We had a Social email loop when I worked for a company with 33k employees. Someone sent out a newsletter to the company ALL mailbox, which had some tips for winterizing, and asked mostly rhetorically "What are your tips for preparing for winter?"
A handful people replied to the entire company w/o realizing it - stuff like "Well I'm in California, I don't have to worry about it. Ha!".
I think it would have ended there. But some grumpy programmer in NYC of course decided to reply "People. Stop replying-all!" One would think being a programmer he'd be smart enough to reply to just the people who had unintentionally spammed the whole company. But no. He spammed the whole company.
And after that it was on. Dozens of emails a minute. Tons of replies like "Please take me off this list." Tons more grumpy people complaining. Big bosses pulling rank "Ok I am Vice President of muckety muck and we need to stop this replying all right now!" And the best: "Stop replying all to everyone to tell them to stop replying all!" - replied to all of course. O_o
It didn't help that a lot of people worked in labs and shared computers. So they'd log on and see a ton of emails w/o knowing what happened. By the end of the week it finally died down. Then the next Monday people came back from vacation, saw 500+ emails, and of course asked to be taken off the list. This went on for weeks before it finally trickled to a halt.
Why anyone was allowed to spam the entire company, or the address couldn't be blocked, I have no idea. I was tempted to use it to fish for a tennis partner. And then apologize and claim ignorance of course.
This exact same thing happened at DuPont about 5 years ago. I believe there were roughly 80k employees at the time. There was essentially no real work email for most of the day until I believe IT figured out how to add a whitelist for @company emails.
My theory was, when they switched from LotusNotes to Outlook, they never ported over years of worth of experience encoded in user permissions. At least that fits well with the warning people always give about re-writing legacy software....
> I think it would have ended there. But some grumpy programmer in NYC of course decided to reply "People. Stop replying-all!" One would think being a programmer he'd be smart enough to reply to just the people who had unintentionally spammed the whole company. But no. He spammed the whole company.
It's probably because he felt that he was in a position of expertise and authority that he tried to pre-empt the problem by telling everyone not to reply to the list. One last message to all, then the problem would be definitively solved, or so the logic would go.
If he had such expertise he should have sent his reply with all the recipients on bcc. Then even if a few people do reply they only go to him and things fizzle quite quickly.
I don’t quite why so few people break reply storms in this way. Bcc isn’t _that_ mysterious.
The reason is that a bcc'd message doesn't stop people from replying to earlier messages in the thread, whether or not they are using a threading email client. Threaded email reading interfaces probably make your strategy more effective, but they don't eliminate the possibility that people will respond to earlier messages, defeating your "firebreak" message (the more addressees, the more likely it is).
I meant to say To, my mistake there. That doesn’t negate my point, almost all mailing lists include a List-ID and/or other similar fields. That’s included even when the list was bcc’d and is what you should be filtering on, not the To: field. Gmail even uses it automatically when you click on a message from a mailing list and click “filter messages like this”.
What a hilarious story. Talking about email ethics. I remember myself doing a similar mistake, new at work. This old timer came barging into my cubicle and commanding me to “stop emailing all!”.
Ok well it might be a company I know, similar thing happened at an old workplace, but the funny thing was the company I was at had been sold off about a month and a half before, but we were all still receiving email from the old company!
Another story about inappropriate emails, luckily I wasn't the perpetrator here.
It was the late 90's. Email systems were generally wide open for exploitation. (It was the golden age of Spam)
I myself had figured out that it was trivial to send a message and make it look like it came from anyone. Simple:
telnet <server> 25
HELO
MAIL FROM: <whatever you want>
RCPT TO: <recipient>
DATA <body contents>
QUIT
I used this a few times to mess with friends, send them messages from God, etc. Good times.
Thing is, I wasn't the only one who'd figured this out, and the university had an "All Users" list with only 3 or 4 people whitelisted to send it messages.
Someone else knew about the forged FROM scheme, and speculated that the "All Users" list didn't do any fancy verification of the "From" address.
This speculation was correct. And the University President was one of those 3 or 4 people whose email address was whitelisted.
The problem for this student was that they thought to themselves, "No, it couldn't be that easy..." And proceeded to send a test message.
