The Man Who Owns DoNotReply.com Knows All The Secrets Of The World

If your company is in the habit of putting a “donotreply.com” address in the “From” field of its emails, you might want to forward your IT department this entry from the Washington Post’s “Security Fix” blog. Whoever controls a domain controls where its mail is delivered, so when customers don’t pay attention and reply to a “donotreply.com” address, the reply goes to Chet Faliszek, a programmer in Seattle who registered the domain seven years ago.

With the exception of extreme cases… Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It’s just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails.

It probably seems obvious that an email address containing “donotreply” means you shouldn’t hit “reply.” Of course, in the real world customers don’t pay attention, or figure it’s an empty threat and someone will read it. Faliszek said he’s received sensitive information from Capital One customers, reports on security vulnerabilities for a New Jersey bank that’s now part of PNC, and reports on supplies and locations for troops in Iraq from a former subsidiary of Halliburton.

When the emails are trivial, he deletes them; when they concern big topics like the ones just listed, he blogs about them in order to embarrass the company responsible for such a dumb and lazy policy.

“I’ve had people yell at me, saying these e-mails are marked private and that I shouldn’t read them,” Faliszek said. “They get all frantic like I’ve done something to them, particularly when you talk to the non-technical people at these companies.”

So instead he blogs about the most interesting ones. Companies embarrassed by having their e-mails posted online can get him to pull the entries from his blog for a small payment: the normal fee to be removed from the site is proof of a donation to an animal protective league or humane society. So far, Faliszek says his blog has raised roughly $5,000 for local dog pounds.
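The fix is to never put an address you don’t control in a header that replies or bounces can follow: use a mailbox on your own domain (or a subdomain you run), or one of the names RFC 2606 reserves precisely so nobody can register them (example.com/net/org and the .invalid, .example, .test and .localhost TLDs). The script below is an added example, not code from the Consumerist post or the Washington Post story, that lints outbound messages for exactly this mistake. The owned-domain list and the two sample messages are constructed for illustration.

```python
"""
Outbound-mail header lint: flag From / Reply-To / Return-Path / Sender
addresses whose domain the sending organisation does not control.

Added example; not code from the article or from any company it names.
OWNED_DOMAINS and the sample messages are constructed assumptions.
"""
import email
from email.utils import getaddresses

# Domains the sending organisation actually controls (constructed assumption).
OWNED_DOMAINS = {"example-bank.com", "mail.example-bank.com"}

# RFC 2606 reserved names: nobody can register these, so a reply addressed
# to them cannot be delivered to a stranger who happens to own the domain.
RFC2606_SAFE = {"example.com", "example.net", "example.org"}
RFC2606_TLDS = {"invalid", "example", "test", "localhost"}

# Headers a mail client or MTA will send replies / bounces to.
HEADERS = ("From", "Reply-To", "Return-Path", "Sender")

# Constructed sample: the mistake the article describes.
BAD_MESSAGE = (
    "From: Example Bank <alerts@donotreply.com>\r\n"
    "Reply-To: donotreply@donotreply.com\r\n"
    "Return-Path: <bounces@donotreply.com>\r\n"
    "To: customer@example.net\r\n"
    "Subject: Your statement is ready\r\n"
    "\r\n"
    "Do not reply to this message.\r\n"
)

# Constructed sample: same notice, with every reply path on a domain we own.
GOOD_MESSAGE = (
    "From: Example Bank <no-reply@mail.example-bank.com>\r\n"
    "Reply-To: no-reply@mail.example-bank.com\r\n"
    "Return-Path: <bounces@mail.example-bank.com>\r\n"
    "To: customer@example.net\r\n"
    "Subject: Your statement is ready\r\n"
    "\r\n"
    "Do not reply to this message.\r\n"
)


def domain_of(addr):
    """'alerts@donotreply.com' -> 'donotreply.com'; None if no '@'."""
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip("<>[] ").lower()


def is_safe_domain(domain, owned=OWNED_DOMAINS):
    """True if replies to this domain stay with us or go to a reserved name."""
    if domain is None:
        return False
    if domain in owned or domain in RFC2606_SAFE:
        return True
    # Subdomains of an owned domain are ours too (note the leading dot,
    # so 'evil-example-bank.com' does not match 'example-bank.com').
    if any(domain.endswith("." + d) for d in owned):
        return True
    tld = domain.rsplit(".", 1)[-1]
    return tld in RFC2606_TLDS


def lint_message(raw, owned=OWNED_DOMAINS):
    """Return [(header, address, domain), ...] for every reply-bearing header
    whose domain is neither owned nor RFC 2606 reserved."""
    msg = email.message_from_string(raw)
    findings = []
    for hdr in HEADERS:
        for _display_name, addr in getaddresses(msg.get_all(hdr, [])):
            dom = domain_of(addr)
            if not is_safe_domain(dom, owned):
                findings.append((hdr, addr, dom))
    return findings


if __name__ == "__main__":
    for label, raw in (("bad", BAD_MESSAGE), ("good", GOOD_MESSAGE)):
        problems = lint_message(raw)
        print(f"{label}: {len(problems)} problem header(s)")
        for hdr, addr, dom in problems:
            print(f"  {hdr}: {addr} (domain {dom} is not ours)")
```

Run it against a sample of your real outbound templates rather than these constructed ones. Note that the lint only catches the wrong-domain case: a no-reply mailbox on a domain you do control still needs a deliberate fate (a monitored inbox or an explicit sink), because customers will reply to it anyway, and the replies are the sensitive part.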

“They Told You Not To Reply” [Washington Post] (Thanks to Alexa!)
(Photo: Getty)

Comments


  1. C2D says:

    If only I had thought about that first…

    Oh well, I hope he’s honest about it and doesn’t use it for personal gain.

  2. Redwraithvienna says:

    Isn't the normal donotreply email "donotreply@companyname.xx"?

  3. Seems more of extortion than just charity raising for some dogs. Needless to say, this is an interesting read, but one can only wonder how many secrets this man really knows and if he truly gets rid of the trivial things. I’d bet he makes more on the side and refuses to discuss or acknowledge it because that’s tax-free money for him when no one knows…

  4. Buran says:

    Use example.com/net/org instead — they’re the three domains withheld from the registry pool for, well, documentation and the like. I use user@example.com when forced to give an email address that isn’t actually required.

  5. Trojan69 says:

    This is the flip side of the “Your call may be recorded” garbage. How awesome would it be if we routinely and legally recorded our CSR calls and posted the transcripts, or the audio, on the web?

    Would it not be the biggest score evah if we were able to contact these rotten companies, who profess that “your call is important to us?,” and tell them that we will publish the contents of their lousy CSR unless they coughed up some quid? Maybe they would actually take care of the problem about which we contacted them in the first place?!

    A guy can dream, can’t he?

  6. Bladefist says:

    @超外人: didn’t know I could use asian fonts in my username. sweeeeeeet. 한국어를 사랑해!

  7. Let me get this straight… this guy comes into possession of confidential information (by virtue of accidental disclosure), posts it on the internet, and then agrees to remove it for a small fee.

    This sounds like that time I took pictures of that politician/celebrity with the hooker/little boy and promised not to show them to anyone if he paid me ten million dollars.

  8. Bladefist says:

    @Trojan69: call me an idiot, but cant we record the calls legally? Don’t see why not, especially if we said, “oh btw we’re recording this, so don’t screw it up”

  9. BStu says:

    @Redwraithvienna: Well, obviously it SHOULD be, but as this story indicates, it obviously is not. That simple remedy, though, would solve this problem entirely. Hopefully, some of the upset companies will take note of that.

  10. sean77 says:

    These companies should definitely know better. Too many idiots in charge.

  11. m4ximusprim3 says:

    I’m pretty amazed by the brazen-ness of his donate to remove policy. I can’t comment on the legality of it, but it does seem fairly extortionary.

  12. GTB says:

    I should point out that this is the same Chet that was a main writer for oldmanmurry.com (sadly not what it once was) and is still part of portalofevil.com. He also, with another guy from OMM, wrote the dialog for the game “Portal.”

    The man is a legend, as far as internet legends go, and something like this is the very LEAST that can be expected of him.

  13. Wayfaerer says:

    @Bladefist-안녕: Depends on the state, but in Indiana as long as one party knows a recording is happening then it’s legal. You wouldn’t have to tell the person on the other line that it’s being recorded.

  14. sean77 says:

    @m4ximusprim3: in his FAQ he says the donation is merely a request. He’ll remove emails even without the donation.

    A few years ago we had a spammer exploit a “Letter to the Editor” feature of our site and use it to send out spam. This got us on the spamhaus blacklist. They required a $50 donation in order to get us off the list.

  15. maverickuw says:

    @m4ximusprim3: I think it comes from the fact that since they sent the emails to him, and the company hasn’t done anything to prevent this, he has no obligation short of a lawsuit to remove such information as he’s been made a party to it.

    Now, in return for a small donation (which the company can boast about), the dirty laundry disappears. It’s a win-win for all, especially since he’s not getting any personal gain from it.

  16. cde says:

    @m4ximusprim3:
    @Dr. Chim Richolds:

    The difference is that the act is already done (Info posted). In blackmail/extortion, it is do this or I do that, not do this and I’ll undo that.

  17. Hoss says:

    How would anyone have time to comb through millions of emails a week? The concept is tremendous — capitalize on stupidity; just wondering how he has that much free time.

  18. humphrmi says:

    Whether it’s legal or not to publish the data on blogs, someday some big company with deep pockets is going to come along and smack him. Mind you, I support this guy – some idiot puts a valid reply-to address that’s not his own, he should expect someone at that reply-to address to read replies to his mail. But the whole posting it on a blog thing kinda makes me cringe, like watching a auto crash about to happen.

  19. Crymson_77 says:

    Honestly, he could probably get away with charging a direct fee to the idiots for “processing”. If they aren’t smart enough to keep this from happening, they should have to pay someone for it. The companies in question are putting people’s security at risk…from our personal info to US soldiers’ lives…

  20. Buran says:

    @humphrmi: Sue him for what exactly?

  21. dodonnell says:

    @超外人: How is it extortion? He registered the domain *eight years ago.* All the companies that use “donotreply.com” in their e-mails are trespassing on his chattel–using his property without his permission. If they are too lazy to set up a black hole e-mail address at their own domain, I have no sympathy for any of them. I can just imagine the heavy-handed approach some of those lazy companies take, too, to try to beat him up with bluster over their lack of due diligence. While blogging about the messages seems like he’s just inviting the Death Star to target his Alderaan, he does say:

    “You actually don’t have to do anything but contact me and I will take it down. The donation is more of a suggestion. Anyone who has contacted me can tell you this is true, I am changing the wording to reflect that.”

    Corporations helping needy animals to cover their laziness and stupidity seems like a reasonable exchange to me.

  22. dblanchard says:

    @Hossofcourse: He’s a programmer, and a pretty darned good one. I’m sure he’s got a crawler that only puts the juiciest ones in his inbox, or at the very least a good set of filters set up.

    D

  23. marsneedsrabbits says:

    @超外人:

    How is it extortion when they are using his domain? No one forces them to do that; they do it out of their own stupidity or lack of interest in customer privacy.

    He pays for his domain; other companies have no right to use his domain for their own purposes.

  24. TechnoDestructo says:

    It’s definitely good to know that this domain is in the hands of a guy with some scruples. This story could be a whole lot worse.

  25. MsFeasance says:

    When I was in college majoring in journalism, I was told that so long as one party knows that a two-party call is being recorded, then it’s a-ok, and you don’t even have to give them a disclaimer, at least within my state. It’s considered bad form, and likely to piss people off, but nonetheless legal.

    It’s important to note that warrantless wiretapping is still illegal under this doctrine, because the government is NOT a party to every phone call ever made.

  26. cde says:

    @marsneedsrabbits: Hell, they are even making him incur a cost. They are using up his bandwidth, storage space, and hell, maybe even using up his allotment of email filters.

  27. socritic says:

    If you’re calling a company and you hear “this call may be recorded for quality and training purposes,” where does it say which side is recording? Doesn’t it say that you can record the call for quality purposes? As in the quality of service you are receiving? Does anyone know if this has been challenged legally?

  28. cde says:

    @socritic: Essentially, they are saying THEY are recording for non-court related issues. Legally, they are notifying you that they are recording to satisfy the need to know for 2 and 2+ party states. What you do with a legally recorded conversation is limited to legal uses. Posting it, using it in court, etc.

  29. Jacquilynne says:

    It’s not just businesses who are dumb. Based on the registration info I see on my site, whoever owns nospamplease.com and noneofyourbusiness.com must have access to about 900 usernames on every website known to man. Whoever owns asdf.com also owns quite a few more Chowhound accounts than they likely know what to do with.

  30. mgomega says:

    @ trojan69 and bladefist:

    The term you’re looking for is “Single-party Consent”. Check your state’s legal code to see if they allow for it in recording conversations. If they do, only one party involved in the conversation needs to be aware of it being recorded. I’m no lawyer, but I think you can probably get away with recording all your conversations anyway, provided you do so only for your own personal use (You can’t actually use the conversation itself against anyone, but it can help your memory in dealing with them later). But if you’re going to do that…man, you’re paranoid!

  31. TPK says:

    “companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails”

    Classic!

  32. azntg says:

    Hmm, example.com seems like a better domain to use than donotreply.com ;-)

  33. Kajj says:

    If you go to his website he explains that the donation is entirely optional. No one is extorting anyone.

  34. deedrit says:

    Shazbot!

  35. dantsea says:

    @humphrmi: I hope the company that does that Googles Streisand Effect first!

  36. b612markt says:

    He can charge as much as he wants to remove the emails, he chooses to be a ‘good guy’ and direct the people to donate. I guarantee you most other domain owners wouldn’t be so kind.

    IT IS NOT EXTORTION

  37. Khabi says:

    While he may be donating to charity, he’s still an ass. I can understand not wanting to bounce the emails (traffic, spam, etc.), but why not just silently send them into oblivion? It’s not hard; it may break RFCs, but I’m sure they’ll make an exception.

    Even better, donate the domain to the IETF, and let them modify the current RFC to drop any email to the domain. Someone respectable (as far as the net goes, they’re pretty much godly) gets the domain, your data stays safe.

  38. MaelstromRider says:

    This is one of the things I really wish I’d thought of first.

  39. apex says:

    @Dr. Chim Richolds: If you actually read the blog, he redacts all the sensitive information.

  40. Hoss says:

    I got a new hobby — every time I see a donotreply, I’ll write and ask Chet how he’s doing. Got a new buddy too

  41. nursetim says:

    @dodonnell:
    I am adding that phrase for my personal use. Genius.

  42. ChuckECheese says:

    @超外人: Dog fundraising requires extortion. It is well known that dogs are very poor negotiators.

  43. spinachdip says:

    @Khabi: Why do you hate dogs?

  44. SuperJdynamite says:

    @marsneedsrabbits: “How is it extortion when they are using his domain?”

    It really doesn’t matter how the domain owner acquired the information — threatening to reveal information that would cause harm to reputation (i’m bloggin’ your embarrassing story) or person (i’m bloggin’ ur troop movements) unless money or services are provided is extortion.

  45. StevenJD says:

    @SuperJdynamite:

    Go ahead and reveal troop movements. One day an injured vet will grab his handy 9mm and use it on your ass.

  46. Helmut Spargle says:

    @SuperJdynamite: Thank you, counselor. Could we please have a short memo outlining the elements of extortion? You can limit it to whatever state you’re admitted in.

  47. @apex:

    Oops. Guess I should have followed the link. Oh well… as long as the confidential information is deleted, I’m not too upset… still seems a bit roguish to me, but it could be a whole lot worse.

  48. Hoss says:

    Anyone thinking extortion needs to consider he’s not preying on innocent emailers — in fact he’s taking extra steps not to reveal personal information. He’s outing extremely stupid major businesses. If he purchased a house on “One Acme Way” and Acme Corp sends out notices that say send all complaints to One Acme Way knowing that they don’t have a mailbox there — is it extortion to agree not to publish the fact that this company was this stupid in exchange for a small donation to the dog pound? Seems to be a small consulting fee about how to conduct business.

  49. marsneedsrabbits says:

    @Khabi:

    Because he pays for his bandwidth. Everyone does. His webhosting isn’t free. His time isn’t free.

    Why does he owe “nice” to people who are stealing from him?

    He doesn’t.

  50. marsneedsrabbits says:

    @SuperJdynamite:

    He isn’t threatening to reveal information. He is revealing information.

    But not individual account information or anything that would compromise any one individual, unless that individual is a webmaster of one of the companies that is stealing from him.

    What he is doing: exposing companies that could not care less about their customer’s sensitive data.

    And how is that bad, exactly?

    Why should these companies get a break when they are 1) stealing from him, and 2) can’t or won’t manage their customers’ data or their own data properly?

    I appreciate whistle blowers.

  51. marsneedsrabbits says:

    He isn’t threatening to expose the cheating idiots.

    He is exposing the cheating idiots and asking for a donation for his time and trouble to take it down.

    His website also clearly says he charges for the use of his domain/email. The terms are at the bottom.

  52. Trojan69 says:

    For those who replied to my first post – I inserted the term because I do not want anyone to get the idea that I supported doing anything that may be construed to be illegal. CYA.

    If I were to do what I proposed, my script would be something on the order of, “Are you aware that this conversation may be recorded and used for any purpose?”
    If they give assent, I can do whatever I like so long as I don’t edit to change the plain meaning of their words.

    Why do I feel like Ensign Pulver?

  53. Charred says:

    This is pretty cool. I wish I’d thought of it.

  54. Greasy Thumb Guzik says:

    @Trojan69:
    You don’t have to get their assent.
    You can ignore their protests or if you’re a bit afraid of being sued, just add this: “Your continued participation in this phone call is your consent to be recorded”.
    You have given them the option of hanging up, if they continue to harass you with phone calls & you record them, tough shit for them, you’re protected even under two party requirements!

  55. macdave2 says:

    The companies that are using his domain for their donotreply address are also in violation of the CAN-SPAM Act, under which you cannot use false addresses in your email headers.

  56. cde says:

    @SuperJdynamite: Removal of that information for money is not extortion.

  57. Ailu says:

    How dumb is this? I’ve been in web development for several years, and I can tell you I’ve never known anyone in the industry that would be so stupid as to use the domain name DoNotReply.com. Everyone knows that the proper syntax for a “DO NOT REPLY” is DoNotReply@YOUR_WEBSITE_NAME.COM. It’s unbelievable that a huge company like Capital One would be guilty of such stupidity.

    What, are the colleges churning out idiots these days? Unreal.

  58. felixgolden says:

    I have a .com address I’ve owned for over 10 years. I’ve had to deal with the .edu owner setting up the default reply address for all their users with the .com, which meant that every September, I would get bombarded with email. This went on for 3 years. Then they sent me a mug.

    A secretary at the .net holder routinely sent confidential correspondence to other people in her company incorrectly addressed to .com. Besides replying back to her, I tracked her down and called her on numerous occasions to correct her mistake, actually trying to help her cover her ass. She would scream at me about how her company paid for the name and then hang up. She did not understand the difference. I finally contacted the president of the company. The emails stopped very suddenly.

  59. jeblis says:

    Post em on Wikileaks.

  60. D-Bo says:

    @Dr. Chim Richolds: Only if the mayor went to your house to meet the hooker.

  61. ReezyAscending says:

    Ailu:

    To answer your question; yes.

  62. TheSpatulaOfLove says:

    Too bad he’s not making his donations to the EFF – seems more appropriate, as they might be the ones that save his butt when some shark comes along and makes it a Supreme Court case.

  63. mike says:

    I blame the companies. They should have an e-mail address dedicated to “donotreply”. I have a devnull address just for that purpose.

  64. LionelEHutz says:

    I wish I had thought of this.

  65. bonzombiekitty says:

    @Dr. Chim Richolds: No, his page says he’ll remove it if you just ask (and his actual posts don’t seem to show anything particularly confidential), the donation is only a suggestion not a requirement.

  66. nightshadowon says:

    Darn someone already registered nowhere.com and somewhere.com. Wonder how much spam they get because I use those for trash emails.

  67. RandomHookup says:

    @Hossofcourse: Perhaps, but you can’t legally open mail not addressed to you, so unless they send it “Occupant” or the like, you won’t have access to the information contained within. You could publicize that they are dumb, but can’t use the contents. One could perhaps argue that on emails, but IANAL.

  68. cerbie says:

    @Dr. Chim Richolds: no, no, it doesn’t sound like that at all. It sounds a lot like the politician handing you those photos as he walks by you in the street, and then later asking how you got them.

    He’s doing nothing morally or legally wrong. The companies using his domain name are doing both.

  69. Morgan says:

    @超外人: @Dr. Chim Richolds: If he were contacting the companies and demanding money to not make a post, you’d be right. He’s making the post and allowing them to donate to charity (not pay him) so that he’ll perform the service of taking it down. It’s not extortion in the same way that it isn’t extortion when the grocery store demands money before you can have food. (Demanding money to not do something=extortion/blackmail; demanding money to do something=the basis of our economy). As far as I can tell the real purpose of the payment is making sure the company actually pays enough attention to change their donotreply email address; he’s not profiting from it.

  70. Tonguetied says:

    @Jacquilynne: noneofyourbusiness.com looks like a generic squatter. nospamplease.com advertises that it’s for sale…

    I didn’t say it was outright extortion, I said it seems to be of it, especially given the “charity” thing. I don’t believe many of the charity claims that some politicians or corporate people create for their own benefit. And again, we don’t know if he isn’t profiting from it. He may also be obtaining other data and secretly making deals with it. Just because someone states they do something this way doesn’t mean they are entirely honest about it. Temptation exists.
    Either way, he has a very interesting perk, and who knows what else he could do with such knowledge by knowing all these “secrets.”
    People with power tend to abuse it, and wouldn’t be a surprise to know if he does as well, discreetly.

    @Bladefist-안녕:
    Yes, asian fonts are win. Too bad I can’t read Korean.

  72. BStu says:

    @RandomHookup: I don’t think emails are equal to physical mail in this circumstance. If I got mail for John Q Fakename at my address, it isn’t addressed to me. If I owned fakename.com, however, anything mailed to @fakename.com would be addressed to me. The domain name isn’t equal to the street address. I’d suggest that the whole email is equal to that street address.

    What’s more, the intended recipients did INTEND for mail to be sent to that address. It wasn’t sent in error, it just wasn’t expected to be received. The intent was to send a message to john@fakename.com. They just didn’t expect me to get that mail, but it doesn’t mean they didn’t intend for it to be sent to me.

  73. CumaeanSibyl says:

    @超外人: He actually says on his site that the donation isn’t required — he’ll just take it down if you contact him.

  74. RandomHookup says:

    @BStu: I am not arguing that emails = physical mail. The poster I replied to was. I’m sure there are lawyers who might disagree, but that’s what lawyers do.

  75. brianary says:

    It’s important to know what you’re doing when you write, configure, and maintain this stuff.

    Learn RFC 2606, people!

  76. Angryrider says:

    @超外人: Yours says “Super Foreigner” right?

    Ha! I wonder actually how many people actually reply to do-not-replies… Probably the same people who get phished every once in a while.

  77. FrankTheTranq says:

    @Trojan69: Umm… I DO record CSR calls if I’m calling about a serious problem or dealing with a company I know to have a seriously bad CSR reputation. Just be sure to announce (like their robot voices do) that you are also recording the call. Digital recording’s a marvelous thing!

  78. Osi says:

    In Alaska, we can record all phone conversations legally. As only one of the parties on the line must be aware and agree to the recording. The other parties do not need to know :)

    So yes, it is legal (in some states) to record phone calls. And there are some sites online that host such recorded calls :)