(Ergo, from joelrees@freemailprovider.com to something like joelreesinjapan@freemailprovider.com or joelrees57738@freemailprovider.com.)
Here's why:
[Various indicative e-mail headers]
From: C**** D**** <C****.D****@somecompany.com>
To: "joelrees@freemailprovider.com" <joelrees@freemailprovider.com>, Joel Rees <Joel.Rees@somecompany.com>
Subject: 6th floor move ...
Date: [recent, elided]
[More indicative headers]
Hi Joel
Next week is our last week in our current positions. We need to start our =
clearing out and packing. Will you be back in the office before Friday, or=
shall I pack for you?
C****
---------------------------------------------------------------------------=
------------
The information in this email is intended only for the named recipient and =
may be privileged or confidential. If you are not the intended recipient pl=
ease notify us immediately and do not copy, distribute or take action based=
on this email. [More disclaimers, instructions, and assertions of relative
low priority, and questionable wisdom and utility.]
[Body repeated in HTML]
After receiving this message in my e-mail box, I consider myself to have a few options:
- (1) I could ignore this message based on the possibility that it might actually be phishbait. (But I have received other mail, and the probability is appearing low.)
- (2) I could be quiet and see what happens next. (But that really is not very nice, considering the other mail I have already received and tried to ignore.)
- (3) I could set the source address of the mail as a bounce address and otherwise remain silent. (Some might say this is my best option. If not for the other mail, I might consider it.)
- (4) I could send a laconic reply something as follows:
Hi, C****,
Thank you for the offer to help with the move.
Unfortunately, I doubt I shall be in the office any time soon.
Moreover, I suspect it would be not be easy or meaningful for you to attempt to pack for me.
By the way, thank you for your previous e-mail giving me certain information about the internal systems. I shall proceed to test the company's information systems security forthwith.
Joel Some Other Rees
This option, of course, is not a reasonable option for several reasons, not the least of which is that they might take my joke about testing their systems seriously.
(Sorry. This is not a novel. The risk involved in such work is great enough to overcome any motivation I might see for it, not to mention the not insignificant labor and sheer drudgery involved. Go find your entertainment elsewhere.)
So, here's a fifth option: remove most of the identifying information and blog about it, add the sender and recipient to my contacts in a certain SNS service, and put it in that service's feed.
That way, they have a chance to take action without my getting further involved. Also, everybody who reads this knows that I have publically declared my intent not to use the information I have, and the public nature of the declaration gives weight to the declaration itself.
But I then have to hope that no one else attempts to test their systems security before they take action.
I have chosen to take yet another option that can be extrapolated from the above.
And I am seriously considering changing the freemail address now. This sort of thing has happened before, although the details have not been quite as problematic.
I am also considering whether I can afford a proper vanity domain, such as joelreesinjapan.com.
In the original definition of the network technology that underlies the Internet, such domain names were not considered vanity. They were considered de rigueur -- required for every computer that would act as a user's interface to the network.
You can see some of the reasons from the above.
[JMR201908100903:
Or maybe it's not as obvious as I think.
Consider the odds of having to change your credit card number under the following accidental leak scenarios. You've sent it in an accidentally mis-addressed message to
- a random post office box number in New York City;
- a random post office box number in Wink, Texas;
- a random mail drop in some big company like Microsoft;
- a random mail drop in your own company.
Hmm. This is the post-snail-mail age. Maybe I should use a real example instead of an analogy.
Say you've accidentally sent the credit card number to
johnjones@hotmail.comvs. accidentally sending it to
johnjones@tanakahardware.comYou'll note that this company does have their own internal e-mail addresses. The problem is that they added a freemail address to their contacts lists without first testing it. And it wasn't the address they thought it was.
So they send me information I shouldn't get.
I don't want the information.
]
Somehow, during the "wild west days" of the extreme exploitation of the nascent Internet, such "minor requirements" got swept under the rug in favor of immediate profit.
(In more than one of my fantasy alternate realities, the countries burdened with the load of cleaning up the information systems, economic, social, and political impact of the exploitation of the early Internet combine to levy serious fines and other punishment on those who have profited in the extreme from the exploitation.
If only.)
Meanwhile, check the addresses that receive internal company mail before you use them.
It's safer that way.