It was that easy, and their test message sent successfully. The contents were... explosive. First, it cancelled all classes for the day (of course). Had it stopped there, this story might have ended as just an ultimately harmless prank. But it went further.
The message went on to describe how the president, with this free time from classes, would make herself available to provide, um, carnal knowledge of a very uncomfortable place at a particular time & location.
It didn't take long. IP addresses were statically assigned. It was easy to locate the offending computer, which in this case was in a computer lab.
So, cross reference login times against that IP address, right? Nope, not necessary: The computer was the one reserved only for the lab assistant on duty. Expulsion was rapid. In an interview with the student newspaper, the student decried, "I didn't think it would work!"
I used to help run the website for Rogue Wave Software, who had the domain name "roguewave.com", and also bought the domain name "rwav.com" after the company went public as RWAV.
"rwav.com" had previously been owned by a small ISP, and their most famous hosted site was for "Vicky the Bodybuilder". We knew this because we'd see hits for her page all the time.
I emailed top few sites that were linking to the old Vicky address, letting them know the site had moved, and nobody changed their addresses.
So then I got Vicky's real email, and used the above telnet email spoof to send an email "from" Vicky to each of the linking sites, gushing about how happy I (Vicky) was that they linked to her, and just to let them know I (Vicky) would be really happy if they'd update their links.
Reminds me of the time I was working at the Air Force Academy hospital in the basement warehouse in the mid 2000s. There were a few computers, and I wanted to mess with one of my coworkers (a senior airman) who was sitting at the desk in front of me.
There's a Windows command "net send" where you can make a pop up dialogue appear on a user's computer with a custom message. The problem was, I didn't know his exact username, so I did "net send * 'What's up dog??'". The dialogue popped up on his computer, he looked confused, and I was giddy. So I went further and sent a few more, including "You suck at computers" and "Your computer has been infected with a virus, sucka". It wasn't until a few minutes later when some visibly distressed IT personnel rushed into the warehouse and started interrogating people and checking the computers one by one that I realized something was terribly, terribly wrong. Apparently the dialogues were popping up on every single computer in the entire hospital, including the commander's (a full colonel).
I'm sure there would have been more disciplinary action had I not been a high school civilian intern. Everyone started calling me "Neo" from then on, but in a derogatory way.
Ah, “net send”. I remember it fondly. For a brief period almost 20 years ago I worked for a medium sized desktop software company. They had draconian restrictions on what we could do on the work computers. The only approved form of electronic communication was email, nothing instant. Many folks hated email, so the only real way to get an answer from a colleague was to get up and walk over. Being that I hated being interrupted by others walking up, I tried to be responsive to emails, but folks in the org were so used to others not looking, they just always defaulted to walking up. I then realized that while everything was very locked down, for some reason net send wasn’t. First in a small group of folks I told, but soon most of the office knew and was using it, tech folks and otherwise. Then someone had to go and see what else the net command could do. Said malicious person started rebooting other people’s machines. Needless to say, this got IT security involved (IT was in the Corp office, so hadn’t learned about our usage till then somehow). This lead to an investigation and ultimately it came to be known I started the usage. IT tried to blame the malicious loss of work due to the reboots on me, but thankfully my boss argued correctly I had nothing to do with that, they needed to find the real perp. IT’s solution was to put in a very crappy IM system (can’t remember what it was), lock down net command, and not bother finding the malicious person. Their “ultimate spite” though was to block me from using the new IM system (actually it sucked so bad it wasn’t really a loss) as “I was shown to misuse resources”. Needless to say, I didn’t stay much longer and jumped ship for a better job.
I did exactly the same with the loop and net send when I was 13-14 years old. The school was connected to the city's network somehow so the IT department was not very happy. They figured out it was me but were nice enough to just say "if you ever want to test something like that again, just check with us first" and I got an internship with them the following year. I'm very grateful for their gentle and pedagogical approach.
I liked to use the samba smbclient tool to pipe output of the fortune program to the network...offensive ones only of course...at random times to random netbios stations
Never really got in trouble for it. It was a simpler time. I can only imagine what would happen these days!
