Slashdot Mirror
What Happens To Bounced @Donotreply.com E-Mails
An anonymous reader writes "The Washington Post's Security Fix blog today features a funny but scary interview with a guy in Seattle who owns the domain name donotreply.com. Apparently, everyone from major US banks to the Transportation Security Administration to contractors in Iraq use some variation on the address in the "From:" field of all e-mails sent out, with the result that bounced e-mails go to the owner of donotreply.com.'With the exception of extreme cases like those mentioned above, Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It's just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails.'"
wikileaks might be a good place to expose those documents. Hey, They sent them to YOU. It's will only take a few and this will be curbed.
The Kruger Dunning explains most post on
What idiot decided this was good policy anyway? What happened to donotreply@companydomain.com?
Send email from the afterlife! Write your e-will at Dead Man's Switch.
It's not like he didn't see it coming -- "Unauthorized use of this domain gives me full rights to post any emails involved using the unauthorized address. Don't like it? Don't use it." The website is a blog based on the email he receives at the domain. Exploitative it may be, but I thought most folks with sense used "noreply@ourcompany.com" or variations thereof.
DONTOREPLY.COM is available! Probably gets about as much crap - even slashdotters can't profread.
No comprende? Let me type that a little slower for you...
There's gotta be some ridiculously arcane law on the books somewhere whereby the practice of using a false "from" header would be considered forgery.
This guy's the limit!
Sounds like he is the one being hurt here. Of course somebody has to own that domain (I guess) and he decided too. Terrible domain name, but still not his fault.
Which brings me to:
All of these organizations and companies are just being cute by forging their FROM headers. Technically that should not be allowed, but you can do it anyways. They don't want to deal with it and they create "one-way" traffic by inserting bogus information into that header.
The problem is that bogus information is an actual domain that is active and running a mail server. They are treating it like is a reserved word.
The lawsuits are funny, since the header information will show conclusively that those people intentionally redirected the traffic to this guy. If anything, he can counter-sue.
The only thing I can think of is that donotreply.com becomes a reserved word, which is probably easier than getting all those mail administrators to change their behavior, or to get smarter.
In any case, the domain owner is without fault on this one. Unless you count being stupid as a fault, which picking that domain is a little unwise.
I find myself in a somewhat similar situation. I was supposed to do some work for a company who later ended up folding because of 'bad management', and I was left holding the bag on the domain I purchased at their instruction, that they never paid me for.(they didnt want to buy it, I dont know?).
Other than getting all the requests for 'why havent you paid us yet', the end result is that almost 2 years later these people are COMING AFTER ME WITH A CEASE AND DESIST LETTER and demanding that I turn over this domain and others to them for free because it 'infringes on their copyright'. Although, I honestly can say Im not suprised that Caton Commercial, the real estate company who is operating as the umbrella company for all these shell companies who eventually go under, doesnt know its ass from a whole in the ground.
Knowing full well that this sort of behavior is borderline as far as being professional, I posted the full contents of the Cease and Desist Letter sent by a Mr John Argoudelis online so anyone thinking of working with this company may come across this sort of behavior and maybe think twice. Lawyers and Real Estate agents.... whew... what a combo of integrity!
The company is also involved in numerous court cases relating to other aspects of their business practices. Ive posted a short description of the Will County court cases that caton commercial is involved in at my blackjack and hookers site.
In fact, forget the blackjack!
1. Company A uses companya@donotreply.com as it's return address
2. Donotreply owner sets up an autoreply for companya@donotreply.com. This auto-reply should be inappropriate, goatse is definitely an option.
3. Company A loses customers in droves, problem solved.
There is no reasonable defense against an idiot with an agenda
:wq
RFC 2606 (dated June 1999) solves this problem by defining reserved domains such as "example.com" (for use in documentation) and:
".invalid" is intended for use in online construction of domain
names that are sure to be invalid and which it is obvious at a
glance are invalid.
ICANN reserved example.com, example.org and example.net for use in documentation and other places where you want to put an "example" domain name, but I find that most people are not aware of this. Email sent to these domains is discarded.
For reply addresses, a more reasonable protocol would be to use the sender's actual domain but with an invalid username, as Poromenos1 suggests. A further problem of using a domain not your own as a sender address is that the recipient's email server may block it due to SPF records or other checks on sender domains.
I remember once getting an incensed missive from the owner of asdfg.com who complained about emails we were sending him regarding updates of our product. Turned out that a user had entered that domain when he registered the product in an attempt to not get our emails.
Because I have the existential geek name, as it appears in so many tech books, I registered Fredtest.com. You would be surprised how many other IT Fred's out there send mail to Fred@fredtest.com.
I got bored with replying (some guy in SanDiego is a real estate agent for ReMax, I don't think he ever got it), so I just limited what my mail server will accept.
Now it just bounces back to the sender and hopefully they think "oops, perhaps I shouldn't do that", which is what I believe this guy should do. Discourage the bad behavior, don't exploit it.
FLR
Just a minute, my boss just walked up with a box.
