A Reply All to a daily news roundup that had been e-mailed by the U.S. Department of Homeland Security to some 7,500 people, including thousands of security professionals, flooded government and business mail servers with over 2 million messages Wednesday.
The gaffe also revealed all subscribers' e-mail addresses, and in some cases other personal information, to other recipients of the DHS bulletin. Some of that information, including telephone numbers and titles of military personnel and government workers, may have been classified.
According to the New York Times, the unintended spam run began when a recipient of the "DHS Daily Open Source Infrastructure Report" hit the Reply All button to transmit an e-mail address change request.
By the end of the day, more than 2 million messages had been generated as recipients, also using Reply or Reply All, first complained about the spam surge, then added to the flood by mailing offhand comments, humorous remarks or demands that people stop sending messages. (See Computerworld blog post and related comments.)
The mail bouncing back and forth painted a less-than-professional picture, said Marcus Sachs, the director of the SANS Institute's Internet Storm Center (ISC). "It revealed a nice cross-section of who subscribes to DHS daily publications and consider themselves part of the defensive security community," Sachs said in a post to the ISC blog early Thursday. "Most definitely do not have the Jack Bauer (character from the series 24) mentality of total seriousness and no-joking attitude."
One list subscriber captured the non-Bauer attitude in a message that went out to all 7,500: "This has gone from an amazing pain in the neck, to fifth grade. But that was my favorite grade."
Another from the Office of the Assistant Secretary of Defense was even more flippant. "As a representative of the Department of Defense, I am ordering all to cease and desist with the emails. I'm a Sagittarius and it's overcast here in D.C.! :-)"
Sachs said that some ISC snooping found the DHS was not using a mail list manager, or e-mail list, such as the open-source Mailman or the free Majordomo, but instead was transmitting the daily report from an e-mail address on a Lotus Domino Release 7.0.2FP1 server hosted by a government contractor. "Quite likely an e-mail administrator either clicked a box last night, rebuilt the system, migrated it to a new server or did something that un-set a setting designed to prevent this type of event," Sachs suggested.
On Thursday, a DHS spokeswoman confirmed the snafu, which was only untangled when the government contractor that maintains the list, Computer Science Corp. (CSC) of El Segundo, Calif., was ordered to shut it down. According to several subscribers, the spam stopped late Wednesday, approximately nine hours after it started. The spokeswoman, who said that the bulletin originates from the DHS' National Infrastructure Coordinating Center, declined to explain the cause of the problem, but her description of changes made to prevent future occurrences gave a good hint.
"From now on, the mail list addresses will be placed in the Bcc: field rather than the To: field," she said. Several subscribers had speculated that the address list must have been moved to the To: field to create the spam storm.
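The difference between the two header layouts can be checked before a bulk message leaves the sender. The following Python sketch is an added example, not code from the article, DHS or CSC. It compares what recipients can read and what a Reply All would address in each case; the addresses, the `MAX_VISIBLE` limit and the non-redistributing `ADMIN` reply address are assumptions.

```python
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "daily-report@example.gov"     # hypothetical sending address
ADMIN = "list-admin@example.gov"        # hypothetical, does not redistribute mail
MAX_VISIBLE = 3                         # assumed policy limit for To:/Cc:

def build_bulletin(subscribers, expose):
    """Return (message, envelope_recipients) for one mailing."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = "Daily report (constructed sample)"
    if expose:
        msg["To"] = ", ".join(subscribers)   # every address lands in each copy
    else:
        msg["To"] = SENDER                   # header names only the sender
        msg["Reply-To"] = ADMIN
    msg.set_content("Bulletin body.")
    # Delivery uses the SMTP envelope (RCPT TO), independent of the headers.
    return msg, list(subscribers)

def visible_recipients(msg):
    """Addresses any recipient can read in the To: and Cc: headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields)]

def reply_all_targets(msg, replier):
    """Addresses a typical mail client fills in on Reply All."""
    origin = msg.get_all("Reply-To") or msg.get_all("From", [])
    pairs = getaddresses(origin + msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr for _, addr in pairs} - {replier}

def presend_findings(msg):
    """Checks to run before a bulk message is handed to the mail server."""
    findings = []
    shown = visible_recipients(msg)
    if len(shown) > MAX_VISIBLE:
        findings.append(f"{len(shown)} addresses exposed in To:/Cc:")
    if msg.get_all("Bcc"):
        findings.append("Bcc: header present; it leaks if the sender does not strip it")
    return findings

# Constructed subscriber list standing in for the real distribution list.
SUBSCRIBERS = [f"user{i}@example.org" for i in range(1, 8)]

if __name__ == "__main__":
    for expose in (True, False):
        msg, rcpts = build_bulletin(SUBSCRIBERS, expose)
        fanout = reply_all_targets(msg, SUBSCRIBERS[0])
        print(expose, len(rcpts), len(fanout), presend_findings(msg))
```

With the list in To:, each reply fans out to every subscriber and each copy carries the full address list; with recipients only in the envelope, a Reply All reaches just the sender and the reply address.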
The episode had a serious side, however, as numerous subscribers pointed out: Because all replies were sent to all subscribers, e-mail addresses and other potentially confidential information -- details in the sender's default e-mail signature, for example -- were disclosed.
"When I tried replying to one of the messages this afternoon, it bounced off an e-mail relay at the firm that handles this listserve for DHS, which then sent me a full list of the e-mail addresses my message did not reach," said a fraud investigator identified only as Flip on his blog. "Roughly 7,000 in all -- presumably every e-mail address on the DHS Daily Report distribution list."
Another subscriber commenting on a message forum reported receiving the same list of addresses, many of which were from domains marking their owners as military personnel or government employees. "This is e-mail 101, and I'm incredibly disappointed in CSC for failing so badly," added a second subscriber on the same forum.
The disclosure problem came into focus when recipients received this message: "Subject: Is this being a joke? why are so many messages today? Amir Ferdosi Sazeman-e Sana'et-e Defa' Qom Iran" In a follow-up message, Ferdosi identified himself as a researcher with Iran's Ministry of Defense.
A reply minutes later put it plainly. "For those of you that have responded to this e-mail from an official computer with your snazzy little signature at the bottom, especially those that have every piece of contact information listed, including those of you that have disclosed sensitive phone numbers and classified e-mail addresses, have knowingly provided this information to people all over the world some of which I am sure are deemed 'undesirables'," said someone identified as Marshall Odom. "Those of you that are in the military or provide services through any official office you should know better than to advertise who you are and who you work for."
As if that wasn't bad enough, the ISC's Sachs made an obvious point. "All it takes now is some wise-acre (or a BadGuy) to send a zero-day PDF or Word attachment to the names now available and nail a few dozen gullible security professionals," he said.
Hackers, phishers and other cybercriminals seek out the kind of information that was disclosed by the DHS list, since it makes their socially-engineered messages and targeted attacks that much more convincing.
People can subscribe to the "DHS Daily Open Source Infrastructure Report" here; the DHS also posts PDF versions of each day's bulletin for manual downloading.
See also: "DHS gets spammed with its own reports" in Computerworld reporter Patrick Thibodeau's blog.