I was about 17 years old and IRC was very hot at the time in school. We had a, for the time, very fast 512Kbps internet connection, and I had gotten used to be able to "ping people out from IRC", no idea why I would do that, but hey I was 17. I was experimenting with ever bigger packets, until I hit something very close to 2^16 but not just.
Until the friendly admin just suddenly stood behind me, tapped my shoulder and said: "If you step away from the computer, let me look at what you did here, there will be no repercussions for doing shit you were not supposed to on a school computer".
Turns out I managed to send a "ping of death" and the network gear in our own school had just died. Internet was so unreliable back then that I just assumed things were a bit slow....
I like this approach. Kids are going to test their limits, try things out of a natural curiosity of "what if..." without always understanding the consequences. The whole "just because you can doesn't mean you should". Dealing with it as a teachable moment seems the best way to go for minor infractions lime this.
The sysop came out and had a chat with me, then gave me operator access to a testbed so I could learn, then made me an unofficial (I was quite young) lab assistant.
I use telnet ip.add.re.ss 25 pretty much daily as you descibe (but EHLO these days). Sometimes you come across systems that don't have "swaks" or "exim -bhc" to hand.
A couple of days ago I used it to quickly prove to myself that SPF really is bloody useless against spam. Set "MAIL FROM:" to nothing which implies that the mail server itself is transmitting and is perfectly valid: that is how bounce messages are sent. What will happen is that the receiving SMTP daemon will not have an email address to test for SPF (it will only test envelope from which is what comes after the MAIL FROM: command) With no email address to test it tests the mail server itself and the spammer has set up SPF for their own email server's domain and hence pass the test. They will set the FROM: header to whatever they like in the DATA phase and that is what your MUA (Outlook probably sigh) will display. So the end result is your end user gets an email that appears to come from someone they know and it will pass SPF tests. DKIM and DMARC/ARC will help mitigate (DMARC adds a bit of excitement to mailing lists) as will a proper spam scanner like rspamd or spam assassin or some decent ACLs in Exim int al but SPF on its own is absolutely rubbish.
> In an interview with the student newspaper, the student decried, "I didn't think it would work!"
This reminds me of an interview with RMS[1]
Our way of dealing with kids coming in over Arpanet was to socialize them. We all participated in that. For example, there was a command you could type to tell the system to shut down in five minutes. The kids sometimes did that, and when they did we just cancelled the shutdown. They were amazed. They would read about this command and think, surely it’s not going to work, and would type it—and get an immediate notification: ‘The system is shutting down in five minutes because of . . . ’
We grow up with a lot of rules, and many people learn that the rules have no real force this way. You can literally do anything. The real question can become, would anyone want to be friends with someone who would do anything? We are social animals, so this idea should be important.
Looking around the Internet, it seems like most people never "get it" though...
Not a loop from hell, but let's not stop the procrastination loop: The 500 miles sendmail story still fascinates me, to this day: http://web.mit.edu/jemorris/humor/500-miles
I thought of this story a few weeks ago when I was using VS Code on an old machine and couldn't get the linter to work on longer files. Very similar problem and solution.
At work, we had a mail loop once; a girl from accounting had ordered toner for our printers last thing before she went on vacation and enabled an auto reply on her mailbox.
Five minutes after she left the office, the order confirmation arrived, sent from noreply@random.office.supplies.whatever. Her mailbox sent an auto-reply. Our mail server sent her an error message, telling her that her reply had not been delivered. To which her mailbox happily replied with the same auto-reply mail...
When I walked into the office on Monday, her mailbox had accumulated around 50,000 of those mails. Fun times.
In the early days of "exchange" ... the email client. I discovered auto replies.
Very first thing I thought of was "What if two clients have auto replies set?"
So naturally I set one up, my cube neighbor set one up. I sent an email to my cube neighbor ... and fairly quickly email was down company wide for a good afternoon.
IIRC rules such as out of office (I'm not sure "rules" really existed). Were client side only... the server didn't have the option (or at least it wasn't automatic) to evaluate bad rules / out of office.
I once (accidentally) setup a mail group with itself as a member.
Everything was fine until the first message came in, and a few minutes later I hear "Uh, why do I have 5,000 new emails?" "Woah, I have 9,000", "Oh, mine is at 15,000 now!".