For a long time, I had the screen name "File" on AOL. I'm not sure where the practice originates (perhaps Lotus), but many, many AOL users would compose an email and cc it to "File" thinking they were saving a copy for themselves. I wound up with all sorts of interesting stuff over the years.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Many years ago I (briefly) owned the e-mail address uucp@aol.com, which received all sorts of interesting messages from platforms that blindly assumed everyone else was running Unix too. After suspending the address and asking AOL to put it on their reserved list (which they did), I wrote it up for the RISKS Digest.
He should provide a search feature for all the email, archive it. and then sell full content any email on the site for $1. There might be interesting stuff he's catching, especially if legal departments of various companies are going after him.
(no I didn't RTFA)
“Common sense is not so common.” — Voltaire
I remember during my very first paying job as a sysadmin (1997-ish), I was tasked to set up a new mail server. For some reason, I decided as part of my testing to send email to an "invalid" remote address that I came up with off the top of my head (bob@bob.com I think it was, or maybe foo@foo.com or something like that). So, I wrote a script that just sent thousands of emails out at once to this address. Within maybe 20 minutes, I get an angry phone call from the domain owner telling me to stop spamming him.
I learned my lesson, though. Now I never put my real phone number in the whois record for my domains.
Excellant!
A Quad-core xeon?
Karnal
That's so unprofessional!
I always just use me@yourmomshouse.com.
MHNATY.
Reminds me of when I was the email admin at Hershey Business Systems - a Los Angeles based integrator - in the '90s. Because the domain - hbsi.com - was taken, the owners took hershey.com back in 1994.
... will continue to write you until I get a response.
My favorites:
Sent: Sunday, July 04, 1999 8:12 AM
To: kai@hershey.com
Subject: From: Kim!!
Hi! grandma I am so thankful that you came all the
way from Florida to see me and by the way..... thanx
for the choc cookie!! and next time you come over
could you bring the extra pleasure condoms. I need
them for me and Ryan.
love you Grandma!!
Kim
Sent: Monday, July 05, 1999 12:09 PM
To: Kim
From: Kai
Subject: From: Kim!!
Kim:
We are not your grandmother.
Kai Ponte
Hershey Business Systems
Then there was this one from an AOL member (figures):
From: TrtleGrl69@aol.com
Sent: Wednesday, August 11, 1999 2:19 PM
Subject: no response to our email dealing with
dead bugs in my payday
I am extremely disappointed at the fact you have not
responded to this incident. I'm upset that I purchased a
payday and began eating it and ended up seeing a worm like
bug with bug carcasses and holes in and on the candy
bar.
I
Talk about extremely bad customer service.
Chad Weaver
I liked my response:
From: Ponte, Kai <kai@hershey.com>
Sent: Monday, August 30, 1999 7:20 AM
To: TrtleGrl69@aol.com
Subject: RE: no response to our email
dealing with dead bugs in my payday
The worm like creature you found - was it alive?
Did it taste good?
Kai Ponte
Information Technology Specialist
Hershey Business Systems
The Kai's Semi-Updated Website Thingy
donotreply.invalid or example.com. These are reserved for just this sort of thing by RFC 2606.
In a similar manner, people wanting fake IP addresses to use for documentation, training, etc., should use addresses in the 192.0.2.0/24 range, which is reserved by RFC 3330.
"National Security is the chief cause of national insecurity." - Celine's First Law
You can't take the sky from me...
Actually that one is taken and its DNS is: {ns1/ns2.anything.com}. I fully agree these are overly generic (both of the past domains qualify) and should be 'reserved' for nobody, and that isn't {nobody.com}... It all depends on who runs the TLD. Some are more permissive than others. Playing 'by the book', '.com' probably allows some very tacky names -- Its a 'generic domain'. A geographic TLD would take quite some care to avoid misuse. Clearly, names of government agencies are to be avoided, but does '.com'? I don't think any individual would ever get, {fbi.us} or, heaven forbid, {irs.us} or here, {avid.nl} or anything with 'belasting' in it, unless you really are the 'tax people'.
At first I thought all this (domain hacks) was quite funny. However, it is unfortunate so many see the net as one big crime spree.
The guy who runs donotreply.com is Chet Faliszek, one half of the "Chet and Erik" who ran the gaming humor site Old Man Murray and then went on to write the dialogue for Portal.
Incidentally, they never did send me a prize for winning that CrateMaster contest. Bastards!
Visual IRC: Fast. Powerful. Free.
think about it - the CAN SPAM act makes it a felony for commercial enterprises to "materially falsifi[y] header information," which is EXACTLY what the bozos who cause this problem are doing.
If I owned the domain, I'd be contacting every commercial enterprise who's email got bounced to me, and letting them know that for a nominal fee, they could avoid my getting the feds to take notice of their illegal activities.
"National Security is the chief cause of national insecurity." - Celine's First Law
for years and he never complains. I liked the Wikileaks idea though.
