February 2008
Monthly Archive
Sat 16 Feb 2008
The good news. When they send bounced email, they strip out any attached email or original message.
The bad news. They send email from - ###REMOVEDFORNATIONALFREAKINGSECURITY###@… donotreply.com
More bad news. They include email addresses and names that are no longer valid.
The worst news. They also send email to TSA - which does not strip out the internal message.
Since Homeland Security and the TSA actually deal with national freaking security, I am not going to post the information in these emails beyond saying that it includes a mix of user information, software information, software usage information, hardware identification and software expiration dates.
Could the "terrorists" use it? Like any data you expose to the public that is better kept private, it could be used for social engineering. Just think what you could do if you could call a department and tell them how many users they have running a certain piece of software on certain hardware. Fishing for more information is just a short step from there.
So why post this? Why post any of this? Because this is just another example of corporations and government agencies paying lip service to security and privacy. Look at the companies listed this week. These are just examples of security or privacy issues, just examples: I have hundreds of examples, hundreds of thousands of pieces of mail.
And I am at the bottom end of stupidity. I am just one small instance demonstrating this lack of attention to detail.
When you give any private information to anyone, remember, they are idiots. They are not going to protect your information. So before you click submit, ask yourself: do you want Chet reading your personal information?
Thu 14 Feb 2008
Yardville National Bank was a small bank. Surely the big financial companies behave better, right?
Not really.
Merrill Lynch decided this was a good address to send mail from: Registration_and_Licensing_Services@… yeah, you guessed it, not ml.com but donotreply.com.
So what fun do we find in the ML mail?
Roger D______
SUN LIFE / MFS Termination of Appointment in __________ has been terminated effective immediately due to one of the following reasons:
-Lack of business with this carrier
-State Insurance license has been terminated
-Per your request
You will not be able to conduct any insurance business in NORTH DAKOTA for SUN LIFE / MFS until your appointment is reinstated.
Christopher ____ is pissed. He replied to the donotreply address with this angry little note from his blackberry.
Do not understand why terminated just got appointed. Please respond, I was told I needed to be appointed with them to hold Annuities that are in transfer. Please explain!
I was tempted to explain we found him incompetent and worse than our own security personnel, but then I remembered I don’t actually work at Merrill Lynch, I just read their emails.
When Dick _____ was told he needed to renew his insurance license, he let them have it in all caps!
I AM UDER THE ASSUMPTION THAT I HAVE A PERMANENT LICENSE (OVER 65) AND
NOT REQUIRED TO TAKE FURTHER CONTINUING EDUCATION HOURS. PLEASE CONFIRM.
THANK YOU.
I guess being over 65 he can’t read emails that are in the proper case.
Charles ______ got his notice for Missouri, and his reply is going to leave Missourians asking: but why us, Chuck?
I AM NOT RENEWING THIS STATE.
Since Merrill Lynch doesn't even bother to tell people not to reply to the emails, and the emails are either telling people they have lost the right to sell insurance or that they are about to… I have plenty of private replies, none of which will ever get to anyone at Merrill Lynch who could help with the problem.
Thu 14 Feb 2008
Your Neighborhood Bank.
What would you do if you wanted to hack a bank? Maybe install some keyloggers on some bank employees' machines and capture data? But how could you ever find a list of computers that aren't running the latest patches or still have known vulnerabilities?
For me, ynb.com's computers would be easy… because they mail me colorful PDFs detailing the IP address of each machine that is not currently patched, and which vulnerabilities it is currently open to.
Now these aren't public IPs, but internal ones (from the ones I have read at least). But with over 200 reports detailing computers, full branch reports, graphs showing the top 10 most vulnerable machines, etc., they had done plenty of legwork for me.
So why would a bank ever reveal all of its security dirty laundry?
Because someone didn't want bounces from their security software's reports filling up their inbox, so instead… ynb.com sends their internal security reports FROM the very public donotreply.com domain. A bounce is returned to the envelope sender address, and when that address is at a domain you don't own, the owner of that domain gets your undeliverable mail, original message and all. So all it took was one bad address and I started receiving their very private reports.
I have refrained from posting any info from the reports because of the severity of this security leak.
Sun 10 Feb 2008
This is one of the scarier ones: an identity theft nightmare. It seems that when you make a certain kind of payment to your Capital One account, the confirmation is sent from "Capital One Payment" at donotreply@donotreply.com (see the quoted message below). Can you see the problem here?
They don’t even bother to tell people not to respond to these emails, so I have customers sending complete emails like this one.
I have been waiting some time by now,
Can you e mail me the whole statement, the payments I did and closing the account because I think I lost
more money than interest, so I need to know where did I lost, you or Dr. ______.
Thanks
S____ F______
-----Original Message-----
From: Capital One Payment [mailto:donotreply@donotreply.com]
Sent: Friday, September 14, 2007 8:32 PM
To: F_____, S______
Subject: Payment Confirmation
9/14/2007
Dear S_____ F_____,
Thank you for your recent payment to Capital One. This email is to confirm your authorization on 9/14/2007 12:01:39 PM for an electronic debit of your checking account in the amount of ____.___.
This payment will be effective on 9/14/2007 or shortly thereafter. If your financial institution is unable to process the electronic debit, Capital One is authorized to submit a paper draft for this transaction amount. In the event the debit to your account is returned unpaid, an additional return item will be debited from your bank account.
If you have any questions, or if this confirmation does not accurately reflect your payment, please contact us immediately at 800-926-1000.
Sun 10 Feb 2008
You know that problem with L____ P______? His Kevlar/Ballistic Helmet is Unit # L0893__ and his Ballistic Vest is Unit # L198__ Both are in the transit warehouse (at least as of 09/29/2007)
Paying $2.93 per unit for Sauce, Soy, Fermented, 12/20 BT seems a little expensive.
B____ K_____ has been using the Ford F-250 Pick Up lately.
Mohammed took a very dignified picture for his Sri Lanka Driver’s License
If you are looking for the Magnum 5kw lightset at Camp Taji… it is no longer in the tool room area, instead it has been moved to the front gate entrance.
J___ J___ I____’s pay seems decent, but $3,000 R&R pay? Come on, the airline ticket recovery for him is $3,218.86! Give the guy a break, cover his air fare at least.
M____ C____ ordered almost $5,000 worth of portable toilets. Better watch out for this guy, sounds like he is planning a rave.
Get it? I don't think I need to go on. I have plenty more, and most of it more revealing. Accident reports, job requests, transfers, etc., almost all dealing with people currently stationed in Iraq. I hate Halliburton, I hate them… but the people working in these jobs still deserve our respect and privacy, so I won't post any more and have hopefully made these vague enough to not endanger anyone.
But it is ridiculous that a major defense contractor actually sends some of their bounced faxes (all of this info was inside complete faxes) to a domain they do not own. That puts every single one of these people at risk.
Halliburton is not alone. Plenty of people have started slugging donotreply.com into their fax systems to avoid dealing with bounces. Come on!
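The check a mail or fax gateway should have run before any of these systems sent a message, as an added example that is not code from this blog or from any of the companies named on it. The first function flags an outgoing message whose sender-side headers point at a domain the organisation does not control, which is exactly the ynb.com and Halliburton mistake above. The second builds a bounce that returns only the undeliverable message's headers, the behaviour the first post on this page praises its sender for, so a bounce that does go astray cannot carry a vulnerability report or a fax with it. The domain allowlist OWNED_DOMAINS, the example-bank.test addresses and both sample messages are constructed for this example.

```python
"""
Added example, not code from the donotreply.com blog or from any company it
names. Two checks for an automated mail/fax gateway:

  outbound_sender_problems() flags an outgoing message whose Return-Path,
  Sender, From or Reply-To points at a domain the organisation does not own.
  Bounces go to the Return-Path and human replies to Reply-To/From, so a
  report sent "from" donotreply.com hands both to whoever owns that domain.

  build_bounce() produces a multipart/report DSN (RFC 3464) whose last part
  is text/rfc822-headers: the undeliverable message's headers, never its
  body, so a bounce that lands in the wrong inbox leaks routing metadata
  instead of a vulnerability report.

OWNED_DOMAINS, the example-bank.test addresses and both sample messages are
constructed for this example.
"""
from email import message_from_string
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

# Assumption: the only domains this organisation controls.
OWNED_DOMAINS = {"example-bank.test", "mx.example-bank.test"}

# Headers that decide where bounces (Return-Path) and replies (the rest) go.
SENDER_HEADERS = ("Return-Path", "Sender", "From", "Reply-To")

# Constructed sample: an internal scan report sent the way the blog describes.
LEAKY_REPORT = """\
Return-Path: <vuln-scan@donotreply.com>
From: Vulnerability Scanner <vuln-scan@donotreply.com>
To: branch-it@example-bank.test
Subject: Weekly unpatched hosts report
Content-Type: text/plain

CONFIDENTIAL: 10.20.30.40 is missing 3 critical patches.
"""

# Constructed sample: the same report with a sender domain the bank owns.
SAFE_REPORT = LEAKY_REPORT.replace("donotreply.com", "example-bank.test")


def address_domain(value):
    """Lower-cased domain of a header value such as
    'Scanner <vuln-scan@donotreply.com>'; '' if no address is found."""
    _, addr = parseaddr(value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def outbound_sender_problems(raw_message, owned=OWNED_DOMAINS):
    """Return [(header, domain), ...] for every sender-side header whose
    domain is not in `owned`. An empty list means the message is safe to
    send as far as bounce and reply routing is concerned."""
    msg = message_from_string(raw_message)
    problems = []
    for header in SENDER_HEADERS:
        for value in msg.get_all(header, []):
            domain = address_domain(value)
            if domain and domain not in owned:
                problems.append((header, domain))
    return problems


def build_bounce(original_raw, failed_recipient, reporting_mta):
    """Build a DSN for `original_raw` that returns headers only."""
    original = message_from_string(original_raw)

    dsn = MIMEMultipart("report", report_type="delivery-status")
    dsn["From"] = "MAILER-DAEMON@" + reporting_mta
    dsn["To"] = original.get("Return-Path") or original.get("From")
    dsn["Subject"] = "Undelivered Mail Returned to Sender"

    # Part 1: human-readable explanation.
    dsn.attach(MIMEText("Delivery to %s failed permanently.\n"
                        "The original message headers are attached; the body "
                        "is not returned.\n" % failed_recipient))

    # Part 2: machine-readable status, one per-message and one per-recipient
    # header block (the structure email.parser itself uses for this type).
    per_message = Message()
    per_message["Reporting-MTA"] = "dns; " + reporting_mta
    per_recipient = Message()
    per_recipient["Final-Recipient"] = "rfc822; " + failed_recipient
    per_recipient["Action"] = "failed"
    per_recipient["Status"] = "5.1.1"
    status = MIMEBase("message", "delivery-status")
    status.set_payload([per_message, per_recipient])
    dsn.attach(status)

    # Part 3: headers only (text/rfc822-headers), never message/rfc822.
    headers_only = "".join("%s: %s\n" % item for item in original.items())
    returned = MIMEBase("text", "rfc822-headers")
    returned.set_payload(headers_only)
    dsn.attach(returned)
    return dsn


if __name__ == "__main__":
    print("leaky :", outbound_sender_problems(LEAKY_REPORT))
    print("safe  :", outbound_sender_problems(SAFE_REPORT))
    print(build_bounce(LEAKY_REPORT, "nobody@example-bank.test",
                       "mx.example-bank.test").as_string())
```

Run stand-alone it prints the two check results and the generated bounce. The sender check is deliberately strict: a From at a domain you own with a Reply-To at one you don't is still flagged, because the reply is what the angry brokers and Capital One customers on this page actually sent.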
Sun 10 Feb 2008
And sending me alert emails. Some 4000 emails…
This message has been automatically generated in response to the
creation of a trouble ticket regarding: "Alert: BORDER0.THG.am6.net-T1 0/3/1 · WAN1-NHWD0.THG 13HCGS630633PT status has changed to 'Down'", a summary of which appears below.
There is no need to reply to this message right now. Your ticket has been
assigned an ID of [bandcon #8222].
Please include the string:
[bandcon #8222]
in the subject line of all future correspondence about this issue. To do so,
you may reply to this message.
FOR URGENT SERVICE AFFECTING ISSUES, PLEASE CALL BANDCON CUSTOMER SUPPORT IMMEDIATELY AT 1-888-852-2880
Thank you,
support@bandcon.com
Thanks, guys! And BORDER0.THG.am6.net-T1 really has been going down a whole bunch lately. Trust me, I know.