They Told You Not To Reply

They Told You Not To Reply

When businesses want to communicate with their customers via e-mail, many send messages with a bogus return address, e.g. " snipped-for-privacy@donotreply.com." The practice is meant to communicate to recipients that any replies will go unread.

But when those messages are sent to an inactive e-mail address or the recipient ignores the instruction and replies anyway, the missives don't just disappear into the digital ether.

Instead, they land in Chet Faliszek's e-mail box.

As owner of

the Seattle-based programmer receives millions of wayward e-mails each week, including a great many missives destined for executives at Fortune 500 companies or bank customers, even sensitive messages sent by government personnel and contractors.

The majority of the e-mails naturally are from spammers, who also are quite fond of using Faliszek's domain name in the "From" field of their junk e-mails. Some of the non-spam bounce-backs are fairly harmless, like the ones he gets every so often from desperate, hungry people who bought a CharBroil brand grill but can't get the thing to work properly.

"Instead of letting people just hit reply to these support mails, they make the customer click on a link," Faliszek said. "It's sad, too, because I'll get these e-mails from people and they're like 'Oh, man, I really wanted to grill, but it's not working.' Sometimes they'll even send pictures of their grill, too."

But many of the misdirected e-mails amount to serious security and privacy violations. In February, Faliszek began receiving e-mails sent by Yardville National Bank in New Jersey (now part of PNC). Included in the message were PDF documents detailing every computer the bank owned that was not currently patched against the latest security vulnerabilities. Faliszek has so far amassed more than 200 reports about the bank detailing computers, full branch reports and graphs showing the top 10 most vulnerable systems.

In a blog post cleverly titled "What's in Your Return Address Field," Faliszek posted another bank screw up last month after he began receiving replies from Capital One customers inquiring about various details of their accounts. He says Capital One appears to have used donotreply.com as the return address for automated payment transfers and debits set up by customers.

...