I don't remember what it got up to before we managed to get into the now-very-slow mail server to fix it, but it was in the hundreds of thousands. Luckily it was only internal mailboxes.
I've got a client with an automated ticketing system that loves to get into mail loops with our automated ticketing system. They keep confirming that they've received a reply or update to the previous ticket and a single inquiry can rattle back and forth dozens of times.
Yep, had the same thing happen after I implemented an automated mailing process at work. Luckily the ticketing system we hit was slower and I caught it around 6k emails the next day.
If said Jira server is backed my MySQL in the default “UTF8” mode that isn’t actually UTF8. Tell your Jira admins to switch to Postgres or Jira Cloud and all will be well. The same thing happens to Wordpress installs all the time, sadly.
Back when I was working at an SMS related company I managed to accidentally infinite loop sending myself text messages. The aggregator and AT&T had no issues, but my iPhone became completely unresponsive to touch as I saw the notification badge quickly ramp up from 1 to tens of thousands. If I remember correctly I had to wait a few hours for the messages to be delivered and processed by the phone and then wiped my device.
>So those 15,000,000 email messages collectively consumed 195,000,000,000 bytes of bandwidth. Yes, 195 gigabytes of bandwidth bouncing around between the email servers.
I once made a mistake, but it wasn't a just a loop, it was recursive. I was working in an old version of FOCUS, a reporting language, mixed with DCL. (This was a VMS environment)
The details are fuzzy now, but IIRC I misplaced a single "GOTO" line of code. The result was doubly recursive: Each person on the list got the message once for every person on the list, with the content of previous recipients concatenated to the message.
So: person 1 got the message once. Then person 1 & 2 got the message again, only person 2's content was appended to person 1. The person 1, 2 & 3 got the message, with 3 appended to 2, and 2 & 3 appended to 1, and so on.
I was very lucky that it was an old VMS environment with low disk quotas, so my "sent" folder ballooned before the full list could run. I think I got through about 130 recipients, which came out to about 8000 messages.
Not the same kind of loop, but a few years ago I had to quickly fix email sending in some PHP service. Being rusty in PHP, I at least managed to write a for loop iterating over the list and send mails. Or so I thought. I had forgot "$" in front of the "i" in the for-header, making it never terminate, since of course that's still valid php.
Luckily it was only my private email in the test-list. But I still got so many thousands of mails my Gmail account was blocked for days. Also lucky this didn't affect the delivery of our future mail (not blacklisted).
There was a time when overnight I received 200 copies of an email in my inbox. The emails were sent manually, typos, delays and all. Very industrious individual.
I was discussing this with a colleague of mine the next day and it transpired that they'd recently taken delivery of two DEC Alpha workstations. They were both sitting on his desk, being configured for actual work.
We set up a system using .forward files where DEC Alpha 1 would forward an email to DEC Alpha 2. On DEC Alpha 2 we set up the same in reverse.
We sent an email to DEC Alpha 1 and CC'd in our individual.
We let it run for 5 seconds.
In that time the two workstations, doing nothing other than sending email, managed a combined 25k of messages.
We never did hear from that person again.
These days when I think back about that, it was probably one of the early DOS attacks. We were a little shocked how well it worked.
An e-mail request is sent to a marketing e-mail service. For a specific e-mail notification, we do not receive a confirmation from the marketing e-mail service that the e-mail reached the recipient. So our service re-sends the e-mail.
This goes on for several days. It turned out a filter did not let the notification reach our end. By the time we figured it out, someone received thousands of the same marketing e-mail.
You can still do stuff like that today. My friend broke Yahoo and gmail. Unfortunately, we didn't document the procedure very well, so the following, from my personal notes on the incident, (with handles changed to protect my friend) is all I got:
How name_surname broke yahoo mail (and also gmail)
==================================================
- 21/03/17
> She doesn't quite remember what she did exactly but:
a) She went into nickname@yahoo.com and added another yahoo mail box-
name_surname@yahoo.com.
b) This didn't seem to work (?) so she went into name_surname@yahoo.com
and added nickname@yahoo.com as a mailbox.
c) Then she went into gmail and added nickname@yahoo.com to it
d) And finally she imported mail and contacts from both yahoo accounts
into gmail.
