
Researchers' Typosquatting Stole 20 GB of E-Mail

Soulskill posted more than 2 years ago | from the of-tips-and-icebergs dept.

Security 204

NeverVotedBush writes "Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions."


204 comments

People are dumb, so... (0)

Anonymous Coward | more than 2 years ago | (#37353178)

Back in the early days of the web, a friend of mine registered a domain that was a legitimate spelling of a big company; just not the one that company was actually using. He set up a mail server on it and in a day received over 100 e-mails. Was really weird. Why were so many people sending e-mail to the wrong domain? They just assumed it would be right?

Re:People are dumb, so... (1)

tomhudson (43916) | more than 2 years ago | (#37353414)

1. Enable catch-all email accounts on all domains you own
2. ...
3. PROFIT!

20 gigs sounds like a lot, but since these were corporations, you can expect that a lot of them were huge Microsoft Word attachments with one-liners like "Peter: Remember to complete your TPS report by Friday." and equally vacuous Powerpoint slide decks. And people trying to email DVDs. And pr0n - lots of pr0n, if it was government employees.

Re:People are dumb, so... (1)

interval1066 (668936) | more than 2 years ago | (#37354532)

People aren't dumb, just busy. I do recognize the need for people to do their own due diligence to some extent but comments like yours, no offense, paint people as a bunch of sheep lamely pushing at buttons. The true picture is that these are by and large very busy people conducting business with a multitude of contacts and business correspondence that they have to perform every day, and not all of them, in fact very few of them, are really very IT savvy. IT isn't their business. And it's usually not a matter of simply pushing buttons; many times it's copying, pasting, attaching forms, scanning, and typing new contact names into contact books. With millions of people conducting transactions on the web every day some domains are going to get munged. Yeah, they need to make sure they are addressing their business correctly, but simply painting them as "dumb" is dismissive and disingenuous.

Re:People are dumb, so... (1)

Drencrom (689725) | more than 2 years ago | (#37354744)

They do the same with SSH. The other day I misspelled homelinux.org (that's a dyndns domain) and ended up in some server asking my password. They listen to SSH for all domains *.mispelled-homelinux.org (I don't remember the exact name) and harvest logins and passwords. Luckily I only allow public keys in my home router so I could notice.

Good test. (2)

140Mandak262Jamuna (970587) | more than 2 years ago | (#37353184)

Every damn email they suctioned up has stern boilerplate warning: "This email is intended for XYZ only. If you are not XYZ and you got this email, and if you don't delete it and forget what you have read immediately we are going to pretend we could come after you like gangbusters". Let us see if that stupid boilerplate text has any legal standing.

Anyway, of the 20 Gig they collected, I am sure 19.9 Gig was this boilerplate text.

Re:Good test. (3, Informative)

bmo (77928) | more than 2 years ago | (#37353308)

>Let us see if that stupid boilerplate text has any legal standing

It doesn't. It didn't work for real mail so why should it work for email?

You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.

--
BMO

Re:Good test. (2, Informative)

duguk (589689) | more than 2 years ago | (#37353384)

> >Let us see if that stupid boilerplate text has any legal standing
>
> It doesn't. It didn't work for real mail so why should it work for email?
>
> You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.
>
> -- BMO

Not true, at least in the UK:

Interfering with mail - Postal Services Act 2000 Section 84
Triable Summarily (Magistrates court)
6 Months and or a fine (Max)

A person commits an offence if they without reasonable excuse intentionally delay or open a postal packet in the course of transmission by post or intentionally opens a mail bag.

A person commits an offence if, intending to act to a person's detriment and without reasonable excuse, opens a postal packet which they know or suspect to have been delivered incorrectly.

If you work for the Post service you could commit other offences under Section 83 triable either way (Magistrates or Crown court) and get a sentence of 2 years and or a fine.

Re:Good test. (2, Interesting)

Anonymous Coward | more than 2 years ago | (#37353426)

"Delivered incorrectly" is different from "addressed incorrectly". One is an error of the Postal Service, the other is an error of the sender.

Re:Good test. (1)

duguk (589689) | more than 2 years ago | (#37353944)

> "Delivered incorrectly" is different from "addressed incorrectly". One is an error of the Postal Service, the other is an error of the sender.

Either way, as confirmed in the Regulation of Investigatory Powers Act 2000 [opsi.gov.uk]:

It is an offence to open, destroy, hide or delay any post that is addressed to someone else. Post cannot be opened if it is to the addressee's detriment and without reasonable excuse. Reasonable excuse is not defined by the Act.

An example of a potential conflict is if a landlord opens a previous tenant's post in order to trace them. Post cannot be opened if someone knows or reasonably suspects the post has been incorrectly delivered.

It is also an offence to divert someone's post in order to intentionally delay them from receiving it. An example of this could be where a person re-posts documents or cheques to delay the addressee from acting upon them.

Re:Good test. (1)

trum4n (982031) | more than 2 years ago | (#37354164)

You have to "open" email, just to see who it's sent to. OOPS. TOO LATE.

Re:Good test. (1)

duguk (589689) | more than 2 years ago | (#37354330)

> You have to "open" email, just to see who it's sent to. OOPS. TOO LATE.

No, at least in theory, you don't. SMTP [ietf.org] literally has an "envelope"; it should be all the server looks at to relay/deliver messages.

Re:Good test. (1)

_0xd0ad (1974778) | more than 2 years ago | (#37354708)

No, not really. If you're a BCC'd recipient you wouldn't even be able to tell from the headers. All you'd see is a delivered-to header and obviously that has to be you since you received it. It's the RCPT TO field that determines who actually receives the e-mail, not the To, Cc, or Bcc headers (the Bcc header is stripped out anyway).
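The envelope/header split described in the two comments above, as an added example that is not part of the thread: it parses the client side of an SMTP transaction and compares the `RCPT TO` recipients with the `To`/`Cc` headers. The session and every address in it are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed client side of one SMTP transaction, as the receiving server
# for corp.example would see it. Addresses are made up.
SESSION = [
    "EHLO mail.sender.example",
    "MAIL FROM:<amy@sender.example>",
    "RCPT TO:<bob@corp.example>",
    "RCPT TO:<hidden@corp.example>",      # Bcc'd: appears in no header
    "DATA",
    "From: Amy <amy@sender.example>",
    "To: Bob <bob@corp.example>",
    "Cc: carol@partner.example",          # delivered in a different transaction
    "Subject: contract draft",
    "",
    "Draft attached.",
    "..a line that began with a dot",     # dot-stuffed by the client
    ".",
    "QUIT",
]

PATH_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def parse_transaction(lines):
    """Return (envelope sender, envelope recipients, parsed message)."""
    sender, rcpts, data, in_data = None, [], [], False
    for line in lines:
        if in_data:
            if line == ".":               # end of DATA
                in_data = False
            else:                         # undo dot-stuffing
                data.append(line[1:] if line.startswith(".") else line)
            continue
        if line.strip().upper() == "DATA":
            in_data = True
            continue
        m = PATH_RE.match(line)
        if m and m.group(1).upper().startswith("MAIL"):
            sender = m.group(2)
        elif m:
            rcpts.append(m.group(2).lower())
    return sender, rcpts, message_from_string("\n".join(data))


def header_recipients(msg):
    """Addresses named in To/Cc/Bcc headers (what the mail client displays)."""
    fields = []
    for name in ("To", "Cc", "Bcc"):
        fields.extend(msg.get_all(name, []))
    return [addr.lower() for _, addr in getaddresses(fields) if addr]


def compare(rcpts, msg):
    """Show where delivery (envelope) and display (headers) disagree."""
    hdr = header_recipients(msg)
    return {
        "delivered_to": list(rcpts),
        "envelope_only": [r for r in rcpts if r not in hdr],
        "header_only": [h for h in hdr if h not in rcpts],
    }


if __name__ == "__main__":
    sender, rcpts, msg = parse_transaction(SESSION)
    print(sender, compare(rcpts, msg))
```

When tracing where a misaddressed message actually went, the mail server's log of `RCPT TO` values is the record to check; the headers only show what the sender's client chose to write.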

Re:Good test. (2)

Medievalist (16032) | more than 2 years ago | (#37354396)

> that is addressed to someone else.

It was addressed to me; I own the address that received it, it is mine. According to the laws you've quoted, anyway, which strictly forbid opening mail addressed to other people. Only I may legally open it; it is mine.

I get a dozen emails a month on my gmail account that are intended for a person with a name very similar to mine.

These emails are all addressed to me, although that's not who they should have been sent to. The person sending intentionally sent it to me - they typed my address and pressed 'send' - so under the laws you've quoted nobody else may open it, only me.

I try and try to get these people (who are mostly British real estate salesmen) to stop sending me these emails which sometimes contain confidential information relating to their clients. The tossers apologize and promise never to do it again (and occasionally do stop for a week or two, then start up again). It appears that many British land brokers are not just poor typists, but also idiots.

Re:Good test. (1)

0racle (667029) | more than 2 years ago | (#37354614)

Example:

Me: bob@aple.com
Not Me: bob@apple.com

Amy means to send to bob@apple.com but can't be bothered to be careful and sends to bob@aple.com.

Can I read it?
Of course. It is addressed to me so "offence to open, destroy, hide or delay any post that is addressed to someone else" doesn't apply. It was addressed to me and therefore delivered to me so "someone knows or reasonably suspects the post has been incorrectly delivered" so this too doesn't apply. Also, I did not delay delivery since it was addressed to me and probably delivered in a prompt manner.

Now, you are going to point out this part - "someone knows or reasonably suspects the post has been incorrectly delivered" and say that since I don't know Amy I should reasonably suspect her messages are not for me. I do get mail from people I don't know, it is rare but it does happen. I do not have any reason to assume any e-mail was not intended for me until I have opened the message and seen its contents. This is not a physical package, e-mail out of the blue is not that uncommon.

And just to throw water on the whole thing, I doubt that you could get laws governing physical mail to cover e-mail.

Re:Good test. (1)

jeffmeden (135043) | more than 2 years ago | (#37353474)

It's not "delivered incorrectly" if the address is right (your house) but the contents are wrong (meant for your neighbor)... That's basically what is going on here. While it could easily be argued that they acted with intent (since they certainly don't have a business called Kelllogggs that they need to send/receive email for) it is still within the bounds of "we read it because we were the intended recipient"... Those boilerplates are about as useful as walking around with a t-shirt saying "you just read this now you owe me twenty quid".

Re:Good test. (1)

duguk (589689) | more than 2 years ago | (#37353928)

> It's not "delivered incorrectly" if the address is right (your house) but the contents are wrong (meant for your neighbor)... That's basically what is going on here. While it could easily be argued that they acted with intent (since they certainly don't have a business called Kelllogggs that they need to send/receive email for) it is still within the bounds of "we read it because we were the intended recipient"... Those boilerplates are about as useful as walking around with a t-shirt saying "you just read this now you owe me twenty quid".

While I'll agree the 'envelope' was correct - it was delivered to the correct address; the person who it was delivered to was not the recipient.

If this was applied to mail, not only would it be that they 'know or suspect to have been delivered incorrectly', they are certainly acting with intent. It would be hard to claim they didn't "know or suspect" these mails were not meant for them!

Sure, the boilerplate is meaningless; but to take the postal analogy further - this would be like me deliberately opening a company with a similar name in a similar road to another; with the sole reason of opening their post. It would take a serious stretch of the imagination to say this has been delivered 'correctly', and pretty obvious that it should be unlawful.

This is sure to have happened in the past, I'm sure someone somewhere has mismatched names with addresses on a mail merge. So if I received a bank statement, with your name but my address on it - would you say it was legal for me to open it?

In any case, as confirmed in the Regulation of Investigatory Powers Act 2000 [opsi.gov.uk]:

It is an offence to open, destroy, hide or delay any post that is addressed to someone else. Post cannot be opened if it is to the addressee's detriment and without reasonable excuse. Reasonable excuse is not defined by the Act.

An example of a potential conflict is if a landlord opens a previous tenant's post in order to trace them. Post cannot be opened if someone knows or reasonably suspects the post has been incorrectly delivered.

It is also an offence to divert someone's post in order to intentionally delay them from receiving it. An example of this could be where a person re-posts documents or cheques to delay the addressee from acting upon them.

Re:Good test. (0)

Anonymous Coward | more than 2 years ago | (#37354256)

So...what you're saying is that I could not open or throw away mail that is addressed to someone that does not live in my house, yet has my address on it?
Pretty soon, I'm going to be crushed under the weight of all the mail addressed to "homeowner" or "recipient"!

Or, am I expected to find out where this person is, and do the Post's job for them? (fat chance).

Re:Good test. (1)

duguk (589689) | more than 2 years ago | (#37354496)

> So...what you're saying is that I could not open or throw away mail that is addressed to someone that does not live in my house, yet has my address on it? Pretty soon, I'm going to be crushed under the weight of all the mail addressed to "homeowner" or "recipient"!
>
> Or, am I expected to find out where this person is, and do the Post's job for them? (fat chance).

If you're the homeowner or recipient, then you are the addressee... no need to be facetious.
If it has someone else's name on it, no you cannot legally open it, at least by the law of the UK.
If you set up a similarly named address, for the sole purpose of intercepting mail, then I would expect that yes, you're still breaking the law.

Re:Good test. (2)

_0xd0ad (1974778) | more than 2 years ago | (#37354570)

You're supposed to mark it "no longer at this address - return to sender", black out the barcode at the bottom with a marker, and put it in the outgoing mail.

Re:Good test. (0)

Anonymous Coward | more than 2 years ago | (#37354610)

OK, let's play.

> It is an offence to open, destroy, hide or delay any post that is addressed to someone else. Post cannot be opened if it is to the addressee's detriment and without reasonable excuse. Reasonable excuse is not defined by the Act.

So you aren't allowed to mess with someone else's mail. Except the addressee on these was found by the mail system. The mere act of sending mail to an addressee implies intent, thus the mail reached the intended recipient.

> An example of a potential conflict is if a landlord opens a previous tenant's post in order to trace them. Post cannot be opened if someone knows or reasonably suspects the post has been incorrectly delivered.

So if something is delivered incorrectly, then, again, you're not allowed to mess with it, even if the address is correct but out of date. With email, this isn't an issue. Email protocols specify that addresses are unique and a message only gets delivered to an EXACT MATCH. Thus it is impossible for email to be "incorrectly delivered" in the sense this law is speaking of. Thus, this doesn't apply.

> It is also an offence to divert someone's post in order to intentionally delay them from receiving it. An example of this could be where a person re-posts documents or cheques to delay the addressee from acting upon them.

Only a MITM (such as a relay) could do this with email. Since that's not what's going on here, this doesn't apply.

tl;dr - Email doesn't follow most of the postal rules because of the relative infallibility of machines, thus most postal privacy laws don't apply.

Re:Good test. (1)

nabsltd (1313397) | more than 2 years ago | (#37354626)

> While I'll agree the 'envelope' was correct - it was delivered to the correct address; the person who it was delivered to was not the recipient.

I do not think that word [reference.com] means what you think it means.

By definition, if something is addressed to you and you get it, then you are the "recipient". It does not matter what the thing is that you received, or why you received it. And, even the UK law you quote agrees with this definition, and gives only examples of when the mail is "addressed to someone else". This law in the US is similar. For example, the Post Office even made ads about how receiving something by mail that you did not request doesn't make you obligated to pay for it, because scammers were sending unrequested items via the mail and enclosing bills, then suing for non-payment.

Re:Good test. (0)

Anonymous Coward | more than 2 years ago | (#37354364)

In the UK they can also take fat kids away from their fat parents. If that happened in the US, I'm not sure what we'd do with all the displaced fat people.

Re:Good test. (1)

Chris Mattern (191822) | more than 2 years ago | (#37354394)

> A person commits an offence if, intending to act to a person's detriment and without reasonable excuse, opens a postal packet which they know or suspect to have been delivered incorrectly.

But it was delivered completely correctly. The sender specified the wrong address, but it was delivered absolutely correctly to that address.

Re:Good test. (1)

duguk (589689) | more than 2 years ago | (#37354548)

> > A person commits an offence if, intending to act to a person's detriment and without reasonable excuse, opens a postal packet which they know or suspect to have been delivered incorrectly.
>
> But it was delivered completely correctly. The sender specified the wrong address, but it was delivered absolutely correctly to that address.

As others have pointed out, delivered!=addressed.

i.e. just because my bank sent my bank statement to your house by accident, that does not give you the right to read or open it (at least not via post in the UK)

Re:Good test. (1)

shentino (1139071) | more than 2 years ago | (#37354406)

You don't need it for real mail because tampering with an envelope addressed to someone else is a federal offense.

Re:Good test. (3, Interesting)

gstoddart (321705) | more than 2 years ago | (#37354702)

> It doesn't. It didn't work for real mail so why should it work for email?
>
> You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.

Well, in this case, you have to make the explicit step of setting up an alternate site, and having something there to get email. So you've explicitly put stuff in place to catch these messages.

Under normal circumstances, the user would get a bounce-back of the message ... so, someone might be able to argue that it's not like something was delivered to you out of the blue. You've actually created the thing that it gets delivered to, and made it look as close as you could to the intended one.

At a minimum, this might get into a gray area, and might be full on illegal, even if you were only passively receiving the mis-directed stuff thereafter.

I don't think you can make the claim that you just happened to be receiving these emails.

Re:Good test. (3, Informative)

tomhudson (43916) | more than 2 years ago | (#37353322)

The boilerplate has no legal force. First, it's like someone sending you unsolicited snail mail - anyone who sends you, say, an unsolicited book by snailmail can't then send you a demand to pay for it - it's already yours.

Additionally, boilerplate "contracts", even ones you agree to, are governed by different laws than regular contracts (search for "contract of adhesion" or "standard form contract").

Re:Good test. (1)

JSBiff (87824) | more than 2 years ago | (#37354538)

With physical goods, like a book, I suspect they could legally demand the book be returned (although, who's going to hire a lawyer and go to court over a $10 book).

If it were something sufficiently valuable for it to be "worth it", though, they could probably demand it be returned. I mean, mailing something to you doesn't make you the 'owner' - netflix mails me DVDs, but I don't "own them", and must return them. I suppose the courts could look at a mis-sent item as never actually having ownership transferred, if there's a lack of clear indication that ownership *has* been transferred (e.g. when you buy a book from Amazon, you have a receipt which clearly shows you purchased the item, and that ownership would transfer to you; if someone sends you something by mistake, there's no such basis for anyone to believe that the sender intended to transfer ownership).

Re:Good test. (1)

Hooya (518216) | more than 2 years ago | (#37353560)

I always thought that was bullshit. How do I *know* if the email was intended for me? Because it's got my email address, that's how.

Now, how can someone demand that I "promptly delete" the email? I have server logs, backups, and a whole array of things (required - as I understand it - as part of SOX) that would have to be scrubbed. Who's paying? The sender wants me to foot the bill to do all that when I had NO say in whether or not I got the email? How about if I sent the sender an email everyday - unintentionally - and ask that they scrub all of it off their servers? Would they do it? Just because I said so?

I would love to send the senders of those fucking boilerplates something to the effect of - "since apparently you want me to observe a contract that I didn't agree to - which I did by scrubbing all the traces of your email - now it's your turn: the bill is $10,000, pay up, the invoice is in the mail".

Re:Good test. (1)

QuantumRiff (120817) | more than 2 years ago | (#37353698)

At least 1.3GB must have been the pretty little green text (sometimes with a graphic of a tree) to "think of the environment before printing this email"...

Re:Good test. (1)

onepoint (301486) | more than 2 years ago | (#37353770)

100 megs of useable data is what we are talking about.
What that might cover is legal issues, user names and passwords and the like ...

So the ability to profit is present, and just like spam, you only need a few to make it worthwhile.

Re:Good test. (1)

Bob the Super Hamste (1152367) | more than 2 years ago | (#37354170)

We had some "security" training here at work about just that topic a couple of months ago. Basically what I gathered is that it is similar to the BS in EULAs that they put in there just in case case law or an actual law is written that makes it enforceable. But in general those notices carry no weight.

Ummm...OK (0)

Anonymous Coward | more than 2 years ago | (#37353190)

Ummm...OK

Behind the Keyboard (0)

Anonymous Coward | more than 2 years ago | (#37353210)

(posting AC because I'm at work...)

Proof that the biggest security vulnerability remains behind the keyboard.

NO TYPING! (1, Funny)

ColdWetDog (752185) | more than 2 years ago | (#37353232)

The attacker relies on the fact that users will always mistype a certain percentage of e-mails they send.

Who is doing this? Who types email addresses and doesn't use a contacts list or similar?

I suppose this is Windows' fault but typing is so 20th Century....

Re:NO TYPING! (0)

Anonymous Coward | more than 2 years ago | (#37353274)

How the hell is this Windows' fault?
For the sake of humanity, don't reproduce.

Re:NO TYPING! (1)

jeffmeden (135043) | more than 2 years ago | (#37353518)

Any sufficiently advanced operating system would have known who you meant to email and automatically routed the message regardless of your inability to type "landolakes.com" without making a mistake. Duh.

Re:NO TYPING! (1)

Nethemas the Great (909900) | more than 2 years ago | (#37354004)

Actually it might be Windows' fault for your preconceptions however it isn't for the email. Properly interpreting a noisy communication of an email address would be the responsibility of the email client application not the OS, for the OS has no business dealing with such high level issues.

Re:NO TYPING! (0)

Anonymous Coward | more than 2 years ago | (#37353952)

Don't worry, it's never gonna happen, he's a Linux user.

Re:NO TYPING! (1)

ArrowBay (2326316) | more than 2 years ago | (#37353512)

True, contact lists and autocomplete should eliminate this... in theory.

In practice, there are legitimate holes in the system. Maybe you fatfinger the address when sending from your smartphone, where you can't access your contact list. Or maybe a colleague or client mistypes the address in an e-mail to multiple people, and then you simply "reply all" not realizing that address was wrong -- which sends the mail to the wrong address, but also gets your e-mail software to assume that's a valid address to add to your contact list.

It also has nothing to do with Windows, unless Microsoft is more omnipowerful than I thought...

Re:NO TYPING! (1)

Nethemas the Great (909900) | more than 2 years ago | (#37354068)

There's also the good fun of these contact lists being created on the spot by means of "first entry". If you entered it in wrong the first time there will be a contact entry made with the wrong address. Any future emails will have a far greater chance of auto-correcting to the incorrect address and all it takes is a person not paying attention to send it off as such.

Re:NO TYPING! (0)

Anonymous Coward | more than 2 years ago | (#37353532)

I dislike Windows as well but Outlook does auto-complete email addresses so you can't place the blame there. Additionally companies usually have global contact lists so I'm not sure why people are manually typing these email addresses, especially since these corporate users are undoubtedly using Outlook.

Re:NO TYPING! (1)

SleazyRidr (1563649) | more than 2 years ago | (#37353860)

When you're working with someone from a different company, they won't be in your company's address book, so you have to type it in at least once to get it into your personal address book. If your company manages it well, that'll go into the corporate address book, but you'll still need to add people from other companies from time to time.

Re:NO TYPING! (1)

phallstrom (69697) | more than 2 years ago | (#37353624)

You have to type it in the first time -- unless they sent you an email. So.... type it in wrong. Send off an email. Oops. Now it's in your mail app's magical "previous recipients" list. Update your official contact list. Send them another email. But your mail app decides to use the previous recipient entry since it's "more recent" (or whatever) than your official contact entry. Unless you click on the person's name to verify the updated address you'll never know and another misdirected email is sent.

In my experience a much bigger problem is folks who deal with a lot of third party contacts... John Smith at CompanyA and John Smyth at CompanyB. The user starts typing "John" and lets it auto complete. Maybe they even see the first "Sm" and assume it's good. And off the email goes to the wrong people. When I worked in IT I'd get frantic calls from people asking if I could stop an email from going out because they'd realize it just after sending it...

Re:NO TYPING! (0)

Anonymous Coward | more than 2 years ago | (#37354158)

It's not just third parties. Payroll recently hired someone that shares my first and last name and since I show up in the company address book first, I've been getting a number of rather sensitive emails that should probably be going to payroll and no one else. The problem is how do you know that "John Smith" is the John Smith you are looking for when you start typing the name in the auto-complete box.

Re:NO TYPING! (0)

Anonymous Coward | more than 2 years ago | (#37353736)

Windows has fucking nothing to do with it, retard.

Re:NO TYPING! (1)

Reverand Dave (1959652) | more than 2 years ago | (#37354176)

Totally 20th century. Personally, I only use eye movements and slight neck twitches for e-mail inputs. In fact, this post is composed solely of copied and pasted letters and characters.

So what is this an argument for? (1)

JoshuaZ (1134087) | more than 2 years ago | (#37353236)

One obvious lesson for this is that using email systems that have autocompletes for addresses you've already used or have had replies from is obviously important. A lot of modern software does this although some does not (my university's default webmail application doesn't for example although gmail does). Another more technical response to this is for people to use public key encryption when they are sending sensitive stuff. There's still some danger that they will at some point look up the public key but this will at least reduce problems. And there are obvious ways of distributing a lot of these keys in a secure fashion. For example, when you go to a bank to open a new account they could hand you a physical USB with their public key on it. Similarly, if one is an employee of a company they could physically do the same thing. One has enough real world interactions with people in the sort of circumstances described by the researchers that the thorny problems of key distribution are much simpler. However, I doubt almost anyone will implement this sort of thing since it is a change from the status quo which involves new technology to prevent what they may see as minor risks.

Re:So what is this an argument for? (1)

SuricouRaven (1897204) | more than 2 years ago | (#37353336)

The whole point of a public key is that it's public. The bank doesn't need to give you the key on a USB stick - they can just put it on their website. If someone actually tries to impersonate a bank website, then you can let loose the lawyers of war.

Re:So what is this an argument for? (0)

Anonymous Coward | more than 2 years ago | (#37353680)

No, but getting a bank to sign *your* key might be a great idea since they presumably will have verified your identity already. Might be a more trustworthy system than a key-signing party...

Re:So what is this an argument for? (1)

jeffmeden (135043) | more than 2 years ago | (#37353592)

> One obvious lesson for this is that using email systems that have autocompletes for addresses you've already used or have had replies from is obviously important. A lot of modern software does this although some does not (my university's default webmail application doesn't for example although gmail does).

Don't forget the very real problem of someone's self-configured email client putting the wrong return address on everything. Although they "should" catch it quite quickly as they see a distinct lack of responses to any emails they sent out, it might not be enough for some people. More strict send rules for all values in the email header could probably eliminate 99% of this traffic from ever happening. Just set the server up to read the recipient, check for similar domains, and weight the domains by "legitimacy" (should be easy in most cases) and if there is a domain with a higher legitimacy rating than the one used, the email is queued and the sender gets a note saying that they need to check the recipient and if they really meant to use that address they can click a link to send it on, and if not click a different link and it will be sent to the right domain.

It's not perfect, but the right algorithm could catch a whole lot of this with minimal effort. Come to think of it, I smell a patent...
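One way to implement the check proposed in the comment above, as an added example that is not part of the thread: each recipient domain is compared against a table of known domains, and the message is held when a much more trusted look-alike exists. The table, its scores, the 10x ratio and the edit-distance limits are assumptions made for illustration.

```python
"""Hold outbound mail whose recipient domain looks like a typo of a far more
trusted domain. Added example: the table, scores and thresholds are made up."""

# Constructed "legitimacy" table: domain -> score (imagined here as the number
# of past two-way exchanges). Hypothetical values for illustration only.
KNOWN_DOMAINS = {
    "apple.com": 950,
    "landolakes.com": 400,
    "example.com": 800,
    "se.example.com": 300,
}
RATIO = 10  # assumed: a look-alike must be 10x more trusted to trigger a hold


def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and swapping two
    adjacent characters each cost 1 (optimal string alignment)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def check_recipient(address, known=KNOWN_DOMAINS):
    """Return the domain the sender probably meant, or None to deliver as is."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    own_score = known.get(domain, 0)  # a cached typo may have a low score
    best = None
    for cand, cand_score in known.items():
        # Short names collide by chance, so allow fewer edits for them.
        limit = 1 if len(cand) < 10 else 2
        dist = osa_distance(domain, cand)
        if not 0 < dist <= limit:
            continue
        if cand_score < RATIO * max(own_score, 1):
            continue  # both domains are comparably trusted: not a typo
        key = (dist, -cand_score)  # prefer closest, then most trusted
        if best is None or key < best[0]:
            best = (key, cand)
    return best[1] if best else None


def route_message(recipients, known=KNOWN_DOMAINS):
    """Split envelope recipients into those to deliver and those to queue
    pending sender confirmation, with the suggested correction."""
    decision = {"deliver": [], "hold": {}}
    for rcpt in recipients:
        suggestion = check_recipient(rcpt, known)
        if suggestion is None:
            decision["deliver"].append(rcpt)
        else:
            decision["hold"][rcpt] = suggestion
    return decision


if __name__ == "__main__":
    # Constructed recipients: a dropped letter, a transposition, a dropped
    # dot between subdomain and domain, and two addresses that should pass.
    sample = ["bob@aple.com", "amy@landolaeks.com", "it@seexample.com",
              "amy@landolakes.com", "carol@unrelated.org"]
    print(route_message(sample))
```

Because the used domain's own score is taken into account, a typo that autocomplete has already cached with a handful of sends is still held, while two established partners with similar names are not.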

Re:So what is this an argument for? (1)

JoshuaZ (1134087) | more than 2 years ago | (#37353692)

That's a really good idea. And it shouldn't be that hard to implement. You could possibly have the software update for new companies. I like your idea a lot.

Re:So what is this an argument for? (1)

XanC (644172) | more than 2 years ago | (#37353872)

Don't be so sure... One of our customers has her reply-to address set to an address pointing to a mailbox she never checks. She tells you her email address is X, and she does get mail addressed to X. But her emails come "from" (and "reply-to") Y. Y happily accepts mail, so there's no bounce or anything, it's just that it's a totally unused box at a no-longer-used domain.

She doesn't seem to think this is a problem...

Re:So what is this an argument for? (1)

Chris Mattern (191822) | more than 2 years ago | (#37354430)

One obvious lesson for this is that using email systems that have autocompletes for addresses you've already used or have had replies from is obviously important.

Another obvious lesson is that once you've sent mail to wrong address, autocomplete will helpfully fill in that wrong address next time.

Re:So what is this an argument for? (1)

jackbird (721605) | more than 2 years ago | (#37354758)

AOL's webmail autocompletes EVERYTHING YOU'VE EVER TYPED that matches, including truncated and nonresolving email addresses. You have to manually dig into options and delete the duplicate/false 'contacts.'

This is not new (1)

arunce (1934350) | more than 2 years ago | (#37353238)

Even I receive this kind of email now and again: legitimate emails, almost all from the same people. Once they make one mistake, more will follow. Sometimes I warn, sometimes I don't. I'm not their employee.

Re:This is not new (0)

Anonymous Coward | more than 2 years ago | (#37353348)

"Thank you for the information I can now use to sell on the black market"

Common problem... (1)

drosboro (1046516) | more than 2 years ago | (#37353252)

I get the same situation. I've got a ".ca" with my last name, and a Canadian lawyer with the same last name has the ".com". I get a bunch of their email on my "catch-all", which is awkward, given the confidential nature of things you may discuss via email with your lawyer.

Re:Common problem... (0)

Anonymous Coward | more than 2 years ago | (#37353380)

Confidential things? Over email? Is this 1983?

Re:Common problem... (1)

Fnord666 (889225) | more than 2 years ago | (#37353804)

Confidential things? Over email? Is this 1983?

Doesn't matter. There will always be failures in any manual process. About once a week I get multi-page faxes to my home phone number, destined for law firms in my home town, that contain confidential information. In those cases I contact the firm and forward the information to them in whatever manner they ask, then destroy my copy. Funny thing is that in most cases, the real fax number isn't even close.

Re:Common problem... (0)

Anonymous Coward | more than 2 years ago | (#37354336)

Perhaps you've heard of this thing called PGP, which more or less every mailer supports. It's been around since the early 90s.

There's nothing unsuitable about email for confidential information. Email can be used incompetently, but so can anything.

Re:Common problem... (1)

Abstrackt (609015) | more than 2 years ago | (#37353738)

To date, I've only met one lawyer who encrypted legal communications. You'd think it would be more commonplace than it is for exactly the reason you described.

Re:Common problem... (1)

psydeshow (154300) | more than 2 years ago | (#37353990)

Anyone who can come up with a way to sign and encrypt email that makes sense to lawyers (my lawyer still uses AOL!) will make a helluva lot of money.

They should have been doing it ten years ago. It should be illegal to send attorney-client privileged emails in plaintext. But guess who makes the laws?

Re:Common problem... (1)

WorBlux (1751716) | more than 2 years ago | (#37354400)

You can use imap to pull mail in from yahoo to his computer, and use any sane mail client which will encrypt outgoing mail (PGP extensions). Instruct clients to do the same or use hushmail (which does PGP automatically).

Re:Common problem... (1)

Culture20 (968837) | more than 2 years ago | (#37353910)

If you *think* you're conversing with your lawyer, but it's really someone else, is it still privileged info?

Re:Common problem... (1)

WorBlux (1751716) | more than 2 years ago | (#37354362)

Yes, if it's addressed to the lawyer, but that's not to say how it might be used out of court.

Re:Common problem... (1)

Bob the Super Hamste (1152367) | more than 2 years ago | (#37354294)

Have you ever tried contacting the lawyer suggesting that he use encryption? As you are in Canada and the lawyer is in the US you wouldn't be subject to the US laws. I have actually had a similar problem but where people try to send me things but it goes to a different person in the company. Apparently there is another person with the same first and last name as mine in the company but they are over in England. If I ever get a chance to go over to England I may have to look him up. Every once in a great while I get some of his e-mail because someone selected the wrong one of us from the world wide address book.

Large firms to monitor domain registrations (1)

PolygamousRanchKid (1290638) | more than 2 years ago | (#37353294)

From TFA:

Kim said that out of the 30 doppelganger domains they set up, only one company noticed when they registered the domain and came after them threatening a lawsuit unless they released ownership of it, which they did.

I guess a domain registration police department will become common in large firms now.

Re:Large firms to monitor domain registrations (1)

Monchanger (637670) | more than 2 years ago | (#37353676)

I guess a domain registration police department will become common in large firms now.

That's been a good idea since companies first started building a web presence. It's part of your brand and you want to make sure it's not tarnished. It should be one of the responsibilities of a corporate IT security department alongside encrypting laptops and intrusion detection.

Probably cheaper to outsource at least the detection part to a company who specializes in exactly that thing. I'd be surprised to hear no company provides such a service by now; especially registrars who deal with domain names 24x7 and certificate authorities who rely on domain name accuracy for security.

I own a domain name (1)

rk (6314) | more than 2 years ago | (#37353298)

That has a similarity in name to one of the US Navy's aircraft carriers. I used to get a fair amount of email for people on that ship. Nothing classified (I would've been really disappointed and shocked, but probably not surprised), but there was one sailor in particular who must've had quite a taste for porn because that address got so much porn spam it was amazing.

Re:I own a domain name (1)

chinton (151403) | more than 2 years ago | (#37353354)

You're right, there is only one sailor with a taste for porn... ;-)

Re:I own a domain name (0)

Anonymous Coward | more than 2 years ago | (#37353648)

Lonestar!

Stolen email? (4, Insightful)

bmo (77928) | more than 2 years ago | (#37353352)

No mail was stolen. It was delivered exactly where it was addressed.

It's the fault of the monkey behind the keyboard and nobody else.

--
BMO

Re:Stolen email? (1)

Trax3001BBS (2368736) | more than 2 years ago | (#37354144)

You're right. I was going to ask why these researchers weren't being charged, but they did nothing wrong.

Re:Stolen email? (0)

Anonymous Coward | more than 2 years ago | (#37354564)

They may not have broken any laws, that remains to be seen. However, it's clear what they did was unethical and they did not act in good faith. They knowingly attempted to receive misaddressed e-mails. That's not ethical behavior.

Re:Stolen email? (1)

Jeng (926980) | more than 2 years ago | (#37354760)

They may not have broken any laws, that remains to be seen. However, it's clear what they did was unethical and they did not act in good faith. They knowingly attempted to receive misaddressed e-mails. That's not ethical behavior.

They were attempting to quantify how much of a problem this is. Can you suggest other ways this could have been done that you think would have been more ethical?

This is why I turned off my catch-all (1)

Quila (201335) | more than 2 years ago | (#37353372)

My domain is a letter off from a big company's, and I used to get what looked like pretty sensitive email all the time. After a few attempts to tell employees to stop doing it, I just turned off the catch-all.

Re:This is why I turned off my catch-all (1)

Animats (122034) | more than 2 years ago | (#37353732)

Me too. I have a .com domain which is the same as a school domain in .co.uk. I used to get a fair amount of their mail, until I turned off the catch-all address.

(That was years ago. Today, if you have a catch-all address, you get to see the same spams come in for a long list of common names.)

+1 for security research (0)

Anonymous Coward | more than 2 years ago | (#37353410)

This type of research is priceless to IT; demonstrating the weaknesses of our systems is the best way to plan security strategies. Good work :)

This reminds me (1)

ThatsNotPudding (1045640) | more than 2 years ago | (#37353432)

must check if Slashdot.xxx is still available.

Hmm, on second thought, no one would ever go there.

Re:This reminds me (0)

Anonymous Coward | more than 2 years ago | (#37353536)

$200 to register a .XXX AND it's gonna be filtered everywhere.... fuck the XXX tld

Re:This reminds me (0)

Anonymous Coward | more than 2 years ago | (#37353626)

Cowboy Neal would, and he'd probably search for "taco". And now I will be forever cursed with that mental image.

Dear god, no. CAPTCHA = "swollen". Kill me already.

Self funding research (1)

RNLockwood (224353) | more than 2 years ago | (#37353434)

"The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions."

I wondered how they could pay for their research in this era of vastly reduced funding - it's self funding!

Re:Self funding research (3, Interesting)

Riceballsan (816702) | more than 2 years ago | (#37353580)

Better question, why are high end companies sending top secret confidential data over normal unencrypted e-mail? Even your bottom of the line MMORPG sends a note to its users saying a GM will never ask for or send your password via e-mail, but our Fortune 500 companies can't match that level of security? Typical e-mail passes unencrypted past so many hands it isn't funny. The typical e-mail from home to work passes unencrypted across a wifi network, that may or may not be compromised if it was even bothered to be secured, to your ISP where low wage monkeys may or may not have access, across the cloud where it will pass through an unknown number of nodes, to the entry mailservers at said company, that may or may not be managed by medium wage contractors that know they only have the job for a few months at best anyway, finally to the person who it is intended to go to. Yeah I see no reason to think twice before sending my SSN CC# and confidential data through an e-mail.

Re:Self funding research (0)

Anonymous Coward | more than 2 years ago | (#37353662)

I used to know a guy who ran a local ISP and his hobby was to read his customers' e-mail.

Re:Self funding research (0)

Anonymous Coward | more than 2 years ago | (#37354034)

Better question, why do email applications default to sending unencrypted e-mail in the first place? The default should be encryption turned on. If you want to fix the problem, you need to go to the source.

Re:Self funding research (1)

blueg3 (192743) | more than 2 years ago | (#37354392)

Better question, why do email applications default to sending unencrypted e-mail in the first place? The default should be encryption turned on.

You can't default to something that requires a preliminary exchange of information. While you can encrypt the SMTP exchanges, the e-mail itself can only be meaningfully encrypted if the recipient transmits his key to the sender beforehand (using a mechanism that prevents a man in the middle attack on the key exchange).

Both my wife and I regularly receive email... (1)

manonthemoon (537690) | more than 2 years ago | (#37353628)

intended for others. I have a full name @mac/@me account and my wife has a full name @gmail.com and I assume these people chose 1stnameLastname+1 account names making it very easy for their friends and business acquaintances to wrongly send us their email instead. I've gotten sensitive business information, invitations to exclusive events (unfortunately in the UK so I can't attend). My wife has had an interesting time unintentionally following the life of a New York mover and shaker.

We don't know the real recipients' actual email addresses so we can't warn them and have to read our own email to find out if it is intended for us or not so we can't help but read their email. Interesting conundrum.

This research result is not at all surprising- it is the same thing, just at a bigger scale and deliberate.

Re:Both my wife and I regularly receive email... (1)

Registered Coward v2 (447531) | more than 2 years ago | (#37353880)

intended for others. I have a full name @mac/@me account and my wife has a full name @gmail.com and I assume these people chose 1stnameLastname+1 account names making it very easy for their friends and business acquaintances to wrongly send us their email instead. I've gotten sensitive business information, invitations to exclusive events (unfortunately in the UK so I can't attend). My wife has had an interesting time unintentionally following the life of a New York mover and shaker.

We don't know the real recipients' actual email addresses so we can't warn them and have to read our own email to find out if it is intended for us or not so we can't help but read their email. Interesting conundrum.

This research result is not at all surprising- it is the same thing, just at a bigger scale and deliberate.

I have a similar problem from time to time with my gmail account. In addition to your comments, some people seem to think that first.last and firstlast at gmail are different email addresses; as a result I periodically get emails for people who screwed up signing up for an online account, and since the company gladly accepted any email address as unique as long as it didn't match an existing one, signed me up.

When it's obviously an error I reply saying - oops, wrong person. All but one generally reply with a thanks. There was though, one luser who insisted *he* had the right email address and went so far as to suggest, when I asked him to simply verify the address with the person (it was a small private school), I change *my* gmail account because he *knew* his emails were going through. So, off to junk went any emails from his domain, since I learned a long time ago that stupid was unfixable. I figured sooner or later the real recipient would miss something important and fix the problem. Eventually, the emails stopped coming, so I guess he figured it out.

steal is a little strong (1)

YesIAmAScript (886271) | more than 2 years ago | (#37354136)

They captured 20GB of email.

They didn't really steal it, people addressed the email to them, they just did it errantly.

A similar situation, different media. (0)

Anonymous Coward | more than 2 years ago | (#37354422)

(back when)

I had two phone lines one strictly for the modem.
The modem line was a prefix away from the local mass transit's

I would use the line for long distance calls as it wasn't limited as my
other line was; anytime I hooked the modem line to a phone it would ring.

Answering it I would get a question, not if this was the right place but
the hours of a bus route.

I ended up never answering it and pity the poor soul who ended up with
the number when I gave it up.

Not surprising (1)

YrWrstNtmr (564987) | more than 2 years ago | (#37354488)

I have a very short (3 letter) AOL email address from days long gone by. I still check it every other week or so. I've been on a boy scout troop mailing list a few states away, a kindly grandmother's All Family contact list, and a few mislabeled business communications, most notably, someone buying a car in England.

I emailed one guy back who was writing to his military son. He got all kinds of pissed off, and accused me of 'intercepting his emails'. Sorry dude...YOU screwed up.
I always try to email them back to correct the problem, and usually they do.