once.

[ScottForbes]

Many years ago I (briefly) owned the e-mail address uucp@aol.com, which received all sorts of interesting messages from platforms that blindly assumed everyone else was running Unix too. After suspending the address and asking AOL to put it on their reserved list (which they did), I wrote it up for the RISKS Digest.

Re:I did this once.

[kju]

I had a similar experience. A mobile phone operator (now defunct) allowed its customers to get mailadresses under their domain. So i got postmaster@domain which was accepted happily by the system. I deleted the alias a few days later though, because the amount of mail really got out of hand. I heard from another sysadmin who using the forged name "Andreas Buse" registered the mailadress abuse@... with his provider. :-)

Sell captured emails

[OrangeTide]

He should provide a search feature for all the email, archive it. and then sell full content any email on the site for $1. There might be interesting stuff he's catching, especially if legal departments of various companies are going after him.
(no I didn't RTFA)

Reminds me of my younger days

[eln]

I remember during my very first paying job as a sysadmin (1997-ish), I was tasked to set up a new mail server. For some reason, I decided as part of my testing to send email to an "invalid" remote address that I came up with off the top of my head (bob@bob.com I think it was, or maybe foo@foo.com or something like that). So, I wrote a script that just sent thousands of emails out at once to this address. Within maybe 20 minutes, I get an angry phone call from the domain owner telling me to stop spamming him.

I learned my lesson, though. Now I never put my real phone number in the whois record for my domains.

Re:Reminds me of my younger days

[DirePickle]

Poor bob@bob.com! That used to be my default email to use when registering at potentially-spammy sites!

Re:Reminds me of my younger days

[Monkeyman334]

I had a friend that worked for a major online phone book. Among the features was a reverse lookup. As a joke, they found a guy named "I. P. Freely" and put his phone number in the example block. So, if someone was feeling adventurous or curious they'd look it up and get a good laugh. Well, one day they got a phone call, it was I. P. Freely, and he politely asked that his name be taken off the example.

I didn't learn any lessons. It just made me wonder why on earth someone named I. P. Freely would use his initials in the phone book instead of his full name.

Re:Reminds me of my younger days

[hardburn]

I hope you were being sarcastic, because otherwise, I think you learned the wrong lesson . . .

Re:Reminds me of my younger days

[robertjw]

I learned my lesson, though. Now I never put my real phone number in the whois record for my domains.

Classic.

Re:Reminds me of my younger days

[hughperkins]

Yeah, I did the same thing at work, sent bunches of mails to "foo", via Lotus Gateway. Turned out there was a "Huang Foo" who got them all :-D

Re:Reminds me of my younger days

Ha... I sent email to "fred@barney.com" when I got my first email account or something like that... First reply I ever got, back in 1996!

Re:Reminds me of my younger days

[scooter.higher]

Maybe his parents were really mean and I. P. stood for Insert Penis.

Re:Reminds me of my younger days

[Phurge]

hilarious. I have also used bob@bob.com . so easy to type

donotreply.com

[hansamurai]

This is a fun site to read, but it doesn't appear he has updated it in over a month! Hopefully not all of these companies have caught on by now...

"I'll do a quick summery..."

[CFrankBernard]

Excellant!

Re:Cease and Desist Letters for legally owned doma

[karnal]

A Quad-core xeon?

Faliszek?

[Netsabes]

Faliszek? Chet Faliszek? A "Seattle-based programmer"? Ah! That must be half of Old Man Murray, then. Also the writer of Valve's upcoming Left 4 Dead.

Been there, done that

[HardCase]

I used to have me@myself.com from mail.com (I guess they've morphed into something else). I thought that it would be cute. It was an utter waste of my bandwidth.

I used to host nospin.com. You wouldn't believe all of the bizarre crap that came in for Bill O'Reilly. I used to forward them on, but the sheer volume and, well, stupidity made me trash them instead.

blahblah.com

[MrMunkey]

I used to work for a company where the owner's son owned the domain blahblah.com. It was a way for this guy (in his 30's) to have a forum and talk with what seemed to be teens. Anyway, we had to block all the junk mail that came in. That's when I opted for a spam blocking service through Sprint so that we didn't have to deal with all the traffic. How many times have you put in blah@blahblah.com on some stupid form?

