I was looking over some software tests today and they had different testing addresses such as test.com or firstname.lastname@example.org. This got me to thinking, isn’t there a standard site or address that we should use for testing? It didn’t take me long to find my answer: example.com. More on that in a bit.
A couple of thoughts came up while thinking about this: where is my information going while testing with made-up sites, and what kind of data am I sending? From a security standpoint, using unknown sites for testing may reveal flaws, sensitive data or PII to parties that may not have the best intentions in mind. Let me throw a hypothetical out there. Suppose I am a party that sees an opportunity to purchase the domain name tester.com. I am not purchasing the domain for legitimate reasons but rather to use it as a honey pot. With that honey pot, I harvest information by pulling in emails that come to that domain. Once that information is in hand, I could sell it on the dark web. Thankfully, my honor is paramount to me so I will not do such a thing.
Real Life Examples
A quick search on whois found the following: test.com has a private registration in the United States. We don’t know who owns this site. The question here is what are their intentions for the data they gather? Registration for somewhere.com is private in Panama. Nowhere.com redirects to a media outlet in Germany that looks like a simple front site. The last update for this site? 2012. I’m not saying that this one is, but it’s suspicious at the very least. A web advertising agency owns the site Test-site.com. There is a potential that the owner of email@example.com may add emails gleaned from tests to spam lists. How would your clients feel about a sudden influx of spam?
A less evil but realistic concern with using random sites is that some of these sites could be real and legit. Take, for example, a company named Pinacle Associates; I have no idea if such a company exists and please don’t bombard them with emails. Tes Thompson is an SVP for Public Relations for this company. For emails, this company decided on the naming scheme of first name last initial. In this case, Tes’s email would be firstname.lastname@example.org; again, I don’t know if this exists, so please be kind and don’t spam it. Imagine the amount of mail she would get if a test team decided to use her email address for testing.
The Solution: Example Domains
So what is the solution then? The domains example.com, example.net, example.org and example.edu are set aside for the very purposes of testing and documentation. The Internet Corporation for Assigned Names and Numbers (ICANN) owns and manages these domains. These are the folks that give out and manage domain names.
So the moral of the story here is that you should always use one of the example domains. Using a domain such as example.com when testing software will help prevent inadvertently leaking PII. Your company or client values their data and wants it kept secure.
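One way to enforce this in a test suite is to scan fixtures for email and URL hosts that fall outside the example domains. The script below is an added example, not code from the original post; the function names and the sample fixture are constructed for illustration, and it goes slightly beyond the post by also accepting the top-level domains reserved in RFC 2606.

```python
import re

# Domains the post names as set aside for testing and documentation.
EXAMPLE_DOMAINS = {"example.com", "example.net", "example.org", "example.edu"}
# Beyond the post: RFC 2606 also reserves these top-level domains.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}

# Matches the host part of an email address (after @) or a URL (after ://).
HOST_RE = re.compile(r"(?:@|://)([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def is_reserved(host: str) -> bool:
    """True if host is an example domain, a subdomain of one, or under a reserved TLD."""
    labels = host.lower().rstrip(".").split(".")
    if labels[-1] in RESERVED_TLDS:
        return True
    # Compare whole labels so 'notexample.com' and 'example.com.evil.net' fail.
    return ".".join(labels[-2:]) in EXAMPLE_DOMAINS


def find_unsafe_hosts(text: str) -> list[tuple[int, str]]:
    """Return (line_number, host) for each host in text that is not reserved."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for host in HOST_RE.findall(line):
            if not is_reserved(host):
                findings.append((lineno, host.lower()))
    return findings


# Constructed test fixture, not taken from any real project.
SAMPLE_FIXTURE = """\
user_email = "tes.t@example.org"
admin_email = "qa@tester.com"
callback = "https://api.example.com/hook"
signup = "http://Test-Site.com/register"
lookalike = "bob@example.com.evil.net"
staging = "https://mail.staging.test/inbox"
"""

if __name__ == "__main__":
    for lineno, host in find_unsafe_hosts(SAMPLE_FIXTURE):
        print(f"line {lineno}: {host} is not a reserved test domain")
```

Running a check like this over fixtures before tests execute catches the made-up domains before any test mail or request leaves the building.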