Slashdot Mirror


Researchers' Typosquatting Stole 20 GB of E-Mail

NeverVotedBush writes "Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions."

204 comments

  1. People are dumb, so... by Anonymous Coward · · Score: 0

    Back in the early days of the web, a friend of mine registered a domain that was a legitimate spelling of a big company; just not the one that company was actually using. He set up a mail server on it and in a day received over 100 e-mails. Was really weird. Why were so many people sending e-mail to the wrong domain? They just assumed it would be right?

    1. Re:People are dumb, so... by tomhudson · · Score: 1

      1. Enable catch-all email accounts on all domains you own
      2. ...
      3. PROFIT!

      20 gigs sounds like a lot, but since these were corporations, you can expect that a lot of them were huge Microsoft Word attachments with one-liners like "Peter: Remember to complete your TPS report by Friday." and equally vacuous Powerpoint slide decks. And people trying to email DVDs. And pr0n - lots of pr0n, if it was government employees.

    2. Re:People are dumb, so... by jandrese · · Score: 2

      Also, chances are 99% of that was spam.

      --

      I read the internet for the articles.
    3. Re:People are dumb, so... by interval1066 · · Score: 1

      People aren't dumb, just busy. I do recognize the need for people to do their own due diligence to some extent but comments like yours, no offense, paint people as a bunch of sheep lamely pushing at buttons. The true picture is that these are by and large very busy people conducting business with a multitude of contacts and business correspondence that they have to perform every day, and not all of them, in fact very few of them, are really very IT savvy. IT isn't their business. And it's usually not a matter of simply pushing buttons; many times it's copying, pasting, attaching forms, scanning, and typing new contact names into contact books. With millions of people conducting transactions on the web every day some domains are going to get munged. Yeah, they need to make sure they are addressing their business correctly, but simply painting them as "dumb" is dismissive and disingenuous.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    4. Re:People are dumb, so... by Drencrom · · Score: 1

      They do the same with SSH. The other day I misspelled homelinux.org (that's a dyndns domain) and ended up in some server asking my password. They listen to SSH for all domains *.mispelled-homelinux.org (I don't remember the exact name) and harvest logins and passwords. Luckily I only allow public keys in my home router so I could notice.

    5. Re:People are dumb, so... by PoopCat · · Score: 1

      but simply painting them as "dumb" is dismissive and disingenuous

      You *really* must be new here.

    6. Re:People are dumb, so... by interval1066 · · Score: 1

      Yeah, that's a good argument. Another one is "People are dumb", and as lame as "I'm too tired to get a glass of water, why don't you get it for me."

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    7. Re:People are dumb, so... by Scoth · · Score: 1

      Could be lots of reasons. I'm not sure it'd be the same now, but when I was doing home end-user tech support in the late 90's and early 2000s a lot of people genuinely didn't get that email didn't work like the postal service where typos would likely be corrected and the mail still get where it was going. I was yelled at by more than one (mostly older) person who didn't understand why their email didn't arrive after we "fixed it".

      I kind of expect it's also just a lot of people don't know/don't care and aren't paying attention.

    8. Re:People are dumb, so... by mlts · · Score: 1

      I do key authentication over the Net for the same exact reason. If I log into the wrong site, who cares if they get a public key ID or material, unless they have a TWIRL machine or a quantum computer to factor keys in logarithmic time.

      Plus, it is only common sense to have public key only authentication, especially with all the brute force attempts done these days. Of course, systems like SSHGuard or custom scripts to have iptables deny IP addresses are useful, but nothing beats completely locking out an attack avenue completely.

    9. Re:People are dumb, so... by reub2000 · · Score: 1

      Really, store e-mails in an address book. It should also be obvious that any e-mail addresses communicated verbally are prone to typos.

      I guess the other question is why such sensitive stuff is being sent in an e-mail in clear text.

    10. Re:People are dumb, so... by Anonymous Coward · · Score: 0

      Didn't SSH warn you about a changed host key first?

    11. Re:People are dumb, so... by keitosama · · Score: 1

      Not when accessing a misspelled domain name, but being the first connection to a new server, SSH would ask if it should add the keys to known_hosts.

    12. Re:People are dumb, so... by wwphx · · Score: 1

      SUDO Get me a glass of water.

      --
      When you sympathize with stupidity, you start thinking like an idiot.
  2. Good test. by 140Mandak262Jamuna · · Score: 2
    Every damn email they suctioned up has stern boilerplate warning: "This email is intended for XYZ only. If you are not XYZ and you got this email, and if you don't delete it and forget what you have read immediately we are going to pretend we could come after you like gangbusters". Let us see if that stupid boilerplate text has any legal standing.

    Anyway, of the 20 Gig they collected, I am sure 19.9 Gig was this boilerplate text.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Good test. by bmo · · Score: 3, Informative

      >Let us see if that stupid boilerplate text has any legal standing

      It doesn't. It didn't work for real mail so why should it work for email?

      You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.

      --
      BMO

    2. Re:Good test. by tomhudson · · Score: 3, Informative

      The boilerplate has no legal force. First, it's like someone sending you unsolicited snail mail - anyone who sends you, say, an unsolicited book by snailmail can't then send you a demand to pay for it - it's already yours.

      Additionally, boilerplate "contracts", even ones you agree to, are governed by different laws than regular contracts (search for "contract of adhesion" or "standard form contract").

    3. Re:Good test. by duguk · · Score: 2, Informative

      >Let us see if that stupid boilerplate text has any legal standing

      It doesn't. It didn't work for real mail so why should it work for email?

      You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.

      -- BMO

      Not true, at least in the UK:

      Interfering with mail - Postal Services Act 2000 Section 84
      Triable Summarily (Magistrates court)
      6 Months and or a fine (Max)

      A person commits an offence if they without reasonable excuse intentionally delay or open a postal packet in the course of transmission by post or intentionally opens a mail bag.

      A person commits an offence if, intending to act to a person's detriment and without reasonable excuse, opens a postal packet which they know or suspect to have been delivered incorrectly.

      If you work for the Post service you could commit other offences under Section 83 triable either way (Magistrates or Crown court) and get a sentence of 2 years and or a fine.

    4. Re:Good test. by Anonymous Coward · · Score: 2, Interesting

      "Delivered incorrectly" is different from "addressed incorrectly". One is an error of the Postal Service, the other is an error of the sender.

    5. Re:Good test. by jeffmeden · · Score: 1

      It's not "delivered incorrectly" if the address is right (your house) but the contents are wrong (meant for your neighbor)... That's basically what is going on here. While it could easily be argued that they acted with intent (since they certainly don't have a business called Kelllogggs that they need to send/receive email for) it is still within the bounds of "we read it because we were the intended recipient"... Those boilerplates are about as useful as walking around with a t-shirt saying "you just read this now you owe me twenty quid".

    6. Re:Good test. by Hooya · · Score: 1

      I always thought that was bullshit. How do i *Know* if the email was intended for me? because it's got my email address, that's how.

      Now, how can someone demand that i "promptly delete" the email? i have server logs, backups, and a whole array of things (required - as i understand it - as part of SOX) that would have to be scrubbed. Who's paying? The sender wants me to foot the bill to do all that when i had NO say in whether or not I got the email? How about if I sent the sender an email everyday - unintentionally - and ask that they scrub all of it off their servers? Would they do it? Just because I said so?

      I would love to send the senders of those fucking boilerplates something to the effect of - "since apparently you want me to observe a contract that i didn't agree to - which i did by scrubbing all the traces of your email - now it's your turn: the bill is $10,000, pay up, the invoice is in the mail".

    7. Re:Good test. by QuantumRiff · · Score: 1

      At least 1.3GB must have been the pretty little green text (sometimes with a graphic of a tree) to "think of the environment before printing this email..."

      --

      What are we going to do tonight Brain?
    8. Re:Good test. by onepoint · · Score: 1

      100 megs of useable data is what we are talking about.
      what that might cover is legal issues, user names and passwords and the like ...

      so the ability to profit is present, and just like spam, you only need a few to make it worth while

      --
      if you see me, smile and say hello.
    9. Re:Good test. by duguk · · Score: 1

      It's not "delivered incorrectly" if the address is right (your house) but the contents are wrong (meant for your neighbor)... That's basically what is going on here. While it could easily be argued that they acted with intent (since they certainly don't have a business called Kelllogggs that they need to send/receive email for) it is still within the bounds of "we read it because we were the intended recipient"... Those boilerplates are about as useful as walking around with a t-shirt saying "you just read this now you owe me twenty quid".

      While I'll agree the 'envelope' was correct - it was delivered to the correct address; the person who it was delivered to was not the recipient.

      If this was applied to mail, not only would it be that they 'know or suspect to have been delivered incorrectly', they are certainly acting with intent. It would be hard to claim they didn't "know or suspect" these mails were not meant for them!

      Sure, the boilerplate is meaningless; but to take the postal analogy further - this would be like me deliberately opening a company with a similar name in a similar road to another; with the sole reason of opening their post. It would take a serious stretch of the imagination to say this has been delivered 'correctly', and pretty obvious that it should be unlawful.

      This is sure to have happened in the past, I'm sure someone somewhere has mismatched names with addresses on a mail merge. So if I received a bank statement, with your name but my address on it - would you say it was legal for me to open it?

      In any case, as confirmed in the Regulation of Investigatory Powers Act 2000:

      It is an offence to open, destroy, hide or delay any post that is addressed to someone else. Post cannot be opened if it is to the addressee's detriment and without reasonable excuse. Reasonable excuse is not defined by the Act.

      An example of a potential conflict is if a landlord opens a previous tenant's post in order to trace them. Post cannot be opened if someone knows or reasonably suspects the post has been incorrectly delivered.

      It is also an offence to divert someone's post in order to intentionally delay them from receiving it. An example of this could be where a person re-posts documents or cheques to delay the addressee from acting upon them.

    10. Re:Good test. by duguk · · Score: 1

      "Delivered incorrectly" is different from "addressed incorrectly". One is an error of the Postal Service, the other is an error of the sender.

      Either way, as confirmed in the Regulation of Investigatory Powers Act 2000:

      It is an offence to open, destroy, hide or delay any post that is addressed to someone else. Post cannot be opened if it is to the addressee's detriment and without reasonable excuse. Reasonable excuse is not defined by the Act.

      An example of a potential conflict is if a landlord opens a previous tenant's post in order to trace them. Post cannot be opened if someone knows or reasonably suspects the post has been incorrectly delivered.

      It is also an offence to divert someone's post in order to intentionally delay them from receiving it. An example of this could be where a person re-posts documents or cheques to delay the addressee from acting upon them.

    11. Re:Good test. by trum4n · · Score: 1

      You have to "open" email, just to see who it's sent to. OOPS. TOO LATE.

    12. Re:Good test. by Bob+the+Super+Hamste · · Score: 1

      We had some "security" training here at work about just that topic a couple of months ago. Basically what I gathered is that it is similar to the BS in EULAs that they put in there just in case case law or an actual law is written that makes it enforceable. But in general those notices carry no weight.

      --
      Time to offend someone
    13. Re:Good test. by Anonymous Coward · · Score: 0

      So...what you're saying is that I could not open or throw away mail that is addressed to someone that does not live in my house, yet has my address on it?
      Pretty soon, I'm going to be crushed under the weight of all the mail addressed to "homeowner" or "recipient"!

      Or, am i expected to find out where this person is, and do the Post's job for them? (fat chance).

    14. Re:Good test. by duguk · · Score: 1

      You have to "open" email, just to see who it's sent to. OOPS. TOO LATE.

      No, at least in theory, you don't. SMTP literally has an "envelope"; it should be all the server looks at to relay/deliver messages.

    15. Re:Good test. by Anonymous Coward · · Score: 0

      In the UK they can also take fat kids away from their fat parents. If that happened in the US, I'm not sure what we'd do with all the displaced fat people.

    16. Re:Good test. by Chris+Mattern · · Score: 1

      A person commits an offence if, intending to act to a person's detriment and without reasonable excuse, opens a postal packet which they know or suspect to have been delivered incorrectly.

      But it was delivered completely correctly. The sender specified the wrong address, but it was delivered absolutely correctly to that address.

    17. Re:Good test. by Medievalist · · Score: 2

      that is addressed to someone else.

      It was addressed to me; I own the address that received it, it is mine. According to the laws you've quoted, anyway, which strictly forbid opening mail addressed to other people. Only I may legally open it; it is mine.

      I get a dozen emails a month on my gmail account that are intended for a person with a name very similar to mine.

      These emails are all addressed to me, although that's not who they should have been sent to. The person sending intentionally sent it to me - they typed my address and pressed 'send' - so under the laws you've quoted nobody else may open it, only me.

      I try and try to get these people (who are mostly British real estate salesmen) to stop sending me these emails which sometimes contain confidential information relating to their clients. The tossers apologize and promise never to do it again (and occasionally do stop for a week or two, then start up again). It appears that many British land brokers are not just poor typists, but also idiots.

    18. Re:Good test. by shentino · · Score: 1

      You don't need it for real mail because tampering with an envelope addressed to someone else is a federal offense.

    19. Re:Good test. by duguk · · Score: 1

      So...what you're saying is that I could not open or throw away mail that is addressed to someone that does not live in my house, yet has my address on it? Pretty soon, I'm going to be crushed under the weight of all the mail addressed to "homeowner" or "recipient"!

      Or, am i expected to find out where this person is, and do the Post's job for them? (fat chance).

      If you're the homeowner or recipient, then you are the addressee... no need to be facetious.
      If it has someone else's name on it, no you cannot legally open it, at least by the law of the UK.
      If you set up a similarly named address, for the sole purpose of intercepting mail, then I would expect that yes, you're still breaking the law.

    20. Re:Good test. by JSBiff · · Score: 1

      With physical goods, like a book, I suspect they could legally demand the book be returned (although, who's going to hire a lawyer and go to court over a $10 book).

      If it were something sufficiently valuable for it to be "worth it", though, they could probably demand it be returned. I mean, mailing something to you doesn't make you the 'owner' - netflix mails me DVDs, but I don't "own them", and must return them. I suppose the courts could look at a mis-sent item as never actually having ownership transferred, if there's a lack of clear indication that ownership *has* been transferred (e.g. when you buy a book from Amazon, you have a receipt which clearly shows you purchased the item, and that ownership would transfer to you; if someone sends you something by mistake, there's no such basis for anyone to believe that the sender intended to transfer ownership).

    21. Re:Good test. by duguk · · Score: 1

      A person commits an offence if, intending to act to a person's detriment and without reasonable excuse, opens a postal packet which they know or suspect to have been delivered incorrectly.

      But it was delivered completely correctly. The sender specified the wrong address, but it was delivered absolutely correctly to that address.

      As others have pointed out, delivered!=addressed.

      i.e. just because my bank sent my bank statement to your house by accident, that does not give you the right to read or open it (at least not via post in the UK)

    22. Re:Good test. by _0xd0ad · · Score: 2

      You're supposed to mark it "no longer at this address - return to sender", black out the barcode at the bottom with a marker, and put it in the outgoing mail.

    23. Re:Good test. by Anonymous Coward · · Score: 0

      OK, let's play.

      It is an offence to open, destroy, hide or delay any post that is addressed to someone else. Post cannot be opened if it is to the addressee's detriment and without reasonable excuse. Reasonable excuse is not defined by the Act.

      So you aren't allowed to mess with someone else's mail. Except the addressee on these was found by the mail system. The mere act of sending mail to an addressee implies intent, thus the mail reached the intended recipient.

      An example of a potential conflict is if a landlord opens a previous tenant's post in order to trace them. Post cannot be opened if someone knows or reasonably suspects the post has been incorrectly delivered.

      So if something is delivered incorrectly, then, again, you're not allowed to mess with it, even if the address is correct but out of date. With email, this isn't an issue. Email protocols specify that addresses are unique and a message only gets delivered to an EXACT MATCH. Thus it is impossible for email to be "incorrectly delivered" in the sense this law is speaking of. Thus, this doesn't apply.

      It is also an offence to divert someone's post in order to intentionally delay them from receiving it. An example of this could be where a person re-posts documents or cheques to delay the addressee from acting upon them.

      Only a MITM (such as a relay) could do this with email. Since that's not what's going on here, this doesn't apply.

      tl;dr - Email doesn't follow most of the postal rules because of the relative infallibility of machines, thus most postal privacy laws don't apply.

    24. Re:Good test. by 0racle · · Score: 1

      Example:

      Me: bob@aple.com
      Not Me: bob@apple.com

      Amy means to send to bob@apple.com but can't be bothered to be careful and sends to bob@aple.com.

      Can I read it?
      Of course. It is addressed to me so "offence to open, destroy, hide or delay any post that is addressed to someone else" doesn't apply. It was addressed to me and therefore delivered to me so "someone knows or reasonably suspects the post has been incorrectly delivered" so this too doesn't apply. Also, I did not delay delivery since it was addressed to me and probably delivered in a prompt manner.

      Now, you are going to point out this part - "someone knows or reasonably suspects the post has been incorrectly delivered" and say that since I don't know Amy I should reasonably suspect her messages are not for me. I do get mail from people I don't know, it is rare but it does happen. I do not have any reason to assume any e-mail was not intended for me until I have opened the message and seen its contents. This is not a physical package, e-mail out of the blue is not that uncommon.

      And just to throw water on the whole thing, I doubt that you could get laws governing physical mail to cover e-mail.

      --
      "I use a Mac because I'm just better than you are."
    25. Re:Good test. by nabsltd · · Score: 1

      While I'll agree the 'envelope' was correct - it was delivered to the correct address; the person who it was delivered to was not the recipient.

      I do not think that word means what you think it means.

      By definition, if something is addressed to you and you get it, then you are the "recipient". It does not matter what the thing is that you received, or why you received it. And, even the UK law you quote agrees with this definition, and gives only examples of when the mail is "addressed to someone else". This law in the US is similar. For example, the Post Office even made ads about how receiving something by mail that you did not request doesn't make you obligated to pay for it, because scammers were sending unrequested items via the mail and enclosing bills, then suing for non-payment.

    26. Re:Good test. by blair1q · · Score: 1

      19.9 Gig was pr0n, lolcats, and "Undeliverable Message" replies.

    27. Re:Good test. by trum4n · · Score: 1

      Well the servers aren't making the mistake...

    28. Re:Good test. by gstoddart · · Score: 3, Interesting

      It doesn't. It didn't work for real mail so why should it work for email?

      You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.

      Well, in this case, you have to make the explicit step of setting up an alternate site, and having something there to get email. So you've explicitly put stuff in place to catch these messages.

      Under normal circumstances, the user would get a bounce-back of the message ... so, someone might be able to argue that it's not like something was delivered to you out of the blue. You've actually created the thing that it gets delivered to, and made it look as close as you could to the intended one.

      At a minimum, this might get into a gray area, and might be full on illegal, even if you were only passively receiving the mis-directed stuff thereafter.

      I don't think you can make the claim that you just happened to be receiving these emails.

      --
      Lost at C:>. Found at C.
    29. Re:Good test. by _0xd0ad · · Score: 1

      No, not really. If you're a BCC'd recipient you wouldn't even be able to tell from the headers. All you'd see is a delivered-to header and obviously that has to be you since you received it. It's the RCPT TO field that determines who actually receives the e-mail, not the To, Cc, or Bcc headers (the Bcc header is stripped out anyway).
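
An added example, not part of the thread or any poster's code: the envelope/header distinction described in the comments above (the SMTP "envelope" and `RCPT TO` versus the `To`, `Cc` and `Bcc` headers), written as an outbound-gateway check that lists envelope-only recipients and flags recipient domains one character away from a known domain. The near-miss check goes slightly beyond what the comments describe; the session transcript, the domain names and the `KNOWN_DOMAINS` allowlist are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: client side of one SMTP transaction (not real traffic).
# carol's domain is mistyped in both header and envelope; audit@ is a Bcc,
# so it appears only in the envelope.
SAMPLE_SESSION = """\
EHLO mail.example.com
MAIL FROM:<amy@example.com>
RCPT TO:<bob@partner.example>
RCPT TO:<carol@partnr.example>
RCPT TO:<audit@example.com>
DATA
From: Amy <amy@example.com>
To: Bob <bob@partner.example>, carol@partnr.example
Subject: Q3 contract draft

See attached.
.
QUIT
"""

# Assumption: domains this organization legitimately sends mail to.
KNOWN_DOMAINS = {"example.com", "partner.example"}

RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>]+)>", re.IGNORECASE)


def parse_session(text):
    """Return (envelope_recipients, header_recipients) from client SMTP lines."""
    envelope, body, in_data = [], [], False
    for line in text.splitlines():
        if in_data:
            if line == ".":            # end-of-data marker
                in_data = False
            else:                      # undo SMTP dot-stuffing
                body.append(line[1:] if line.startswith(".") else line)
        elif line.upper() == "DATA":
            in_data = True
        else:
            m = RCPT_RE.match(line)
            if m:
                envelope.append(m.group(1).lower())
    msg = message_from_string("\n".join(body))
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    headers = [addr.lower() for _, addr in getaddresses(fields)]
    return envelope, headers


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known_domains, max_distance=1):
    """Return the known domain that `domain` nearly matches, or None."""
    if domain in known_domains:
        return None
    for known in sorted(known_domains):
        if edit_distance(domain, known) <= max_distance:
            return known
    return None


def review(text, known_domains):
    """Summarize who the message is really delivered to and what looks mistyped."""
    envelope, headers = parse_session(text)
    lookalikes = {}
    for rcpt in envelope:
        match = lookalike_of(rcpt.rpartition("@")[2], known_domains)
        if match:
            lookalikes[rcpt] = match
    return {
        "envelope": envelope,  # delivery is decided by these, not by the headers
        "envelope_only": [r for r in envelope if r not in headers],
        "lookalikes": lookalikes,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_SESSION, KNOWN_DOMAINS).items():
        print(f"{key}: {value}")
```
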

    30. Re:Good test. by GNious · · Score: 1

      Those laws have to REALLY annoy GMail and News International

    31. Re:Good test. by Chris+Mattern · · Score: 1

      If it has my address on it, how am I even supposed to know it's not for me before I open it?

    32. Re:Good test. by nedlohs · · Score: 1

      If they addressed it to me i'm pretty sure it does - or am I supposed to use magical powers to determine I should open that piece of mail with my name and my address on it?

      This is not "Bob Smith at 12 Station St" getting mail addressed to "Bill Jones at 14 Station St" It is not even "Bob Smith at 12 Station St" getting mail addressed to "Bill Jones at 12 Station St". This is "Bob Smith at 12 Station St" getting mail addressed to "Bob Smith at 12 Station St".

      Sure the sender screwed up and actually meant to send it to Bill, but are you seriously saying Bob is going to be breaking the law by opening it.

      And that could happen with physical mail - it's not such a stretch to put a letter in the wrong envelope. I'm sure someone somewhere has sent Tim's wedding invitation to Jane because they screwed up when putting 200 personalised invites into 200 addressed envelopes. Or a letter printer and envelope printer got out of sync in some automated setup.

    33. Re:Good test. by duguk · · Score: 1

      Email doesn't follow most of the postal rules because of the relative infallibility of machines, thus most postal privacy laws don't apply.

      You're right - I agree entirely. But I wasn't the one who compared the email with postal services;
      I simply took issue with 'bmo' comparing the two when there ARE laws in the UK about opening post not to the addressee.

      I don't even believe the postal laws should apply to email; I believe the law should only come into effect where it's clear the 'typosquatted' domain is there for fraud.

    34. Re:Good test. by nedlohs · · Score: 1

      With physical goods, like a book, I suspect they could legally demand the book be returned (although, who's going to hire a lawyer and go to court over a $10 book).

      I can suspect that all you want. You'd still be wrong.

      https://postalinspectors.uspis.gov/investigations/MailFraud/fraudschemes/othertypes/UnsolicitedFraud.aspx

      If it were something sufficiently valuable for it to be "worth it", though, they could probably demand it be returned. I mean, mailing something to you doesn't make you the 'owner' - netflix mails me DVDs, but I don't "own them", and must return them.

      You have an agreement with netflix before they sent them that you would return them. If netflix sent you some DVDs to someone who hadn't requested them out of the blue, then that person now owns those DVDs.

    35. Re:Good test. by duguk · · Score: 1

      I should reasonably suspect her messages are not for me. I do get mail from people I don't know, it is rare but it does happen. I do not have any reason to assume any e-mail was not intended for me until I have opened the message and seen its contents.

      In the case of the post (not that I believe it should apply, just that's what we're talking here); if the letter was addressed to your name and the address was incorrect, it would be a simple case of mistaken identity, and although probably illegal somehow - I'm sure it wouldn't be enforced.

      If you'd set up aple.com for the deliberate purpose of fraud, (like those in the article have) then you can "reasonably suspect the post has been incorrectly delivered".

    36. Re:Good test. by duguk · · Score: 1

      No, not really. If you're a BCC'd recipient you wouldn't even be able to tell from the headers. All you'd see is a delivered-to header and obviously that has to be you since you received it. It's the RCPT TO field that determines who actually receives the e-mail, not the To, Cc, or Bcc headers (the Bcc header is stripped out anyway).

      Yes, BCC is another reason why the original comparison (from 'bmo') to post vs email is not a fair comparison; and why the laws (that really do exist in the UK) shouldn't apply to email.

    37. Re:Good test. by Lucidus · · Score: 1

      U.S. postal regulations explicitly state that if you receive unsolicited goods in the mail, they are yours to do with as you wish - you have no obligation to the sender. The liability is always with the sender. This is to discourage certain obvious scams.

      If something is delivered to you which is clearly intended for someone else (i.e., right address, wrong name), things might get more complicated. I don't know the legalities in that case.

    38. Re:Good test. by duguk · · Score: 1

      If it has my address on it, how am I even supposed to know it's not for me before I open it?

      Do you not have a name, Chris Mattern? =)

    39. Re:Good test. by Darinbob · · Score: 1

      But it doesn't have your name on it, so you can't open it under the laws of many countries. You need more than just the address for it to be yours, it must have address and name or say "occupant" or the like. There is also a test that courts would apply about whether it was reasonable for you to assume that it was intended for you or not. It's one thing to make an honest mistake, but if you are reading the previous tenant's post then you are on shaky legal grounds depending upon where you live.

    40. Re:Good test. by amRadioHed · · Score: 1

      You don't seem to want to acknowledge the difference between incorrectly delivered and incorrectly addressed. If someone puts my address in the To field and it arrives in my inbox then it was correctly delivered. Whether they intended for me to receive the email or not is not relevant to the laws you referenced.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    41. Re:Good test. by CBravo · · Score: 1

      I hear a new scam born... And you invented it. That means you are responsible for all damage that results, right?

      At least morally ;-)

      --
      nosig today
    42. Re:Good test. by Darinbob · · Score: 1

      The name is a part of the address! If the letter says "Bob Smith" and you are not "Bob Smith" then it is NOT addressed to you even if the street address matches yours.

    43. Re:Good test. by duguk · · Score: 1

      If they addressed it to me I'm pretty sure it does - or am I supposed to use magical powers to determine I should open that piece of mail with my name and my address on it?

      This is not "Bob Smith at 12 Station St" getting mail addressed to "Bill Jones at 14 Station St" It is not even "Bob Smith at 12 Station St" getting mail addressed to "Bill Jones at 12 Station St". This is "Bob Smith at 12 Station St" getting mail addressed to "Bob Smith at 12 Station St".

      Sure the sender screwed up and actually meant to send it to Bill, but are you seriously saying Bob is going to be breaking the law by opening it?

      And that could happen with physical mail - it's not such a stretch to put a letter in the wrong envelope. I'm sure someone somewhere has sent Tim's wedding invitation to Jane because they screwed up when putting 200 personalised invites into 200 addressed envelopes. Or a letter printer and envelope printer got out of sync in some automated setup.

      You've made a few errors there. This is "12 Staton St" getting mail addressed to "Bob Smith at 12 Station St". It would be unfortunate in the postal system if a duplicate name lived at the mistaken address. If there is a "Bob Smith" at the real address, it's unlikely, but surely it would be a "Reasonable Excuse" - as defined in the law you replied to.

      However, in this case, the fake "Bob Smith" has set up a house called "12 Staton St" and hoping people get the wrong address; and he isn't really even called "Bob Smith" at all. That's why the law states: "know or suspect to have been delivered incorrectly".

      The original argument from 'bmo' was "You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases." - that's not the case for post in the UK.

      However - what works in the real world shouldn't always apply on the Internet...

    44. Re:Good test. by duguk · · Score: 1

      You don't seem to want to acknowledge the difference between incorrectly delivered and incorrectly addressed. If someone puts my address in the To field and it arrives in my inbox then it was correctly delivered. Whether they intended for me to receive the email or not is not relevant to the laws you referenced.

      If we're going to take the Post metaphor so seriously; presumably if it's in your inbox - but clearly not for you; then you cannot open it since 'Post cannot be opened if someone knows or reasonably suspects the post has been incorrectly delivered.'.

      However, of course, if you aren't sure if it is for you; then that would likely be a 'reasonable excuse' to open it under the law.
      Presumably once you have opened it and realised it is not for you, you would follow the boilerplate and delete the message.

      Seriously, I'm not condoning that these laws should apply to email - but if we are going to make a comparison, at least get your facts right.

    45. Re:Good test. by amRadioHed · · Score: 1

      There you go again. If it has my address then it's not incorrectly delivered. What is it about that you don't get?

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    46. Re:Good test. by nedlohs · · Score: 1

      I was only responding to this part:

      just because my bank sent my bank statement to your house by accident, that does not give you the right to read or open it (at least not via post in the UK)

      Which has nothing to do with email and domain squatting and so on.

      If my name is Bill Smith and I live at 12 Station St and your bank decides to send your bank statement to me addressed as:

      Bill Smith
      12 Station St.

      Then surely it can not be against the law for me to open the letter? How do I know it isn't for me before I open it?

    47. Re:Good test. by Anonymous Coward · · Score: 0

      I don't know about you, but until I open an email it never says that it is addressed to my name. At the point I realize it's been misdirected, I've already skimmed everything on the screen.

    48. Re:Good test. by shentino · · Score: 1

      Or giving Satan an EULA when he comes to collect your soul.

    49. Re:Good test. by Miseph · · Score: 1

      It was delivered to a person other than the recipient. That means it was incorrectly delivered. Whether it was incorrectly delivered because the person who addressed it made a mistake or because the person who delivered it made a mistake is immaterial to the fact that it was not delivered to the right person.

      Furthermore, the rules in question belong to a legal system which is explicitly designed to handle such questions and come to meaningful answers based on the details of precisely what happened. You may believe that opening mail addressed to a person who shares a name with your next door neighbor at your address is within your rights, but if a judge and/or jury do not agree with your reading of the law that will trump any and all nitpicking and semantics.

      --
      Try not to take me more seriously than I take myself.
    50. Re:Good test. by Chris+Mattern · · Score: 1

      Ding ding ding! We have a winner!

    51. Re:Good test. by tomhudson · · Score: 1

      No, they can't. A publisher sent me an unsolicited book, based on a mailing list that I would be a likely sucker. I kept the book, tossed out the invoice. Legally, the book is mine, and I have no legal obligation to either pay for it or return it.

      Your netflix example is silly - you have an agreement to lease the DVDs with them.

      Sending it to a mistaken address is a different story as well.

      But sending unsolicited material to the RIGHT recipient transfers ownership, plain and simple.

    52. Re:Good test. by PoopCat · · Score: 1

      WTFety-F? How can an email be delivered to a person other than the recipient? The recipient is exactly who the email was delivered to, that's the very definition. I'll spare you further embarrassment and presume you meant 'intended recipient' - but in that case, how can the *actual* recipient know what was going through the mind of the sender, based solely on the fact that the email APPEARED IN HIS OR HER MAILBOX?

    53. Re:Good test. by idontgno · · Score: 1

      Yes, BCC is another reason why the original comparison (from 'bmo') to post vs email is not a fair comparison; and why the laws (that really do exist in the UK) shouldn't apply to email.

      Of course it can apply to email. Trivial technical differences can be swept away with cracking good courtroom theatrics and a friendly judge. I'm sure Crown Prosecution considers it merely a brisk challenge, not some kind of crippling and disqualifying shortcoming in the law.

      Any law is applicable to any act if you're willing to squint enough.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    54. Re:Good test. by idontgno · · Score: 1

      Hey! You must work for my company!

      TBH, I'm waiting for a directive to come down from our Green Compliance Weasel Team to switch font colors in that boilerplate "sustainability" blurb because we're exhausting the world's supply of green photons or something.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    55. Re:Good test. by shentino · · Score: 1

      They are not completely useless.

      First of all they put you on notice that the contents are confidential, and zap any pretension that the person sending has granted express consent.

      So they function more as evidence and notice than they do as a binding agreement.

    56. Re:Good test. by duguk · · Score: 1

      While I'll agree the 'envelope' was correct - it was delivered to the correct address; the person who it was delivered to was not the recipient.

      I do not think that word means what you think it means.

      By definition, if something is addressed to you and you get it, then you are the "recipient". It does not matter what the thing is that you received, or why you received it. And, even the UK law you quote agrees with this definition, and gives only examples of when the mail is "addressed to someone else". The law in the US is similar. For example, the Post Office even made ads about how receiving something by mail that you did not request doesn't make you obligated to pay for it, because scammers were sending unrequested items via the mail and enclosing bills, then suing for non-payment.

      That's irrelevant. I can't (literally nor legally) start a fake company with the same address as another, without it being unlawful to open their post.

      I.e. it may have been delivered to your letterbox, but that doesn't mean you can legally open a letter from the bank that's addressed to your parents from the comfort of your basement.

    57. Re:Good test. by duguk · · Score: 1

      WTFety-F? How can an email be delivered to a person other than the recipient? The recipient is exactly who the email was delivered to, that's the very definition. I'll spare you further embarrassment and presume you meant 'intended recipient' - but in that case, how can the *actual* recipient know what was going through the mind of the sender, based solely on the fact that the email APPEARED IN HIS OR HER MAILBOX?

      Seriously? I was making a comparison to the post office; because that's how the conversation started. Go back to the beginning of the thread and you might not feel so angry.

      For example, if this were to apply to the mail; if for example you have a wildcarded email, and you receive that is not addressed to your normal email address and with a different name would imply that it is not for you. Thankfully there is a fairly clear part of the law that speaks of "reasonable excuse". An identical name or insufficient information would be an example of this.

      However, setting up a fake domain name that is similarly named to another, under the UK law, you could be fairly sure that you "reasonably suspect the post has been incorrectly delivered" and therefore opening it (under the UK law) would be illegal...

      I'm not saying I agree with the law; but BMO (above) said "You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases." - that's not true under the UK law. If you receive a bank statement with someone else's name on it, it almost certainly wouldn't be lawful to open it.

      Hope we're clear on that now.

    58. Re:Good test. by duguk · · Score: 1

      Well the servers aren't making the mistake...

      I'm sure it's not the customers' mistake when the bank sends their statement to the wrong address.
      That doesn't mean you can legally open it if it's clear you "know or suspect to have been delivered incorrectly" under the UK postal law.

      The law doesn't explain what those indications might be, but if we're going to apply the UK postal law to email; these are considerations that should be made.

    59. Re:Good test. by tomhudson · · Score: 1

      Except that any disclosure to a 3rd party, even by accident (the sole exception being if the 3rd party gained the knowledge through criminal action), makes the contents and knowledge gained public wrt that 3rd party.

      So don't count on them for keeping trade secrets, for example, private.

    60. Re:Good test. by trum4n · · Score: 1

      But 90% of users can't figure out who email is to, without opening it.

    61. Re:Good test. by Medievalist · · Score: 1

      But it doesn't have your name on it

      Yes it does. All the mis-sent email I get all has my name and my address on it. Otherwise it would not have been delivered to me.

    62. Re:Good test. by Synerg1y · · Score: 1

      It is legal for me to own gogle.com anywhere if it's not registered, google can't take it from me by any means, if you (the user) go to gogle.com, google will count it as a legitimate hit, but what actually happens when you go to gogle.com? :) Exactly, google owns it, among a horde of other commonly misspelled variants of google and its services. This is called intelligence and wise investing in IT infrastructure. The company that owns a domain such as @sony.com should also own @osny.com, @soyn.com, etc... not like these domains cost a fortune compared to the hits they generate / in this case information they save. Can everybody afford to do this? Hell no, can all the fortune 500 companies afford to do this? They spend more on bonuses per department, so yes, easily.

      On that note, I've never heard of an experiment like this, I've heard of shadow domains to try and steal information, ex. gogle.com looks EXACTLY like google.com but is actually redirecting you to some crazy sites. Maybe this might be the wake up call needed for those IT departments, shame those domain names are already bought :P

    63. Re:Good test. by duguk · · Score: 1

      I was only responding to this part:

      just because my bank sent my bank statement to your house by accident, that does not give you the right to read or open it (at least not via post in the UK)

      Which has nothing to do with email and domain squatting and so on.

      If my name is Bill Smith and I live at 12 Station St and your bank decides to send your bank statement to me addressed as:

      Bill Smith 12 Station St.

      Then surely it can not be against the law for me to open the letter? How do I know it isn't for me before I open it?

      That's what I'm saying - if my name is Bill Smith and you cannot possibly "know or suspect to have been delivered incorrectly", then surely you opening it to find out would be considered a "reasonable excuse" under the law, no?

    64. Re:Good test. by bmo · · Score: 1

      But it's not addressed to someone else.

      I call myself Bob. If someone sends mail to me addressed to Bob at Anytown, USA, and they really meant to send it to Alice at Anytown, USA, it doesn't matter who it was "meant for" - the outside of the envelope clearly says "Bob Anytown, USA"

      I fucking own it. Go ahead, try to sue me.

      --
      BMO

    65. Re:Good test. by Anonymous Coward · · Score: 0

      I would like to note that it states opened. Since an e-mail is data it can be read directly without being 'opened'. The only protection that is available to them is if it's encrypted. Here in the US that would make it illegal to decrypt under the DMCA, with a few exceptions. I believe the EU has a similar law that would protect encrypted e-mails as well.

    66. Re:Good test. by mlts · · Score: 1

      I know this might be a dumb idea, but instead of relying on a dubious disclaimer, why don't companies encourage internal employees and partners to use S/MIME, or even better PGP encryption?

      PGP can be used with ADKs (additional decryption keys) to ensure recovering of data (important for regulations and legal compliance.) S/MIME can be used, although it might be less secure if you don't watch your CAs. Almost all general purpose MUAs support S/MIME and have some type of plug-in for PGP/gpg. Even the mailer in iOS 5 has S/MIME key support. Barring that, it isn't too tough to copy and paste text to a PGP decoder.

      With PGP, gpg, or S/MIME, if a message gets delivered to the wrong person, unless the mis-addressed party has the resources of a country intelligence department, it really doesn't matter.

      Why isn't encryption more prevalent these days?

    67. Re:Good test. by reub2000 · · Score: 1

      Well if you register a domain like hotmsil.com, most people would assume that mail being sent there was intended for addresses ending in hotmail.com.

    68. Re:Good test. by duguk · · Score: 1

      I would like to note that it states opened. Since an e-mail is data it can be read directly without being 'opened'. The only protection that is available to them is if it's encrypted. Here in the US that would make it illegal to decrypt under the DMCA, with a few exceptions. I believe the EU has a similar law that would protect encrypted e-mails as well.

      That's irrelevant - the original post was about applying the postal laws to email. If these domain squatters 'knows or reasonably suspects the post has been incorrectly delivered'; then if we were to apply these laws to domains and email - it would be illegal. Encryption is entirely irrelevant.

    69. Re:Good test. by adolf · · Score: 1

      It appears that many British are just idiots.

      There. Fixed that for you.

    70. Re:Good test. by Anonymous Coward · · Score: 0

      "Delivered incorrectly" is different from "addressed incorrectly". One is an error of the Postal Service, the other is an error of the sender.

      Correct! Actual cases where mail correctly addressed and sent to that address, but opened by another recipient at that address ruled as not illegal. eg. correctly addressed mail sent to BillGates@microsoft.com and opened by SteveBalmer == not illegal, incorrectly addressed mail sent to BillGates@mikrosoft.com and opened by anyone at mikrosoft.com also not illegal.

      Morons of the world unite and demand laws against bad weather and sharp corners on furniture.

      NOTE: to the best of my, qualified, knowledge - ignorance is only an excuse when defending against liability for dispensing bad legal advice (seriously). They pound that into you at the "College of Knowledge" before you are licensed to practise.

    71. Re:Good test. by Anonymous Coward · · Score: 0

      that is addressed to someone else.

      It was addressed to me; I own the address that received it,

      Nice try, but FAIL.

      The laws for electronic mail are based on snail mail laws. If it's delivered to the right house, any occupant of that house can open the mail. It's when it's addressed to hotmail.com and you are with dick.com you have problems. That's why reading the legislation doesn't make you a lawyer. Big difference between *recipient* and *address*. NOTE: (not you) people without a clue, quoting laws pertaining to evidence (ie Regulation of Investigatory Powers Act 2000) to support their "belief", are no substitute for a qualified legal opinion.

    72. Re:Good test. by Anonymous Coward · · Score: 0

      The "think of the environment before printing this email..." line is mostly used by people who already use a huge e-mail footer, so even for an e-mail containing just 3 lines of useful text, the "think of the environment" line gets pushed to the second page when printed. This does not only waste 100% extra paper, if this extra sheet is not instantly thrown away, it could also end up wasting staples to combine the two pages.

    73. Re:Good test. by Anonymous Coward · · Score: 0

      It doesn't. It didn't work for real mail so why should it work for email?

      You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.

      In the digital age, any legal parallels with the analog past are null and void. Money talks and it talks louder today than ever before.

    74. Re:Good test. by tomhudson · · Score: 1

      To answer your last question "Why isn't encryption more prevalent these days", it's because it's not integrated into the individual services - people have to *THINK*, and thinking is hard. Plus, they don't realize that there is a problem in the first place.

      Barring that, it isn't too tough to copy and paste text to a PGP decoder.

      For the majority of the population, yes, it IS too tough. We're talking about users who are, in so many cases, barely over the "the coffee cup holder in my computer is broken" level. When you ask them to type a web site address in the url bar, they type it into the search box instead - and keep complaining that they can't find the newly-registered domain, because even though it's been propagated for 3 days, Google hasn't found it yet (this last was from a programmer who has since stopped programming, thank $DIETY_OR_DARWIN_PICK_YOUR_POISON).

      Look at how many businesses are using Google Docs to store their company data, internal communications, etc., outside their control. And using gmail for stuff that should be private. When you think of it, that's insane ... totally gonzo.

      I for one am sick of the whole "if you have nothing to hide" lame excuse for turning me into a product to be sold to advertisers. I am *not* a product. I am *not* a number. I am *not* a statistic to be sliced and diced and analyzed and fed the thin gruel that passes for "what's hot today." A few of us started discussing solutions to this in one of my journal entries yesterday here. Please feel free to throw bricks as needed :-)

    75. Re:Good test. by mlts · · Score: 1

      I agree 100%. The "if you have nothing to hide" BS rings hollow as soon as you replace "law enforcement" with "thieves". When I send out a signed/encrypted statement to a client via PGP, it is encrypted not to keep the po-po out, but to keep who may be listening on the line off, be it a dodgy wi-fi spot, or somewhere along the line things got compromised, such as a compromised CA.

      Same reason I lock my doors. Let other people make it easy for the criminal element to victimize them.

      What people fail to realize with the cloud concept is that some data center somewhere has to store the data, and that cost is going to be passed onto someone. Storing a company's assets on Google Docs means that blackhats have more eggs in one basket, and if Sony (which was known for hyper-aggressive legal action against anyone who appeared to crack any of their security measures) was completely owned, then anyone can be taken over. Keeping one's data at home means that a cracker now has to choose targets, as opposed to just spending time going after the big juicy one.

      Basic security 101 states to keep things separate as much as possible. With cloud computing, businesses and individuals are encouraged to do the diametric opposite -- store everything in one location.

      What people don't realize is that the info that they willingly give out may be what hangs them later on in life. Say their local government decides to go on a "proactive anti-terrorist campaign", does a search on FB for people who like a certain group or philosophy. By simple weighting of statements and then a subsequent sending out of police to do knocks on doors, those people can be removed from society in minutes.

      On a longer term scale, what goes onto FB will affect job prospects later. For example companies who riffle through FB profiles and look for terms that are potentially racist, then stamp "UNHIRABLE" on people's foreheads. Even with FB stuff set private, it isn't hard for employers to demand friend access, and recently, a friend of mine had in the employment contract that hiding messages from the employer's "friend" account was grounds for immediate termination.

      E-mails are a treasure trove too. Even more insidious is that people are wising up that Facebook is public, and not to post there. However the same data mining can be done to mail as well. A repressive government can find a person of interest, then check who emails to/from and what the contents are. Then it is trivial to send a couple people to pick up that person and introduce them to room 101.

      One doesn't have to be paranoid about it -- one doesn't have to have a version of PGP predating a certain day in 1994, and Symantec's PGP utility is what I use if on Windows for pure convenience sake. However, it would be nice if people just started encrypting what they said to private keys, although signing before encryption would add a layer of security and prevent fake mail.

      Maybe it might be time for some more PGP/gpg tools to make life easier as well. PGP/gpg keyserver code needs a facelift, and better options for replicating keys, as well as allowing keys to be marked as revoked if signed revokers say so, as well as giving notice about ADKs used.

      Of course, having more MUAs support OpenPGP stuff directly would be nice, as opposed to having to cut/paste, or use Hushmail's web page for decryption of stuff if one doesn't have access to a PGP app.

    76. Re:Good test. by lsatenstein · · Score: 1

      There is a difference between paypal.org and paypall.org

      Which is the correct URL?

      --
      Leslie Satenstein Montreal Quebec Canada
    77. Re:Good test. by AK+Marc · · Score: 1

      In New Zealand, it's fraud to use money that wasn't intended for you, even if it made it into account on error of the sender. So if someone "accidentally" transfers $1,000,000 into your account, you commit a felony if you take it out and spend it. So you are wrong.

    78. Re:Good test. by WindShadow · · Score: 1

      Not true, at least in the UK:

      Interfering with mail - Postal Services Act 2000 Section 84 Triable Summarily (Magistrates court) 6 Months and or a fine (Max) A person commits an offence if they without reasonable excuse intentionally delay or open a postal packet in the course of transmission by post or intentionally opens a mail bag. A person commits an offence if, intending to act to a person's detriment and without reasonable excuse, opens a postal packet which they know or suspect to have been delivered incorrectly.

      And there's the rub, if the mail is delivered as addressed, can it be said to be delivered incorrectly? This is why lawyers exist, to convince a judge or jury that what the law says is not what it means.

      If you work for the Post service you could commit other offences under Section 83 triable either way (Magistrates or Crown court) and get a sentence of 2 years and or a fine.

    79. Re:Good test. by PoopCat · · Score: 1

      The recipient is the person who received the transmission, be it via physical or electronic delivery. THAT was the part I was responding to; giving you the benefit of the doubt by assuming you might have meant "intended recipient" was mere charity on my part, since you seemed to have trouble with the concept of "recipient". No anger, I assure you.

      In case you're still not clear: if an email appears in my inbox, I am the recipient. If a postcard appears in my physical mail box, I am the recipient. In both cases, regardless of the intent of the sender.

    80. Re:Good test. by PoopCat · · Score: 1

      What if the domain is hotmale.com?

      Who is this "most people" of which you speak?

    81. Re:Good test. by Medievalist · · Score: 1

      All the mail I get is addressed to me. It has my name on it, my address on it. It has my name in the SMTP envelope, it has my name in the salutation, it has my name in the "To:" field.

      The lusrs that sent it typed in the wrong address, but the person they wanted to send it to has the same name I do. Capisce?

      Human names are not reliably unique.

  3. Ummm...OK by Anonymous Coward · · Score: 0

    Ummm...OK

  4. Behind the Keyboard by Anonymous Coward · · Score: 0

    (posting AC because I'm at work...)

    Proof that the biggest security vulnerability remains behind the keyboard.

  5. NO TYPING! by ColdWetDog · · Score: 1, Funny

    The attacker relies on the fact that users will always mistype a certain percentage of e-mails they send.

    Who is doing this? Who types email addresses and doesn't use a contacts list or similar?

    I suppose this is Windows' fault but typing is so 20th Century....

    --
    Faster! Faster! Faster would be better!
    1. Re:NO TYPING! by Anonymous Coward · · Score: 0

      How the hell is this Windows' fault?
      For the sake of humanity, don't reproduce.

    2. Re:NO TYPING! by ArrowBay · · Score: 1

      True, contact lists and autocomplete should eliminate this... in theory.

      In practice, there are legitimate holes in the system. Maybe you fatfinger the address when sending from your smartphone, where you can't access your contact list. Or maybe a colleague or client mistypes the address in an e-mail to multiple people, and then you simply "reply all" not realizing that address was wrong -- which sends the mail to the wrong address, but also gets your e-mail software to assume that's a valid address to add to your contact list.

      It also has nothing to do with Windows, unless Microsoft is more omnipowerful than I thought...

      --
      Domains, shared and dedicated hosting, SSL certs, and more: ArrowBay.net
    3. Re:NO TYPING! by jeffmeden · · Score: 1

      Any sufficiently advanced operating system would have known who you meant to email and automatically routed the message regardless of your inability to type "landolakes.com" without making a mistake. Duh.

    4. Re:NO TYPING! by Anonymous Coward · · Score: 0

      I dislike Windows as well but Outlook does auto-complete email addresses so you can't place the blame there. Additionally companies usually have global contact lists so I'm not sure why people are manually typing these email addresses, especially since these corporate users are undoubtedly using Outlook.

    5. Re:NO TYPING! by phallstrom · · Score: 1

      You have to type it in the first time -- unless they sent you an email. So.... type it in wrong. Send off an email. Oops. Now it's in your mail app's magical "previous recipients" list. Update your official contact list. Send them another email. But your mail app decides to use the previous recipient entry since it's "more recent" (or whatever) than your official contact entry. Unless you click on the person's name to verify the updated address you'll never know and another misdirected email is sent.

      In my experience a much bigger problem is folks who deal with a lot of third party contacts... John Smith at CompanyA and John Smyth at CompanyB. The user starts typing "John" and lets it auto complete. Maybe they even see the first "Sm" and assume it's good. And off the email goes to the wrong people. When I worked in IT I'd get frantic calls from people asking if I could stop an email from going out because they'd realize it just after sending it...

    6. Re:NO TYPING! by Anonymous Coward · · Score: 0

      Windows has fucking nothing to do with it, retard.

    7. Re:NO TYPING! by SleazyRidr · · Score: 1

      When you're working with someone from a different company, they won't be in your company's address book, so you have to type it in at least once to get it into your personal address book. If your company manages it well, that'll go into the corporate address book, but you'll still need to add people from other companies from time to time.

    8. Re:NO TYPING! by Anonymous Coward · · Score: 0

      Don't worry, it's never gonna happen, he's a Linux user.

    9. Re:NO TYPING! by Nethemas+the+Great · · Score: 1

      Actually it might be Windows' fault for your preconceptions however it isn't for the email. Properly interpreting a noisy communication of an email address would be the responsibility of the email client application not the OS, for the OS has no business dealing with such high level issues.

      --
      Two of my imaginary friends reproduced once ... with negative results.
    10. Re:NO TYPING! by Nethemas+the+Great · · Score: 1

      There's also the good fun of these contact lists being created on the spot by means of "first entry". If you entered it in wrong the first time there will be a contact entry made with the wrong address. Any future emails will have a far greater chance of auto-correcting to the incorrect address and all it takes is a person not paying attention to send it off as such.

      --
      Two of my imaginary friends reproduced once ... with negative results.
    11. Re:NO TYPING! by Anonymous Coward · · Score: 0

      It's not just third parties. Payroll recently hired someone that shares my first and last name and since I show up in the company address book first, I've been getting a number of rather sensitive emails that should probably be going to payroll and no one else. The problem is how do you know that "John Smith" is the John Smith you are looking for when you start typing the name in the auto-complete box.

    12. Re:NO TYPING! by Reverand+Dave · · Score: 1

      Totally 20th century. Personally, I only use eye movements and slight neck twitches for e-mail inputs. In fact, this post is composed solely of copied and pasted letters and characters.

      --
      I got here through a series of tubes
    13. Re:NO TYPING! by bigredradio · · Score: 1

      You must be new here.

    14. Re:NO TYPING! by Anonymous Coward · · Score: 0

      I type the addresses *most* of the time. About the only time I do not type the full email is at work, where once I type a few chars the name pops up.

      After having my free mail accounts hacked and everyone in my address books spammed like it was coming from me, I deleted all the contacts from online email accounts. I have everyone in a file stored locally and I either copy & paste or just type in the ones I pretty much have memorised at this point. And occasionally I do get 1 or 2 wrong. But for me it's worth it since some of my less technically inclined friends don't seem to have a problem getting a blank email with a single strange link and clicking it. They assume if it came from me it must be ok, or that I somehow owe them free tech support because "my" email "they" opened caused them a problem.

      Long story short, there are those of us who still type in addresses.

    15. Re:NO TYPING! by Darinbob · · Score: 1

      You don't type? How did you compose your post?

    16. Re:NO TYPING! by shentino · · Score: 1

      Only problem is that a system smart enough to do that is also a system I wouldn't trust because I know the government may wish to have subverted it.

    17. Re:NO TYPING! by icebraining · · Score: 1

      If you have a data plan (well, you can send emails) and you don't have 'access' to your contact list, you're doing it wrong. Even my older-than-the-iphone Nokia S60 phone can sync contacts.

    18. Re:NO TYPING! by guruevi · · Score: 1

      Well, the problem with contact lists (in large companies at least) is that they are maintained by secretaries. If somebody then makes the mistake of typing seibm.com instead of se.ibm.com, EVERYBODY sends the wrong e-mail for hours if not days until it gets discovered.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    19. Re:NO TYPING! by h4lphl33tor · · Score: 1

      Strange, they should only have gotten negative results if they had multiplied.

  6. So what is this an argument for? by JoshuaZ · · Score: 1

    One obvious lesson for this is that using email systems that have autocompletes for addresses you've already used or have had replies from is obviously important. A lot of modern software does this although some does not (my university's default webmail application doesn't for example although gmail does). Another more technical response to this is for people to use public key encryption when they are sending sensitive stuff. There's still some danger that they will at some point look up the public key but this will at least reduce problems. And there are obvious ways of distributing a lot of these keys in a secure fashion. For example, when you go to a bank to open a new account they could hand you a physical USB with their public key on it. Similarly, if one is an employee of a company they could physically do the same thing. One has enough real world interactions with people in the sort of circumstances described by the researchers that the thorny problems of key distribution are much simpler. However, I doubt almost anyone will implement this sort of thing since it is a change from the status quo which involves new technology to prevent what they may see as minor risks.

    1. Re:So what is this an argument for? by SuricouRaven · · Score: 1

      The whole point of a public key is that it's public. The bank doesn't need to give you the key on a USB stick - they can just put it on their website. If someone actually tries to impersonate a bank website, then you can let loose the lawyers of war.

    2. Re:So what is this an argument for? by jeffmeden · · Score: 1

      One obvious lesson for this is that using email systems that have autocompletes for addresses you've already used or have had replies from is obviously important. A lot of modern software does this although some does not (my university's default webmail application doesn't for example although gmail does).

      Don't forget the very real problem of someone's self-configured email client putting the wrong return address on everything. Although they "should" catch it quite quickly as they see a distinct lack of responses to any emails they sent out, it might not be enough for some people. More strict send rules for all values in the email header could probably eliminate 99% of this traffic from ever happening. Just set the server up to read the recipient, check for similar domains, and weight the domains by "legitimacy" (should be easy in most cases) and if there is a domain with a higher legitimacy rating than the one used, the email is queued and the sender gets a note saying that they need to check the recipient and if they really meant to use that address they can click a link to send it on, and if not click a different link and it will be sent to the right domain.

      It's not perfect, but the right algorithm could catch a whole lot of this with minimal effort. Come to think of it, I smell a patent...
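
The recipient check proposed in the comment above, sketched as an added example (not part of the original thread and not any mail server's own API). The domain list, the "legitimacy" weights, the function names and the distance threshold are assumptions made for illustration; the sample domains are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: domains this organisation already corresponds with,
# each with a hypothetical "legitimacy" weight (here: count of past exchanges).
KNOWN_DOMAINS = {
    "example.com": 4000,
    "se.example.com": 950,
    "partner-bank.example": 300,
}


@dataclass
class Verdict:
    action: str                # "deliver" or "hold"
    domain: str                # normalised recipient domain
    suggestion: Optional[str]  # more legitimate lookalike, if one was found
    reason: str                # "ok", "dots-differ" or "typo"


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2 = []
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "exmaple" for "example".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def recipient_domain(address: str) -> str:
    """Lower-case domain part of an address, without a trailing root dot."""
    local, sep, domain = address.rpartition("@")
    domain = domain.strip().rstrip(".").lower()
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain


def check_recipient(address: str, known=None, max_distance: int = 1) -> Verdict:
    """Hold the message if a more legitimate lookalike domain exists."""
    known = KNOWN_DOMAINS if known is None else known
    domain = recipient_domain(address)
    used_weight = known.get(domain, 0)  # unknown domains have no history
    best = None  # (weight, candidate, reason)
    for candidate, weight in known.items():
        if candidate == domain or weight <= used_weight:
            continue
        if candidate.replace(".", "") == domain.replace(".", ""):
            # Same characters, only the dots differ: the "doppelganger"
            # case from the article (se.example.com typed as seexample.com).
            reason = "dots-differ"
        elif osa_distance(domain, candidate) <= max_distance:
            reason = "typo"
        else:
            continue
        if best is None or weight > best[0]:
            best = (weight, candidate, reason)
    if best is None:
        return Verdict("deliver", domain, None, "ok")
    return Verdict("hold", domain, best[1], best[2])


def screen_outbound(recipients):
    """Return only the verdicts that need the sender's confirmation."""
    return [v for v in map(check_recipient, recipients) if v.action == "hold"]


if __name__ == "__main__":
    # Constructed recipients for a single outbound message.
    sample = ["alice@se.example.com", "alice@seexample.com",
              "bob@exmaple.com", "carol@unrelated.example"]
    for v in screen_outbound(sample):
        print(f"HOLD {v.domain}: did you mean {v.suggestion}? ({v.reason})")
```

A held message would be queued and the sender asked to confirm or correct the recipient, as the comment describes; the same check also catches a wrong entry before it is saved to a shared contact list.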

    3. Re:So what is this an argument for? by Anonymous Coward · · Score: 0

      No, but getting a bank to sign *your* key might be a great idea since they presumably will have verified your identity already. Might be a more trustworthy system than a key-signing party...

    4. Re:So what is this an argument for? by JoshuaZ · · Score: 1

      That's a really good idea. And it shouldn't be that hard to implement. You could possibly have the software update for new companies. I like your idea a lot.

    5. Re:So what is this an argument for? by XanC · · Score: 1

      Don't be so sure... One of our customers has her reply-to address set to an address pointing to a mailbox she never checks. She tells you her email address is X, and she does get mail addressed to X. But her emails come "from" (and "reply-to") Y. Y happily accepts mail, so there's no bounce or anything, it's just that it's a totally unused box at a no-longer-used domain.

      She doesn't seem to think this is a problem...

    6. Re:So what is this an argument for? by Chris+Mattern · · Score: 1

      One obvious lesson for this is that using email systems that have autocompletes for addresses you've already used or have had replies from is obviously important.

      Another obvious lesson is that once you've sent mail to wrong address, autocomplete will helpfully fill in that wrong address next time.

    7. Re:So what is this an argument for? by jackbird · · Score: 1

      AOL's webmail autocompletes EVERYTHING YOU'VE EVER TYPED that matches, including truncated and nonresolving email addresses. You have to manually dig into options and delete the duplicate/false 'contacts.'

  7. This is not new by arunce · · Score: 1

    Even I receive once and again this kind of emails, legitimate emails and almost all from the same people, once they make one mistake, more will follow. Sometimes I warn, sometimes I don't. I'm not their employee.

    1. Re:This is not new by Anonymous Coward · · Score: 0

      "Thank you for the information I can now use to sell on the black market"

  8. Common problem... by drosboro · · Score: 1

    I get the same situation. I've got a ".ca" with my last name, and a Canadian lawyer with the same last name has the ".com". I get a bunch of their email on my "catch-all", which is awkward, given the confidential nature of things you may discuss via email with your lawyer.

    1. Re:Common problem... by Anonymous Coward · · Score: 0

      Confidential things? Over email? Is this 1983?

    2. Re:Common problem... by Abstrackt · · Score: 1

      To date, I've only met one lawyer who encrypted legal communications. You think it would be more commonplace than it is for exactly the reason you described.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    3. Re:Common problem... by Fnord666 · · Score: 1

      Confidential things? Over email? Is this 1983?

      Doesn't matter. There will always be failures in any manual process. About once a week I get multi-page faxes to my home phone number, destined for law firms in my home town, that contain confidential information. In those cases I contact the firm and forward the information to them in whatever manner they ask, then destroy my copy. Funny thing is that in most cases, the real fax number isn't even close.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    4. Re:Common problem... by Culture20 · · Score: 1

      If you *think* you're conversing with your lawyer, but it's really someone else, is it still privileged info?

    5. Re:Common problem... by psydeshow · · Score: 1

      Anyone who can come up with a way to sign and encrypt email that makes sense to lawyers (my lawyer still uses AOL!) will make a helluva lot of money.

      They should have been doing it ten years ago. It should be illegal to send attorney-client privileged emails in plaintext. But guess who makes the laws?

    6. Re:Common problem... by Bob+the+Super+Hamste · · Score: 1

      Have you ever tried contacting the lawyer suggesting that he use encryption? As you are in Canada and the lawyer is in the US you wouldn't be subject to the US laws. I have actually had a similar problem but where people try to send me things but it goes to a different person in the company. Apparently there is another person with the same first and last name as mine in the company but they are over in England. If I ever get a chance to go over to England I may have to look him up. Every once in a great while I get some of his e-mail because someone selected the wrong one of us from the world wide address book.

      --
      Time to offend someone
    7. Re:Common problem... by Anonymous Coward · · Score: 0

      Perhaps you've heard of this thing called PGP, which more or less every mailer supports. It's been around since the early 90s.

      There's nothing unsuitable about email for confidential information. Email can be used incompetently, but so can anything.

    8. Re:Common problem... by WorBlux · · Score: 1

      Yes, if it's addressed to the lawyer, but that's not to say how it might be used out of court.

    9. Re:Common problem... by WorBlux · · Score: 1

      You can use imap to pull mail in from yahoo to his computer, and use any sane mail client which will encrypt outgoing mail (PGP extensions). Instruct clients to do the same or use hushmail (which does PGP automatically).

    10. Re:Common problem... by drosboro · · Score: 1

      Actually, both I and the lawyer are in Canada (ironically, their offices are about a 10 minute drive from my house). And I have contacted them - spoken to one of their lawyers in person, actually, when my realtor used them to execute my paperwork when I bought my house... but, as other commenters have pointed out, they aren't too quick on the uptake with things like PGP...

    11. Re:Common problem... by Imrik · · Score: 1

      Most likely it's because there is little incentive to use encryption. While there is the potential for public release, any supposedly private communications with your lawyer are subject to legal protections and can't be used in court.

    12. Re:Common problem... by MichaelSmith · · Score: 1

      Perhaps you've heard of this thing called PGP, which more or less every mailer supports.

      Not Outlook.

  9. Large firms to monitor domain registrations by PolygamousRanchKid+ · · Score: 1

    From TFA:

    Kim said that out of the 30 doppelganger domains they set up, only one company noticed when they registered the domain and came after them threatening a lawsuit unless they released ownership of it, which they did.

    I guess a domain registration police department will become common in large firms now.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    1. Re:Large firms to monitor domain registrations by Monchanger · · Score: 1

      I guess a domain registration police department will become common in large firms now.

      That's been a good idea since companies first started building a web presence. It's part of your brand and you want to make sure it's not tarnished. It should be one of the responsibilities of a corporate IT security department alongside encrypting laptops and intrusion detection.

      Probably cheaper to outsource at least the detection part to a company who specializes in exactly that thing. I'd be surprised to hear no company provides such a service by now; especially registrars who deal with domain names 24x7 and certificate authorities who rely on domain name accuracy for security.

    2. Re:Large firms to monitor domain registrations by blair1q · · Score: 1

      two things about it, though:

      1. getting all of the typo-domains near your trademark can be expensive or impossible

      2. if any are legitimate, you're just going to have to negotiate with them for what to do with missent emails

    3. Re:Large firms to monitor domain registrations by Jeng · · Score: 1

      At my work we have people sending stuff to a similar domain on a regular basis. We have info@*****inc.com while his is info@*****.com , the owner of the domain is nice enough to forward on the emails at least.

      --
      Don't know something? Look it up. Still don't know? Then ask.
  10. I own a domain name by rk · · Score: 1

    That has a similarity in name to one of the US Navy's aircraft carriers. I used to get a fair amount of email for people on that ship. Nothing classified (I would've been really disappointed and shocked, but probably not surprised), but there was one sailor in particular who must've had quite a taste for porn because that address got so much porn spam it was amazing.

    1. Re:I own a domain name by chinton · · Score: 1

      You're right, there is only one sailor with a taste for porn... ;-)

    2. Re:I own a domain name by Anonymous Coward · · Score: 0

      Lonestar!

    3. Re:I own a domain name by blair1q · · Score: 1

      The number with a taste for it is enormous. The number who don't know they can be disciplined for using the ship's internet connection to obtain it is closer to 1.

      In other news, Navy ships have internet connections. Not gob-smacking, but pretty cool.

    4. Re:I own a domain name by nine-times · · Score: 1

      You would have been shocked but not surprised?

    5. Re:I own a domain name by Anonymous Coward · · Score: 0

      You're right, there is only one sailor with a taste for heterosexual porn... ;-)

      FTFY.

    6. Re:I own a domain name by Anonymous Coward · · Score: 0

      This also used to happen with fax numbers that were similar to government/military/police fax numbers. There was a more recent case where the fax number of a Dutch police office was very similar to the fax number of the editor of a Dutch newspaper....

  11. Stolen email? by bmo · · Score: 4, Insightful

    No mail was stolen. It was delivered exactly where it was addresst.

    It's the fault of the monkey behind the keyboard and nobody else.

    --
    BMO

    1. Re:Stolen email? by Kreylix · · Score: 1

      Making the title of this post extremely poor.

    2. Re:Stolen email? by Trax3001BBS · · Score: 1

      You're right. I was going to ask why these researchers weren't being charged, but they did nothing wrong.

    3. Re:Stolen email? by Anonymous Coward · · Score: 0

      They may not have broken any laws, that remains to be seen. However, it's clear what they did was unethical and they did not act in good faith. They knowingly attempted to receive misaddressed e-mails. That's not ethical behavior.

    4. Re:Stolen email? by Jeng · · Score: 1

      They may not have broken any laws, that remains to be seen. However, it's clear what they did was unethical and they did not act in good faith. They knowingly attempted to receive misaddressed e-mails. That's not ethical behavior.

      They were attempting to quantify how much a problem this is. Can you suggest other ways this could have been done that you think would have been more ethical?

      --
      Don't know something? Look it up. Still don't know? Then ask.
    5. Re:Stolen email? by Darinbob · · Score: 1

      But the recipient was fraudulently pretending to be someone else. This is not a case of accidentally having a similar email address, instead the domains were created specifically to intercept misaddressed email. The con man should be considered guilty and not blame it solely on a naive victim.

    6. Re:Stolen email? by bmo · · Score: 1

      >But the recipient was fraudulently pretending to be someone else

      Nope. Nobody was representing themselves as "important.institution.com," they were representing themselves as "important.insttution.com"

      It's the old whitehouse.gov/whitehouse.com "problem."

      Even the US government couldn't make whitehouse.com change their name.

      --
      BMO

    7. Re:Stolen email? by bmo · · Score: 1

      I have to append this. The only way to get someone to change his/her domain is trademark law and icann dispute resolution.

      If it's not dispute resolution through icann, then there's no changing it.

      --
      BMO

    8. Re:Stolen email? by Anonymous Coward · · Score: 0

      The title of the GP cannot be called extremely poor. It was written exactly how it was conceived (in bmo's idiot half-brain).

      It's the fault of the monkey behind the keyboard and nobody else.

    9. Re:Stolen email? by Anonymous Coward · · Score: 0

      Ah, I see. You've never, ever made an error in your life that was used unfairly against you.

      But there's always the first time, right? Let's see. "addresst" ? What kind of a nincompoop who can't spell types that? You're such a fucking idiot, aren't you? Can't spell, and can't even turn on a spell checker. Moron. Everybody knows now.

      See how it feels?

    10. Re:Stolen email? by Anonymous Coward · · Score: 0

      > addresst

      Oh, scandinavian ancestors? God :)

  12. This is why I turned off my catch-all by Quila · · Score: 1

    My domain is a letter off from a big company's, and I used to get what looked like pretty sensitive email all the time. After a few attempts to tell employees to stop doing it, I just turned off the catch-all.

    1. Re:This is why I turned off my catch-all by Animats · · Score: 1

      Me too. I have a .com domain which is the same as a school domain in .co.uk. I used to get a fair amount of their mail, until I turned off the catch-all address.

      (That was years ago. Today, if you have a catch-all address, you get to see the same spams come in for a long list of common names.)

    2. Re:This is why I turned off my catch-all by laejoh · · Score: 1

      That's exactly why I have a xxx domain!

  13. +1 for security research by Anonymous Coward · · Score: 0

    This type of research is priceless to IT, demonstrating the weaknesses of our systems is the best way to plan security strategies.. good work :)

  14. This reminds me by ThatsNotPudding · · Score: 1

    must check if Slashdot.xxx is still available.

    Hmm, on second thought, no one would ever go there.

    1. Re:This reminds me by Anonymous Coward · · Score: 0

      $200 to register a .XXX AND it's gonna be filtered everywhere.... fuck the XXX tld

    2. Re:This reminds me by Anonymous Coward · · Score: 0

      Cowboy Neal would, and he'd probably search for "taco". And now I will be forever cursed with that mental image.

      Dear god, no. CAPTCHA = "swollen". Kill me already.

    3. Re:This reminds me by blair1q · · Score: 1

      They will if I squat on Slashdot.Com at the right time...

  15. Self funding research by RNLockwood · · Score: 1

    "The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions."

    I wondered how they could pay for their research in this era of vastly reduced funding - it's self funding!

    --
    Nate
    1. Re:Self funding research by Riceballsan · · Score: 3, Interesting

      Better question, why are high end companies sending top secret confidential data over normal unencrypted e-mail. Even your bottom of the line MMORPG sends a note to its users saying a GM will never ask for or send your password via e-mail, but our Fortune 500 companies can't match that level of security? Typical e-mail passes unencrypted past so many hands it isn't funny, the typical e-mail from home to work, passes unencrypted across a wifi network, that may or may not be compromised if it was even bothered to be secured, to your ISP where low wage monkeys may or may not have access, across the cloud where it will pass through unknown number of nodes, to the entry mailservers at said company, that may or may not be managed by medium wage contractors that know they only have the job for a few months at best anyway, finally to the person who it is intended to go to. Yeah I see no reason to think twice before sending my SSN CC# and confidential data through an e-mail.

    2. Re:Self funding research by Anonymous Coward · · Score: 0

      I used to know a guy who ran a local ISP and his hobby was to read his customer's e-mail.

    3. Re:Self funding research by Anonymous Coward · · Score: 0

      Better question, why do email applications default to sending unencrypted e-mail in the first place? The default should be encryption turned on. If you want to fix the problem, you need to go to the source.

    4. Re:Self funding research by blueg3 · · Score: 1

      Better question, why do email applications default to sending unencrypted e-mail in the first place? The default should be encryption turned on.

      You can't default to something that requires a preliminary exchange of information. While you can encrypt the SMTP exchanges, the e-mail itself can only be meaningfully encrypted if the recipient transmits his key to the sender beforehand (using a mechanism that prevents a man in the middle attack on the key exchange).

    5. Re:Self funding research by blair1q · · Score: 1

      They reported in their findings the emails sent to people who didn't pay.

      Note the absence of any mention of pr0n or affairs.

    6. Re:Self funding research by blair1q · · Score: 1

      It didn't say "top secret". It just said sensitive security info. What's significant gold to a h4xx0r may be gibberish to some, or mundane to those who requested it.

    7. Re:Self funding research by Anonymous Coward · · Score: 0

      Better question, why are high end companies sending top secret confidential data over normal unencrypted e-mail.

      You don't know that they are.

      I can require TLS on outbound mail, refusing to send the message if the receiving MTA doesn't support TLS. I can route my outbound email through a security service that will hold the message in a database and email the recipient a notification that a secure message has been sent to them, requiring them to log into a web site (via HTTPS) to read the message online without the message ever being sent plain-text anywhere. In either case, the sender understands that the contents of the message are sensitive and normal plain-text email is not secure, they've been instructed by their IT department in how to send a message securely, and they are taking the extra steps to follow that procedure.

      On the receiving end, if I'm a large bank, I can require every firm I do business with to force the use of TLS encryption when sending mail to my domains. Once they've signed a form declaring that they're in compliance with the policy, my TLS enforcement department (I am not making that up, large banks have these) will test it by refusing TLS from that firm's domain and seeing if their servers fall back to plain text or not. If they can't pass the test, we'll stop doing business with them. (I could also refuse to accept incoming plain-text email, but of course that would clearly violate RFC 3207 section 4 [previously RFC 2487 section 5] which explicitly says not to do that.)

      None of this changes the fact that the sender typed the wrong address.

  16. Both my wife and I regularly receive email... by manonthemoon · · Score: 1

    intended for others. I have a full name @mac/@me account and my wife has a full name @gmail.com and I assume these people chose 1stnameLastname+1 account names making it very easy for their friends and business acquaintances to wrongly send us their email instead. I've gotten sensitive business information, invitations to exclusive events (unfortunately in the UK so I can't attend). My wife has had an interesting time unintentionally following the life of a New York mover and shaker.

    We don't know the real recipients' actual email addresses so we can't warn them and have to read our own email to find out if it is intended for us or not so we can't help but read their email. Interesting conundrum.

    This research result is not at all surprising- it is the same thing, just at a bigger scale and deliberate.

    1. Re:Both my wife and I regularly receive email... by Registered+Coward+v2 · · Score: 1

      intended for others. I have a full name @mac/@me account and my wife has a full name @gmail.com and I assume these people chose 1stnameLastname+1 account names making it very easy for their friends and business acquaintances to wrongly send us their email instead. I've gotten sensitive business information, invitations to exclusive events (unfortunately in the UK so I can't attend). My wife has had an interesting time unintentionally following the life of a New York mover and shaker.

      We don't know the real recipients' actual email addresses so we can't warn them and have to read our own email to find out if it is intended for us or not so we can't help but read their email. Interesting conundrum.

      This research result is not at all surprising- it is the same thing, just at a bigger scale and deliberate.

      I have a similar problem from time to time with my gmail account. In addition to your comments, some people seem to think that first.last and firstlast at gmail are different email addresses, as a result I periodically get emails for people who screwed up signing up for an online account, and since the company gladly accepted any email address as unique as long as it didn't match an existing one, signed me up.

      When it's obviously an error I reply saying - oops wrong person. All but one generally reply with a thanks. There was though, one luser who insisted *he* had the right email address and went so far as to suggest, when I asked him to simply verify the address with the person (it was a small private school), I change *my* gmail account because he *knew* his emails were going through. So, off to junk went any emails from his domain, since I learned a long time ago that stupid was unfixable. I figured sooner or later the real recipient would miss something important and fix the problem. Eventually, the emails stopped coming, so I guess he figured it out.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    2. Re:Both my wife and I regularly receive email... by Jeng · · Score: 1

      We don't know the real recipients' actual email addresses so we can't warn them and have to read our own email to find out if it is intended for us or not so we can't help but read their email.

      You can find the real recipients' actual email addresses with just a little leg work. Just reply to the sender and let them know the situation and ask if they could send you the correct email address or other contact information.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    3. Re:Both my wife and I regularly receive email... by Darinbob · · Score: 1

      I have received email meant for someone else for over a decade. This comes from different sources, almost all of it advertising for a particular town and a few makes of automobiles or mortgages. My email is something like "john@abc.com" and easy to remember by any and all, since I snagged it early before all the rush to get email addresses. I suspect this other person filled out some forms with this email address even though his actual address is "john.smith@abc.com" or "john3317@abc.com" or something like that. Or maybe he is even deliberately given out a phony email that sounds sort of like his name, so that he can keep the sales goons happy but not get any spam.

    4. Re:Both my wife and I regularly receive email... by ImprovOmega · · Score: 1

      I feel obliged to point out that 'abc.com' is an actual domain name. They've actually reserved example.com for just such uses as this. This way, if there actually is a |john|.|smith|at|abc|.|com| he won't get scraped up by a spambot from your illustration.

  17. doppelgänger by TangoMargarine · · Score: 1

    No reason to waste a perfectly good umlaut, right?

    --
    Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  18. steal is a little strong by YesIAmAScript · · Score: 1

    They captured 20GB of email.

    They didn't really steal it, people addressed the email to them, they just did it errantly.

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:steal is a little strong by MichaelSmith · · Score: 1

      I am made to use MS exchange and outlook at work now. Outlook maintains some local cache of email addresses for autocompletion purposes, and when it proposes recipients it hides the domain names. Some of our engineers work on site with our customers and use the customer IT systems so when I send mail to a co-worker I have no way to know if this is their internal account or their on site account. I complain to IT about this but they just shrug. If a domain with a typo gets in to the cache I may never know that it is there.

  19. A similar situation, different media. by Anonymous Coward · · Score: 0

    (back when)

    I had two phone lines one strictly for the modem.
    The modem line was a prefix away from the local mass transit's

    I would use the line for long distance calls as it wasn't limited as my
    other line was; anytime I hooked the modem line to a phone it would ring.

    Answering it I would get a question, not if this was the right place but
    the hours of a bus route.

    I ended up never answering it and pity the poor soul who ended up with
    the number when I gave it up.

  20. Not surprising by YrWrstNtmr · · Score: 1

    I have a very short (3 letter) AOL email address from days long gone by. I still check it every other week or so. I've been on a boy scout troop mailing list a few states away, a kindly grandmothers All Family contact list, and a few mislabeled business communications, most notably, someone buying a car in England.

    I emailed one guy back who was writing to his military son. He got all kinds of pissed off, and accused me of 'intercepting his emails'. Sorry dude...YOU screwed up.
    I always try to email them back to correct the problem, and usually they do.

    1. Re:Not surprising by MichaelSmith · · Score: 1

      One list I was on (maybe a java community list or some such) got used for trolling. Somebody subscribed this guy to the list and he went absolutely psycho whenever he got a message, which was every five minutes or so. After a few attempts at helping him unsubscribe the list admins just quietly removed him.

    2. Re:Not surprising by cffrost · · Score: 1

      I emailed one guy back who was writing to his military son. He got all kinds of pissed off, and accused me of 'intercepting his emails'.

      What an asshole. Here's what I would have written back:

      Dear Parent,
      I regret to inform you that your son was killed in action while on latrine duty. His death has been ruled a suicide, as he was found partially submerged in a latrine bowl. His corpse was buried at sea, as this was the most expedient way to dispose of it.
          -Sgt. Slaughter

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan

  21. Does intent count towards the law? by Anonymous Coward · · Score: 0

    I know the law varies wherever you go. But in general (or for the various locations of people here on /.) how does intent count towards the law?

    If I *wrongly* address (e)mail to the wrong person and they open it, sure it was my fault. And the person who opened it should not be liable because it was addressed to their address rightly or wrongly.

    But what about when a person does research and sees that the average person makes a certain mistake fairly regularly (such as spelling "teh" instead of "the")?

    If you set up an address with the intent to deceive, how does that play out in court? In the case (of the UK quote in these postings) it does say "...without reasonable excuse intentionally..."

  22. I've been doing this for more than two decades by Anonymous Coward · · Score: 0

    My name is David Smith, and I use my name as part of my email address. I get more misdirected mail than I can track. I have even made the acquaintance of several other David Smiths across the world and have been redirecting their mail to them.

    1. Re:I've been doing this for more than two decades by MichaelSmith · · Score: 1

      Back when webrings were popular I was contacted by a guy who wanted to create a Michael Smith webring. I think we had about fifty members. That's not bad considering that everybody had to have their own web site and this was in the mid 1990s. Don't ask me about creating a "smith" webring though.

  23. Typing is the solution, not the problem. by Medievalist · · Score: 1

    I administrate several email domains.

    The people who turn off autocomplete and type all their email addresses by hand do not make these mistakes, because they have significant amounts of practice typing them correctly.

    The people who use email clients that remember and autocomplete addresses don't ever integrate the RFC822 parse logic into their brains or fingers, so they always type .com for .net and .org addresses, and they always type smith when they mean smythe, and then forever after their mis-populated contacts list misdirects their email.

    Seriously, decades of experience here; I remember when SMTP was an exotic protocol. I get many error messages every day from the email servers, and many of those errors are from misaddressed messages, and the people responsible simply are NOT the ones typing in email addresses from memory. It's the contacts list people, always, nearly every single time.
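
An added example, not part of the comment above or of any mail client: one way an administrator could audit a saved contact or autocomplete list for the near-miss domains described in this thread (a one-character typo, a dropped dot, or .net typed for .com). The function names, the trusted-domain list and the sample addresses are constructed for illustration.

```python
def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain, trusted_domain):
    """Return why `domain` looks like `trusted_domain`, or None if it does not."""
    # Naive TLD split: treats only the last label as the TLD (so not "co.uk").
    if domain.rsplit(".", 1)[0] == trusted_domain.rsplit(".", 1)[0]:
        return "tld-swap"
    if edit_distance(domain, trusted_domain) == 1:
        return "one-edit"
    return None


def audit_contacts(addresses, trusted_domains):
    """List (address, trusted domain, reason) for near-miss recipient domains."""
    trusted = sorted({d.lower() for d in trusted_domains})
    findings = []
    for address in addresses:
        domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
        if domain in trusted:
            continue
        for good in trusted:
            reason = classify(domain, good)
            if reason:
                findings.append((address, good, reason))
                break
    return findings


# Constructed sample data: a contact cache and the domains the sender really uses.
TRUSTED = ["example.com", "eu.example.com"]
CACHE = ["alice@example.com", "bob@exmaple.com", "carol@euexample.com",
         "dave@example.net", "erin@partner.org"]

if __name__ == "__main__":
    for address, good, reason in audit_contacts(CACHE, TRUSTED):
        print(f"{address}: looks like {good} ({reason})")
```

Unrelated domains such as the constructed partner.org pass silently; only entries one edit or one TLD away from a trusted domain are reported for a human to review.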

  24. Based on the traffic through our mail gateways by SkimTony · · Score: 1

    That's an underestimate. Sadly.

  25. Did this at an old employer by cluedweasel · · Score: 1

    I used to work for an Infiniti car dealership. I noticed how many people referred to the brand as "Infinity" instead, so I registered an alternative to the dealership's domain with the last "i" changed to a "y". That domain received well over 50 e-mails a week, not just sales inquiries, but finance and corporate mail too. Management weren't too happy, but I pointed out that it was better I'd registered it than someone outside of the company.

    1. Re:Did this at an old employer by lsatenstein · · Score: 1

      Did you charge stamp money to deliver the mail to them?

      --
      Leslie Satenstein Montreal Quebec Canada

  26. 1-800-OPERATER, anyone? by rocket+rancher · · Score: 1

    Reminds me of MCI typosquatting ATT's operator-assisted collect call service, 1-800-OPERATOR, by using 1-800-OPERATER. It was about twenty years ago, but I do remember ATT changing that promotion to 1-800-CALL-ATT, after losing something like half a million dollars to MCI in the first month because of poor spellers.

  27. Doesn't appear to apply by Anonymous Coward · · Score: 0

    That doesn't cover this case. No mail bag was opened so clause 1 doesn't apply. Clause 2 appears to apply to something where a post for "123 Fake Street" was delivered to you at "125 Fake Street", saying you can't just open it because the mailman dropped it in the wrong slot. That is not what happened in this case; in this case the mail was addressed to "125 Fake Street", and delivered to "125 Fake Street."

    Same thing here -- the title is wrong, the researchers did not steal any E-Mail whatsoever. The E-Mail was addressed to their domains, and simply misaddressed.

    1. Re:Doesn't appear to apply by Anonymous Coward · · Score: 0

      And in fact "typosquatting" does happen in the UK with real physical mail and it is not illegal.

      One of the obsolete UK railway companies ceased to legally exist. Making it possible to create a new company named that. Somebody did so, presumably intending to some day create merchandise which would legally use this significant name, which would have some cachet in the hobbyist market, but wouldn't cause any real confusion.

      But instead they got piles of mail intended for whatever railway company was currently responsible for this or that problem somewhere in the country. Demands for payment of utility bills, requests for authority to dig things up, and so on. They opened these letters, and they wrote very caustic replies, pointing out the foolishness of sending letters to a company based on the fact that it has the same name as a company which was at some previous time responsible for something.

      After a while they got threatening legal letters, and they began writing back to the client (not the lawyer) pointing out that a lawyer who can't even send their threatening letters to the right people is maybe not worth hiring. This resulted in even more useless threatening legal letters.

    2. Re:Doesn't appear to apply by duguk · · Score: 1

      And in fact "typosquatting" does happen in the UK with real physical mail and it is not illegal.

      One of the obsolete UK railway companies ceased to legally exist. Making it possible to create a new company named that. Somebody did so, presumably intending to some day create merchandise which would legally use this significant name, which would have some cachet in the hobbyist market, but wouldn't cause any real confusion.

      But instead they got piles of mail intended for whatever railway company was currently responsible for this or that problem somewhere in the country. Demands for payment of utility bills, requests for authority to dig things up, and so on. They opened these letters, and they wrote very caustic replies, pointing out the foolishness of sending letters to a company based on the fact that it has the same name as a company which was at some previous time responsible for something.

      After a while they got threatening legal letters, and they began writing back to the client (not the lawyer) pointing out that a lawyer who can't even send their threatening letters to the right people is maybe not worth hiring. This resulted in even more useless threatening legal letters.

      I'm fairly sure I've heard of this. But this new company wasn't deliberately set up for confusion; and it has no other running company to be confused with. If the company name or addressee is the same, it would be difficult for them to know it was a misdelivered package.

      It's not relevant whether it was delivered to the right box; because the law clearly states "without reasonable excuse, opens a postal packet which they know or suspect to have been delivered incorrectly".

      That is, unless you can think of a way of ensuring post is misdelivered to you, whilst making sure you never even begin to suspect that it wasn't meant to be delivered to you.

      My reply was meant to be a poke at the lack of knowledge surrounding the postal system (the OP was misinformed over the law), and how these laws cannot be related to email. However, if you want to apply them - you can't simply interpret them how you want. This thread has taken it way too seriously and completely missed the point.

  28. I get a lot of that by MichaelSmith · · Score: 1

    I own netapps.com.au for my own business and back in the day I got a lot of email intended for netapps.com. I always notified the originator of the mistake. Bounce spam is so common these days that I configure my mail server to accept all mail. I never bounce for address unknown.

  29. PGP by xororand · · Score: 1

    That's what you get for not using PGP.
    If you send secret corporate information on the equivalent of postcards, you have no right to complain.

  30. Re:A similar situation, different media. by SkimTony · · Score: 1

    My grandmother has a home number that was a prefix off from a local movie theater (they have long since changed it). They received a lot of calls for a while, and answered with something along the lines of "No, the correct number is ___." My grandfather had asked the theater to change their phone number, and they refused.

    So, since they were uncooperative, my uncles decided to stop being helpful when people called the wrong number. They had a lot of fun making up fake movie times, fake movie names, and bogus specials (Bring a friend for free on Tuesdays! Get free popcorn if you give the following password between 5 and 6 on Saturday night!). Ah, to be a fly on the wall when those patrons walked into the theater...