Using Catch-All Email - Beware

jberryhill

John Berryhill, Ph.d., Esq.
There is a significant contingent of domainers who use variations on the theme of "catch-all" email inboxes to find sales leads. I believe there may be one or two businesses premised on providing free or low-cost email services for that specific purpose, which have been discussed here in the past.

There are a couple of risks to doing that. What I have generally advised is that it is hard to hold a domain registrant liable for what they don't know and don't have. If, unknown to the registrant, there is some other similar domain name which is being used by another party for communications, then the registrant will not be accumulating mis-directed email containing potentially sensitive information if the name is not configured to receive email. If, on the other hand, the registrant receives mis-directed sensitive communications containing, say, financial information, health data, or trade secrets, then there are legitimate concerns about why the registrant is accumulating those communications and what the registrant is doing with the information.

In the worst case scenario, the collection of mis-directed email is intentional, as in:

https://www.adrforum.com/DomainDecisions/125751.htm

"As to Respondent’s purpose in doing so, shortly after having registered the <wfubmc.com> domain, actual confusion occurred and Respondent complied with Complainant’s request to forward misdirected email to Complainant. When Respondent was asked in May 2002 what his proposal would be for Complainant to acquire the <wfubmc/com/net/org> domains, he said he could provide forwarding services for $20/year/user, or for a flat fee of $5,000 annually per domain. He then stated: “In light of the opportunity costs, lost productivity, security risks and privacy risks that are continuously being incurred by the Institution with the status quo, I believe this to be a bargain. Of course an offer for complete acquisition would be considered”."

Where a domain is parked or otherwise lightly used for HTTP queries, the existence of an MX DNS record (as opposed to simply having no MX record) might indicate simply that the registrant uses the domain name primarily for email and does not particularly care about a web presence as, for example, is the case for johnberryhill.com. There are numerous UDRP cases in which a respondent's use of a domain name primarily for email has been found legitimate. e.g. <https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2020-1577>

But where the domain name is similar to a distinctive mark, and there is no substantial use of the domain name for a website, then the existence of an MX record may suggest that the respondent may be collecting mis-directed email addresses or even sending confusing email addresses:

https://www.adrforum.com/domaindecisions/1888544.htm

"First, Complainant contends that the <o‑iglass.com> domain name has been registered and used in bad faith because the original Respondent was probably preparing to use the disputed domain name in furtherance of an email phishing scheme and for other improper purposes. [...] Complainant argues that an “@o‑iglass.com” email address associated with the disputed domain name is potentially being used to impersonate Complainant and to send phishing e-mails to Internet users, presumably designed to solicit information under false pretenses."

That same point appears to have been made sua sponte in:

https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2020-2754

"Furthermore, the MX records associated with the disputed domain name are openly available for view by the public and by the Panel. The Panel considers configuration of an email server on the disputed domain name as additional evidence corroborating Complainant’s assertions. More specifically, the disputed domain name contains in its entirety Complainant’s DEWBERRY trademark, and the record is devoid of any evidence to suggest that Respondent has any legitimate interest in sending emails from the disputed domain name. Respondent’s proactive configuration of an email server supports Complainant’s assertion that the disputed domain name creates a risk that Respondent would be engaged in a phishing scheme by using an email address impliedly associated with Complainant."

It is also true that some entities in the parking business cooperate with anti-spam organizations to provide anti-spammers with a feed of inbound email to parked domains, to assist in training automated spam identification and blocking systems.

However, the tendency of paranoid reasoning to track "I don't know what is going on, so it is probably something bad", and its application in UDRP jurisprudence as "here's a new hammer to beat anything that looks like a nail" mitigates against setting up passive email service for domains which are not going to be used for email purposes. I believe the open-ended "why is there an MX record for this domain" observation is an up and comer tool for finding bad faith use.
 
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
Thanks. And wonderful.. another way to put the onus of protection against stupidity upon the owner rather than the user.
 
•••
Thank you. Learned something new.
 
•••
I've said this many times that it is a dangerous strategy to discuss "email leakage" with end users over a domain you are selling and also it's extremely unethical.

Setting up email catchalls for no other reason than to gauge, monitor, collect, read, forward is wrong (even though it may be interesting and easy). Just because you have a physical mailbox outside your house doesn't mean that you have the right to open and read every piece of mail that is put in there. If it is addressed to someone else you shouldn't read it. You should put return to sender on the front and put it back in a mailbox.

I once had someone send me a check, but they were off by a number in the address, the person actually deposited the check in their own account after signing the back with their own name and the bank clerk not checking it properly. Obviously this isn't ok, but when I spoke to the person who deposited my check, they said they didn't realize and deposited it with a bunch of other checks.... No it isn't ok. It is a crime. It isn't cool to open people's mail and emails that are not intended for you and it's wrong that folks use catchalls for this purpose.

Also I think that there is an added ethical issue when folks stretch how much leakage of sensitive data is actually happening, to promote the value of a domain or "why a non-dotcom owner is making a mistake by not owning the dotcom version of their domain" - I believe this issue is hyped beyond reality by some to promote self interests.
 
•••
Pigeons.

The mail will always get through, except perhaps when they are having a coo.
 
•••
Some parking companies set up a MX record if you use their nameservers, for unknown purposes - I asked on two different occasions and they didn't answer. I asked to remove these records for my domains and they reluctantly did it. But setting them up in the first place is asking for trouble. Even if it's just a sinkhole / ddos mitigation (I don't know, I'm not an expert), they should at least be transparent about it, for domain owners' sake.
 
•••
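An added example, not written by any poster in this thread: a portfolio audit that classifies how each domain handles inbound mail, covering the MX-record point in the opening post and the parking-provider MX records mentioned just above. It goes slightly beyond the thread by also reporting two cases the posts do not name: the null MX of RFC 7505 (`MX 0 .`), which states explicitly that a domain accepts no mail, and the RFC 5321 fallback under which a domain with no MX but an A/AAAA record can still be tried for delivery. All domain names, addresses and the provider host are constructed.

```python
# Added example: classify how each domain in a portfolio handles inbound mail.
# The zone data below is constructed for illustration only.
from collections import defaultdict

ZONE_TEXT = """\
; constructed sample records: name TTL class type rdata
parked-one.example.    3600 IN A   192.0.2.10
parked-one.example.    3600 IN MX  10 mx.parking-provider.example.
parked-two.example.    3600 IN A   192.0.2.11
parked-three.example.  3600 IN A   192.0.2.12
parked-three.example.  3600 IN MX  0 .
parked-four.example.   3600 IN TXT "v=spf1 -all"
"""

def parse_zone(text):
    """Return {owner: [(rtype, rdata), ...]} from simple one-line records.
    Assumes no ';' inside rdata and no multi-line records."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records[name.lower().rstrip(".")].append((rtype.upper(), rdata.strip()))
    return dict(records)

def mail_posture(rrset):
    """Classify one domain's record set by how senders will treat it."""
    mx = [rdata.split() for rtype, rdata in rrset if rtype == "MX"]
    if mx:
        # RFC 7505: a single MX with preference 0 and target "." means "no mail".
        if len(mx) == 1 and mx[0] == ["0", "."]:
            return "null-mx"
        return "explicit-mx"
    # RFC 5321 section 5.1: with no MX, senders fall back to the A/AAAA address.
    if any(rtype in ("A", "AAAA") for rtype, _ in rrset):
        return "implicit-mx"
    return "no-mail-target"

def audit(text):
    return {name: mail_posture(rrset) for name, rrset in parse_zone(text).items()}

if __name__ == "__main__":
    for name, posture in sorted(audit(ZONE_TEXT).items()):
        print(f"{name:24} {posture}")
```

Domains reported as `explicit-mx` or `implicit-mx` that are not meant to receive mail are the ones to review with the DNS or parking provider.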
Some parking companies set up a MX record if you use their nameservers, for unknown purposes

I can't speak for all of them, but some of them provide the resulting data to outfits such as SpamHaus to train spam blockers.
 
•••
And, here's another one:

https://www.wipo.int/amc/en/domains/search/text.jsp?case=DCO2020-0094

In August 2020, the Respondent contacted the Complainant via LinkedIn, stating in relevant part as follows:

“I own <Magna.co> domain name and I am reaching out to few companies to explore a possible sale of the domain name.

When I setup the email address for magna.co to contact potential end users, I started receiving business emails concerning your company (check attachment).

Would you be interested in owning this domain name to protect your business information and brand?”

The Complainant rejected this initial offer to buy the disputed domain name. The Respondent then sent another LinkedIn message as follows:

“Thank you for your reply. I thought its better that your company owns this domain name. In the last three weeks I got 350+ emails concerning your company.

Imagine your competitors American Axle & Manufacturing, Lear Corporation, Visteon, Faurecia, Linamar, Aptiv or Gentex owning the domain name and what information they can extract from the emails to gain advantage on your company. It can be a minor leak with serious consequences.

Once the domain is sold to an end user its very difficult and expensive to own. If you are reconsidering this matter, Visit magna.co and submit your offer.”


...

The Panel also finds it more likely than not that the Respondent set up a "catch-all" email address for the disputed domain name in hopes that emails intended for the Complainant would be misdirected to the Respondent and therefore to gain inappropriate leverage over the Complainant, and moreover improperly obtaining sensitive information intended for the Complainant.
 
•••
Just because you have a physical mailbox outside your house doesn't mean that you have the right to open and read every piece of mail that is put in there.

That's brilliant.
 
•••