Source: Technology Update from American Banker
Some companies that send marketing e-mail messages to which they do not want a reply might be surprised at what happens when people do try to write back.
One common method for deterring replies is to list a reply address at the domain donotreply.com. However, that is a real domain, which was bought in 2000 by Chet Faliszek, a Seattle programmer who reads many of the e-mails that are inadvertently sent to him.
And according to Brian Krebs' March 21 "Security Fix" column in The Washington Post, "many of the misdirected e-mails amount to serious security and privacy violations."
For example, Yardville National Bank, now a part of PNC Financial Services Group Inc., sent Mr. Faliszek documents in February that he claims detailed the security vulnerabilities of the New Jersey bank's computer systems.
Mr. Faliszek also gets a lot of correspondence from customers of Capital One Financial Corp., requesting details about their accounts.
Mr. Faliszek said those are extreme examples of security violations arriving in his donotreply inbox.
Though in the past Mr. Faliszek has directly notified companies when he receives e-mail intended for them, he said he has recently stopped doing so because some have threatened him with legal action.
"They get all frantic like I've done something to them, particularly when you talk to the nontechnical people at these companies," Mr. Faliszek told Mr. Krebs.
Now he posts updates on his blog about the misdirected mail he receives at donotreply.com and will remove any message details from his Web site upon request, though he does ask that companies make a donation to charity.
Fred Solomon, a PNC spokesman, told American Banker that no customer information was exposed, and the data sent to donotreply.com could not have been used to exploit Yardville's systems. He also said those systems have since been taken offline. The incident "does not change PNC's current view of its risk profile," he said.
Pam Girardo, a Capital One spokeswoman, said in an e-mail that "our standard practice is to use a Capital One e-mail return address, with reply-backs also directed to a Capital One address. The situation referenced in the Washington Post article was isolated to a small part of our business that was managed by an external supplier, and was immediately corrected to conform with our standard operating procedures."