> The result: in nickname@yahoo.com you can see the name_surname@yahoo.com
mailbox which contains a nickname@yahoo.com mailbox, which contains an
name_surname@yahoo.com mailbox, but also nickname@yahoo.com contains a
mailbox called nickname@yahoo.com and name_surname@yahoo.com contains a
mailbox called name_surname@yahoo.com. And in gmail, all the email
imported from nickname@yahoo.com and name_surname@yahoo.com have a very
long listing of all the mailboxes in which they exist, which is the two
yahoo mailboxes repeated several times. That's _many_ times.
> Of course, when she tried to delete the mailboxes, whereas she only had
5 messages it looked like there were 35. They were all duplicates,
obviously.
It’s hard to read on mobile due to your formatting, but based on knowledge I have of both (and lack of details in your story), I think the most your friend can claim is “broke my ymail/gmail”, not broke either service.
Somebody managed to find a low level PDL that referenced nearly everyone in the company globally. Just the reply-all "I'm not sure this as anything to do with me, please take me off your DL" mails forced the servers to be taken down and nearly five hours of global mail handling was wiped clean... it was about seven hours before accounts started acting normally again. Sorta amusing from the random employee view.
This sort of thing was surprisingly common at my old job. Someone would find a list that seemed relevant, ask a question on it, and not realize the list had as a sublist something like basically all of software engineering. Then people would reply-all to that asking to be taken off the list that they didn’t need to be on…
A few years back I had mail to an address forwarding to a team at a different company. It was used to cc them on tickets, basically so they could make changes on their side when certain requests came in. At some point they decided to forward these directly into their own ticket system. Each email from our ticket system would forward and land in their own ticket system that would strip off the identifiers from our ticket system and create a new ticket which would reply to our ticket system, creating a new ticket on our side and so on. Unfortunately that queue on our side wasn’t in use by humans so no one saw the exponential mail storm building. Many mail servers have relay loop detection based on IDs in the headers but reply loops are a different beast. Once we realized what was going on it was simple enough to black hole the various addresses involved but it was pretty cool to watch our ticket and mail systems DOSing each other in real time.
Holy crap, the series surrounding the 'recorder' one is the most gripping and well written tales of combined technical and political achievement I've ever read on the internet. True hacker porn. Start here:
I knew immediately .forward files were involved, before I even read it. I had done something similar and brought down my college's email system back in the 80's.
When I set up an autoresponder in my .sieve file, I specify ":days n", where "n" is the minimum number of days between allowing an autoresponse to be sent to the same address.
This isn't fool proof though. It would fail if the other side of the loop didn't have a similar defense, and also sent each email response from a different address.
#127039 +(13215)- [X]
<wolf> 1. Save every Free Credit Card Offer you get, Put it in pile A
<wolf> 2. Save every Free Coupon You get, put that in pile B
<wolf> 3. Now open the credit card mail from pile A and find the Business
Reply Mail Envelope.
<wolf> 4. Take the coupons from pile B and stuff them in the envelope you hold
in your hand.
<wolf> 5. Drop the stuffed to the brim envelopes in your mail and walk away
whistling.
<wolf> I have now received two phone calls from the credit card companies
telling me that they received a stuffed envelope with coupons rather
then my application. They informed me that it they are not pleased that
they footed the bill for the crap I sent them. I reply with "It says
Business Reply Mail" I'm suggesting coupons to you to ensure that your
business is more successful. They promptly hang up on me.
<wolf> Now, I did this for about a month before it got boring, so I got an
added idea! I added exactly 33 cents worth of pennies to the envelope
so they paid EXTRA due to the weight. I got a call informing me about
the money, I said it was a mistake and I demanded my change back. After
yelling at the clerk and then to the supervisor they agreed to my
demands and cut me a check for the money. I hold in my hand at this
very moment a check from GTE Visa for exactly 33 cents.
Years ago you could simply tape the prepaid business envelope to a 2”x4” block of wood, a brick, or anything else heavy and the mailman would take it. Too much fun...
Yeah, postage on reply envelopes used to be unlimited in the US. In grad school, there were lots of lead bricks around. So we did that once or twice, for laughs. But you know, the lead was actually worth something. But not as much as the postage.
In January 2017, NetApp had a reply-all storm. One would think that sysadms would know better than to participate, but one would not be wholly correct.
