I just found something, via the Something Awful forums, that scares the bejesus out of me. I’ll let the poster there, Darth Mirth, explain it:
Ever get an e-mail from a business, perhaps your bank, whose reply address is [something]@donotreply.com? It is their way of telling you, well, not to reply directly to the e-mail. But what if some people don’t pay attention, and hit “reply” anyway? Or better yet, what if the original e-mail is bounced back as undeliverable — bounced back to donotreply.com?
Of course, donotreply.com is not the internet’s equivalent of the Dead Letter Office. It is, in fact, a valid domain… owned by a guy named Chet.
Turns out, Chet gets lots of e-mail. Some of it has very private information in it. Some of it even threatens national security. He posts some of these e-mails (with harmful information redacted) at his blog site, www.donotreply.com.
All I can say is that if I did business with any of these companies, I’d be a little worried, and that I’m very, very glad that this Chet guy is ethical enough to redact anything critically important.
OK, so we know that Halliburton pays $2.93 for a “unit” of Soy Sauce (bottle? packet? 55-gallon drum? Who knows.), but think of the massive, gaping security and privacy hole here.
You send someone their personal information, an account number, login info, whatever, with a fake Reply-To header that sends their reply to email@example.com, because you don’t want anything coming to you where you have to deal with it.
But when it bounces, or the recipient doesn’t read the message and tries to reply, now Chet Faliszek has their info. He could do a lot of terrible things with it, and the only reason he doesn’t is that you got lucky and he’s a good guy. You’ve just put your customer’s personal info in the hands of some random guy on the internet. Good job.
Idiots, deal with your own fucking emails. Don’t have your fake Reply-To header be a domain you don’t own, because seriously, what the hell?
Fortunately, at least according to Gmail’s search, there’s no one I have ever received mail from that pulls this crap, but if I were you, I’d search your inbox and find out if you have. Seriously, look at this shit.
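If you want to do that search with something more mechanical than Gmail’s search box, here is a small added example (mine, not anything from the original post or from donotreply.com) that parses a raw message and flags every header that routes a human reply (Reply-To, From) or a bounce (Return-Path, Sender) to a domain outside an allowlist of domains you actually own. The same check works on your own outgoing templates before they ship. The sample messages, the domain `bank.example` and the address `noreply@donotreply.com` are constructed for the demo.

```python
"""Audit mail headers for reply/bounce addresses at domains the sender does not own.

Added example, not code from the original post. Human replies go to Reply-To
(or From when Reply-To is absent); bounces go to Return-Path (or Sender).
Any of those pointing at a domain you don't control hands your customers'
replies to whoever owns that domain.
"""
from email import message_from_string
from email.utils import getaddresses

# Headers that decide where a human reply ends up.
REPLY_HEADERS = ("Reply-To", "From")
# Headers that decide where an undeliverable message bounces to.
BOUNCE_HEADERS = ("Return-Path", "Sender")


def address_domain(addr: str) -> str:
    """Return the lower-cased domain of an e-mail address, or '' if malformed."""
    local, sep, domain = addr.rpartition("@")
    return domain.lower() if sep and local else ""


def audit_headers(raw_message: str, owned_domains: set) -> list:
    """Return (header, address) findings for every reply/bounce address whose
    domain is not in owned_domains. An empty list means the message is clean."""
    msg = message_from_string(raw_message)
    owned = {d.lower() for d in owned_domains}
    findings = []
    for header in REPLY_HEADERS + BOUNCE_HEADERS:
        # get_all returns every instance of the header; getaddresses splits
        # "Name <addr>" lists into (name, addr) pairs.
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr and address_domain(addr) not in owned:
                findings.append((header, addr))
    return findings


# Constructed sample: the pattern the post complains about. The bank owns
# bank.example but points replies at donotreply.com, which it does not own.
BAD_REPLY_TO = (
    "Return-Path: <bounces@bank.example>\n"
    "From: \"Example Bank\" <statements@bank.example>\n"
    "Reply-To: <noreply@donotreply.com>\n"
    "Subject: Your statement is ready\n"
    "\n"
    "Account ending 1234 ...\n"
)

# Constructed sample: worse, the From itself is at the foreign domain and
# there is no Reply-To, so every reply goes there.
BAD_FROM = (
    "Return-Path: <bounces@bank.example>\n"
    "From: <noreply@donotreply.com>\n"
    "Subject: Your statement is ready\n"
    "\n"
    "Account ending 1234 ...\n"
)

# Constructed sample: every reply and bounce address stays on an owned domain.
GOOD = (
    "Return-Path: <bounces@bank.example>\n"
    "From: \"Example Bank\" <statements@bank.example>\n"
    "Reply-To: <support@bank.example>\n"
    "Subject: Your statement is ready\n"
    "\n"
    "Account ending 1234 ...\n"
)

if __name__ == "__main__":
    owned = {"bank.example"}
    for label, raw in (("bad reply-to", BAD_REPLY_TO), ("bad from", BAD_FROM), ("good", GOOD)):
        findings = audit_headers(raw, owned)
        status = "OK" if not findings else "LEAKS REPLIES TO " + ", ".join(a for _, a in findings)
        print(f"{label:13s} {status}")
```

Run it over an mbox export of your inbox with the sender’s real domain as the allowlist and anything it prints is a company that is doing exactly this. For your own outgoing mail, make the allowlist the domains you hold and run it against every template; the Return-Path check matters as much as Reply-To, because bounces carry the original message body, account number and all.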
I AM ANGRY ON THE INTERNET