DHS Spews Forth Spam In IT Snafu

The Department of Homeland Security (DHS) said the glitch that turned an e-mail list into an out-of-control social networking experience Wednesday has been fixed.

The New York Times reported Thursday that a North Carolina businessman was responding to a daily anti-terrorism bulletin Wednesday when he accidentally set off a confluence of events that the newspaper said eventually flooded government, corporate, and personal e-mail boxes with 2.2 million messages.

The DHS, which sends out the bulletin, had misconfigured it so the businessman's reply message was swept out to the 7,500 security professionals and organizations on the list, according to Laura Keehner, a spokeswoman for the agency. Once others on the list saw what was happening, a virtual free-for-all started, with people like Army sergeants and business executives jumping into the fray to take advantage of the instant link-up.

"The issue is that the reply generated messages to the 7,500 addresses on the server list, which was followed by the spam," said Keehner in an interview with InformationWeek. "It was bad judgment for people to keep replying. It was a mix of federal, state, local, and industry leaders."

Keehner said they sent out an e-mail message asking people to stop e-mailing each other immediately. The New York Times reported that Department of Defense did the same thing. The requests met a lot of deaf ears, but the DHS notified the contractor who is in charge of the e-mail list and had it shut down.

But Wednesday night or Thursday morning, a new list was generated and this time all the addresses were bcc'ed, or hidden, according to Keehner.

"I don't know why it wasn't that way in the first place," she added. "It was just human error. I don't know. It has since been changed... No government secrets were leaked. No personal information was given out."

She did concede, however, that the e-mail addresses were disclosed for all of the people, who are mainly security professionals, on that list.

Marcus Sachs, director of the SANS Internet Storm Center, wrote in a blog that this was a good lesson for anyone maintaining a broadcast mailing list.

"It's not clear why a single e-mail got reflected today and not in the many previous months this service has been available," he wrote. "Quite likely, an e-mail administrator either clicked a box last night, rebuilt the system, migrated it to a new server, or did something that un-set a setting designed to prevent this type of event... Many of the posts were humorous, some offered jobs, at least one was a "vote for me" political advertisement, and many more offered their names and contact information in case somebody was looking to connect with their sector or region. Most definitely do not have the Jack Bauer (character from the series "24") mentality of total seriousness and no-joking attitude."