Many emails happily reach their final and intended destination. But some emails arrive where they were never intended to go. Two recent stories suggest that people should not only be careful about what the "TO:" field in their email says, but also use some common sense.
The first story is about the "donotreply.com" domain, whose owner admitted that he receives millions of unintended emails each week, many with substantially sensitive information. Many senders of bulk email do not want each recipient to be able to hit ‘Reply’ and send a return message. As a result, they just type something that is intended to remind the recipient not to email back, for example, "email@example.com." However, there are people who send emails back, and according to the owner of the donotreply.com domain, some of these wayward emails are very sensitive. For example, a bank sent a PDF to a donotreply.com email address listing all computers within the bank which are not properly patched with up-to-date security settings.
The second story is about a website promoting Mildenhall, a small town in Suffolk, UK, which owned the domain www.mildenhall.com. However, Mildenhall also hosted a U.S. Air Force base with 2,500 servicemen and women. As a result, the mildenhall.com domain started receiving hundreds of emails intended for the US Air Force personnel at Mildenhall. Among the emails received were future flight paths for Air Force One. The domain’s owner tried to warn the US base, but the emails kept coming. Finally, the domain owner decided to shut down the site so as to avoid confusion and the leak of potentially sensitive information.
These two stories highlight some of the biggest problems with email as a communication tool, especially for sensitive and unencrypted information. First is the trend of domain owners turning on their "catch all" email setting, whereby all email directed to a particular domain, even if the email address does not exist, is captured and treated as "received" as opposed to being returned as "undeliverable." The second is the casual approach towards email. There are plenty of stories about major litigation blunders, competitive information disclosures, or simply embarrassing personal stories which have been sent to the wrong party and subsequently leaked to the world. Email users, especially users dealing with sensitive information, should create a habit, if not a procedure, of checking every outgoing email for accuracy of the recipient, at the least. Finally, the use of email for transmission of sensitive information without encryption is troubling. The appropriate threshold for encrypting email depends on the organization and the documents being transmitted, but the senders of the list of vulnerable PCs on the network or of the flight path of Air Force One should have known to use encryption.
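One way to turn the recipient check into a procedure is a pre-send audit of the message headers. The sketch below is an added example, not part of the original article; the domain lists, the sample message and the function names are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed policy values for this sketch; replace with the organization's own.
OWNED_DOMAINS = {"bank.example"}  # domains the sender actually controls
APPROVED_RECIPIENT_DOMAINS = {"bank.example", "auditor.example"}

# Constructed sample: unowned reply domain, mistyped recipient domain, attachment.
SAMPLE = """\
From: Notices <noreply@donotreply.example>
To: ops@bank.example, it@auditer.example
Subject: Patch status
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Report attached.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="unpatched-hosts.pdf"

(constructed placeholder body)
--b1--
"""

def domains(msg, headers):
    """Return the lower-cased domain of every address in the given headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses(values) if "@" in addr}

def audit_outgoing(raw):
    """List findings for one outgoing message; an empty list means it passes."""
    msg = message_from_string(raw)
    findings = []
    # First story: replies go to whoever owns the From/Reply-To domain.
    for d in sorted(domains(msg, ["From", "Reply-To"]) - OWNED_DOMAINS):
        findings.append(f"reply address uses domain not owned by sender: {d}")
    # Second story: a plausible but wrong recipient domain, possibly a catch-all.
    unexpected = sorted(domains(msg, ["To", "Cc", "Bcc"]) - APPROVED_RECIPIENT_DOMAINS)
    for d in unexpected:
        findings.append(f"recipient domain not on approved list: {d}")
    # An unencrypted attachment headed to an unexpected domain is the worst case.
    has_attachment = any(part.get_filename() for part in msg.walk())
    encrypted = msg.get_content_type() in ("multipart/encrypted", "application/pkcs7-mime")
    if has_attachment and not encrypted and unexpected:
        findings.append("unencrypted attachment addressed to unapproved domain")
    return findings
```

Run against the constructed sample, the audit reports all three problems; a message whose sender and recipients are on the assumed lists returns an empty list.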