This used to happen to people who owned PO Boxes in foreign countries. One time, some people working on charity work kept getting junk mail for fertilizer delivered to their PO Box in Africa. Because they were so far away from the local post office, collecting mail involved a long jeep drive into town to collect the mail from the PO Box. They would be charged a small service fee every time this happened. Despite numerous requests to get the junk mail canceled, the company wouldn't give up. So they go some friends to send back a large box of soil samples through the international Payment-On-Delivery system. They never received another leaflet from the company.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
I used to own givesafuck.com and tried using that as a "for fun" email address (i.e. easy for people to remember). I had to give it up because of the same issues. People were constantly making it up as a fake email address. I amused myself a few times by logging into the accounts people created with my email address and resetting their passwords/etc, but eventually give it up due to the spam load...
Evolution: love it or leave it
The guy could make a lot of money harvesting the email addresses, and then selling lists to spammers.
Anyone dumb enough to reply to "donotreply" is likely to buy products from spam emails!
He could probably filter into lists based on the mail initiator, and the contents of the original email (quoted in the reply). Plus, the harvested emails are from currently active, valid accounts. These targeted lists of high-quality chumps would be worth paying extra for.
Reading Slashdot is ruining my spelling and grammar.
Handing mail to example.com is more or less fine - originally there wasn't anything there, though the fine people at ICANN decided to put an explanatory web page there; AFAICT, telnet example.com 25 times out. And "invalid"'s even better, since it NXDOMAINs, and you can use addresses like donotreply@really.donotreply.invalid.
But you can also manage it yourself - use a subdomain like donotreply.mydomain.com, with some appropriate treatment like NXDOMAIN or a stub email server that replies "554 we told you donotreply, please use the URL in our email" or points to 127.0.0.86 or whatever. That way it's obvious who;s managing it.
Of course, if you're using donotreply.com because you're a spammer, none of these explanations matter to you, because you're a rude nyeculturny thug who doesn't mind bothering people. And some fraction of the people who reply to those will be including their credit card numbers, mother's maiden name, and postal address, so that they can collect the Microsoft Lottery or order their Nigerian Herbal Fake Viagra, and well, more power to the folks at donotreply.com for offering to educate those poor suckers
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
If by putting fake header in an email, you're filling my email inbox, you're causing me damage, both in terms of stolen resources (you are consuming both bandwidth and storage space, both of which I pay for), and my own time in sorting through the chaff. You owe me for my costs, both in actual dollars and in time and effort. You can choose pay me a reasonable fee to cover my costs and efforts, or I'll let the government show you why you shouldn't have done it in the first place.
BTW, don't assume that law is the same as ethics. There are a lot illegal actions which are perfectly ethical, and vice versa. I choose ethics over law (which, at least in the US, has little meaning).
"National Security is the chief cause of national insecurity." - Celine's First Law
No offense, but attitudes like that will kill this country. The "good enough" or "at least we're better than X" line of thought leads us into a race to 2nd from the bottom.
Literalism isn't a form of humor, it's you being irritating.
Some of them are sad and pitiful, and read a lot like, "Please accept these plans to repay my credit so I can buy my children food this week! I am waiting anxiously to hear from you and your Reply Here link wasn't working so I sent this email instead."
John
Node.com had a number of similar problems.
It first existed before canned sendmail configurations from vendors were common, when mail bounced from site to site much like Internet packets from router to router (rather than straight over the net to the target's Mail Transfer Agent), and most sites hacked up their own MTA configurations. A significant number of system administrators (especially at big companies and universities) got the bright idea that their users were likely to follow the manual too closely and send mail to "user@node.com". So they'd hotwire their MTA config such that mail to "@node.com" would bounce the mail with a friendly note to the user.
Of course that massively disrupted mail to node.com. So the sysadmin, from time to time, had to hunt down another "helpful" site's mail admin and educate him.
He also set up a "user"(@node.com) account and used the "vacation" program to send the "helpful letter", thus providing the service for the entire net. Vacation saves the incoming mail, too. It turns out the "problem" was essentially non-existent. "user@node.com" only got one or two mails per month - at least until some idiots used "user" and "node.com" as the default fields in their mailing list signup pages... And then the spammers got hold of it...
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
My attitude that the laws here are no match for ethics, and I can only think of an imaginary country where the laws are relatively representative of ethics? I'm not sure you understood what I meant.
:-)
In this whole Rev. Wright thing, it's become very very apparent how the media neglects their responsibility to a)elevate the dialog and b)at least show a 5-minute clip before condemning a man. People expect all of their leaders to be saints, and it's ridiculous.
The only thing that Rev. Wright said that was ridiculous was that the govt created the AIDS virus to kill black people. But then, he also believes in a homonid living in the sky, so I give him a free pass on that. Beyond that, he said:
1. God doesn't bless America for killing innocent people, he damns America for killing innocent people.
2. And he said that our violence in the world begets violence at home.
Which are both teachings straight from the motherfucking Bible, everybody. People are pissed because a preacher preaches from the Bible? Come the fuck on.
[/tangent]
oh, look at that. my captcha is "tedious".
Please stop stalking me, bro.