A Department of Homeland Security mailing list that provides unclassified daily news reports on critical infrastructure information experienced a meltdown today when the list apparently got misconfigured and began routing any reply that someone sent to another person on the list to every subscriber on the list. The list was further configured to reveal the e-mail address of the senders so that the names and contact details of hundreds of list members -- including government workers in critical infrastructure positions -- were exposed. The mishap also revealed an interesting tidbit -- at least one member of the list works in some capacity with Iran's Ministry of Defense.
The problem began early this morning when a subscriber to the DHS Daily Open Source Infrastructure Report mail list sent an e-mail to the list address saying he was switching jobs and asking to have the daily report sent to his new e-mail address. Another list member replied to his message telling him that he'd inadvertently sent his request to the wrong address. That reply, however, also went to everyone on the DHS mail list, as did every other reply from people on the list telling the first two posters that their messages had spammed the entire list. Subsequent e-mails pleading with members to "stop hitting the reply-to-all button" also were spammed to the entire list. By midday, hundreds of such e-mails were clogging the list.
At one point someone suggested lightly that the mailing mix-up was a great way for list members to network and get to know one another, which then resulted in a free-for-all internet party as members spammed the list with still more e-mail, jokingly exchanging astrological signs and romantic details ("I like long walks on the beach and a nice chardonnay with my roasted duck," wrote one member), networking for jobs and, in the case of at least one list member, campaigning for political office.
The list is run by a government contractor Computer Sciences Corporation. List subscribers include government workers involved in security and counterterrorism efforts, employees of government contractors and security companies, as well as journalists and researchers. None of the information exchanged on the list is classified and can all be obtained from other sources. But many of the messages included signatures at the bottom of the e-mail disclosing the sender's government title and contact details, which could potentially be of use to someone wanting to social engineer the government worker to obtain information or spoof the worker's e-mail address and pose as him.
The problem with the list continued for at least six hours before someone finally fixed it -- but not before more than 500 messages had been spammed to list members. [The NY Times reports that the total number of e-mail messages generated from the server and clogging the 7,500-member list reached 2.2 million during the mishap.] One State Department worker complained that the mishap cost her agency money since she was working overseas and being billed for every message that arrived to her handheld device.
By Kim Zetter