Re:blahblah.com

[techno-vampire]

How many times have you put in blah@blahblah.com on some stupid form?

I haven't done that, but I used to do something much worse. At one point, for my sins, I served time on the helldesk of an ISP. Every now and then I'd make a note of the email address of a foul-mouthed, abusive caller who really didn't deserve the good service i tried to give everybody. For the next several weeks I'd have fun signing them up for mailing lists, newsletters and using their name on those stupid webforms that want your email address even though they have no legitimate use for it.

Who is getting all my mail?

Is it you?

Sincerely,
Slashdot_User@127.0.0.1

Re:Cease and Desist Letters for legally owned doma

[sjames]

Just re-direct all email and web for that domain to a collection agency. You might even be able to contract for finder's fees.

That or put up a zone file pointing to 127.0.0.1 for the A record.

Damn! I wish I had this domain!

[kimvette]

I wish I had this domain! Getting insider info on all these companies - - one could make a fortune on the stock market!

Heh - Been there, done that

[filesiteguy]

Reminds me of when I was the email admin at Hershey Business Systems - a Los Angeles based integrator - in the '90s. Because the domain - hbsi.com - was taken, the owners took hershey.com back in 1994.

My favorites:

Sent: Sunday, July 04, 1999 8:12 AM
To: kai@hershey.com
Subject: From: Kim!!
Hi! grandma I am so thankful that you came all the
way from Florida to see me and by the way..... thanx
for the choc cookie!! and next time you come over
could you bring the extra pleasure condoms. I need
them for me and Ryan.
love you Grandma!!
Kim

Sent: Monday, July 05, 1999 12:09 PM
To: Kim
From: Kai
Subject: From: Kim!!

Kim:

We are not your grandmother.

Kai Ponte
Hershey Business Systems

Then there was this one from an AOL member (figures):

From: TrtleGrl69@aol.com
Sent: Wednesday, August 11, 1999 2:19 PM
Subject: no response to our email dealing with
            dead bugs in my payday
I am extremely disappointed at the fact you have not
responded to this incident. I'm upset that I purchased a
payday and began eating it and ended up seeing a worm like
bug with bug carcasses and holes in and on the candy
bar.
I ... will continue to write you until I get a response.
Talk about extremely bad customer service.
Chad Weaver

I liked my response:

From: Ponte, Kai <kai@hershey.com>
Sent: Monday, August 30, 1999 7:20 AM
To: TrtleGrl69@aol.com
Subject: RE: no response to our email
                          dealing with dead bugs in my payday

The worm like creature you found - was it alive?

Did it taste good?

Kai Ponte
Information Technology Specialist
Hershey Business Systems

They should be using...

[msauve]

donotreply.invalid or example.com. These are reserved for just this sort of thing by RFC 2606.

In a similar manner, people wanting fake IP addresses to use for documentation, training, etc., should use addresses in the 192.0.2.0/24 range, which is reserved by RFC 3330.

Re:They should be using...

[belg4mit]

Or they could do what everybody else on the planet does: noreply@${localdomain}

How many emails does he get

How many emails does he gets with just "OK" in the body?

step 3

[Scrameustache]

The lawsuits are funny, since the header information will show conclusively that those people intentionally redirected the traffic to this guy. If anything, he can counter-sue. Sounds like a business plan!

I use ....

[rahvin112]

I use bob@aol.com for situations similar to this or where it's just a spam harvesting operation. I sometimes feel bad for Bob, then I remember Bob uses aol and I don't feel so bad for Bob.

Re:I use ....

[ceoyoyo]

Really? I always use bill@microsoft.com when some web page requires a gratuitous e-mail address. :)

Re:I use ....

[bobv-pillars-net]

I used to be bob@html.com, and got around five new mailing-list signups per day. That's where I learned how to properly use bogofilter.

