Homeland Security newsletter error leads to flood of unwanted emails

October 4, 2007
An error in the distribution process of one of the U.S. Department of Homeland Security's (DHS) newsletters led to a flood of unwanted email messages for recipients this week.

The deluge of unwanted messages – called “a mini-DDoS of sorts to subscribers' inboxes” by SANS Internet Storm Center Director Marcus Sachs – resulted after one recipient replied to the newsletter's sender.

Sachs told SCMagazineUS.com today that an administrator likely changed the newsletter's settings the day before the issue occurred.

“Something changed the night before. This mailing list has been in place for quite a while, and I am sure that there have been others in the past who have hit reply and it didn't bounce to everyone,” he said. “A configuration change must have happened along the way somewhere that caused this to happen.”

Amy Kudwa, DHS spokeswoman, told SCMagazineUS.com today that the newsletter's third-party vendor has fixed the issue.

Sachs, also executive director for government affairs and national security policy at Verizon, noted on the SANS Internet Storm Center diary on Wednesday that, at that point, 275 emails had been sent replying to the original message.

The former official at DHS's National Cyber Security Division also noted that many of the replies that bounced among recipients were humorous, saying they “most definitely do not have the Jack Bauer [character from the series 24] mentality of total seriousness and no-joking attitude.”

However, he also noted on the diary that if a malicious user was on the mailing list, he or she could have sent a malicious file to hundreds of security users.

“A reader sent us an interesting idea – all it takes now is some wise-acre to send a zero-day PDF or Word attachment to the nearly 300 names now available and nail a few dozen gullible security professionals,” he said.

The DHS newsletter, which collects previously published media reports on securing critical infrastructure, does not distribute sensitive information, according to Sachs.