At a company I worked for in the Netherlands soon after the turn of the century, many of the Asian sales reps had massive Pirated DVD archives that they would offer to customers as an incentive, and then would send out those images by e-mail — across a slow E-1 leased line back to corporate HQ in Eindhoven, and then back out to their customers in Asia.
Clogged the leased lines for days when they did that. That’s when I was called in to fix the email servers and implement message size limits across the board.
A handful people replied to the entire company w/o realizing it - stuff like "Well I'm in California, I don't have to worry about it. Ha!".
I think it would have ended there. But some grumpy programmer in NYC of course decided to reply "People. Stop replying-all!" One would think being a programmer he'd be smart enough to reply to just the people who had unintentionally spammed the whole company. But no. He spammed the whole company.
And after that it was on. Dozens of emails a minute. Tons of replies like "Please take me off this list." Tons more grumpy people complaining. Big bosses pulling rank "Ok I am Vice President of muckety muck and we need to stop this replying all right now!" And the best: "Stop replying all to everyone to tell them to stop replying all!" - replied to all of course. O_o
It didn't help that a lot of people worked in labs and shared computers. So they'd log on and see a ton of emails w/o knowing what happened. By the end of the week it finally died down. Then the next Monday people came back from vacation, saw 500+ emails, and of course asked to be taken off the list. This went on for weeks before it finally trickled to a halt.
Why anyone was allowed to spam the entire company, or the address couldn't be blocked, I have no idea. I was tempted to use it to fish for a tennis partner. And then apologize and claim ignorance of course.
My theory was, when they switched from LotusNotes to Outlook, they never ported over years of worth of experience encoded in user permissions. At least that fits well with the warning people always give about re-writing legacy software....
It's probably because he felt that he was in a position of expertise and authority that he tried to pre-empt the problem by telling everyone not to reply to the list. One last message to all, then the problem would be definitively solved, or so the logic would go.
I don’t quite why so few people break reply storms in this way. Bcc isn’t _that_ mysterious.
In a recent experience, I Replied to All (in BCC) to explain how BCC works and all the replies to my email stayed off the list.
https://www.theregister.co.uk/2017/01/31/nhs_reply_all_email...
It was the late 90's. Email systems were generally wide open for exploitation. (It was the golden age of Spam)
I myself had figured out that it was trivial to send a message and make it look like it came from anyone. Simple:
I used this a few times to mess with friends, send them messages from God, etc. Good times.Thing is, I wasn't the only one who'd figured this out, and the university had an "All Users" list with only 3 or 4 people whitelisted to send it messages.
Someone else knew about the forged FROM scheme, and speculated that the "All Users" list didn't do any fancy verification of the "From" address.
This speculation was correct. And the University President was one of those 3 or 4 people whose email address was whitelisted.
The problem for this student was that they thought to themselves, "No, it couldn't be that easy..." And proceeded to send a test message.
It was that easy, and their test message sent successfully. The contents were... explosive. First, it cancelled all classes for the day (of course). Had it stopped there, this story might have ended as just an ultimately harmless prank. But it went further.
The message went on to describe how the president, with this free time from classes, would make herself available to provide, um, carnal knowledge of a very uncomfortable place at a particular time & location.
It didn't take long. IP addresses were statically assigned. It was easy to locate the offending computer, which in this case was in a computer lab.
So, cross reference login times against that IP address, right? Nope, not necessary: The computer was the one reserved only for the lab assistant on duty. Expulsion was rapid. In an interview with the student newspaper, the student decried, "I didn't think it would work!"
"rwav.com" had previously been owned by a small ISP, and their most famous hosted site was for "Vicky the Bodybuilder". We knew this because we'd see hits for her page all the time.
I emailed top few sites that were linking to the old Vicky address, letting them know the site had moved, and nobody changed their addresses.
So then I got Vicky's real email, and used the above telnet email spoof to send an email "from" Vicky to each of the linking sites, gushing about how happy I (Vicky) was that they linked to her, and just to let them know I (Vicky) would be really happy if they'd update their links.
It worked.