How about nospam.com?

[billsf]

Actually that one is taken and its DNS is: {ns1/ns2.anything.com}. I fully agree these are overly generic (both of the past domains qualify) and should be 'reserved' for nobody, and that isn't {nobody.com}... It all depends on who runs the TLD. Some are more permissive than others. Playing 'by the book', '.com' probably allows some very tacky names -- Its a 'generic domain'. A geographic TLD would take quite some care to avoid misuse. Clearly, names of government agencies are to be avoided, but does '.com'? I don't think any individual would ever get, {fbi.us} or, heaven forbid, {irs.us} or here, {avid.nl} or anything with 'belasting' in it, unless you really are the 'tax people'.

At first I thought all this (domain hacks) was quite funny. However, it is unfortunate so many see the net as one big crime spree.

Re:How about nospam.com?

[koick]

As for fbi.us, according to the whois database, the US Department of Justice does own it, and probably always will.

.invalid exists

[John+Hasler]

> The only thing I can think of is that donotreply.com becomes a reserved word...

".invalid" is already a reserved top-level domain. Thus "donotreply.invalid"
would produce the desired behavior.

> ...which is probably easier than getting all those mail administrators to change their
> behavior, or to get smarter.

This guy seems to be dealing with it. Perhaps he could arrange for incoming emails to be automatically entered into a database searchable at www.donotreply.com. Should be easily doable by hacking on one of the mailing-list packages.

test.com

[Mr.+Jax]

At the last place I worked all the developers constantly used test.com and QA used that domain for testing as well. The server also sent out these emails. Me thinks there are a lot more people sending mail to test.com.

Uh, no...

[msauve]

"they" (the originator) didn't send them to the donotreply.com domain owner. They sent them to some misspelled or otherwise bad address at some _other_ domain, which bounced them to donotreply.com.

Now, it is their own fault that this happened, but it is not correct to say that they sent them to donotreply.com.

Re:Uh, no...

They sent them to some misspelled or otherwise bad address at some _other_ domain, which bounced them to donotreply.com.

They used 'something@donotreply.com' as their email address, even though they didn't own 'donotreply.com'.

Then, they sent email to a bad address at another domain, who then bounced the message too 'something@donotreply.com'.

That's also pretty stupid.

Re:Uh, no...

[plover]

"Bounced" is the term used by the slashdot submitter in the headline. However, most of these emails were actual humans clicking "reply". They were not originally bounced.

Some of them are sad and pitiful, and read a lot like, "Please accept these plans to repay my credit so I can buy my children food this week! I am waiting anxiously to hear from you and your Reply Here link wasn't working so I sent this email instead."

Re:Uh, no...

[budgenator]

Most email clients allow a sender to designate a reply-to address that is different than the "from" address. Many people are morons and will not read the large font heading at the top that says "Do Not Reply" and reply anyways. The clue-less idiots who sent the original Email and didn't want to hear the whiny sniveling replies from the Morons, thought that the Morons would notice that the reply to address was to donotreply.com and not hit the send buttons. If the clueless Idiots had read RFC2606, they would have used invalid.com or example.com or even localhost and created a non-routing reply.

He's not just some guy in Seattle...

[Mr2001]

The guy who runs donotreply.com is Chet Faliszek, one half of the "Chet and Erik" who ran the gaming humor site Old Man Murray and then went on to write the dialogue for Portal.

Incidentally, they never did send me a prize for winning that CrateMaster contest. Bastards!

Re:He's not just some guy in Seattle...

[megaditto]

Sorry, we forgot about your prize. Contact Chet at chet@donotreply.com.

Re:He's not just some guy in Seattle...

[Guppy]

The guy who runs donotreply.com is Chet Faliszek, one half of the "Chet and Erik" who ran the gaming humor site Old Man Murray and then went on to write the dialogue for Portal.

Incidentally, they never did send me a prize for winning that CrateMaster contest. Bastards! Let me contact our legal department. We'll have Chet's nuts roasting on an open fire.

