SHARKWATER

Tuesday, March 25, 2008

No, Really: DO NOT REPLY

I found this post in the Washington Post's Security Fix blog. I'm not sure whether it's more humorous or more disturbing, but it does point out some of the major social-engineering issues that come with computers and e-mail.

The issue is that a lot of companies send out mail with a made-up sender address because they don't want people to respond to the e-mails. They often use something@donotreply.com as the "return address," hoping that a) people will see it and realize they shouldn't reply, and b) if people do reply anyway, the message will simply vanish somewhere or bounce.

Except...there is a donotreply.com, and the guy who owns it gets all those messages:
As owner of www.donotreply.com, the Seattle-based programmer receives millions of wayward e-mails each week, including a great many missives destined for executives at Fortune 500 companies or bank customers, even sensitive messages sent by government personnel and contractors.
The social engineering part of the matter is this: good security practice tells one not to click on links in e-mail messages. But that's exactly what these lazy companies are trying to get people to do. So not only are they being weaselly and trying to send one-way messages and make it hard for people to respond, but they're also encouraging what is essentially dangerous computer behavior, because if you want to reply you have to click a link in a message.
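As an added illustration of the check a mail administrator could run before sending bulk mail (example code written for this post, not from the Washington Post article or from the blog), the script below lints outbound message headers and flags any From, Reply-To, Return-Path or Sender address whose domain the sending organisation does not control. The organisation's own domain (example.com) and the sample message are assumptions.

```python
"""Outbound-mail header lint: flag reply addresses at domains you do not own."""
from email.parser import Parser
from email.utils import getaddresses
from typing import List, Tuple

# Domains this hypothetical organisation actually owns. Replies and bounces
# to these land in its own mailboxes; anything else is someone else's inbox.
CONTROLLED_DOMAINS = {"example.com"}

# Header fields that decide where a human reply or an automatic bounce goes.
REPLY_HEADERS = ("From", "Reply-To", "Return-Path", "Sender")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, '' if malformed."""
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def is_controlled(domain: str) -> bool:
    """True if the domain is one we own or a subdomain of one we own."""
    return any(domain == d or domain.endswith("." + d) for d in CONTROLLED_DOMAINS)


def find_leaky_headers(raw_message: str) -> List[Tuple[str, str]]:
    """Return (header, address) pairs whose domain would deliver replies elsewhere."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    findings = []
    for header in REPLY_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if not is_controlled(domain_of(addr)):
                findings.append((header, addr))
    return findings


# Constructed sample: the pattern the post describes, a "do not reply" sender
# at a domain the organisation does not own, alongside a Reply-To it does own.
SAMPLE_MESSAGE = """\
From: Account Alerts <alerts@donotreply.com>
Reply-To: noreply@example.com
To: customer@example.net
Subject: Your statement is ready

Please click the link below to view your statement.
"""

if __name__ == "__main__":
    for header, addr in find_leaky_headers(SAMPLE_MESSAGE):
        print(f"{header}: {addr} is outside the controlled domains")
```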

What's with these companies, anyway? Is it so hard for them to grasp that if they send me an e-mail message and I want to respond, I will click "Reply"?

This is vaguely reminiscent of a company I told off yesterday. They have been calling for several weeks now, trying to get me to sign up for a service I don't want. I have tried telling them I don't want their service and I don't want to talk to them. I have tried rudely hanging up on them. Finally, yesterday as they started their spiel, I said "Stop." I had to say it about five times before she actually stopped. "Don't call anymore." She made some reply that indicated she didn't understand. I explained that I didn't want their service, and I didn't want them to call me ever again.

We'll see how well that works out.

2 comments:

Anonymous said...

The law, at least in California, is that if you tell a company once not to call you and they do it again you can report it and the company will face sanctions. So keep track of who's calling, who you've told not to call again, and turn 'em in.

To whom? Ooh. Good question. I'm so helpful.

Houston Dunleavy said...

It is a little scary to think that someone at "donotreply.com" can get your email that you think is going to a bank, insurance company etc. One hopes that so many end up there means that, like Santa Claus, he won't have time to read them all!

At least we know he exists!

We have a "do not call" register here in Australia which prohibits telemarketers, unless they are from a charity, from ringing you up and spoiling your dinner. It seems to work pretty well, though I'm waiting for some multinational corporation to register themselves a charity shop-front so they can "encourage" us to support them by purchasing from their "sponsor" rather than making a donation.

Oh dear, I hope none of them has read this!