What Happens To Bounced @Donotreply.com E-Mails

An anonymous reader writes "The Washington Post's Security Fix blog today features a funny but scary interview with a guy in Seattle who owns the domain name donotreply.com. Apparently, everyone from major US banks to the Transportation Security Administration to contractors in Iraq use some variation on the address in the "From:" field of all e-mails sent out, with the result that bounced e-mails go to the owner of donotreply.com.'With the exception of extreme cases like those mentioned above, Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It's just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails.'"

*Cough*

[geekoid]

wikileaks might be a good place to expose those documents. Hey, They sent them to YOU. It's will only take a few and this will be curbed.

Re:*Cough*

[slawo]

In return he could sue the hell out of them for falsifying their e-mail headers and addresses and for using his domain name without his permission.
In addition I'm pretty sure someone could probably find a way to use US copyright laws and make them pay money for using his domain name (Intellectual Property) without his permission.

WTF

[Poromenos1]

What idiot decided this was good policy anyway? What happened to donotreply@companydomain.com?

Re:WTF

[iamhigh]

Well, if you are signing up for a network management seminar, or something of the like, then you might also be the person that gets abuse@yourcompany.com, admin@yourcompany.com, it@yourcompany.com and a host of other generic email addresses. So perhaps you don't want them to even have your domain name?

Re:WTF

[LMacG]

Having worked at Capital One, I can assure you that there is absolutely no shortage of idiots running around.

Re:WTF

[gEvil+(beta)]

I already get enough crap email as it is!

- Dylan O'Notreply

Re:WTF

[OglinTatas]

Well, the CEO Don o'Treply was getting tired of getting everyone's bounced emails, THAT's what happened.

Re:WTF

[rkanodia]

Because then, when people reply anyway, you get junk mail at your own servers. Using donotreply.com directs the problem to other people.

Re:WTF

[EdIII]

That is what you are supposed to do of course. If you are operating a mail server you are NEVER supposed to put information for domains you don't control into the headers. That is what spammers do.

Now that I have thought about it a bit more, this is about the money. If they put donotreply@companydomain.com, then the inevitable replies would eat up their bandwidth and processing power on their incoming mail servers.

By forging that information, which is not good policy, they are intentionally redirecting that reply to somewhere else. They may have thought that the sending mail server would simply give a permanent delivery failure notice to the sender, but in this case that forged information leads to an active mail server which accepts all of those emails.

Who is the bigger "butthead" here? The companies intentionally forging their emails or the guy who owns this domain and is exploiting this companies (after they have already harassed him) to save a couple of animals?

Re:WTF

May I suggest reading RFC 2606, Reserved Top Level DNS Names. There is example.com for a reason.

http://tools.ietf.org/html/rfc2606

Re:WTF

[sjames]

Surely they should use example.com (Documented in RFCs to never be a real domain). It has no MX and points to a simple web page that just says it's an example for documentation and gives a link to the relevant RFC.

Re:WTF

[AnotherBlackHat]

If the idea is to pick an email address that isn't in use, I recommend one ending with ".invalid" as in "address@is.invalid" or "noreply@domain.invalid"

Re:WTF

[vux984]

Never attribute to malice, or even conscious though, what can be attributed to incompetence.

Anyone bright enough to -think- having the messages bounce to another domain would save them money should be able to think that maybe just maybe if they have the messages bounce to another domain that this other domain might actually exist, accept that bounced mail, and even read it.

If they really wanted to save money, and not take that risk they could blacklist an address at their mail gates front door. That would eliminate most, but not all the cost of handling the return mail.

And it would be a simple matter to simply have it go to "donotreplay@donotreplay.company.com" which wouldn't have an MX record configured, and would thus never get anywhere. And being a subdomain of your own, it wouldn't be incidently delivered to someone else either.

Re:WTF

[HTH+NE1]

I've always been partial to disabled@bedridden.invalid.

I've also wondered if routing your mail using user%example.org@example.com notation still worked. Could one give out an address like user%example.com@spamfilter.example to run it through a spam filtering service and reject any mail that didn't come via spamfilter.example (if spamfilter.example allowed such relaying syntax)?

Sorry, first disclosure, I can't even patent it now.

Re:WTF

[Myopic]

Even better yet, accept email replies and provide conscientious service to your customers.

Why even have a donotreply@company.com? How about customerservice@company.com? I guess that would make it too easy to get customer service.

Re:WTF

[Damocles+the+Elder]

What's in your inbox?