So, do you think...

[msauve]

that artificial intelligence actually exists, or that an SMTP server has a human routing the mail?

The messages being sent to donotreply.com are being _bounced_ automatically because of some problem, such as having been sent to a misspelled (nonexistent) email address.

The guy has a gold mine, this is illegal...

[msauve]

think about it - the CAN SPAM act makes it a felony for commercial enterprises to "materially falsifi[y] header information," which is EXACTLY what the bozos who cause this problem are doing.

If I owned the domain, I'd be contacting every commercial enterprise who's email got bounced to me, and letting them know that for a nominal fee, they could avoid my getting the feds to take notice of their illegal activities.

Re:The guy has a gold mine, this is illegal...

[JFitzsimmons]

Yay extortion! I'm sure their laywers will love that.

Re:The guy has a gold mine, this is illegal...

[Xanius]

I believe it's called licensing. Common mistake though, the way you inform someone of your intent to license something to them can be the same as the way you tell them you're extorting them.

I see it as he would be leasing them the @donotreply.com email address of their choice and if not then he'll get them in trouble.

Re:The guy has a gold mine, this is illegal...

[budgenator]

but how about this

Dear Sir or Madam;
Your organization has been sending numerous email messages of a commercial nature to our organization in apparent error.
Many of these documents appear to contain sensitive or confidential information and this consumes valuable resources on our part to process these messages in a confidential manner.
Several Federal laws and regulations require level of client professional confidentiality such as SEC regulations and HIPPA.
Several Federal laws prohibit transmission of unsolicited commercial Emails such as the Junk Fax Act and the CAN-SPAM act, and allow for monetary compensation to injured parties.

Please enclose a check for $5,000.00 to cover our expenses and to insure we have sufficient resources to remove these messages in a confidential manner, and promise to not seek relief through litigation for messages received to date. If we do not receive your check within 90 days we will assume that these messages were sent to our organization as a gift and will do with them as we see fit.

In the future, you'll may find it more economical to study a document known as Request for Comments: 2606, Reserved Top Level DNS Names published by the Network Working Group if the Internet Engineering Task Force, RFC2006 recommends using the domain names invalid.com, or localhost. Using these domain names will keep your emails from being routed on the internet.
regards; Budgenator@example.com

Now you are offering them valuable consideration in return for their money and are not committing extortion or blackmail, just make sure it's vetted by your lawyer and enjoy.

Re:Heh - Been there, done that

Could you imagine the look on that drug store clerk's face while he was selling 10 boxes of "extra pleasure" condoms to the gradma?

Foo@bar.com has been my secretary

[OMNIpotusCOM]

for years and he never complains. I liked the Wikileaks idea though.

Idiots are everywhere

[wsanders]

AT least the domain is in the hands of a white hat.

I've seen all kinds of amazing stuff on fax machines - a similar situation:

- Construction documents for a part to a Trident nuclear submarine
- DMV record searches
- Results of drug tests
- Not to mention the occasional credit card number

Remember, kiddies, the law is not on your side. I someone accidentally emails you a credit card number, and you use it, it's still fraud.

Re:Idiots are everywhere

[russotto]

Remember, kiddies, the law is not on your side. I someone accidentally emails you a credit card number, and you use it, it's still fraud.

Yeah, but if someone accidentally emails me a credit card number and I "accidentally" connect up to an open wireless access point and enter that number at a phishing website, the law's not going to be looking for me, most likely.

Re:Stupid on both sides Luck *I* don't own that do

[davidsyes]

main.

If *i* received threatening letters from lame-ass lawywers, i'd set up a business with some RU domain and give them 35% or 55% cut for dealing with such lawyers. Maybe, charge the companies misusing the donotreply.com name. i won't TELL the RU side what to do, but i am sure that once they feel "their profits" being withheld, they'll pay a visit to ALL those lazy slobs misusing "donotreply.com".