There's a Windows command "net send" where you can make a pop up dialogue appear on a user's computer with a custom message. The problem was, I didn't know his exact username, so I did "net send * 'What's up dog??'". The dialogue popped up on his computer, he looked confused, and I was giddy. So I went further and sent a few more, including "You suck at computers" and "Your computer has been infected with a virus, sucka". It wasn't until a few minutes later when some visibly distressed IT personnel rushed into the warehouse and started interrogating people and checking the computers one by one that I realized something was terribly, terribly wrong. Apparently the dialogues were popping up on every single computer in the entire hospital, including the commander's (a full colonel).
I'm sure there would have been more disciplinary action had I not been a high school civilian intern. Everyone started calling me "Neo" from then on, but in a derogatory way.
Never really got in trouble for it. It was a simpler time. I can only imagine what would happen these days!
Until the friendly admin just suddenly stood behind me, tapped my shoulder and said: "If you step away from the computer, let me look at what you did here, there will be no repercussions for doing shit you were not supposed to on a school computer".
Turns out I managed to send a "ping of death" and the network gear in our own school had just died. Internet was so unreliable back then that I just assumed things were a bit slow....
The sysop came out and had a chat with me, then gave me operator access to a testbed so I could learn, then made me an unofficial (I was quite young) lab assistant.
It was a different world back then.
A couple of days ago I used it to quickly prove to myself that SPF really is bloody useless against spam. Set "MAIL FROM:" to nothing which implies that the mail server itself is transmitting and is perfectly valid: that is how bounce messages are sent. What will happen is that the receiving SMTP daemon will not have an email address to test for SPF (it will only test envelope from which is what comes after the MAIL FROM: command) With no email address to test it tests the mail server itself and the spammer has set up SPF for their own email server's domain and hence pass the test. They will set the FROM: header to whatever they like in the DATA phase and that is what your MUA (Outlook probably sigh) will display. So the end result is your end user gets an email that appears to come from someone they know and it will pass SPF tests. DKIM and DMARC/ARC will help mitigate (DMARC adds a bit of excitement to mailing lists) as will a proper spam scanner like rspamd or spam assassin or some decent ACLs in Exim int al but SPF on its own is absolutely rubbish.
Like the back of a volkswagen?
> In an interview with the student newspaper, the student decried, "I didn't think it would work!"
This reminds me of an interview with RMS[1]
Our way of dealing with kids coming in over Arpanet was to socialize them. We all participated in that. For example, there was a command you could type to tell the system to shut down in five minutes. The kids sometimes did that, and when they did we just cancelled the shutdown. They were amazed. They would read about this command and think, surely it’s not going to work, and would type it—and get an immediate notification: ‘The system is shutting down in five minutes because of . . . ’
We grow up with a lot of rules, and many people learn that the rules have no real force this way. You can literally do anything. The real question can become, would anyone want to be friends with someone who would do anything? We are social animals, so this idea should be important.
Looking around the Internet, it seems like most people never "get it" though...
[1]: https://newleftreview.org/II/113/richard-stallman-talking-to...
What? Like the back of a Volkswagen? (Obligatory Mallrats reference)
there is even a faq: http://www.ibiblio.org/harris/500milemail-faq.html
Five minutes after she left the office, the order confirmation arrived, sent from noreply@random.office.supplies.whatever. Her mailbox sent an auto-reply. Our mail server sent her an error message, telling her that her reply had not been delivered. To which her mailbox happily replied with the same auto-reply mail...
When I walked into the office on Monday, her mailbox had accumulated around 50,000 of those mails. Fun times.
Very first thing I thought of was "What if two clients have auto replies set?"
So naturally I set one up, my cube neighbor set one up. I sent an email to my cube neighbor ... and fairly quickly email was down company wide for a good afternoon.
But when programmers make RFC ignorant software, then all bets are off. Don't be that guy.
Everything was fine until the first message came in, and a few minutes later I hear "Uh, why do I have 5,000 new emails?" "Woah, I have 9,000", "Oh, mine is at 15,000 now!".
I don't remember what it got up to before we managed to get into the now-very-slow mail server to fix it, but it was in the hundreds of thousands. Luckily it was only internal mailboxes.
EDIT: My favorite is more "the town barber who shaves all men in town who do not shave themselves".