Re:WTF

[elronxenu]

And that's just fundamentally wrong. You can automatically filter out bounce messages and spam. When a message gets through the first level of checking, it can be tied to a customer, so the support person can know all that there is to be known about the customer at the time of reading the email.

If you're sending communication as email, you should expect communication as email back.

Business plan

[Boa+Constrictor]

It's not like he didn't see it coming -- "Unauthorized use of this domain gives me full rights to post any emails involved using the unauthorized address. Don't like it? Don't use it." The website is a blog based on the email he receives at the domain. Exploitative it may be, but I thought most folks with sense used "noreply@ourcompany.com" or variations thereof.

Stupid on both sides

[EdIII]

Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It's just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails.'"

Sounds like he is the one being hurt here. Of course somebody has to own that domain (I guess) and he decided too. Terrible domain name, but still not his fault.

Which brings me to:

Apparently, everyone from major US banks to the Transportation Security Administration to contractors in Iraq use some variation on the address in the "From:" field of all e-mails sent out, with the result that bounced e-mails go to the owner of donotreply.com.

All of these organizations and companies are just being cute by forging their FROM headers. Technically that should not be allowed, but you can do it anyways. They don't want to deal with it and they create "one-way" traffic by inserting bogus information into that header.

The problem is that bogus information is an actual domain that is active and running a mail server. They are treating it like is a reserved word.

The lawsuits are funny, since the header information will show conclusively that those people intentionally redirected the traffic to this guy. If anything, he can counter-sue.

The only thing I can think of is that donotreply.com becomes a reserved word, which is probably easier than getting all those mail administrators to change their behavior, or to get smarter.

In any case, the domain owner is without fault on this one. Unless you count being stupid as a fault, which picking that domain is a little unwise.

Re:you can own the headline domain

[BenSchuarmer]

I got your email. --Don

I have a suggestion:

[Lxy]

1. Company A uses companya@donotreply.com as it's return address

2. Donotreply owner sets up an autoreply for companya@donotreply.com. This auto-reply should be inappropriate, goatse is definitely an option.

3. Company A loses customers in droves, problem solved.

Re:I have a suggestion:

[zotz]

Sounds a bit like the tactic my grandfather said he used to solve a problem...

He had a phone number for years.

Out of the blue, he started getting calls in the middle of the night from security guards checking in on their rounds.

Seems a security company had started up and had a number close to his and the guards were mistakenly calling his number instead of theirs.

He asked the company to change their number. They said no and told him to change his.

The next time he got a call in the middle of the night, he told the guard that he could go home for the night.

Company calls up the next day all upset that he sent the guard home and telling him he couldn't do that.

He says he could and would keep on as long as the calls continued.

Number changed. Calls stopped.

(This is from memory, the details may not be 100% accurate, the gist of the story is as he told me.)

all the best,

drew
http://packet-in.org/wiki/index.php?title=Main_Page
Packet In - net band. Libre music available gratis. Could be for a limited time only. Then again, it could last as long as copyrights...

RFC 2606

[mmontour]

RFC 2606 (dated June 1999) solves this problem by defining reserved domains such as "example.com" (for use in documentation) and:

            ".invalid" is intended for use in online construction of domain
            names that are sure to be invalid and which it is obvious at a
            glance are invalid.

I did this once.

[ScottForbes]

Many years ago I (briefly) owned the e-mail address uucp@aol.com, which received all sorts of interesting messages from platforms that blindly assumed everyone else was running Unix too. After suspending the address and asking AOL to put it on their reserved list (which they did), I wrote it up for the RISKS Digest.

Re:I did this once.

[kju]

I had a similar experience. A mobile phone operator (now defunct) allowed its customers to get mailadresses under their domain. So i got postmaster@domain which was accepted happily by the system. I deleted the alias a few days later though, because the amount of mail really got out of hand. I heard from another sysadmin who using the forged name "Andreas Buse" registered the mailadress abuse@... with his provider. :-)

Reminds me of my younger days

[eln]

I remember during my very first paying job as a sysadmin (1997-ish), I was tasked to set up a new mail server. For some reason, I decided as part of my testing to send email to an "invalid" remote address that I came up with off the top of my head (bob@bob.com I think it was, or maybe foo@foo.com or something like that). So, I wrote a script that just sent thousands of emails out at once to this address. Within maybe 20 minutes, I get an angry phone call from the domain owner telling me to stop spamming him.

I learned my lesson, though. Now I never put my real phone number in the whois record for my domains.

Re:Never thought of "donotreply.com"

[rasman1978]

That's so unprofessional!

I always just use me@yourmomshouse.com.