But, even if "my people" don't get directly in touch with "their people", just the sheer fear ALONE should force the US government to compel at least military contractors to CLEAN THEIR SHIT UP. Then, start pouncing on the other, non-DOD abusers. Of course, over time, i would eventually see a loss in profits as the cleanup ensued.

none@yo.biz

[Sowelu]

I used to use the email address 'none@yo.biz' a long time ago, when forced to provide an email address that I knew would only bring me pain (ie marketing emails). It's not my fault that, a few years later, .biz became a REAL TLD.

Re:Stupid on both sides That'd be a first... Toxic

[davidsyes]

Shock Syndrome CORRECT Douche... He'd toxically shock them with a bill. After all, it's the abusers who are leaving him with the "bag". He's just making lemonade out of lemons from lemurs.

This happened with PO boxes as well...

[mikael]

This used to happen to people who owned PO Boxes in foreign countries. One time, some people working on charity work kept getting junk mail for fertilizer delivered to their PO Box in Africa. Because they were so far away from the local post office, collecting mail involved a long jeep drive into town to collect the mail from the PO Box. They would be charged a small service fee every time this happened. Despite numerous requests to get the junk mail canceled, the company wouldn't give up. So they go some friends to send back a large box of soil samples through the international Payment-On-Delivery system. They never received another leaflet from the company.

who@givesafuck.com

[steppin_razor_LA]

I used to own givesafuck.com and tried using that as a "for fun" email address (i.e. easy for people to remember). I had to give it up because of the same issues. People were constantly making it up as a fake email address. I amused myself a few times by logging into the accounts people created with my email address and resetting their passwords/etc, but eventually give it up due to the spam load...

noreply@example.com, noreply@here.invalid

[argent]

example.com and the invalid tld are supposed to be used for these things.

Harvest addresses, sell to spammers

[chmilar]

The guy could make a lot of money harvesting the email addresses, and then selling lists to spammers.

Anyone dumb enough to reply to "donotreply" is likely to buy products from spam emails!

He could probably filter into lists based on the mail initiator, and the contents of the original email (quoted in the reply). Plus, the harvested emails are from currently active, valid accounts. These targeted lists of high-quality chumps would be worth paying extra for.

Re:Harvest addresses, sell to spammers

There's probably a lot more money to be made by having a law student sue all the companies that use donotreply.com in a small claims court under the CAN-SPAM act on a contingency basis (e.g. for 1/2 of the proceeds).

well

[overcaffein8d]

there's always http://mailinator.com/

example.com or invalid or donotreply.mydomain.com

[billstewart]

Handing bogus traffic to other people is rude at best, even if it hadn't occurred to you that somebody would register donotreply.com. And any traffic they're getting is either bogus traffic (because people didn't read the message that said to click the web link, not to reply) or autoreplies from robots.

Handing mail to example.com is more or less fine - originally there wasn't anything there, though the fine people at ICANN decided to put an explanatory web page there; AFAICT, telnet example.com 25 times out. And "invalid"'s even better, since it NXDOMAINs, and you can use addresses like donotreply@really.donotreply.invalid.

But you can also manage it yourself - use a subdomain like donotreply.mydomain.com, with some appropriate treatment like NXDOMAIN or a stub email server that replies "554 we told you donotreply, please use the URL in our email" or points to 127.0.0.86 or whatever. That way it's obvious who;s managing it.

Of course, if you're using donotreply.com because you're a spammer, none of these explanations matter to you, because you're a rude nyeculturny thug who doesn't mind bothering people. And some fraction of the people who reply to those will be including their credit card numbers, mother's maiden name, and postal address, so that they can collect the Microsoft Lottery or order their Nigerian Herbal Fake Viagra, and well, more power to the folks at donotreply.com for offering to educate those poor suckers :-)

Chet is the Dude

[Dynamoo]

I've known Chet (in an online sense) for years now. Donotreply.com is a stroke of genius, but I suspect the sheer volume of crud keeps it from being updated more. If you want to have a look at another much more disturbing property of Chet's, check out Portal of Evil. Classy!

Hmm that get me thinking...

