What Happens To Bounced @Donotreply.com E-Mails

An anonymous reader writes "The Washington Post's Security Fix blog today features a funny but scary interview with a guy in Seattle who owns the domain name donotreply.com. Apparently, everyone from major US banks to the Transportation Security Administration to contractors in Iraq use some variation on the address in the "From:" field of all e-mails sent out, with the result that bounced e-mails go to the owner of donotreply.com.'With the exception of extreme cases like those mentioned above, Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It's just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails.'"

Business plan

[Boa Constrictor]

It's not like he didn't see it coming -- "Unauthorized use of this domain gives me full rights to post any emails involved using the unauthorized address. Don't like it? Don't use it." The website is a blog based on the email he receives at the domain. Exploitative it may be, but I thought most folks with sense used "noreply@ourcompany.com" or variations thereof.

you can own the headline domain

[iamhigh]

DONTOREPLY.COM is available! Probably gets about as much crap - even slashdotters can't profread.

RFC 2606

[mmontour]

RFC 2606 [rfc-editor.org] (dated June 1999) solves this problem by defining reserved domains such as "example.com" (for use in documentation) and:

            ".invalid" is intended for use in online construction of domain
            names that are sure to be invalid and which it is obvious at a
            glance are invalid.

A possible use for example.com

[stevel]

ICANN reserved example.com, example.org and example.net for use in documentation and other places where you want to put an "example" domain name, but I find that most people are not aware of this. Email sent to these domains is discarded.

For reply addresses, a more reasonable protocol would be to use the sender's actual domain but with an invalid username, as Poromenos1 suggests. A further problem of using a domain not your own as a sender address is that the recipient's email server may block it due to SPF records or other checks on sender domains.

I remember once getting an incensed missive from the owner of asdfg.com who complained about emails we were sending him regarding updates of our product. Turned out that a user had entered that domain when he registered the product in an attempt to not get our emails.

Re:WTF

[Anonymous Coward]

May I suggest reading RFC 2606, Reserved Top Level DNS Names. There is example.com for a reason.

http://tools.ietf.org/html/rfc2606 [ietf.org]

Re:WTF

[sjames]

Surely they should use example.com (Documented in RFCs to never be a real domain). It has no MX and points to a simple web page that just says it's an example for documentation and gives a link to the relevant RFC.

They should be using...

[msauve]

donotreply.invalid or example.com. These are reserved for just this sort of thing by RFC 2606 [rfc-editor.org].

In a similar manner, people wanting fake IP addresses to use for documentation, training, etc., should use addresses in the 192.0.2.0/24 range, which is reserved by RFC 3330 [rfc-editor.org].

Re:forgery?

[GregGardner]

Whether it is arcane or not is debatable, but the CAN-SPAM Act of 2003 specifically prohibits using a false "From" header.

http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.shtm [ftc.gov]

"It bans false or misleading header information. Your email's "From," "To," and routing information - including the originating domain name and email address - must be accurate and identify the person who initiated the email."

Re:WTF

[assassinator42]

Most do. I just searched through my emails and found none that had a "donotreply.com"ish domain. Most were either something like donotreply@example.com or something@noreply.example.com.

Re:WTF

[EdIII]

Never attribute to incompetence what can be just as easily attributed to malice.

That statement works both ways :)

Nevertheless, your bring up a valid point. However, I have seen some rather malicious behavior coming from the Pointy Haired Ones that looks like incompetence at first glance. That's just their way.

As for the MX record, you are completely correct. The more elegant solution to be sure. The sending mail server will not even be able to resolve it, and no bandwidth is used at all.

Re:WTF

[Anonymous Coward]

That doesn't work if your mail server is on an IP address without an assigned domain name. Many mail exchanges will not accept messages originating from mail servers without a domain name, so naming donotreply.com or something similar as the message origin is the only way to get these messages to some people.

He's not just some guy in Seattle...

[Mr2001]

The guy who runs donotreply.com is Chet Faliszek, one half of the "Chet and Erik" who ran the gaming humor site Old Man Murray [oldmanmurray.com] and then went on to write the dialogue for Portal.

Incidentally, they never did send me a prize for winning that CrateMaster contest. Bastards!

Re:WTF

[Robert The Coward]

You would likely get branded a spammer and end up on a few black list.

Thanks
Robert

Re:WTF

[Anonymous Coward]

Those are RESERVED names, which means you're not supposed to use them in internet traffic.

It is really stupid to put a return address which is not under your control in your emails, no matter if that is a valid third-party-address, an invalid address or a reserved but technically valid address. You do not want emails to you to end up anywhere else, not even in the case of a misconfiguration (for example, when the postmaster of the remote MTA redirects mail addressed to reserved domains to a local address to keep them from going on the net in the event of DNS problems, etc. etc.) You do want all mail meant to reach you to arrive at your MTA, where it can be accepted, dropped or rejected. You also want to encrypt all emails which contain confidential information and make your business partners encrypt all email as well.

example.com or invalid or donotreply.mydomain.com

[billstewart]

Handing bogus traffic to other people is rude at best, even if it hadn't occurred to you that somebody would register donotreply.com. And any traffic they're getting is either bogus traffic (because people didn't read the message that said to click the web link, not to reply) or autoreplies from robots.

Handing mail to example.com is more or less fine - originally there wasn't anything there, though the fine people at ICANN decided to put an explanatory web page there; AFAICT, telnet example.com 25 times out. And "invalid"'s even better, since it NXDOMAINs, and you can use addresses like donotreply@really.donotreply.invalid.

But you can also manage it yourself - use a subdomain like donotreply.mydomain.com, with some appropriate treatment like NXDOMAIN or a stub email server that replies "554 we told you donotreply, please use the URL in our email" or points to 127.0.0.86 or whatever. That way it's obvious who;s managing it.

Of course, if you're using donotreply.com because you're a spammer, none of these explanations matter to you, because you're a rude nyeculturny thug who doesn't mind bothering people. And some fraction of the people who reply to those will be including their credit card numbers, mother's maiden name, and postal address, so that they can collect the Microsoft Lottery or order their Nigerian Herbal Fake Viagra, and well, more power to the folks at donotreply.com for offering to educate those poor suckers :-)

Re:WTF

[Jesus_666]

Not quite. [wikipedia.org] .invalid is an official TLD.