DHS E-Mail Gone Mad

At 0819 this morning, a gentleman emailed the Department of Homeland Security (DHS) a note saying that he was changing jobs and would like to receive the DHS daily reports at his new email address. The DHS daily report provides an open-source news summary of articles involving the US infrastructure that might be of interest to the security community.

This gentleman mistakenly sent his request to the Distribution List email header, which was also configured incorrectly. Instead of this gentleman's request being bounced, his email went out to all the DHS daily report distribution list recipients. Chaos (and spam) soon began.

People who received this gentleman's email soon emailed him back saying that he had made a mistake - unfortunately, some used the "Reply All" button. This started another round of email broadcasts.

Some people who got the ensuing and rapidly rising number of emails thought it was hilarious, and decided to tell everyone else they thought it was hilarious. Others thought it was ironic that the DHS distribution list was set up incorrectly as a two-way rather than a one-way list, and had to tell everyone about that.

Still others thought the error provided an opportunity to social network ("I don't think everyone realizes that yet, but what a nice way for all of us to get to know one another! :-)"), so some started asking if anyone knew of job openings ("I looking for an FSO job...Any offers?"). Others used it as a marketing tool, and let everyone know what they were up to, including a person running for Congress from Texas. Others got annoyed, and told everyone to shut up, which got others to tell them to lighten up, and point out that they were now part of the problem.

On and on it has gone. I pity the poor folks who get their email on a Blackberry, or worse, someone overseas who owns an Apple iPhone. Their phone bills will be through the roof.

The DHS pleaded with everyone to cease and desist, even threatening to remove people who kept sending emails from their distribution list, kind of like Santa Claus's list of who's naughty and nice. The threat was not taken seriously, and to be honest, it isn't much of a threat since you can just go to the DHS website and download the information anyway. Another DHS person promised (with fingers crossed) that the issue with the list would be solved by tomorrow. He also tried the patriotic professional angle, asking that "As practitioners of national security best practices, lets set an example and not clog the communications channel with further white noise."

It is now 1300 and the flood of emails has grown in the past half hour with requests to unsubscribe. At 1306 the first real spam using the distribution list arrived. More is sure to follow.

No one looks really good here - not the DHS or its contractor, who didn't test their list configuration, nor many of the security professionals, who I doubt would have tolerated it if it happened in their organizations, or would tell their boss to "lighten up" if it did.

I'll update this entry later and let you know what, if anything, else has happened.


It is now 1600, and the emails have slowed to a trickle.

Update 1:

It is now about 1730, and there has been the occasional burst of commentary email followed by the inevitable automatic bounce messages. There has been one email from Iran with the subject line, "Is this being a joke?" and asking "why are so many messages today?"

Another person responded not long ago about the fact that this email from Iran showed how "open source" open source means, and that it is likely that people in less than friendly places have now received highly sensitive personal information regarding government and military security personnel: "For those of you that have responded to this email from an official computer with your snazzy little signature at the bottom, especially those that have every piece of contact information listed, including those of you that have disclosed sensitive phone numbers and classified email addresses have knowingly provided this information to people all over the world some of which I am sure are deemed 'undesirables'. ....But those of you that are in the military or provide services through any official office you should know better than to advertise who you are and who you work for." Good advice.

Update 2:

It is now 0500 Thursday morning. That last email seems to have done the trick, and sobered everyone up. Thank you Marshall, wherever you are.

Alas, now that the server distribution list has been compromised, and any further emails under the name of DHS using this list are likely to contain malware in the future, I have decided to remove my name from it. Maybe DHS should start over again, and require people to re-sign up.

It is interesting to note that today's DHS daily report (the one I received at 2057 last night dated 3 October) did not mention this problem. Not unexpected, but very sad nevertheless.

For those curious about what else was in some of the emails floating around, go here and here and here. The New York Times has a story here along with more email traffic here.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City