I have no idea if JIRA supports configuring every aspect of setting up a MySQL connection.
>So those 15,000,000 email messages collectively consumed 195,000,000,000 bytes of bandwidth. Yes, 195 gigabytes of bandwidth bouncing around between the email servers.
Almost as good as breaking all internet e-mail for the whole world in August of 1996: https://www.theregister.co.uk/2018/04/16/who_me/
The details are fuzzy now, but IIRC I misplaced a single "GOTO" line of code. The result was doubly recursive: Each person on the list got the message once for every person on the list, with the content of previous recipients concatenated to the message.
So: person 1 got the message once. Then person 1 & 2 got the message again, only person 2's content was appended to person 1. The person 1, 2 & 3 got the message, with 3 appended to 2, and 2 & 3 appended to 1, and so on.
I was very lucky that it was an old VMS environment with low disk quotas, so my "sent" folder ballooned before the full list could run. I think I got through about 130 recipients, which came out to about 8000 messages.
Luckily it was only my private email in the test-list. But I still got so many thousands of mails my Gmail account was blocked for days. Also lucky this didn't affect the delivery of our future mail (not blacklisted).
I was discussing this with a colleague of mine the next day and it transpired that they'd recently taken delivery of two DEC Alpha workstations. They were both sitting on his desk, being configured for actual work.
We set up a system using .forward files where DEC Alpha 1 would forward an email to DEC Alpha 2. On DEC Alpha 2 we set up the same in reverse.
We sent an email to DEC Alpha 1 and CC'd in our individual.
We let it run for 5 seconds.
In that time the two workstations, doing nothing other than sending email, managed a combined 25k of messages.
We never did hear from that person again.
These days when I think back about that, it was probably one of the early DOS attacks. We were a little shocked how well it worked.
An e-mail request is sent to a marketing e-mail service. For a specific e-mail notification, we do not receive a confirmation from the marketing e-mail service that the e-mail reached the recipient. So our service re-sends the e-mail.
This goes on for several days. It turned out a filter did not let the notification reach our end. By the time we figured it out, someone received thousands of the same marketing e-mail.
Thank you for the link, and for the post on your site.
https://www.reddit.com/r/talesfromtechsupport/comments/qrqsa...
https://forums.somethingawful.com/showthread.php?s=&threadid...
This isn't fool proof though. It would fail if the other side of the loop didn't have a similar defense, and also sent each email response from a different address.
#127039 +(13215)- [X] <wolf> 1. Save every Free Credit Card Offer you get, Put it in pile A
<wolf> 2. Save every Free Coupon You get, put that in pile B
<wolf> 3. Now open the credit card mail from pile A and find the Business Reply Mail Envelope.
<wolf> 4. Take the coupons from pile B and stuff them in the envelope you hold in your hand.
<wolf> 5. Drop the stuffed to the brim envelopes in your mail and walk away whistling.
<wolf> I have now received two phone calls from the credit card companies telling me that they received a stuffed envelope with coupons rather then my application. They informed me that it they are not pleased that they footed the bill for the crap I sent them. I reply with "It says Business Reply Mail" I'm suggesting coupons to you to ensure that your business is more successful. They promptly hang up on me.
<wolf> Now, I did this for about a month before it got boring, so I got an added idea! I added exactly 33 cents worth of pennies to the envelope so they paid EXTRA due to the weight. I got a call informing me about the money, I said it was a mistake and I demanded my change back. After yelling at the clerk and then to the supervisor they agreed to my demands and cut me a check for the money. I hold in my hand at this very moment a check from GTE Visa for exactly 33 cents.
[edit]: formatting
That stopped working in maybe the 80s.
https://imgur.com/DwbRfDs
Embarassing, yes. Especially since it was ongoing for, um, months.
nullmailer really likes to send mail. But some MTA's don't like to accept mail larger than a certain size. Ugh.
I'm skeptical. Even assuming this is true, would the CIA divulge this info?
Subject: Fwd: mousedown 52 48
Then you could trigger interesting dialogs to the user:
Error: failed to receive a mouseup for 72 hours. Do you want to cancel clicking? Click one (Ok) (Cancel)
Clogged the leased lines for days when they did that. That’s when I was called in to fix the email servers and implement message size limits across the board.