16 Nov 15

Chipotle Serves Up Chips, Guac & HR Email

The restaurant chain Chipotle Mexican Grill seems pretty good at churning out huge numbers of huge burritos, but the company may need to revisit some basic corporate cybersecurity concepts. For starters, Chipotle’s human resources department has been replying to new job applicants using the domain “chipotlehr.com” — a Web site name that the company has never owned or controlled.

Translation: Until last week, anyone could have read email destined for the company’s HR department just by registering the domain “chipotlehr.com”. Worse, Chipotle itself has inadvertently been pointing this out for months in emails to everyone who’s applied for a job via the company’s Web site.

This security oversight by Chipotle was brought to light by KrebsOnSecurity.com reader Michael Kohlman, a professional IT expert who discovered the bug after applying for a job at the food retailer.

Kohlman, who’s between jobs at the moment, said he submitted his resume and application to Chipotle’s online HR department not necessarily because he wanted to be a restaurant employee, but more to satisfy the terms of his unemployment benefits (which require him to regularly show proof that he is actively looking for work).

Kohlman said after submitting his resume and application, he received an email from Chipotle Careers that bore the return address @chipotlehr.com. The Minnesota native said he became curious about the source of the Chipotle HR email when a reply sent to that address generated an error or “bounce” message saying his missive was undeliverable.

“The canned response was very odd,” Kohlman said. “Rather than indicating the email didn’t exist, [the bounced message] just came back and said it could not resolve the DNS settings.”

A quick search for ownership records on the domain showed that it had never before been registered. So, Kohlman said, on a whim he plunked down $30 to purchase it.

The welcome message that one receives upon successfully submitting an application for a job at Chipotle discourages users from replying to the message. But Kohlman said a brief look at the incoming email associated with that domain revealed a steady stream of wayward emails to chipotlehr.com — mainly from job seekers and people seeking password assistance to the Chipotle HR portal.

A confirmation letter I got from Chipotle Careers, which for at least several months used the reply address chipotlehr.com, a domain the company didn’t own.

“In a nutshell, everything that goes in email to this HR system could be grabbed, so the potential for someone to abuse this is huge,” said Kohlman. “As someone who has made a big chunk of their career defending against cyber-attackers, I’d rather see Chipotle and others learn from their mistakes rather than cause any real damage.”

Kohlman has since offered to freely give over the domain to the restaurant chain. But Chipotle expressed zero interest in acquiring the free domain. In fact, Chipotle’s spokesman Chris Arnold says the company doesn’t see this as a big deal at all.

“The chipotlehr.com domain is not a functional address and never has been,” Arnold wrote in an emailed statement. “It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this. That address is being changed to careers.chipotle.com (a domain that we do own), but this has never been functional and is really a non-issue.”

I suppose that’s not really a shocking response from a $3.5 billion/year company that only just last month hired its first chief information officer. Chipotle still doesn’t have a job position that puts anyone in charge of computer security. One might say the company’s information security maturity level leaves a bit to be desired.

This entire debacle reminds me of a story I wrote for The Washington Post in 2008 titled “They Told You Not To Reply“. That piece was about an adventuresome young man who gamely registered the domain “donotreply.com” — just to see how badly the domain was being abused. Little did he know what he was signing up for: a constant glut of email destined for companies that had dumped customers there for years — including banks, defense contractors and a whole mess of other organizations that should have known better. He ended up publishing the funniest emails on his blog, and would usually only remove the emails after the offending companies agreed to make a donation to any local animal shelter.

58 comments

  1. Interesting. I note that the http://www.donotreply.com site doesn’t appear to be active; the home page there goes to a ‘parking/for sale’ page owned by a company called domainnamesales(dot)com.

    So the domain is available for someone that wants to pay. You do have to give them an email and phone to ‘bid’. (I used a throwaway email/phone).

    Then I bid $5.00. They didn’t accept it; no price given.

  2. Apparently they also serve up E. Coli in the northwest US too.

  3. I’ve seen lots (all) of official company application sites not disclose where responses will come from. Many responses come from non-company-owned domain names—leaving the more suspecting job applicants to take the time to discover who in the world the other domain name belongs to. All because entities “take your security seriously”™ and don’t care about the confusion it causes.

    • they should give free kids chipotle coupons

    • To this day I have no idea if half the emails I get purporting to be from my doctor and/or hospital network are real or not because they link to a plethora of oddly named domains. I’ve pretty much given up clicking on the links despite repeated cries for me to do so, simply because I can’t figure out which are phishing emails and which aren’t… and if they’re all legitimate, they’re obviously technically incompetent, so why would I want to give them more data?

      I have no idea how they expect elderly patients to respond when I can’t even make heads or tails out of their nonsensical communication.

  4. Hey, Michael Kohlman! Good job admitting in public that you’re gaming the unemployment benefits system in your area! I hope nobody checks up on you!

    • I always applied for the sweet jobs I knew I’d never get; that way I could take a break and also give me time to concentrate walking in to more realistic places I could personally visit. Only thing is, I snagged one of the sweet jobs! There went the “unenjoyment”! It was worth it!

    • @mattyj, he’s applying for jobs, that’s what you have to do when you’re receiving unemployment.

      I was unemployed from 2013 to 2015, it was rough, lost house to crooked bank foreclosure and 95% of all personal property, and believe me unemployment was _not_ enough to survive on.

      it’s no ‘game’ – nobody’s “gaming” anything. perhaps if you’re unemployed one day, you’ll know how it feels.

      full time employed with no thanks to either political party – will never vote for either ever again

      @mattyj, your ignorance and lack of compassion is stunning

    • Hey now, he’s entitled to that 😆 And his company benefits by having to pay higher unemployment insurance to the state, so in turn they can either raise their prices to the consumer, hire fewer people, or pay their employees less.

    • I can see you’ve never been unemployed. I was made redundant, cannot work full-time, unemployable anyway at age 63, and there is a total lack of part-time jobs in my field (Unix IT). If it wasn’t for unemployment benefits and subsidised rent I’d probably be homeless again. I have to show proof of searching for jobs that simply do not exist.

      I am now trying to start my in-home consulting business.

      On the plus side, at least I live in Australia, not America…

    • I’ve been unemployed, but not for long enough where I had to apply for unemployment. Maybe I’m lucky that I happen to live where the IT jobs are, but it seems like you’re thumbing your nose at the system by (talking about the original person mentioned in the article) purporting to be a “professional IT expert” and fake-applying for a job at Chipotle. That seems like the absolute minimum effort you can give to satisfy the requirements for unemployment benefits.

      In certain parts of the world (all of them but Antarctica), IT nerds like us can do a lot from home or otherwise remotely. Maybe next time send that resume into Lockheed instead of Chipotle. At least there’s a chance Lockheed will want to talk to you.

      Or do what Dave Horsfall is doing and try consulting. I realize it can be frustrating but here’s a guy that’s actually trying to solve his problem. Good luck to you, sir! I truly hope it works out.

      • it’s not gaming the system.
        I was out of work 5 years ago for 8 months. I had to show 10 new applications each week to get the benefits I’ve paid into for years. After a couple months it was slim pickings to find places that would even accept applications, much less in my field. I wasn’t able to move as I had a house that if I sold at the time I would be in debt for 20+ years. Eventually the market picked back up and I’m doing well. Nobody wants to be on unemployment, it’s not enough to pay all the bills (in my state less than 1/3 my last job’s rate) and is short lived, but better than nothing.

        • Well said Mahhn. I had a similar experience to yours, it was rough, things are okay now. But there were a lot of weeks where there weren’t 10 positions in my field in a location I could realistically reach and I had to apply for positions I knew I couldn’t take or wouldn’t get to meet the requirement for the temporary benefits for which I’d paid into the system for decades (literally) – and was the only thing keeping my family from going on the street. Nothing was getting gamed, it was just the reality of the way the system works.

          M. Kohlman is doing just fine in my book. To those passing judgement on him/her while knowing so little, just be thankful you’re not (yet?) going through that same experience. JMHO…

    • Oh fer crying out loud….. “Gaming the system.”

      The person is very likely looking for a decent job and high quality jobs may not always be in abundance, when one has limitations such as those geographical in place. Unemployment benefits aren’t much, but they do provide subsistence when one is being pinched financially. Or are you of the type who believes “the economy is improving!” because, why just LOOK at all the job postings at the chain stores and fast food places offering minimum wage and fighting desperately against the raise of said rate?

      When I see Dudley DooRighter remarks like this, it makes me wonder the kind of insidious behavior the one making such statements is up to. Remember – “one finger pointing away, four fingers pointing back.”

    • I guess applying for jobs you don’t want (vice spending that time applying for jobs you DO want) and spending 30 bucks on a non-issue (instead of sustenance, housing and clothes) is acceptable practices around here.

      Yet, when the Government wastes taxpayer money on frivolous things everyone freaks out.

      Furthermore, as a C&A (that’s Certification & Accreditation) IT expert / professional currently working in the business I agree with the company’s statement. It is a non-issue. So people reply back to an email instead of following the clearly stated directions on how to inquire about the status of the submitted application and that’s the company’s fault? I guess you can’t cure stupid.

      Perhaps the company could have done things a bit cleaner, such as posting “DO NOT REPLY” 30 times in the email and not putting in a trash domain. Yet I’m bothered by the fact that we are lambasting a company that’s not catering to the lowest common denominator. Would a company really want people to work for them who can’t follow simple, concise directions?

    • If you’re a professional applying for a job entailing responsibility, there will be a significant delay between first contact with a potential new employer and actually starting work. It takes time to provide your credentials and security clearances and have them checked. Unemployment compensation wants two applications a week, even though you already have a job offer pending.

  5. Brian Krebs – Did you get the job?

  6. How is anyone with “IT”, “Unix”, or “Unix IT” associated with their name or resume “unemployed”? H1B are gone in 60 secs…the SF Bay area looks more like India, China, or the Philippines. I’m not even going to mention how hard it is to find an IT Security guy, WTF? Sounds like the topic for a future investigative report! Brian your book is awesome I listen to it during my commute, you had me at “FU WAPO”! Do you know how many employers I’ve wanted to say that to, respect!

  7. “So there has never been a security risk of any kind associated with this.”

    HAHAHA. This is the typical response from all the top fortune companies that have been hacked. IMO, they sound ignorant to the world of security as a whole. I’d like to know if these people know what a patch is – One that is applied to a computer system ?

    Someone sitting there reading HR emails. The bad guy sits there and sees emails coming in. Says, hey, we got your email and we want to run a quick background check on you. Please forward your information to us via email, along with all your other PII……

    How many victims get scammed that way? It’s not a big issue, that they had a serious flaw in their ways. If it wasn’t that big a deal, why’d they change it?

    • All you would have to do as the person with the domain is reply that in order to retrieve their resume or application, they must provide their SSN, birthdate, and home address and you get a nice easy way to compile a database of information. Add an “expedited fee” of $20.00 and a shopping cart and you have credit card numbers and anything else.

      But there’s no security risk for Chipotle, so that’s all that matters.

      • Benjamin,

        Agreed, for me that was thing that was most disturbing. Anyone with even the mildest level of IT skills (and a complete lack of ethics) really would have had all the tools needed to put together a reasonable facsimile of the Chipotle Web Site at chipotlehr.com (or they would, if it weren’t being sat on now), begin farming the email replies, bounces, and maintenance notices, and deliberately start directing them to a web site that would be completely consistent with their experiences and interactions with the Chipotle HR Team.

        And except for the poor people being scammed, no one at Chipotle would know. At least for a while…

        No, it doesn’t directly compromise Chipotle’s internal systems, but again, the level of unconcern for potential employees being scammed isn’t very heartening.

        • “No, it doesn’t directly compromise Chipotle’s internal systems, but again, the level of unconcern for potential employees being scammed isn’t very heartening.”

          I agree, I would even say it’s “distasteful”. Horrible PR on Chipotle’s part acting like this wasn’t a problem at all.

  8. ok, let’s get back to the story – and stop bickering about social issues. Can be done elsewhere.

    I have to state one thing: just by registering a domain, one does NOT automatically get access to all emails from the past.
    You need to set up an “mx” record (as part of your DNS set up), which tells mail programs, where the mail server for a certain domain can be reached (IP address).
    then you need to set up a mail server to receive these mails.
    Only then you will start to receive emails for that domain.
    All mails from the past will have bounced, telling the sender that there is no MX record and they can not be delivered

    • Since the proverbial cat is out of the bag…..Heinz-site is 20/20

      I agree that any past email would just be bounced back as undeliverable. However, most of (if not all of) the DNS and mx setup that you’re talking about get taken care of automatically depending on where one might go to register a domain. It’s actually thrown out as a sales pitch by many websites that act as middle-men for domain sales/registrations as an incentive. If this issue goes unchecked, any future email gets redirected.

      This kinda thing is part of why it is so important for companies to actually have an IT department (one that is run by competent individuals). But, instead of doing things responsibly….the trend is to go for outside cloud providers that say they will “do IT all for you so you can take care of your business”.

    • While you don’t get access to past email, the point is that at any time in the past, someone could have done this, and it’s pretty clear that they weren’t monitoring the domain to make sure it wasn’t for sale.

      Plus you would reasonably have access to replies to emails sent within the last week or so, because people don’t always reply instantly, so they might reply after you bought the domain to an email sent before you bought the domain.

      It’s the equivalent to someone saying “yeah, the back door was always unlocked, and the cash was in the back room by the back door, but no one came in and took it, so it’s perfectly safe!” — that isn’t safe, that’s just luck that no one decided to come in and take it. It certainly isn’t security. And if that’s how they think security works in one area, it’s probably an unfortunately good indicator of how poorly they understand security in general.

      • Timeless – Exactly.

        The analogy I used with a Security Pro last night was “It’s like being given ownership and keys to the gate of a fenced-in pond.” Before I “might” have been able to toss a line over the fence into the water (more often unsuccessfully though). Now I could just walk up to the shore and throw in a net. Most of what I’m going to catch are garbage-fish, but there is always the big one lurking in there somewhere, just waiting to surface.

        And since I would own the Gate and Have the Keys, I could do my harvesting at my leisure…

        And finally, agreed, typically a mistake and (more importantly) a company-response such as this one would be a big indication of a culture that doesn’t really understand Information Technology or Cybersecurity. What I’m hoping is that someone behind the scenes is taking a long hard look at some of their practices while continuing to publicly state “nothing going on here, please move along”.

  9. On the other hand, someone could register chipotlehr.com, set the DMARC policy to p=reject, and no (little) mail from Chipotle using the chipotlehr.com domain would get delivered.

  10. Sadly this is the state of info sec at most food places. “The address was never active” shows the total ignorance of the company to what might have been a real problem for the applicants to their “food” chain. Hope they care more about the people they do hire.

    Great story about an honest guy who tried to do the right thing!

    Thanks Brian.

  11. Re: Unemployment
    I have been downsized a couple of times and spent months looking for a job, sometimes drawing unemployment.
    The thing is, occasionally the Unemployment Office will call up the companies you report, checking up on you.
    This looks bad to professional organizations, which is why it’s a good idea to be “consulting” rather than unemployed, on your applications.

    So, common practice is to look for good jobs while also applying for throwaway positions that satisfy the requirements. Never tell them about the jobs you really want and they can’t screw them up for you.

    There’s nothing shady about it, just good sense in an environment where (wrongly, I believe) potential employers look down on someone who is unemployed.

    As to the carne of the story, this sounds familiar to me. The level of security cluelessness in the non-IT sector is very high. A local county administrator was recently fired for embezzling hundreds of thousands of dollars and sending them to — wait for it — Nigeria. Seems there was this deposed prince there in need of a little help…

    Keep up the good work, Brian!

  12. An episode of “Family Guy” mentioned Chipotle (“Between good and garbage, there’s Chipotle!”) Sounds like their security is evidence of that.

  13. Hey everyone!

    This is Michael,

    First off, thanks all for the comments. Open discussion really is the only way to create worthwhile change.

    So, to answer a few questions (including a couple that really don’t relate to the security issue here)

    FWIW I created a profile with the Chipotle ATS system because they ARE advertising for IT Leadership Positions. Yes; my opinion of ATS systems, especially Taleo and the way companies use them is well documented for those that look, and yes I’m between positions right now, and yes that means I’m currently collecting unemployment (for the 1st time in my career I might add). But as some others have pointed out (and Thank You for that) it’s not gaming the system, it’s simply adhering to the rules. Historically every position I’ve ever had actually came through networking, and this time has really been no different, with current interviews and discussions coming from folks who know my background and are fans in one way or another.

    BUT, most unemployment agencies in the US are understaffed and undertrained for the new economy, and the reality for them is that if/when they do a check, many are going to be asking the question of “how many job boards/company sites did you submit to during x-time period?” It’s not going to be “how many coffees, lunches, or facility tours have you had with a CxO in the last week?” The system is broken; I’m looking for ways to see it changed rather than just griping about it. In the meantime, yes, I do the things that are necessary to collect unemployment from a system I’ve paid into for more than 30 years to control the bleed.

    Now, back to the Chipotle-specific stuff:

    The reason I considered submitting a profile to Chipotle to be a probable “throwaway” application is because their entire HR system and process practically screams “we don’t want to interact with human beings unless we think they might be useful to us”. Had I truly wanted to “game” the system, I would have submitted a profile that was a perfect match for whatever they are looking for, regardless of any relative honesty about my skills or experience. IF they had called, I would have given their follow-up 100% of my effort and attention, because frankly that is how I play, and the truth is that we all can be occasionally wrong. However as expected, all I got was a series of canned bot replies that very quickly concluded with “your qualifications are not a fit, best of luck”; with multiple statements to the effect of “don’t try to contact us via this communication”.

    USUALLY these emails use @invalidemail.com as a return address, as it is owned and black-holed by Oracle (or it was the last time I heard, which makes sense as Oracle also owns Taleo), but this time the return was chipotlehr.com, which when I poked around a bit wasn’t actually owned by Chipotle, Oracle, or anyone.

    The rest of the story is in Brian’s post (whom I had huge admiration for before this, and even more so now).

    I’ll look at some of the other questions/comments as they post, and see if I can answer some of them when I can.

  14. Hmmmm…..I would think that if I were an organization I would be interested in monitoring my websites and or e-mail domains for potential compromises and/or forgery…..

  15. It would be telling to know what the SMTP *envelope* MAIL FROM: address is on the auto-generated mail. Many systems will preserve this data in a synthetic mail header named Return-Path, but YMMV. For one, Gmail does provide a Return-Path header for the envelope sender address.

    Unix-type systems with local mail delivery can find the SMTP envelope address in the ‘From ‘ start of the text in the raw mailbox file (note the lack of the colon on ‘From ‘) — this is known as the mbox file format: https://en.wikipedia.org/wiki/Mbox (…And the envelope sender is usually also visible in MTA log files.)

    I mention this because these days, most SMTP servers will reject mail with an unresolvable MAIL FROM: envelope address — a domain name which has neither a MX record nor an A/AAAA record in DNS. Chances are that the envelope sender address is actually in the chipotle.com domain, maybe even a real address that goes to a human, and their autoresponder is just hacking the ‘From:’ (with colon) header to inject a wrong domain name there.

    To humorous or concerning results, depending on your point of view.

    • The spokesman for Chipotle roundabout makes the point that all “From:” lines may be forged-lies. The onus to figure out the email’s true routing is on the email receiver.
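The mechanics described in the article’s “Translation” paragraph, in comment 8 (a registered domain only receives mail once it has an MX record) and in comment 15 (the SMTP envelope sender in the mbox ‘From ’ line and Return-Path header versus the visible From: header) can be checked mechanically on a sample of outbound mail. The following Python script is an added example, not code from KrebsOnSecurity, from Kohlman or from Chipotle: it extracts the envelope sender and the Return-Path, Sender, From and Reply-To domains from a constructed mbox record modelled on the confirmation mail, and flags any sender domain that is neither on the organisation’s owned-domain list nor resolvable to an MX host. The owned-domain list, the sample message and the stubbed MX table are all constructed for the example; a real audit would replace the stub with a DNS resolver.

```python
"""Audit outbound mail for sender domains the organisation does not control."""
import email
from email import policy
from email.utils import parseaddr

# Domains the organisation actually controls.  Constructed for this example;
# the article only says careers.chipotle.com is "a domain that we do own".
OWNED_DOMAINS = {"chipotle.com"}

# Constructed mbox record modelled on the confirmation mail the article
# describes: the envelope sender (the 'From ' line without a colon, and the
# Return-Path header) is in the owned domain, but the visible From: and
# Reply-To: headers point at a domain the company never registered.
SAMPLE_MBOX = b"""From careers-bounce@chipotle.com Mon Nov 16 10:00:00 2015
Return-Path: <careers-bounce@chipotle.com>
From: Chipotle Careers <careers@chipotlehr.com>
Reply-To: careers@chipotlehr.com
To: applicant@example.net
Subject: Thank you for applying

Please do not reply to this message.
"""

# Stub MX table standing in for DNS so the example runs offline.  A real
# audit would use a resolver lookup here (e.g. dnspython's dns.resolver).
STUB_MX = {"chipotle.com": ["mail.chipotle.com."]}


def split_envelope(raw):
    """Return (envelope_sender, message_bytes) from an mbox record.

    The mbox 'From ' separator (no colon) carries the SMTP envelope sender;
    it is not an RFC 5322 header, so strip it before parsing the message.
    """
    if raw.startswith(b"From "):
        first, _, rest = raw.partition(b"\n")
        parts = first.split()
        return (parts[1].decode() if len(parts) > 1 else None), rest
    return None, raw


def domain_of(address):
    """Lower-cased domain part of an address, or None if it has none."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def sender_domains(raw):
    """Map the envelope and each sender-related header to its domain."""
    envelope, body = split_envelope(raw)
    msg = email.message_from_bytes(body, policy=policy.default)
    found = {}
    env_domain = domain_of(envelope)
    if env_domain:
        found["envelope"] = env_domain
    for header in ("Return-Path", "Sender", "From", "Reply-To"):
        d = domain_of(msg.get(header))
        if d:
            found[header] = d
    return found


def is_owned(domain, owned=OWNED_DOMAINS):
    """True if domain is an owned domain or a subdomain of one."""
    return any(domain == o or domain.endswith("." + o) for o in owned)


def audit(raw, owned=OWNED_DOMAINS, mx_lookup=STUB_MX.get):
    """Return (where, domain, reason) findings for domains not under our control."""
    findings = []
    for where, domain in sender_domains(raw).items():
        if is_owned(domain, owned):
            continue
        mx = mx_lookup(domain)
        if not mx:
            reason = ("not owned and has no MX: replies bounce today, "
                      "but whoever registers the domain receives them")
        else:
            reason = "not owned; replies are delivered to " + ", ".join(mx)
        findings.append((where, domain, reason))
    return findings


if __name__ == "__main__":
    for where, domain, reason in audit(SAMPLE_MBOX):
        print(f"{where:12} {domain:20} {reason}")
```

Run it over an mbox export of the templates an applicant-tracking or marketing system sends, and add every domain you really control to the owned list. A “no MX” finding is exactly the state chipotlehr.com was in: replies bounce until someone registers the domain and adds an MX record, after which they are delivered to that registrant. The envelope sender is checked separately because, as comment 15 notes, receiving servers reject on an unresolvable MAIL FROM: domain, so a template can pass delivery checks while its From: and Reply-To: headers still point at a domain nobody owns.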

  16. imagine replies being sent by the chipotlehr.com site telling applicants they had been accepted for the position and needed to resend personal information. Chipotle doesn’t see any security issues with that? it’s easier to tell a scam when you have nothing to do with what’s being emailed to you, but given the right branding in the email, you could easily fool a lot of people.

  17. The same attitude displayed here by Chris Arnold in regards to this email security flaw, reminds me a lot of 2014, when support for XP ended. Managers all across the world could not understand why they had to upgrade their users’ machines to a new OS – until they got hacked (Target, Staples, Home Depot breaches were partly in fault due to XP client machines still in use.)

    • Yes that’s it exactly…..and nothing else in the world has ever been hacked before or since!

      Oh please….give me a break!

      ————————–

      This nonsense has nothing to do with any particular OS. It’s about how these things are used and how appropriate security measures are not maintained. Macs get hacked and so does Linux boxes. It isn’t even about Windows specifically. XP is not the bad guy you make it out to be. If it were all about XP, we wouldn’t have any problems at all at this point.

  18. The problem with government unemployment is that it is theft. There is a disincentive for an individual to pay for private unemployment insurance if the government is sticking its hands in other people’s pockets to pay for someone else’s uselessness. Aside from that, we’re not actually going to get what we paid for with the government involved. If the government can say unemployment insurance should be provided, then what’s to stop them from taking up other kinds of insurance as well? With healthcare insurance now mandatory, what kind of insurance will come next? Place your bets!

    • “There is a disincentive for an individual to pay for private unemployment insurance if the government is sticking its hands in other people’s pockets to pay for someone else’s uselessness.”

      this quote is even more ignorant than MattyJ

      You should hope you are never in a position to lose all of your material possessions through no fault of your own. You’ll be singing a different song for sure.

      @Marty, too bad if this kind of talk ruffles your feathers. How many B1-B visas has your company hired?

  19. Makes you wonder how they handle their POS systems not to mention PCI-DSS compliance if no one is responsible for IT Security and Compliance. HUM…Moral of the story USE CASH

  20. I don’t understand how they think this is not an issue. The individual said he was able to purchase the domain name and even have emails from those who did reply. They should just accept the free domain, fix their mistake, and hire someone to oversee their internet security. I hope they and other companies learn from this! Thanks for sharing.

  21. Just got one of these from “noreply.com” which is available for $135,000 if anyone is interested …

  22. Chipotle HR probably sent a request in for their email address to be “ChipotleHR” and the underpaid intern over the summer did “chipotle @ chipotlehr . com” instead of “chipotlehr @ chipotle . com”.

    Now… what could be done with that domain?

    Phishing would be the main one, as I’m sure an email sent back going “I’m sorry, but some of your information was not submitted properly. Please go to ‘this link’ and enter your correct information.” And use chipotlehr . com as the domain.

    And if you wanted to make it even more plausible, actually put the data from the email into the form pre-populated (like email and names) then personalize the URL for each person.

    Now that would be if Kohlman was a bad guy, but he isn’t… So Chipotle’s Security Department doesn’t seem to mind one bit.

    I think the guy should get free Chipotle for life for saving their asses from some embarrassment and a potential HR scandal.

  23. This has been going on for years – at least since 1993-1994. There once was a company called Novell who had lots of IT people and customers who couldn’t spell the name. And so they often entered a very similar, actual, word for their addresses and so if you had set a wildcard on the mail server, you’d get a ton of misaddressed email. They and their IT people didn’t care even when the internal people had it set incorrectly.

    Boca Research (in the early-mid 1990s) had a similar issue for their IT people and customers who don’t realize there is a city in Florida called Boca Raton that people often just call Boca.

    Those two are no longer around.

    Walmart stores often have people use a person’s phone number @ a particular domain name that they do not own as an email address when they don’t have one which then gets all kinds of misaddressed email send to that domain.

    There are tons of examples over the years and the companies don’t care.

    The worst are the banks, insurance carriers (I’m thinking of you, AllState), credit card companies, alibaba and the like who do not verify email addresses before adding an email address to their customers accounts. So they start sending emails that include account info to “Jane Smith” – jsmith@whatever… when that email address is registered to John Smith and they forgot the “1” at the end or whatever. Then they provide no method to alert them or unsubscribe, so it could be (a) incompetence, (b) phishing, or (c) spam.

    Alibaba is bad because they don’t let you “sign out of all sessions” so you can create an account with someone else’s email address. That person can take their account (since according to ali, the account belongs to the email address) and the original person who created the account remains logged in on the mobile device with no way to log them out.

    Sprint, CheapTickets and other companies do not verify email addresses of their customers and so end up sending personal information to the wrong people. Cheaptickets sends me information for other people’s flights and doesn’t care. It is an epidemic and this reminds me of this issue.

  24. and a boatload of………………………E. coli =\

    November 12, Associated Press (Oregon; Washington)

    Chipotle reopening all Northwest locations after E. coli outbreak.

    Chipotle Mexican Grill, Inc., reopened 43 restaurants in Oregon and Washington November 12 after they underwent thorough cleaning, and the company adopted some new protocols for washing fresh produce following an E. coli outbreak that sickened nearly 45 people. The cause of the outbreak remains under investigation and Chipotle announced that it did not find any food contaminated by E. coli following testing.

    Source: http://registerguard.com/rg/business/33707286-63/chipotle-reopening-all-northwest-locations-after-e.-coli-outbreak.csp

  25. I’m slightly confused…so you mean if you flat out bought a domain like chipotlehr.com or donotreply.com it would already have scores of emails that were destined to that domain from years prior waiting there to view already? Is this because at one point in time it was active? I’m interested in the mechanics of this. Can someone elaborate?

    • Jeff – the undelivered mails from back then should be in the great bit bucket, but as long as email is being sent today to Something@ChipotleHR.com it will get to that domain. Or, if that domain has a forwarding record (ex: anything@ChipotleHR.com forward to anything@Chipotle.com) it will get forwarded.

      As for “setting up MX records” and all the other details, web hosting has been a one-stop-shop for many years. You can register a domain and they will set up web hosting, mail records, ftp services and more.

      This might be more of a problem for Chipotle than they think. Instead of just saying don’t reply they created a properly formatted, but improperly used, email address. This facilitates the theft of PII the worst of which was described above where a crook replies and asks for even more information. I wonder how many other “don’t bother us” domains are running around right now???