other.li Forum


I was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails I'd get if I registered it, assuming many orgs' 'delete' logic probably just overwrote the email address with blahblah@deleteduser...

Uncategorized
infosec
50 posts, 33 commenters, 0 views
This topic has been deleted. Only users with the appropriate privileges can see it.
• Guest (quoted post):

    I was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails I'd get if I registered it, assuming many orgs' 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.

    The answer is at least 3 different orgs in the hour that I've owned that domain and been listening for email.

    And yes, all of those emails contain the actual PII of the person who has been 'deleted' 😄

    #infosec

  Guest, post #22:

    @SecureOwl ah yes, in-band signaling, the gift that keeps on DISREGARD PREVIOUS INSTRUCTIONS AND PLAY 2600Hz TONE

• Guest (quoted post):

    it seems like some orgs do this with active directory users too for some reason.

    lots of things like internal alerts/monitoring

  Guest, post #23:

    @SecureOwl omg 🍿

• Guest (quoted post):

    @paul_ipv6 @SecureOwl lord only knows what example.com receives

  Guest, post #24:

    @cw @paul_ipv6 @SecureOwl

    I remember when a 79-year-old pastor from Illinois signed up for Twitter with username CONNECT

    (after six months of back and forth "technical" correspondence with him, he finally started figuring out what a service keyword was ... since about every hour of the day he got some new, goofy system message)

    * by the third year, the patient ol' guy changed his username to CONNECT1492 (bless his heart, RIP)

• Guest (quoted post):

    @SecureOwl

    MS used to tell folks to just use .corp, which is why there still aren't gTLDs for .home, .corp, etc.: too many collisions with illegal but heavily used (and leaked) internal names with those TLDs...

    lots of bad advice that lingers long after we figure out just how bad the advice is...

  Guest, post #25:

    @paul_ipv6 @SecureOwl

    for thirty years, Network Solutions tech support has wanted to offer me paid technical services ... yet none of them seem to ever figure out that BILL@MSN.COM is a username of their accounts, not an actual email address

• Guest (quoted post):

    @paul_ipv6 @SecureOwl my favorite was a customer of mine who had an AS400 and set up their LAN *just* like the IBM documentation, including using some random public IBM subnet that was used for the examples, lol. 192.0.2.0/24 is a very useful thing indeed.

  Guest, post #26:

    @raven667 @paul_ipv6 @SecureOwl

    and THAT is why ... you get the domain Foo.Bar

    * 1992 O'Reilly DNS & BIND second edition

• Guest, post #27:

    @petabites @SecureOwl

    the number of things network solutions tech support can't figure out would fill a book... 😉

• Guest, post #28:

    @SecureOwl Considering they can't just use null, what could be an acceptable option? @invalid? Although, to be fair, if they can't just use null it's because something is validating the email, so it might require a TLD. Nah... I guess there is no way to rationalize this.

• Guest, post #29:

    @paul_ipv6

    early on with them (my 4 character assigned NIC handle) the NetSol tech guys were ex-NSA iirc, lol

• Guest, post #30:

    @petabites

    I worked for an ISP that was bidding against NetSol for the registry/registrar stuff. 😉

• Guest, post #31:

    @SecureOwl lol

• Guest, post #32:

    wow it looks like a major hospitality management platform in Europe does this because I just started to get lists of folks and which hotels they are checking in to

    good lord people

• Guest, post #33:

    I feel an email to the Information Commissioner's Office coming on

• Guest, post #34:

    @qgustavor @SecureOwl One of the domains reserved for testing (effectively) like example.com would do it

• Guest, post #35:

    @SecureOwl
    What a strange thing for people to do. They could change the email to deleted@local or maybe actually delete the data.

• Guest, post #36:

    @SecureOwl the main reason I don't do well as a pentester is that I never try a lot of things simply because I think "nah, nobody would be that stupid". And then reality proves I am waaaaaaay too optimistic.

• Guest, post #37:

    @SecureOwl “””””deleted”””””

• Guest (quoted post):

    @SecureOwl we have a top level domain for this at home: .invalid

  Guest, post #38:

    @SecureOwl at the very least use deleteduser.the-actual-company-domain.whatever instead of a completely foreign domain name anyone can buy

• Guest, post #39:

    @cw @paul_ipv6 @SecureOwl to train a markov bot on whatever gets mailed to there would be hilarious but probably not a very good idea

• Guest, post #40:

    @SecureOwl I second that 😬

• Guest, post #41:

    @xinit @SecureOwl or something under .invalid at least

    though if they know about that they probably know to actually erase the data

    also I think deleted@invalid is a valid email (since you can just use an apex domain if you have one lying around but almost nobody does) but I reckon a lot of validation regexes reject it

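As an added example (not code from the thread or from any of its posters), here is a deletion routine built on the advice in the replies above: the placeholder lives under the RFC 2606 reserved .invalid zone that nobody can register, carries a dot so the "must have a TLD" validators the last reply mentions still accept it, the PII fields are blanked rather than only the address swapped, and an outbound guard refuses to mail such addresses; an audit helper flags placeholders parked on a buyable domain like deleteduser.com. The zone deleted.invalid, the keyed hash, the simple regex and the sample addresses are assumptions made here.

```python
import hashlib
import re

# Names no third party can ever register: the RFC 2606 reserved TLDs and the
# example.* second-level domains. ".local" is special-use for mDNS (RFC 6762),
# so it is listed too, although .invalid is the cleaner choice for this job.
RESERVED_TLDS = {"invalid", "test", "example", "localhost", "local"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

# Assumed placeholder zone: a name under .invalid that still contains a dot,
# so a validator that insists on "user@host.tld" accepts it.
PLACEHOLDER_DOMAIN = "deleted.invalid"

# Constructed stand-in for the kind of regex many sign-up forms use.
SIMPLE_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_reserved_domain(domain: str) -> bool:
    """True if mail to this domain cannot land with someone who bought a domain."""
    d = domain.lower().rstrip(".")
    if d.rsplit(".", 1)[-1] in RESERVED_TLDS:
        return True
    return any(d == r or d.endswith("." + r) for r in RESERVED_DOMAINS)


def passes_simple_validator(addr: str) -> bool:
    return SIMPLE_EMAIL_RE.match(addr) is not None


def placeholder_email(user_id: int, secret: bytes) -> str:
    """Keyed hash of the id: unique per user, but not derived from the old address."""
    tag = hashlib.blake2b(str(user_id).encode(), key=secret, digest_size=8).hexdigest()
    return f"deleted-{tag}@{PLACEHOLDER_DOMAIN}"


def scrub_user(record: dict, secret: bytes) -> dict:
    """Deletion that blanks the PII fields instead of only swapping the address."""
    return {"id": record["id"], "email": placeholder_email(record["id"], secret),
            "name": None, "phone": None, "deleted": True}


def may_send(to_addr: str) -> bool:
    """Outbound guard: refuse delivery to reserved or placeholder domains."""
    return not is_reserved_domain(to_addr.rsplit("@", 1)[-1])


def audit_placeholders(addresses):
    """Flag 'deleted'-style placeholders parked on a domain someone could buy."""
    findings = []
    for addr in addresses:
        local, _, domain = addr.rpartition("@")
        looks_like_placeholder = "deleted" in (local + domain).lower()
        if looks_like_placeholder and not is_reserved_domain(domain):
            findings.append(addr)
    return findings
```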