I thought this is basic knowledge of everyone technically engaged in Internet stuff. But apparently, this isn't the case, despite its well-known and very readable documentation! [1] It says:
1) There are exactly 3 domains the IANA keeps free for that purpose:
example.com
example.net
example.org
2) In addition, all domains under the following 3 top level domains can be used freely for that purpose:
*.test
*.example
*.invalid
3) The domains under the following top level domain have some special meaning (should point to loopback IPs only):
*.localhost
Everything else is either registered, or might be registered by somebody in the future. Don't (mis)use those names unless you own them!
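As an added example (not part of the original comment or of RFC 2606): a small checker that scans test data for e-mail addresses and host names that fall outside the names listed above, including look-alikes such as notexample.com. The function names and the sample fixture are constructed for illustration.

```python
import re

# Names listed in the comment above (RFC 2606).
RESERVED_SLDS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}

# Loose matcher for host names, optionally preceded by "local-part@".
_HOST_RE = re.compile(r"(?:[\w.+-]+@)?((?:[a-z0-9-]+\.)+[a-z][a-z0-9-]*)\.?", re.I)


def is_reserved(name: str) -> bool:
    """True if `name` is one of the reserved names or a subdomain of one."""
    labels = name.lower().rstrip(".").split(".")
    if "" in labels:
        return False
    if labels[-1] in RESERVED_TLDS:
        return True
    # Compare whole labels, so "notexample.com" does not pass as "example.com".
    return ".".join(labels[-2:]) in RESERVED_SLDS


def unsafe_names(text: str) -> list[str]:
    """Return the host names found in `text` that are NOT reserved, in order."""
    found = []
    for m in _HOST_RE.finditer(text):
        host = m.group(1).lower()
        if not is_reserved(host) and host not in found:
            found.append(host)
    return found


# Constructed sample fixture.
FIXTURE = """
admin_email = test@example.com
bounce      = nobody@mail.example.org
smtp_host   = smtp.test
signup      = foo@bar.com
webhook     = https://notexample.com/hook
lookalike   = user@example.com.internal-corp.net
"""

if __name__ == "__main__":
    for host in unsafe_names(FIXTURE):
        print("not reserved:", host)
```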
*.local is a great example of why not to use a domain that just 'sounds good' as an internal dns suffix, as it is used by bonjour/avahi[1]
I had to rename an entire corporate network once because the previous folks thought .local "looked good". It caused constant issues with clients that had bonjour or avahi running.
Where does email sent to wildcard@example.com go? If I accidentally sent sensitive information to wildcard@example.com would some evil person (potentially at the IANA) be able to retrieve it someday?
I looked, but I can't figure out the right Google juice - example.com is, for obvious reasons, a pretty common search result on the web! USENET would be better, but Google Groups seems to not index words with periods in the middle; "example.com" returns only "example com" results.
It was common advice back in the day to use "example.invalid" and NOT kill some poor guy's server at example.com; I don't think .invalid was explicitly reserved before then, but it was known not to be a ccTLD or gTLD.
the guy who owns test.com emailed me once because I wrote a paper on IIS vulnerabilities and had 'test.com' as example URLs. turns out a lot of people reading my paper would copy+paste the example exploits and own the test.com server (which just happened to be running IIS).
that server.com server was hilarious. it ended up becoming a mini-BBS with people posting funny messages, file names etc. to it. When I went to check it out to see what was going on, I ran a dir on the c drive, and there were almost 500 funny folder and file names there, with 'X WAS HERE' etc.
someone then put out a URL on IRC which would fire up a reverse shell. and that server.com server ended up running gaming servers, porn ftp sites, warez, the works. the guy emailed me around 2-3 months later asking for help to patch the box because it kept getting owned.
fun fact: I wrote a scanner in C back then that would check for these vulnerabilities. The scanner had two 0day vulnerabilities that weren't in this paper. one night at a friend's house we were playing around with NXFR transfers from DNS servers (this is back when you could do them and before people figured out to lock this down). we started downloading lists of all the domain names from various TLDs. for eg we had .net, .org, .com etc. then we started downloading various countries, for eg. .at, .co,
we were talking to each other about what to do with them, and he said 'let's run one of these through your scanner'. so I made a quick change that would check the Server banner returned, and if it was IIS, it would then try these different exploits and run a command. we couldn't work out which command we wanted to run, so I had the idea of just creating a file called 'heh.txt' in C. I set it all up and ran it against all the Austrian domains. within a few seconds it was obvious that it was working too well - because it was churning through 5-10 hosts per second and a lot of them were 'SUCCESS'. I left it running, no idea when it finished, but when I picked it back up again the next day around 40% of servers (may have been more) were running IIS and of those, around 98% had our 'heh' command run successfully.
tl;dr hacked ~40% of all servers in austria. if you ever found a file called 'heh.txt' in the root of your C drive, that was me.
This page is a memorial to Foo at Bar.com
Back in the earliest of early days, I (The Foo at bar.com) got a few emails a week, mostly from sysadmin type people who were invoking The Foo in an effort to debug some kind of system or other.
Of course I, being a gregarious sort, answered the messages. Mostly along the lines of "hello? Foo here. What can I do for you?" or "who you? I Foo."
I met a lot of really interesting people in 1994 and 1995 that way.
But soon I had to return to obscurity, as my email volume grew overwhelming.
Y'see people building web sites started putting little "give us your email address and we'll let you see the goodies" challenges in their web sites, and lots of folks entered foo@bar.com.
Soon, I was getting thousands, then tens of thousands of emails a day, mostly from people who didn't care whether I replied or not. Alas, I was overwhelmed and had to return to my solitary life.
For a while, I MX'd email addressed to me to 127.0.0.1 but that made some people cranky (although I still take some quiet pleasure at the thought of what that address did to spammers).
I MX'd the mail over to a friend's spam-detection server for about 4 hours one time, but the volume crashed his server and he asked for relief.
So now I'm content to tell you this small story.
Onward,
The Foo
That is so true... Most developers who get an account with Mailgun (http://mailgun.net) get so excited about the live email log or for some other reason... they love to fire up emails to @test.com. We have thousands of emails in our queue destined for test.com at any given moment.
Guys, please stop: what makes you think test.com can't be a real destination? :-) Actually, they don't have a mail server for that domain, but still...
Acme Labs has much the same problem. Jef's (2005) article about handling his mail is still a good read (though a bit dated now) http://acme.com/mail_filtering/
See it boggles my mind how a site cannot survive a front page HN appearance. TideArt has been on the front page a number of times, sometimes even second top link, and I happen to know this brings around 10,000 more hits. Using my own custom CMS, built on SQLite, I handle that kind of traffic easily on a shared host.
HN will never bring you more than a few hits per second at the most..
It's not identical, just looks like the same orange with a single white letter in the middle, only noticed when clicking between the two just how similar they were.
A related topic that drives me nuts after years of operations is the fairly widespread use of '.int' to represent private DNS on an internal network. '.int' is a rarely used TLD for international organizations created by treaty. It is so rare that many browsers do not recognize it as such and will ship you off to a search for 'www.nato.int', for example. Nonetheless, it drives me batty whenever I see 'dns1.int'.
I truly feel sorry for the poor guy that owns asdf@asdf.com. I must have registered for over a hundred different accounts on various Interweb forums using his email address...
If you really need to receive a test email, you can always use @mailinator.com (just make sure it's not sensitive info). Mailinator is a disposable, publicly viewable email address mostly useful for one-time account registrations, especially in cases where you fear they might spam you.
In recent years, I started using the + notation at gmail -- anything you put after the + and before the @ is ignored by gmail, BUT you still receive it -- the handy part is you can filter it out (e.g. myname+hackernews@gmail.com will go to myname@gmail.com, and I create a filter to archive everything that comes to myname+hackernews@gmail.com)
The "+" trick is great, except for sites that use hare-brained email "validation" scripts which reject the address. Sadly enough, these are often the ones that I most want to use the "+" for (it's a great way to also keep track of who hands out your email address to spammers).
I used to work for a company that hosted customer.com. Microsoft, on more than one occasion, sent thousands and thousands of emails to customer@customer.com.
One developer probably entered customer@customer.com in a database, and then another guy probably accidentally triggered the "email everybody in the database" script. I can see how that would happen. I've obviously never personally done anything like that but I know a guy who tripped the "Send sales report to CFO" using test data once when I was an intern.
yeah, but it looks like he set it up waaaaaaaaaaaay back (like before the eternal September) solely in order to get a rise out of emailing people back. Then the internet blew up and broke his email.
I have a domain which is much the same, though I don't get nearly the volume bar.com does. And, I now feel guilty for having used foo@bar.com a few times in the past. Mea culpa!
I can only imagine the volume this guy gets - I have user24@gmail.com and I get about an email a week signing me up for something or other. It's very annoying.
So if anyone's reading this: Please stop using random gmail accounts and use foo@bar.com instead. Thanks!
* just kidding, test@example.com would be the one to go for ;)
To you and everyone using things != .+@example.com: why? Example.(com|net|org) were specifically created for this purpose and for the purpose of tutorials. I work in client-facing support, and it's very easy to troubleshoot software that /other people/ write when the client says something along the lines of "It says 'connection to example.com:25 failed'" -- I instantly know what the problem is. If you're using things other than example.(com|net|org) for this, you're possibly making the job of a support tech you'll never meet harder.
If your excuse is "I didn't know about example.com!"...well, that's a lame non-excuse. Do the rest of the IT world a favor and fix your tutorials and software -- mail server administrators like me already have enough headaches from the gazillions of spam techniques in use today.
Ignorance is a legitimate excuse. I'm getting sick of people spreading this moronic misunderstanding that ignorance is not an excuse. Just recently the police in NYC failed to follow a judge's order out of ignorance. I wonder what excuse they used.
As for why people don't use example.com, if you're signing up for a site that annoyingly makes you put in a password it will check for non-real email addresses so example.com is out.
We get a lot of crap email address signups at http://feefighters.com
We do a little bit of filtering to check that the email address is legit, but let you get by anyway (with an additional click) if it isn't... we have a 1-click unsubscribe but this is making me rethink whether we should let fake email addresses through at all.
We recently got this email from Fake.com
Hello
We own the domain fake.com, and from time to time some moron out there in the world-wide-waste-of-time uses our name to try and sign up for something...
Not just that, there’s also a whole slew of dozy IT people who test links by doing the same thing without doing a whois check first!
Whichever it is, could you please delete this account?
I've never been a fan of foo and bar as example names. Particularly in code examples, I can never keep them straight because the names are meaningless.
Anyway, we already have example.com for this purpose.
To be fair, their meaninglessness is their value. Using "real world" names may distract from the logic being discussed or unreasonably suggest that the logic may fit only a particular scenario.
it's not a fallback, it's the default behavior. originally when you would send mail to a user at a host, the MTA would just connect to that host on port 25. the original SMTP RFC (821) pre-dates any DNS RFCs, so originally there wasn't even a concept of MX records and you just e-mailed someone at the server they had an account on.
after DNS was in place, MX records came along in order to route mail destined for a host to a different server, or just supply a list of backup servers. now since most people just use email addresses containing only a domain, MX records are pretty much commonplace (since the A record of many domains resolves to the web server). now MTAs check for MX records before trying to connect directly to the host.
to demonstrate:
jcs@thalamus:~> host -t mx test.jcs.org
test.jcs.org has no MX record
jcs@thalamus:~> host test.jcs.org
test.jcs.org has address 10.10.10.10
jcs@thalamus:~> echo test | mail test@test.jcs.org
and shortly after, in postfix's mail log:
Nov 21 22:59:18 thalamus postfix/smtp[23742]: connect to test.jcs.org[10.10.10.10]:25: Operation timed out
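The lookup order described in the comment above, as an added example that is not part of the original post: MX records first, sorted by preference, then the host's own A record when no MX exists. The zone data is constructed (only test.jcs.org and 10.10.10.10 come from the session above), the function names are hypothetical, and the null-MX case (RFC 7505) goes beyond what the comment covers.

```python
# Constructed DNS data standing in for real lookups.
ZONE = {
    "test.jcs.org":   {"A": ["10.10.10.10"]},
    "mx.example":     {"MX": [(20, "backup.mx.example"), (10, "mail.mx.example")],
                       "A": ["192.0.2.80"]},
    "nomail.example": {"MX": [(0, ".")], "A": ["192.0.2.81"]},
    "ghost.example":  {},
}


def delivery_targets(domain, zone=ZONE):
    """Return the hosts an MTA would try on port 25, in order."""
    name = domain.lower().rstrip(".")
    rec = zone.get(name, {})
    mx = sorted(rec.get("MX", []))          # lowest preference value first
    if mx:
        if mx == [(0, ".")]:                # null MX: domain accepts no mail
            return []
        return [host for _, host in mx]
    # No MX at all: connect directly to the host named in the address.
    return [name] if rec.get("A") else []


def audit(recipients, zone=ZONE):
    """Label each recipient 'mx', 'implicit-a' or 'undeliverable'."""
    report = {}
    for addr in recipients:
        domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
        targets = delivery_targets(domain, zone)
        if not targets:
            report[addr] = ("undeliverable", [])
        elif zone.get(domain, {}).get("MX"):
            report[addr] = ("mx", targets)
        else:
            # The case from the session above: no MX, mail still goes out.
            report[addr] = ("implicit-a", targets)
    return report


if __name__ == "__main__":
    queue = ["test@test.jcs.org", "a@mx.example", "b@nomail.example"]
    for addr, (kind, hosts) in audit(queue).items():
        print(f"{addr:22} {kind:14} {hosts}")
```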
Unfortunately, this kind of criticism is not always welcome on HN. (for example, http://news.ycombinator.com/item?id=3129459 was scored -1)
[1] RFC 2606, http://tools.ietf.org/html/rfc2606