[Neanderthal+Ninny]

I wonder about "uraasshole.com", "cantyouread.com" or "wtf.com".

Maybe...

[msauve]

but that's not a forgone conclusion.

"Under the common law and many statutes, an intent to take money or property to which one is not lawfully entitled must exist at the time of the threat in order to establish extortion...A person who acts under a claim of right (an honest belief that he or she has a right to the money or property taken) may allege this factor as an Affirmative Defense to an extortion charge. What constitutes a valid claim of right defense may vary from one jurisdiction to another. For example, M, a department store manager, accuses C, a customer, of stealing certain merchandise. M threatens to have C arrested for Larceny unless C compensates M for the full value of the item. In some jurisdictions it is only necessary for M to prove that he or she had an honest belief that C took the merchandise in order for M to avoid an extortion conviction. Other jurisdictions apply a stricter test, under which M's belief must be based upon circumstances that would cause a reasonable person to believe that C took the item. Another, more stringent, test requires that C in fact owe the money to M."

If by putting fake header in an email, you're filling my email inbox, you're causing me damage, both in terms of stolen resources (you are consuming both bandwidth and storage space, both of which I pay for), and my own time in sorting through the chaff. You owe me for my costs, both in actual dollars and in time and effort. You can choose pay me a reasonable fee to cover my costs and efforts, or I'll let the government show you why you shouldn't have done it in the first place.

BTW, don't assume that law is the same as ethics. There are a lot illegal actions which are perfectly ethical, and vice versa. I choose ethics over law (which, at least in the US, has little meaning).

Re:Heh - Been there, done that

So TrtleGrl69@aol.com is Chad Weaver? Nice screen name. That screen name is enough for me to not take a complaint seriously. Especially knowing that it is representing a guy.

Riiiight.....

[raehl]

Now that I have thought about it a bit more, this is about the money. If they put donotreply@companydomain.com, then the inevitable replies would eat up their bandwidth and processing power on their incoming mail servers.

Because people receiving millions of spam emails a day really care about an extra couple thousand spurious do-not-reply replies.

Emails unwittingly sent in reply to do-not-reply emails consist of such a MINUTE FRACTION of total email traffic it's not even a cost worth worrying about.

at least the US

[thegnu]

I choose ethics over law (which, at least in the US, has little meaning).

Because the laws are better in umm... errr... hmmm... uhh... min...istan?

Re:at least the US

[tsm_sf]

No offense, but attitudes like that will kill this country. The "good enough" or "at least we're better than X" line of thought leads us into a race to 2nd from the bottom.

Re:at least the US

[matpod]

in an 'us and them' race, 2nd from the bottom is the place to be ;)

Re:at least the US

[thegnu]

My attitude that the laws here are no match for ethics, and I can only think of an imaginary country where the laws are relatively representative of ethics? I'm not sure you understood what I meant.

In this whole Rev. Wright thing, it's become very very apparent how the media neglects their responsibility to a)elevate the dialog and b)at least show a 5-minute clip before condemning a man. People expect all of their leaders to be saints, and it's ridiculous.

The only thing that Rev. Wright said that was ridiculous was that the govt created the AIDS virus to kill black people. But then, he also believes in a homonid living in the sky, so I give him a free pass on that. Beyond that, he said:

1. God doesn't bless America for killing innocent people, he damns America for killing innocent people.
2. And he said that our violence in the world begets violence at home.

Which are both teachings straight from the motherfucking Bible, everybody. People are pissed because a preacher preaches from the Bible? Come the fuck on.
[/tangent]
oh, look at that. my captcha is "tedious". :-)

Re:at least the US

[tsm_sf]

I did totally misunderstand you.

NO! not example.com

[reiisi]

donotreply@we-really-mean-it.invalid, maybe, as has been mentioned.

But, of course, if they have so much traffic going to their do-not-reply address (after filtering spam), they have a serious business problem that they are trying to solve by opening a hole to someone else's cistern. That is not a good indication for the future of the business.