Heh - Been there, done that

[filesiteguy]

Reminds me of when I was the email admin at Hershey Business Systems - a Los Angeles based integrator - in the '90s. Because the domain - hbsi.com - was taken, the owners took hershey.com back in 1994.

My favorites:

Sent: Sunday, July 04, 1999 8:12 AM
To: kai@hershey.com
Subject: From: Kim!!
Hi! grandma I am so thankful that you came all the
way from Florida to see me and by the way..... thanx
for the choc cookie!! and next time you come over
could you bring the extra pleasure condoms. I need
them for me and Ryan.
love you Grandma!!
Kim

Sent: Monday, July 05, 1999 12:09 PM
To: Kim
From: Kai
Subject: From: Kim!!

Kim:

We are not your grandmother.

Kai Ponte
Hershey Business Systems

Then there was this one from an AOL member (figures):

From: TrtleGrl69@aol.com
Sent: Wednesday, August 11, 1999 2:19 PM
Subject: no response to our email dealing with
            dead bugs in my payday
I am extremely disappointed at the fact you have not
responded to this incident. I'm upset that I purchased a
payday and began eating it and ended up seeing a worm like
bug with bug carcasses and holes in and on the candy
bar.
I ... will continue to write you until I get a response.
Talk about extremely bad customer service.
Chad Weaver

I liked my response:

From: Ponte, Kai <kai@hershey.com>
Sent: Monday, August 30, 1999 7:20 AM
To: TrtleGrl69@aol.com
Subject: RE: no response to our email
                          dealing with dead bugs in my payday

The worm like creature you found - was it alive?

Did it taste good?

Kai Ponte
Information Technology Specialist
Hershey Business Systems

They should be using...

[msauve]

donotreply.invalid or example.com. These are reserved for just this sort of thing by RFC 2606.

In a similar manner, people wanting fake IP addresses to use for documentation, training, etc., should use addresses in the 192.0.2.0/24 range, which is reserved by RFC 3330.

Re:forgery?

[GregGardner]

Whether it is arcane or not is debatable, but the CAN-SPAM Act of 2003 specifically prohibits using a false "From" header.

http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.shtm

"It bans false or misleading header information. Your email's "From," "To," and routing information - including the originating domain name and email address - must be accurate and identify the person who initiated the email."

He's not just some guy in Seattle...

[Mr2001]

The guy who runs donotreply.com is Chet Faliszek, one half of the "Chet and Erik" who ran the gaming humor site Old Man Murray and then went on to write the dialogue for Portal.

Incidentally, they never did send me a prize for winning that CrateMaster contest. Bastards!

Re:He's not just some guy in Seattle...

[megaditto]

Sorry, we forgot about your prize. Contact Chet at chet@donotreply.com.

Re:you can own the headline domain

[Teflon_Jeff]

Kicks and giggles. I thought it would be funny to have an @donotreply.com e-mail address. had I known about all the crap that would filter through, I probably would have sold it.

Maybe...

[msauve]

but that's not a forgone conclusion.

"Under the common law and many statutes, an intent to take money or property to which one is not lawfully entitled must exist at the time of the threat in order to establish extortion...A person who acts under a claim of right (an honest belief that he or she has a right to the money or property taken) may allege this factor as an Affirmative Defense to an extortion charge. What constitutes a valid claim of right defense may vary from one jurisdiction to another. For example, M, a department store manager, accuses C, a customer, of stealing certain merchandise. M threatens to have C arrested for Larceny unless C compensates M for the full value of the item. In some jurisdictions it is only necessary for M to prove that he or she had an honest belief that C took the merchandise in order for M to avoid an extortion conviction. Other jurisdictions apply a stricter test, under which M's belief must be based upon circumstances that would cause a reasonable person to believe that C took the item. Another, more stringent, test requires that C in fact owe the money to M."

If by putting fake header in an email, you're filling my email inbox, you're causing me damage, both in terms of stolen resources (you are consuming both bandwidth and storage space, both of which I pay for), and my own time in sorting through the chaff. You owe me for my costs, both in actual dollars and in time and effort. You can choose pay me a reasonable fee to cover my costs and efforts, or I'll let the government show you why you shouldn't have done it in the first place.

BTW, don't assume that law is the same as ethics. There are a lot illegal actions which are perfectly ethical, and vice versa. I choose ethics over law (which, at least in the US, has little meaning).

Re:at least the US

[tsm_sf]

No offense, but attitudes like that will kill this country. The "good enough" or "at least we're better than X" line of thought leads us into a race to 2nd from the bottom.