
What Happens To Bounced @Donotreply.com E-Mails

An anonymous reader writes "The Washington Post's Security Fix blog today features a funny but scary interview with a guy in Seattle who owns the domain name donotreply.com. Apparently, everyone from major US banks to the Transportation Security Administration to contractors in Iraq use some variation on the address in the "From:" field of all e-mails sent out, with the result that bounced e-mails go to the owner of donotreply.com. 'With the exception of extreme cases like those mentioned above, Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It's just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails.'"
  • *Cough* (Score:5, Insightful)

    by geekoid ( 135745 ) <dadinportland&yahoo,com> on Friday March 21, 2008 @04:33PM (#22823432) Homepage Journal
    wikileaks might be a good place to expose those documents. Hey, they sent them to YOU. It will only take a few and this will be curbed.
  • WTF (Score:5, Insightful)

    by Poromenos1 ( 830658 ) on Friday March 21, 2008 @04:34PM (#22823436) Homepage
    What idiot decided this was good policy anyway? What happened to donotreply@companydomain.com?
  • by EdIII ( 1114411 ) * on Friday March 21, 2008 @04:39PM (#22823484)

    Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It's just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails.'"


    Sounds like he is the one being hurt here. Of course somebody has to own that domain (I guess) and he decided to. Terrible domain name, but still not his fault.

    Which brings me to:

    Apparently, everyone from major US banks to the Transportation Security Administration to contractors in Iraq use some variation on the address in the "From:" field of all e-mails sent out, with the result that bounced e-mails go to the owner of donotreply.com.


    All of these organizations and companies are just being cute by forging their FROM headers. Technically that should not be allowed, but you can do it anyways. They don't want to deal with it and they create "one-way" traffic by inserting bogus information into that header.

    The problem is that bogus information is an actual domain that is active and running a mail server. They are treating it like it is a reserved word.

    The lawsuits are funny, since the header information will show conclusively that those people intentionally redirected the traffic to this guy. If anything, he can counter-sue.

    The only thing I can think of is that donotreply.com becomes a reserved word, which is probably easier than getting all those mail administrators to change their behavior, or to get smarter.

    In any case, the domain owner is without fault on this one. Unless you count being stupid as a fault, which picking that domain is a little unwise.
  • Re:WTF (Score:5, Insightful)

    by rkanodia ( 211354 ) on Friday March 21, 2008 @04:44PM (#22823542)
    Because then, when people reply anyway, you get junk mail at your own servers. Using donotreply.com directs the problem to other people.
  • My domain (Score:3, Insightful)

    by Cytlid ( 95255 ) on Friday March 21, 2008 @04:47PM (#22823572)
    Because I have the existential geek name, as it appears in so many tech books, I registered Fredtest.com. You would be surprised how many other IT Freds out there send mail to Fred@fredtest.com.

    I got bored with replying (some guy in San Diego is a real estate agent for ReMax, I don't think he ever got it), so I just limited what my mail server will accept.

    Now it just bounces back to the sender and hopefully they think "oops, perhaps I shouldn't do that", which is what I believe this guy should do. Discourage the bad behavior, don't exploit it.
  • Re:WTF (Score:5, Insightful)

    by EdIII ( 1114411 ) * on Friday March 21, 2008 @04:54PM (#22823642)
    That is what you are supposed to do of course. If you are operating a mail server you are NEVER supposed to put information for domains you don't control into the headers. That is what spammers do.

    Now that I have thought about it a bit more, this is about the money. If they put donotreply@companydomain.com, then the inevitable replies would eat up their bandwidth and processing power on their incoming mail servers.

    By forging that information, which is not good policy, they are intentionally redirecting that reply to somewhere else. They may have thought that the sending mail server would simply give a permanent delivery failure notice to the sender, but in this case that forged information leads to an active mail server which accepts all of those emails.

    Who is the bigger "butthead" here? The companies intentionally forging their emails or the guy who owns this domain and is exploiting these companies (after they have already harassed him) to save a couple of animals?
  • by OrangeTide ( 124937 ) on Friday March 21, 2008 @04:55PM (#22823658) Homepage Journal
    He should provide a search feature for all the email, archive it, and then sell the full content of any email on the site for $1. There might be interesting stuff he's catching, especially if legal departments of various companies are going after him.
    (no I didn't RTFA)
  • Re:WTF (Score:5, Insightful)

    by AnotherBlackHat ( 265897 ) on Friday March 21, 2008 @05:01PM (#22823722) Homepage
    If the idea is to pick an email address that isn't in use, I recommend one ending with ".invalid" as in "address@is.invalid" or "noreply@domain.invalid"

  • Re:WTF (Score:5, Insightful)

    by vux984 ( 928602 ) on Friday March 21, 2008 @05:05PM (#22823752)
    Never attribute to malice, or even conscious thought, what can be attributed to incompetence.

    Anyone bright enough to -think- having the messages bounce to another domain would save them money should be able to think that maybe just maybe if they have the messages bounce to another domain that this other domain might actually exist, accept that bounced mail, and even read it.

    If they really wanted to save money, and not take that risk they could blacklist an address at their mail gate's front door. That would eliminate most, but not all the cost of handling the return mail.

    And it would be a simple matter to simply have it go to "donotreplay@donotreplay.company.com" which wouldn't have an MX record configured, and would thus never get anywhere. And being a subdomain of your own, it wouldn't be incidentally delivered to someone else either.
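
Added example, not part of the original thread: the comments above recommend that sender headers carry only domains you control, or the reserved `.invalid` TLD. This Python audit of outbound message headers applies that rule; `OWNED_DOMAINS`, `company.example` and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the domains this organization actually controls.
OWNED_DOMAINS = {"company.example"}
# Headers that tell receivers where replies and bounces should go.
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")

def classify_domain(domain, owned=OWNED_DOMAINS):
    """Return 'owned', 'reserved' or 'third-party' for a sender domain."""
    domain = domain.lower().rstrip(".")
    # Exact match or true subdomain only; "notcompany.example" must not pass.
    if any(domain == d or domain.endswith("." + d) for d in owned):
        return "owned"
    # .invalid is a reserved TLD (RFC 2606): nobody can register it.
    if domain == "invalid" or domain.endswith(".invalid"):
        return "reserved"
    return "third-party"

def audit_message(raw, owned=OWNED_DOMAINS):
    """Return (header, address, verdict) for each sender-side address."""
    msg = message_from_string(raw)
    findings = []
    for header in ADDRESS_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if not addr:  # e.g. the null return path "<>"
                continue
            domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
            verdict = classify_domain(domain, owned) if domain else "malformed"
            findings.append((header, addr, verdict))
    return findings

def third_party_senders(raw, owned=OWNED_DOMAINS):
    """Addresses that would hand replies or bounces to someone else."""
    return [(h, a) for h, a, v in audit_message(raw, owned) if v == "third-party"]

# Constructed sample messages (not real mail).
BAD = ("From: Bank Alerts <statements@donotreply.com>\n"
       "Reply-To: donotreply@donotreply.com\n"
       "To: customer@mail.example\nSubject: Your statement\n\nbody\n")
GOOD = ("From: Bank Alerts <donotreply@donotreply.company.example>\n"
        "Return-Path: <noreply@domain.invalid>\n"
        "To: customer@mail.example\nSubject: Your statement\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, audit_message(raw))
```
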
  • step 3 (Score:3, Insightful)

    by Scrameustache ( 459504 ) on Friday March 21, 2008 @05:14PM (#22823848) Homepage Journal

    The lawsuits are funny, since the header information will show conclusively that those people intentionally redirected the traffic to this guy. If anything, he can counter-sue.
    Sounds like a business plan!
  • by Teflon_Jeff ( 1221290 ) on Friday March 21, 2008 @05:19PM (#22823922)
    I know I looked into buying donotreply.com a while back, but it was taken. Makes me wonder why he bought that domain...
  • by noidentity ( 188756 ) on Friday March 21, 2008 @05:34PM (#22824062)

    I remember once getting an incensed missive from the owner of asdfg.com who complained about emails we were sending him regarding updates of our product. Turned out that a user had entered that domain when he registered the product in an attempt to not get our emails.

    I usually just do admin@domain, where domain is the domain of the stupid website I'm trying to access which pointlessly requires me to register first. The solution is to not require registration, rather than trying to block all the bullshit addresses the user might enter.

  • by solitas ( 916005 ) on Friday March 21, 2008 @05:42PM (#22824150)
    I know I looked into buying donotreply.com a while back, but it was taken. Makes me wonder why he bought that domain...

    Which makes us wonder, in turn, why YOU wanted to buy it...

  • Re:WTF (Score:5, Insightful)

    by Myopic ( 18616 ) on Friday March 21, 2008 @05:52PM (#22824246)
    Even better yet, accept email replies and provide conscientious service to your customers.

    Why even have a donotreply@company.com? How about customerservice@company.com? I guess that would make it too easy to get customer service.
  • Re:WTF (Score:3, Insightful)

    by Jack9 ( 11421 ) on Friday March 21, 2008 @06:13PM (#22824442)

    Never attribute to incompetence what can be just as easily attributed to malice.
     
    That statement works both ways :)

    It does not. One is a general rule that holds true in the majority of situations, the reverse does not, which is why the original is recognized at all. It works in this specific case, or you would not even bring it up.

    //pedantic
  • by chmilar ( 211243 ) on Friday March 21, 2008 @06:41PM (#22824708)
    The guy could make a lot of money harvesting the email addresses, and then selling lists to spammers.

    Anyone dumb enough to reply to "donotreply" is likely to buy products from spam emails!

    He could probably filter into lists based on the mail initiator, and the contents of the original email (quoted in the reply). Plus, the harvested emails are from currently active, valid accounts. These targeted lists of high-quality chumps would be worth paying extra for.
  • Maybe... (Score:5, Insightful)

    by msauve ( 701917 ) on Friday March 21, 2008 @07:48PM (#22825252)
    but that's not a foregone conclusion.

    "Under the common law and many statutes, an intent to take money or property to which one is not lawfully entitled must exist at the time of the threat in order to establish extortion...A person who acts under a claim of right (an honest belief that he or she has a right to the money or property taken) may allege this factor as an Affirmative Defense to an extortion charge. What constitutes a valid claim of right defense may vary from one jurisdiction to another. For example, M, a department store manager, accuses C, a customer, of stealing certain merchandise. M threatens to have C arrested for Larceny unless C compensates M for the full value of the item. In some jurisdictions it is only necessary for M to prove that he or she had an honest belief that C took the merchandise in order for M to avoid an extortion conviction. Other jurisdictions apply a stricter test, under which M's belief must be based upon circumstances that would cause a reasonable person to believe that C took the item. Another, more stringent, test requires that C in fact owe the money to M."
    If by putting a fake header in an email, you're filling my email inbox, you're causing me damage, both in terms of stolen resources (you are consuming both bandwidth and storage space, both of which I pay for), and my own time in sorting through the chaff. You owe me for my costs, both in actual dollars and in time and effort. You can choose to pay me a reasonable fee to cover my costs and efforts, or I'll let the government show you why you shouldn't have done it in the first place.

    BTW, don't assume that law is the same as ethics. There are a lot of illegal actions which are perfectly ethical, and vice versa. I choose ethics over law (which, at least in the US, has little meaning).
  • Re:WTF (Score:5, Insightful)

    by elronxenu ( 117773 ) on Friday March 21, 2008 @09:02PM (#22825786) Homepage
    And that's just fundamentally wrong. You can automatically filter out bounce messages and spam. When a message gets through the first level of checking, it can be tied to a customer, so the support person can know all that there is to be known about the customer at the time of reading the email.

    If you're sending communication as email, you should expect communication as email back.

  • Re:at least the US (Score:5, Insightful)

    by tsm_sf ( 545316 ) on Friday March 21, 2008 @09:20PM (#22825884) Journal
    No offense, but attitudes like that will kill this country. The "good enough" or "at least we're better than X" line of thought leads us into a race to 2nd from the bottom.
  • Re:*Cough* (Score:5, Insightful)

    by slawo ( 1210850 ) on Saturday March 22, 2008 @01:29AM (#22827072)
    In return he could sue the hell out of them for falsifying their e-mail headers and addresses and for using his domain name without his permission.
    In addition I'm pretty sure someone could probably find a way to use US copyright laws and make them pay money for using his domain name (Intellectual Property) without his permission.
  • Re:at least the US (Score:4, Insightful)

    by thegnu ( 557446 ) <thegnu.gmail@com> on Saturday March 22, 2008 @10:10AM (#22828988) Journal
    My attitude that the laws here are no match for ethics, and I can only think of an imaginary country where the laws are relatively representative of ethics? I'm not sure you understood what I meant.

    In this whole Rev. Wright thing, it's become very very apparent how the media neglects their responsibility to a)elevate the dialog and b)at least show a 5-minute clip before condemning a man. People expect all of their leaders to be saints, and it's ridiculous.

    The only thing that Rev. Wright said that was ridiculous was that the govt created the AIDS virus to kill black people. But then, he also believes in a hominid living in the sky, so I give him a free pass on that. Beyond that, he said:

    1. God doesn't bless America for killing innocent people, he damns America for killing innocent people.
    2. And he said that our violence in the world begets violence at home.

    Which are both teachings straight from the motherfucking Bible, everybody. People are pissed because a preacher preaches from the Bible? Come the fuck on.
    [/tangent]
    oh, look at that. my captcha is "tedious". :-)