Serious business problems are all too often just tomorrow's business opportunity come knocking in disguise.

ITYM

[reiisi]

com.test and com.invalid are implicitly mentioned, but they aren't in use.

mod ac parent up!

[reiisi]

(Helping the clueless see the clues, maybe:)

Those are RESERVED names, which means you're not supposed to use them in internet traffic. It is really stupid to put a return address which is not under your control in your emails, no matter if that is a valid third-party-address, an invalid address or a reserved but technically valid address. You do not want emails to you to end up anywhere else, not even in the case of a misconfiguration (for example, when the postmaster of the remote MTA redirects mail addressed to reserved domains to a local address to keep them from going on the net in the event of DNS problems, etc. etc.) You do want all mail meant to reach you to arrive at your MTA, where it can be accepted, dropped or rejected. You also want to encrypt all emails which contain confidential information and make your business partners encrypt all email as well.

filter and sort

[reiisi]

Internal mail to donotreply@company.com in one bucket.

Further sort that bucket by obviously forged headers and go hunting for deployed bots to re-format.

The rest of the internal stuff goes to the internal ombudsman, who is instructed to scan for serious issues and bounce the rest back to the replier, possibly CC-ed to the replier's manager, with a note that donotreply means do not reply.

Costs a little, but drastically improves both internal communication and the rate of finding the bots.

External stuff into another bucket, again sorted into spam (to the null device, unless the company can afford to hire someone to examine the spam for attacks), bounces, and possible valid attempts to contact the company. Send the latter to customer service. Even the bounced addresses could be used to trim the promotional mailing lists.

When there is too much of the stuff going either to the ombudsman or to customer service, something is wrong. Management should want that information so they can go try to find out what's wrong and fix it.

Information is useful. Why should people in IT be helping their companies throw out potentially useful information?

crudware.com == Microsoft

[flyingfsck]

An interesting trick: Type crudware.com into the Firefox address bar. It will do a Google 'I'm Feeling Lucky search and send you to Microsoft! Honest! Try it!

But you're still running from the problem.

[reiisi]

That mail that goes to whatever donotreply address you are using has useful information in it, along with the spam.

Apply spam filters, send the rest to customer service. If there's still too much for them to handle, their management can determine criteria for tossing some of it, and IT should help them set the filters.

bounces are easy to filter

[reiisi]

I know, it's the one-man shop, and he has a deadline to meet after he gets his microsoft server 2000 box set up.

Someone needs to educate him on lost business opportunities. Then he knows how to bill himself for the hour or two setting the filters up.

Re:Heh - Been there, done that

[Agripa]

The worm like creature you found - was it alive?

Did it taste good?

My response would be based on an apocryphal story about a homemaker who wrote a similar letter of outrage to Quaker Oats expressing her displeasure after finding weevils in her newly opened cylinder of oats. She received a copy of her original letter stamped:

Send this chick the bug letter.

mail server without a domain name?

[reiisi]

I know people do it, but why?

I would tend to think that the mail server without the domain name is a symptom of the problem to be solved first. If you have some situation where you're sending mail and don't want replies, you really should be questioning why you are sending e-mail.

One-way communication is not communication. If there is a reason to send something, there is a reason to at least accept an ack.

Otherwise, you're like the guy who hires kids to go plaster the town with handbills and doesn't care about the litter left behind, or the bundles of handbills that get dumped in dumpsters instead of handed out. Maybe you think you can't afford to deal with it, but it's bad business practice, and is someday going to eat your lunch (cost you fines, get your company boycotted, result in deforestation, etc.).

Re:mail server without a domain name?

[mabhatter654]

great explanation!

I like the idea that other people have of using a "blackhole" email address on YOUR domain, because that can be setup to not even send the mail from the responders servers. But you are correct, how useful is an email if you don't allow the regular "reply" button to work?

He was leaving a step out, I suppose ...

[reiisi]

... in solving the larger problem.

Even when you ostensibly don't want replies, putting up a brick wall is just bad business. Lots of lost opportunities.

