What Happens To Bounced @Donotreply.com E-Mails
An anonymous reader writes "The Washington Post's Security Fix blog today features a funny but scary interview with a guy in Seattle who owns the domain name donotreply.com. Apparently, everyone from major US banks to the Transportation Security Administration to contractors in Iraq use some variation on the address in the "From:" field of all e-mails sent out, with the result that bounced e-mails go to the owner of donotreply.com. 'With the exception of extreme cases like those mentioned above, Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It's just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails.'"
Business plan (Score:5, Informative)
you can own the headline domain (Score:2, Informative)
RFC 2606 (Score:5, Informative)
".invalid" is intended for use in online construction of domain names that are sure to be invalid and which it is obvious at a glance are invalid.
A possible use for example.com (Score:4, Informative)
For reply addresses, a more reasonable protocol would be to use the sender's actual domain but with an invalid username, as Poromenos1 suggests. A further problem of using a domain not your own as a sender address is that the recipient's email server may block it due to SPF records or other checks on sender domains.
I remember once getting an incensed missive from the owner of asdfg.com who complained about emails we were sending him regarding updates of our product. Turned out that a user had entered that domain when he registered the product in an attempt to not get our emails.
Re:WTF (Score:5, Informative)
http://tools.ietf.org/html/rfc2606
Re:WTF (Score:5, Informative)
Surely they should use example.com (Documented in RFCs to never be a real domain). It has no MX and points to a simple web page that just says it's an example for documentation and gives a link to the relevant RFC.
They should be using... (Score:5, Informative)
In a similar manner, people wanting fake IP addresses to use for documentation, training, etc., should use addresses in the 192.0.2.0/24 range, which is reserved by RFC 3330.
Re:forgery? (Score:5, Informative)
http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.shtm
"It bans false or misleading header information. Your email's "From," "To," and routing information - including the originating domain name and email address - must be accurate and identify the person who initiated the email."
Re:WTF (Score:3, Informative)
Re:WTF (Score:3, Informative)
That statement works both ways
Nevertheless, you bring up a valid point. However, I have seen some rather malicious behavior coming from the Pointy Haired Ones that looks like incompetence at first glance. That's just their way.
As for the MX record, you are completely correct. The more elegant solution to be sure. The sending mail server will not even be able to resolve it, and no bandwidth is used at all.
Re:WTF (Score:2, Informative)
He's not just some guy in Seattle... (Score:5, Informative)
Incidentally, they never did send me a prize for winning that CrateMaster contest. Bastards!
Re:WTF (Score:3, Informative)
Thanks
Robert
Re:WTF (Score:2, Informative)
It is really stupid to put a return address which is not under your control in your emails, no matter if that is a valid third-party-address, an invalid address or a reserved but technically valid address. You do not want emails to you to end up anywhere else, not even in the case of a misconfiguration (for example, when the postmaster of the remote MTA redirects mail addressed to reserved domains to a local address to keep them from going on the net in the event of DNS problems, etc. etc.) You do want all mail meant to reach you to arrive at your MTA, where it can be accepted, dropped or rejected. You also want to encrypt all emails which contain confidential information and make your business partners encrypt all email as well.
example.com or invalid or donotreply.mydomain.com (Score:4, Informative)
Handing mail to example.com is more or less fine - originally there wasn't anything there, though the fine people at ICANN decided to put an explanatory web page there; AFAICT, telnet example.com 25 times out. And "invalid"'s even better, since it NXDOMAINs, and you can use addresses like donotreply@really.donotreply.invalid.
But you can also manage it yourself - use a subdomain like donotreply.mydomain.com, with some appropriate treatment like NXDOMAIN or a stub email server that replies "554 we told you donotreply, please use the URL in our email" or points to 127.0.0.86 or whatever. That way it's obvious who's managing it.
Of course, if you're using donotreply.com because you're a spammer, none of these explanations matter to you, because you're a rude nyeculturny thug who doesn't mind bothering people. And some fraction of the people who reply to those will be including their credit card numbers, mother's maiden name, and postal address, so that they can collect the Microsoft Lottery or order their Nigerian Herbal Fake Viagra, and well, more power to the folks at donotreply.com for offering to educate those poor suckers.
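As an added example (not code from the thread or from any poster), here is the "stub email server" approach the comment above describes for a do-not-reply subdomain you control: it accepts the SMTP handshake but refuses every RCPT TO with a permanent 554 that points at a contact URL, so the sending MTA bounces to the real sender instead of queueing, and nothing ever lands in a stranger's mailbox. HOSTNAME, HELP_URL and the listening port are assumed placeholders.

```python
import asyncio

# Assumed values: a subdomain you own, and the page replies should go to instead.
HOSTNAME = "donotreply.mydomain.example"
HELP_URL = "https://www.mydomain.example/contact"

class DoNotReplyResponder:  # minimal RFC 5321 state machine that never accepts a recipient
    mail_from = None  # set once MAIL FROM has been seen in this transaction

    def handle(self, line):
        """Return the reply for one command line, or None once the client QUITs."""
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {HOSTNAME}"
        if verb == "MAIL":
            self.mail_from = arg
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Send MAIL first"
            # The whole point: a permanent failure for every mailbox, so the
            # sending MTA bounces to the real sender instead of retrying.
            return f"554 5.7.1 Do not reply to this address; use {HELP_URL}"
        if verb == "DATA":
            return "503 5.5.1 No valid recipients"
        if verb in ("RSET", "NOOP"):
            self.mail_from = None if verb == "RSET" else self.mail_from
            return "250 2.0.0 OK"
        if verb == "QUIT":
            return None
        return "502 5.5.2 Command not implemented"

async def session(reader, writer):
    """Serve one TCP connection: greet, then feed each line to the responder."""
    responder = DoNotReplyResponder()
    writer.write(f"220 {HOSTNAME} ESMTP stub; mail to this domain is not read\r\n".encode())
    while line := await reader.readline():
        reply = responder.handle(line.decode(errors="replace"))
        writer.write((reply or "221 2.0.0 Bye").encode() + b"\r\n")
        if reply is None:
            break
    await writer.drain()
    writer.close()

if __name__ == "__main__":
    async def main(port=2525):  # 2525 needs no root; a real deployment listens on 25
        server = await asyncio.start_server(session, "0.0.0.0", port)
        await server.serve_forever()
    asyncio.run(main())
```

Point the subdomain's MX at the host running this, and the remote MTA gets a hard failure on the first delivery attempt rather than a silent black hole or a retry queue.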
Re:WTF (Score:4, Informative)