Did anyone see this article in the NY Post this week? It’s about the guy who owns the donotreply.com domain. Apparently, he gets lots and lots of very private e-mails, due to companies using the domain in e-mails, not realizing that it actually exists. He started a blog, in which he posts some of the e-mails, much to the dismay of companies such as Halliburton, among others! Fascinating and scary. Check the address before you click reply! Yikes! :eek:
Oh wow man…I can’t BELIEVE that these companies do something stupid like that! As an email provider, it just boggles the mind.
I see in his blog he called the IT dept of one of the offenders, autonation.com. They didn’t believe him!
How can you have your head so far up your ass that:
- You don’t see the harm in using a domain that’s not yours for public email communication.
- Your systems let you send email that is not from a domain you have control over
- You don’t believe an email came from your system when someone shows you an email with full headers showing email coming from your system.
Is there maybe some divide between IT people who work exclusively on closed networks and IT people who understand public networks?
Just crazy! The blog is a good read, btw.
I was thinking the same thing…how could anyone be so stupid? I mean, I know virtually nothing about this stuff, but even I could have figured out that anythingyoucanthinkofintheworld.com is a possible actual domain name. Why would anyone assume something is a “dummy” address unless they checked to be sure?
I just sent the article to a friend, and her response was, “That’s unbelievable!” To which I replied that it was very, very believable, unfortunately.
I’m looking forward to reading the blog.
That is just classic. I am at a complete loss as to why, if you are going to create a reply-to address that isn’t supposed to go anywhere, you wouldn’t use an address that is so blatantly non-existent that there is absolutely no possible way that it could go anywhere. Even using whoever@donotrep.ly would work if you’re really hell bent on making your instructions known by your return address. At the absolute minimum, use an obviously fake ccTLD that doesn’t and probably never will exist.
All the same, the blog is a great read. I particularly liked his dig at TSYS:
Jeez, give the engineers some credit, will ya?
According to RFC 2606, there are four top level domain (TLD) names set aside exactly for this purpose. (For those who have no desire to read an RFC, they’re: .test, .example, .invalid, and .localhost). The blame rests squarely on the shoulders of ignorant (and I mean that in a non-pejorative sense) sysadmins or IT workers.
Why don’t the emails come from donotreply@cogswellcogs.com, instead of cogswellcogs@donotreply.com? Seems like a no-brainer.
Because then those emails would still end up with some sort of email administrator at cogswellcogs.com, and the point is that these companies don’t want the emails coming to them at all.
Which, as has already been pointed out, is extremely lazy and stupid.
Wouldn’t it be really easy to configure your mail server to route those to dev/null?
I’m not really an IT guy, but I believe the answer to that is “yes.” However, to repeat, the people involved in this process are obviously lazy, so it’s difficult to imagine them taking the time to do that.
No. Forward thinking is really, really hard.
Great story.
This reminds me of the guy (here in Arizona) who got “NOPLATE” as his license plate. He finally had to give it up after receiving zillions of citations for vehicles that didn’t have a license plate…
I don’t think those were intended for the purpose of using as a non-existent e-mail address though, according to the RFC. If hundreds of e-mails were being sent to donotreply@mycompany.invalid, how much work would it create for DNS computers or SMTP servers to handle it?
While I agree that extra traffic might be an issue, the RFC does explicitly state: “".invalid" is intended for use in online construction of domain names that are sure to be invalid and which it is obvious at a glance are invalid.” The term “online” kind of indicates it’s meant to be handled in all real-world, operating systems.
I can’t attest to whether common DNS software does this, but it seems to me that anyone doing the coding would be well-versed enough that they’d put in explicit code to simply drop “.invalid” and “.example”, so those messages would never even hit the DNS system. (Of course, “.test” is for testing the DNS code and “.localhost” should be handled locally, so those shouldn’t be dropped.) At least, that’s what I’d do.
Dang…it’s my OP, and the conversation is so far over my head, I can’t participate! That’s ok, though…carry on.
Well, since I assume you won’t mind having some ignorance fought, I’ll give a shot at raising your head such that it’s directly in the line of fire.
I’ll assume that you already grasp the basics of the article – namely, that the donotreply.com domain “owned” by the person receives the email sent there. RFC is short for Request for Comments, which are public, formal specification documents created by network engineers. These are “gold standards” of the networking world – one might think of them as akin to the International Building Code as it relates to building construction. While it is possible to disregard these rules, doing so will often break functionality. That’s generally the worst that happens, because as of now there is no “Department of Internet Police”. (Although the Chinese government, the RIAA, and various other groups (often governmental) are certainly working on it.)
The internet’s domain name system (DNS) is specified by a set of RFCs; probably its most important use is to create the “phone book” that maps names to computer identifiers (IP addresses). For instance, as of this writing, the IP address 208.100.26.199 maps to boards.straightdope.com. RFC 2606 specifies some Reserved Top Level DNS Names (TLDs) to “avoid conflict and confusion” by setting aside some names that no one is to use except for the purposes outlined in that RFC. So, assuming everyone follows the rules, there will never be a website, email address, etc. that ends with the TLD “.invalid”, which is supposed to clearly mark a name as being…um…invalid. Clever network engineers.
Of course, as is evident from the OP article, none of the RFCs reserve the domain donotreply.com. But many sysadmins / IT workers are not quite as clever, nor as knowledgeable, as the network engineers, although they may entertain such delusions. So, assuming they’re not just ignorant in the first place, they then violate the rules set out in the RFCs and much penis ensues. (Not to mention potential litigation when private information ends up…oh, joy of joys…where it is supposed to go.) Or, perhaps, they’re just lazy…which may very well just be a manifestation of an overdeveloped sense of cleverness (or vice-versa).
Now, Arnold Winkelried pointed out that messages sent to addresses using those reserved TLDs would have to be processed somewhere along the way, potentially bouncing around in the ether consuming computer resources until some server, somewhere, recognizes the bogosity of the address and either discards or returns it. My comment was that while true, if I were writing the DNS software, I would check the domain name not long after message reception and simply drop it if it ended with “.invalid” or “.example”, saving everyone much time and effort. Them’s the rules.
So, what else? Ah, yes. /dev/null, which can be thought of as a data “black hole” – in Unix-like systems, any data sent there is simply discarded without prejudice, never to be seen or heard from again. That’s where I’d send the “.invalid” and “.example” messages if I were writing DNS software. It wouldn’t be very difficult for the sysadmin of cogswellcogs.com to add a special rule to their email server that routes emails addressed to donotreply@cogswellcogs.com similarly.
But where’s the fun in that?
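Added example, not part of the original thread or written by any poster: a small Python audit that reads the sender headers of an outbound message and flags any address whose replies would land on a domain the sending company does not control. The owned-domain set and the sample message are constructed for illustration; cogswellcogs.com is the hypothetical company used in the thread.

```python
from email import message_from_string
from email.utils import getaddresses

# The four TLDs reserved by RFC 2606, as listed in the thread.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
# Headers that decide where a reply or a bounce is delivered.
REPLY_HEADERS = ("From", "Reply-To", "Sender", "Return-Path")


def classify_domain(domain, owned_domains):
    """Return 'owned', 'reserved' or 'third-party' for a sender domain."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in owned_domains):
        return "owned"
    if domain.rsplit(".", 1)[-1] in RESERVED_TLDS:
        return "reserved"  # can never resolve, so replies go nowhere
    return "third-party"   # registrable by anyone, so replies can leak


def audit_message(raw_message, owned_domains):
    """List (header, address, verdict) for every reply-relevant address."""
    msg = message_from_string(raw_message)
    findings = []
    for header in REPLY_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if "@" not in addr:
                continue
            domain = addr.rsplit("@", 1)[1]
            findings.append((header, addr, classify_domain(domain, owned_domains)))
    return findings


def leaking_addresses(raw_message, owned_domains):
    """Addresses whose replies would be delivered to someone else's domain."""
    found = audit_message(raw_message, owned_domains)
    return [addr for _hdr, addr, verdict in found if verdict == "third-party"]


# Constructed sample message, modelled on the addresses quoted in the thread.
SAMPLE = (
    "From: Cogswell Cogs <cogswellcogs@donotreply.com>\n"
    "Reply-To: donotreply@cogswellcogs.invalid\n"
    "Return-Path: <bounces@mail.cogswellcogs.com>\n"
    "Subject: Your statement\n\n"
    "Please do not reply to this message.\n"
)

if __name__ == "__main__":
    for header, addr, verdict in audit_message(SAMPLE, {"cogswellcogs.com"}):
        print(f"{header:12} {addr:36} {verdict}")
```

Run against a sample of outbound mail before a template goes live, anything reported as third-party is an address whose owner will receive customer replies.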
You’re expecting modern IT grunts and sysadmins to even know what an RFC is, much less have read the important ones? Most of them barely even know their CAT5s from their RJ11s without consulting Webopedia.
Thanks for that, Digital…you explained it very clearly. But it still leaves me with a WTF? in my mind, because for me as a layperson, I don’t get how these folks could BE ignorant of the fact that donotreply.com is not one of the domains reserved by the RPCs (I mean, as I said before, even I know that pretty much anything is a potential “real” domain name)…why would anyone be so stupid as to make such a wild assumption?
Missed this comment before…it goes back to my question…do you even HAVE to know all this to be able to figure out that donotreply.com might be an actual domain name?
Nope. You just have to think a little bit. That’s why everyone’s in trouble.