Spam filter the donotreply@companydomain.com mail, and send the rest to customer service if external source, or the ombudsman if internal. Otherwise, you're losing important information.

donotreply@companydomain.com.invalid might be useful in some cases where you want people to at least be thinking far enough to strip the .invalid before hitting the send button.

Although, if I really did have a reason to build a brick wall, donotreply@nodnsrecords. companydomain.com or donotreply@blackholeontheborder.companydomain.com would serve to at least keep the potentially embarrassing stuff bound back to my domain before hitting the bit bucket.

You really don't want to tell people to not reply at the same time as telling them (via the headers) to go shout their replies on some arbitrary street corner in some arbitrary city where you won't ever know that they are embarrassing you or worse. (passwords, credit card numbers, etc. kind of embarrassment.)

nospam.com

[reiisi]

My memory is that used to be a legitimate a-mail provider.

not stupid

[reiisi]

He bought it as a joke, he said.

He infers that he is keeping it as a public service.

If I had the money and time, I think I'd do the same.

But I'd also load my site with pages that show the places to make appropriate minimal settings with the common servers, and the explanations of how each option works.

And at the bottom of each page offer consultation on mail setup for doing a proper job of catching the donotreply replies and filtering and sorting them.

node.com had similar problems.

[Ungrounded+Lightning]

Node.com had a number of similar problems.

It first existed before canned sendmail configurations from vendors were common, when mail bounced from site to site much like Internet packets from router to router (rather than straight over the net to the target's Mail Transfer Agent), and most sites hacked up their own MTA configurations. A significant number of system administrators (especially at big companies and universities) got the bright idea that their users were likely to follow the manual too closely and send mail to "user@node.com". So they'd hotwire their MTA config such that mail to "@node.com" would bounce the mail with a friendly note to the user.

Of course that massively disrupted mail to node.com. So the sysadmin, from time to time, had to hunt down another "helpful" site's mail admin and educate him.

He also set up a "user"(@node.com) account and used the "vacation" program to send the "helpful letter", thus providing the service for the entire net. Vacation saves the incoming mail, too. It turns out the "problem" was essentially non-existent. "user@node.com" only got one or two mails per month - at least until some idiots used "user" and "node.com" as the default fields in their mailing list signup pages... And then the spammers got hold of it...

Irony

[jvschwarz]

Perfect timing on this article.

Earlier this week I was put on a project to provide an encrypted email solution between our company and one of the companies listed on the donotreply site. I haven't decided on how to use this information yet!

Re:example.com or invalid or donotreply.mydomain.c

[Vertigo+Acid]

And yet, you aren't even practicing what you preach.
I'm sure the folks at mydomain.com are tired of getting bogus traffic from people writing examples with their domain rather than a .example TLD

My phone # gets you good info and pizza.

[professorguy]

My home phone ends with 9800 and the local pizza parlor's phone is 9700. It's not a busy place and we get maybe a call or two a month (at dinner time of course).

I thought about what to do and here's my solution: When someone calls for a pizza I say "you probably want xxx-9700, his pizza is great." A friendly person who gives you useful information in response to a mistake--it's so rare and unlikely, most people are very nice and I never seem to have to give it out twice to the same person.

Jeez. Is it so hard to be nice? Sure, I could screw the pizza place, but I don't understand why I should. The guy's just trying to make a living, which is hard enough without some misguided vigilante punishing your customers for an honest mistake.

Re:My phone # gets you good info and pizza.

[zotz]

"Jeez. Is it so hard to be nice? Sure, I could screw the pizza place, but I don't understand why I should. The guy's just trying to make a living, which is hard enough without some misguided vigilante punishing your customers for an honest mistake."

When I get mistaken numbers here, I am nice about it. But if you read my original post on this, it was not a case of a business customers dialing the wrong number at any time. It was a case of the company's employees calling the wrong number in the middle of the night and waking up the household. And then getting biggity about it. A whole nother ball game.

all the best,

drew
http://packet-in.org/wiki/index.php?title=Main_Page
Packet In - net band