Last Updated: 2007-10-03 20:26:37 UTC
by Marcus Sachs (Version: 3)
The US Department of Homeland Security sends out a daily Open Source Intelligence Report to a subscription list of hundreds, perhaps thousands of recipients. This morning a reader replied to the list address with a request for a change and his note got re-sent to all of the list subscribers. In the next hour or so, dozens of readers have replied, creating a mini-DDoS of sorts against the subscribers' inboxes. This underlines an important point: if you maintain a broadcast (one-way) mailing list, make sure that the list address will not reflect email from any source other than the owner of the list. Otherwise, you will become a training example for SANS.
While this is not a Cyber Security Awareness tip, it comes mighty close.
(DHS has been notified.)
As of 1920 UTC, about six hours into this event, over 275 emails had been sent. Nearly one-half were either pleas to stop sending more replies or people demanding to be unsubscribed (in spite of the fact that unsubscribe instructions are at the bottom of the DHS daily reports). Many of the posts were humorous, some offered jobs, at least one was a "vote for me" political advertisement, and many more offered their names and contact information in case somebody was looking to connect with their sector or region. While 275 is not even close to the millions of emails that get sent on a typical commercial spam run, it is a large number for a "flash crowd" or whatever this may eventually be called. It also revealed a nice cross-section of who subscribes to DHS daily publications and considers themselves part of the defensive security community. Most definitely do not have the Jack Bauer (character from the series "24") mentality of total seriousness and no-joking attitude.
We did a bit of investigating and this does not look like a typical Mailman or Majordomo list server administered by DHS. Instead, it appears to be an email address on a Lotus Domino Release 7.0.2FP1 server hosted by a government contractor that reflects email to a list of thousands of subscribers. It's not clear why a single email got reflected today and not in the many previous months this service has been available. Quite likely an email administrator either clicked a box last night, rebuilt the system, migrated it to a new server, or did something else that cleared a setting designed to prevent this type of event. Regardless, the situation is still not fixed. As this diary is being written another email just came through. Sigh....
The pain continues...in the past few minutes the CSC server has started spewing "attachment blocking notifications" in response to the emails sent in that had MIME-formatted content. So now we brace for another round of spew: automatic notifications addressed to the list are reflected just like any other message, so every auto-responder that touches the list adds to the flood.
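To make the two failure modes above concrete, here is an added example (not the DHS or contractor configuration, and not code from the original diary) of the gate a one-way broadcast address should apply before redistributing anything: reflect only what the list owner sends, and never reflect automatic notifications such as the attachment-blocking notices described in the previous paragraph. The list and owner addresses and the three sample messages are constructed for the example.

```python
"""Sender gate for a one-way broadcast list (added example, not the
configuration of the server described in the diary).

Rule 1: only the list owner may be reflected to subscribers.
Rule 2: auto-generated notifications are never reflected, even if
        they appear to come from the owner, so a filter or auto-responder
        cannot bounce traffic back through the list.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Hypothetical addresses for the example.
LIST_ADDRESS = "daily-report@example.gov"
LIST_OWNER = "reports-owner@example.gov"

# Header markers set by auto-responders (RFC 3834 Auto-Submitted plus
# the Precedence values and vendor headers commonly used for auto-replies).
def _is_auto(name, value):
    v = value.strip().lower()
    if name == "auto-submitted":
        return v != "no"
    if name == "precedence":
        return v in {"bulk", "junk", "auto_reply", "list"}
    return name in {"x-autoreply", "x-autorespond"}

AUTO_HEADERS = ("auto-submitted", "precedence", "x-autoreply", "x-autorespond")


def classify(raw_message):
    """Decide what to do with one message received at the list address.

    Returns ("reflect", None) when the message may go to subscribers,
    or ("drop", reason) when it must not.
    """
    msg = message_from_string(raw_message, policy=default)
    # Prefer the envelope sender recorded by the MTA; fall back to From:.
    _, sender = parseaddr(str(msg.get("Return-Path") or msg.get("From") or ""))
    if not sender:
        return ("drop", "no sender address")
    # Rule 2 first: an auto-reply is dropped regardless of who sent it.
    for name in AUTO_HEADERS:
        value = msg.get(name)
        if value is not None and _is_auto(name, str(value)):
            return ("drop", f"auto-generated ({name}: {str(value).strip()})")
    # Rule 1: everybody but the owner is refused (and should be bounced once).
    if sender.lower() != LIST_OWNER:
        return ("drop", f"sender {sender} is not the list owner")
    return ("reflect", None)


def triage(raw_messages):
    """Run classify() over a batch and count how many would have been reflected."""
    decisions = [classify(m) for m in raw_messages]
    return {
        "reflected": sum(1 for d, _ in decisions if d == "reflect"),
        "dropped": sum(1 for d, _ in decisions if d == "drop"),
    }


# Constructed sample traffic: the owner's report, a subscriber's reply to the
# list address, and a content filter's automatic notification.
OWNER_REPORT = f"""\
Return-Path: <{LIST_OWNER}>
From: Report Desk <{LIST_OWNER}>
To: {LIST_ADDRESS}
Subject: Daily Open Source Intelligence Report

(constructed sample body)
"""

SUBSCRIBER_REPLY = f"""\
Return-Path: <reader@example.org>
From: reader@example.org
To: {LIST_ADDRESS}
Subject: RE: Daily Open Source Intelligence Report

Please change the address my copy goes to.
"""

ATTACHMENT_NOTICE = f"""\
Return-Path: <postmaster@example.net>
From: postmaster@example.net
To: {LIST_ADDRESS}
Auto-Submitted: auto-replied
Subject: Attachment blocking notification

An attachment in your message was blocked by policy.
"""

if __name__ == "__main__":
    for sample in (OWNER_REPORT, SUBSCRIBER_REPLY, ATTACHMENT_NOTICE):
        print(classify(sample))
    print(triage([OWNER_REPORT, SUBSCRIBER_REPLY, ATTACHMENT_NOTICE]))
```

The owner check is only as strong as the sender identity it trusts: a Return-Path or From: header can be forged, so in practice it should be backed by SPF/DKIM results or by an authenticated submission path for the owner, and the list should be configured as announce-only so that a single cleared checkbox cannot turn it back into a reflector. Refused senders should get at most one bounce, never a copy to the whole list.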
A reader sent us an interesting idea: all it takes now is some wiseacre (or a BadGuy™) to send a zero-day PDF or Word attachment to the nearly 300 names now available and nail a few dozen gullible security professionals.
Marcus H. Sachs
Director, SANS Internet Storm Center