What Happens To Bounced @Donotreply.com E-Mails
An anonymous reader writes "The Washington Post's Security Fix blog today features a funny but scary interview with a guy in Seattle who owns the domain name donotreply.com. Apparently, everyone from major US banks to the Transportation Security Administration to contractors in Iraq uses some variation on the address in the "From:" field of all e-mails sent out, with the result that bounced e-mails go to the owner of donotreply.com. 'With the exception of extreme cases like those mentioned above, Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It's just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails.'"
It's not like he didn't see it coming -- "Unauthorized use of this domain gives me full rights to post any emails involved using the unauthorized address. Don't like it? Don't use it." The website is a blog based on the email he receives at the domain. Exploitative it may be, but I thought most folks with sense used "noreply@ourcompany.com" or variations thereof.
RFC 2606 (dated June 1999) solves this problem by defining reserved domains such as "example.com" (for use in documentation) and:
".invalid" is intended for use in online construction of domain names that are sure to be invalid and which it is obvious at a glance are invalid.
ICANN reserved example.com, example.org and example.net for use in documentation and other places where you want to put an "example" domain name, but I find that most people are not aware of this. Email sent to these domains is discarded.
For reply addresses, a more reasonable protocol would be to use the sender's actual domain but with an invalid username, as Poromenos1 suggests. A further problem of using a domain not your own as a sender address is that the recipient's email server may block it due to SPF records or other checks on sender domains.
I remember once getting an incensed missive from the owner of asdfg.com who complained about emails we were sending him regarding updates of our product. Turned out that a user had entered that domain when he registered the product in an attempt to not get our emails.
May I suggest reading RFC 2606, Reserved Top Level DNS Names. There is example.com for a reason.
http://tools.ietf.org/html/rfc2606
Surely they should use example.com (Documented in RFCs to never be a real domain). It has no MX and points to a simple web page that just says it's an example for documentation and gives a link to the relevant RFC.
donotreply.invalid or example.com. These are reserved for just this sort of thing by RFC 2606.
In a similar manner, people wanting fake IP addresses to use for documentation, training, etc., should use addresses in the 192.0.2.0/24 range, which is reserved by RFC 3330.
"National Security is the chief cause of national insecurity." - Celine's First Law
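Added example, not code from any poster in the thread: a small check that classifies the domain of an outgoing "From:"/"Reply-To:" address as RFC 2606 reserved, as a domain (or subdomain) the sender actually controls, or as somebody else's domain, whose owner would receive the bounces just as donotreply.com's does. The set of owned domains is an assumed input.

```python
from email.utils import parseaddr

# Added example (not from the thread). RFC 2606 section 2 reserves these TLDs
# and section 3 reserves the three second-level example names.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}


def classify_sender(address: str, owned_domains: set[str]) -> str:
    """Return 'reserved', 'owned', 'third-party' or 'malformed' for an address.

    owned_domains is the (assumed) list of domains this sender controls;
    any subdomain of one of them counts as owned too.
    """
    _, addr = parseaddr(address)          # strips a display name, if any
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if not domain:
        return "malformed"
    tld = domain.rsplit(".", 1)[-1]
    if domain in RESERVED_DOMAINS or tld in RESERVED_TLDS:
        return "reserved"                 # mail to it is discarded or NXDOMAINs
    for owned in owned_domains:
        owned = owned.lower()
        if domain == owned or domain.endswith("." + owned):
            return "owned"                # bounces come back to you
    return "third-party"                  # bounces go to a stranger
```

Run it over the addresses your mail templates use; anything reported as "third-party" is handing your bounced mail, and whatever replies contain, to a domain you do not control.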
Whether it is arcane or not is debatable, but the CAN-SPAM Act of 2003 specifically prohibits using a false "From" header.
http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.shtm
"It bans false or misleading header information. Your email's "From," "To," and routing information - including the originating domain name and email address - must be accurate and identify the person who initiated the email."
The guy who runs donotreply.com is Chet Faliszek, one half of the "Chet and Erik" who ran the gaming humor site Old Man Murray and then went on to write the dialogue for Portal.
Incidentally, they never did send me a prize for winning that CrateMaster contest. Bastards!
Visual IRC: Fast. Powerful. Free.
Handing mail to example.com is more or less fine - originally there wasn't anything there, though the fine people at ICANN decided to put an explanatory web page there; AFAICT, telnet example.com 25 times out. And "invalid"'s even better, since it NXDOMAINs, and you can use addresses like donotreply@really.donotreply.invalid.
But you can also manage it yourself - use a subdomain like donotreply.mydomain.com, with some appropriate treatment like NXDOMAIN or a stub email server that replies "554 we told you donotreply, please use the URL in our email" or points to 127.0.0.86 or whatever. That way it's obvious who's managing it.
Of course, if you're using donotreply.com because you're a spammer, none of these explanations matter to you, because you're a rude nyeculturny thug who doesn't mind bothering people. And some fraction of the people who reply to those will be including their credit card numbers, mother's maiden name, and postal address, so that they can collect the Microsoft Lottery or order their Nigerian Herbal Fake Viagra, and well, more power to the folks at donotreply.com for offering to educate those poor suckers.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
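The "stub email server" the post above suggests, as an added example that is not the poster's code: it speaks just enough SMTP to greet, accept MAIL FROM, and refuse every RCPT TO with a permanent 554 pointing people back to the URL in the original mail. The hostname, port and reply text are placeholders.

```python
import socketserver

# Added example, not from the thread: hostname, port and reply text are placeholders.
REJECT_TEXT = "554 5.7.1 we told you donotreply, please use the URL in our email"

class DoNotReplyStub:
    """Minimal SMTP responder: greets, accepts MAIL FROM, refuses every RCPT TO."""

    def __init__(self, hostname: str = "donotreply.mydomain.example") -> None:
        self.hostname = hostname
        self.closed = False

    def banner(self) -> str:
        return f"220 {self.hostname} ESMTP donotreply stub"

    def respond(self, line: str) -> str:
        """Return the reply for one client command line."""
        verb = line.strip().split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            return "250 2.1.0 OK"  # accept, so the client proceeds to RCPT
        if verb == "RCPT":
            return REJECT_TEXT     # permanent failure: there is no mailbox here
        if verb in ("RSET", "NOOP"):
            return "250 2.0.0 OK"
        if verb == "QUIT":
            self.closed = True
            return f"221 2.0.0 {self.hostname} closing connection"
        return "502 5.5.2 command not implemented"

class StubHandler(socketserver.StreamRequestHandler):
    """One TCP connection, CRLF line protocol; plug into socketserver.TCPServer."""
    def handle(self) -> None:
        stub = DoNotReplyStub()
        self.wfile.write((stub.banner() + "\r\n").encode())
        while not stub.closed:
            line = self.rfile.readline().decode(errors="replace")
            if not line:  # client hung up
                break
            self.wfile.write((stub.respond(line) + "\r\n").encode())

def run_exchange(commands: list[str]) -> list[str]:  # scripted session -> server replies
    stub = DoNotReplyStub()
    replies = [stub.banner()]
    for cmd in commands:
        replies.append(stub.respond(cmd))
        if stub.closed:
            break
    return replies
```

Serve it with `socketserver.TCPServer(("127.0.0.1", 2525), StubHandler).serve_forever()` (or a privileged port 25) and point the subdomain's MX record at that host, so bounces and replies fail fast with a message that names you as the one managing it.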
Not quite. .invalid is an official TLD.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)