HTMLGOODIES EXPRESS (tm)
August 28, 2000-- Newsletter #95
Please visit http://www.htmlgoodies.com
Greetings, Weekend Silicon Warriors,
Today is a pretty big day if all goes as planned at Earthweb Inc. The HTML Goodies redesign should be up and running. If it's not up today, it'll be up tomorrow. The redesign is XML driven and should help you find what you want quicker and easier. In addition, the site will generate not just content from HTML Goodies, but additional content from other Earthweb sites.
NOTE: If you're more comfortable with the older HTML Goodies navigation, there is a Master page you can get to right from the home page. That master page lists every tutorial and primer on the HTML Goodies site. You can jump right to what you want.
Enjoy it. It's really a solid piece of work. It should help you a great deal.
Now onto today's topic
Did you check out Sherry's Basket Kits?
My apologies for not having the regular news clipping here, but the past day has been rather unpleasant here at HTML Goodies Inc. I've had no time to delve into the news.
I've had some really, really bad days during my time writing HTML Goodies, but last Friday may go down as the worst yet. Some of you know exactly what I am talking about and some of you don't. I'll explain why in a minute.
The Goodies To Go newsletter is delivered to you via a system known as a listserve. In the realm of things Internet, it's a pretty rudimentary machine. Basically, a server is set up that will accept a list of email addresses. The owner of the server then uses that list of email addresses when he or she wants to send out a mass email. The real advantage is that the listserve sends out the mail without revealing the names on the list. In addition, the listserve can accept commands through the subject line of an email and either add or remove names from the list. It was one of the first systems up and running back in the early 90s.
The Goodies to Go newsletter services all of its subscribers using five different listserve lists. The reason is that the list of subscribers is so large. The listserve server has to process the lists in five bites rather than all at once. This is why only some of you saw what happened last Friday and the rest didn't.
So, what happened?
Let me go back a couple of days. A short time before the Goodies To Go newsletter went out, the engineers at Earthweb Inc., those are the people who keep all the listserve and HTML Goodies servers running, took some time to alter the listserve server settings. For one reason or another a switch was left on that should not have been left on. Hey, stuff happens.
The switch was responsible for blocking people's ability to respond to the listserve system. You see, if all systems were working properly, any email message sent back to the listserve would have simply bounced back to my mailbox.
That's what should have happened.
Jumping forward in time, around 1AM Eastern Time last Friday, a user decided to send out a SPAM mail to the Goodies To Go list. He or she created a basic email that said, "Check out: http://xxxxxxxx.com/xxxxxx/SharisBsktKits". I've blocked the major portion of the Web address.
Actually this happens all the time. Someone believes that replying to the list will get him or her a quick SPAM. The message should have simply bounced back to me. I delete it and all's well that ends well. You never see it.
Ah, but this time around that darn switch was thrown. The email went out to one-fifth of the Goodies to Go list. And, as Murphy's Law points out, whatever can go wrong will go wrong, and at the worst possible time.
Of course this happened at 1AM. I'm asleep, as are 95% of the Earthweb staff. So, you're thinking: one little email, what can it hurt?
Well, once that email hit, all heck broke loose.
The email was sent out to everyone on the list. That's bad enough. The fact that the SPAM had the Goodies To Go listserve address as sender less than a week after my newsletter tirade regarding how much I don't like SPAM was even worse.
The problem then was that many of the subscribers to the newsletter have auto-replies. I get at least 20 every week. Someone goes on vacation or is out of the office and they set up an auto-reply. Usually they bounce to me and I erase them. Oh boy.
The auto responders bounced and went to the entire list. At this point, those affected have about 12 messages in their email boxes. It's 1:05AM and all goes quiet for about three more hours.
I get up Friday morning around 5AM, as usual, shower and make my toast. I have to be at school all day so I sit down to quickly go through the morning's mail. I download the mail from my three personal accounts. There's nothing there. No SPAM. That's important because I receive the newsletter at three different email addresses. I wasn't affected and I own the newsletter. Go figure.
When I logged the mail from my firstname.lastname@example.org account, the floodgates opened. It was blank the night before when I went to bed around 10:30. That morning there were 543 messages. I'll never forget that number.
By this point in time people had begun an avalanche of SPAM like many have never seen.
Remember now this is all off of one person's attempt to push their URL by responding to the list.
Those who woke up and found twelve letters from the Goodies To Go listserve simply replied asking what was happening. That went out to the listserve list.
The auto responders triggered. Now you have 24 messages in your box.
Someone else responds asking what is up (36).
That person is angry now and sends a letter to unsubscribe them from the list (48).
The first domino tumble has started. You can time them just about every hour as each time zone wakes up. People begin to send email to the list asking what's up, asking to be unsubscribed, or just posting a general curse-laden tirade.
I made the people at Earthweb aware of the problem around 7AM Central Time. Within the hour the crush of email was enormous. There were almost 8000 original replies to the listserve just waiting to go out. Each would have been sent to the list, each would have created an auto-response. The engineers at Earthweb used a very intricate method to cease the mudslide of email.
They pulled the plug. Dead server, no more email.
We put together an apology explaining the situation and wanted to send it out to the list. We also wanted to send out a letter explaining that every time you respond, it goes to the list. Stop responding!
No luck. We couldn't get the server to sit still long enough to send our messages. The responses were coming in at the rate of three per minute. That would go on for a short while and then another group would either wake up or get home from work or go on lunch break. Boom! Now the messages were coming three per second. None of them were going out to the list, but you can imagine how many were coming in.
I stopped attempting to reply to all the people writing to me personally after the first hour. I had to go to work at the university. Besides, I couldn't keep up to save my life. I would erase 300 emails and twenty minutes later another 300 were in the box. It was insane.
By 8 that night, the situation had quieted enough that we felt we could again begin using the listserve, but by then the damage had long since been done.
One email created a flood of email that rivaled the Melissa virus. But you know what the really funny part was? Where the real problems occurred was when everyone wrote back telling me they were being Spammed. That email Spammed everyone else, who in turn replied and Spammed everyone else. I was screaming at my computer screen for people to stop responding and the entire problem would have stopped right then and there. No luck.
The responses to the problem fell into many categories. The majority of the emails were attempting to tell me that we got hacked or invaded. The second group of emails was requests to unsubscribe. Then there were the heavily curse-laden emails that went out to the entire list. People were writing telling me that others were using the list to send out filthy text. I saw some of them. They were awful.
It was the curse-laden emails that I just didn't understand. First off, I was surprised that some thought I was doing this on purpose. They felt I had somehow struck a deal with a Web site that sold basket kits and decided to pay for my next vacation by Spamming the Goodies To Go! List with the URL. Please.
I can understand being angry, but I think some people set records using the F-word in one email. I'm sure that a ton of young kids and people opposed to cursing saw the email letters. I hate that that happened and I apologize for those who did it.
Of course, it didn't help that the problem occurred only days after my tirade on Spamming. Some called it poetic. I called it darn dumb luck.
Finally, to answer some questions:
Yes. The hole has been fixed. All replies to the listserve die at the front door. They won't even be bounced to me anymore. They will be officially pronounced dead when they arrive.
No. There were no viruses or other harmful programs sent out. None of the email had attachments. Nothing was delivered to your computer.
No. No one got your email address or had access to the list itself. The listserve was never violated. It was simply used to send email. No one entered it.
No. This won't happen again.
No. I don't want you to unsubscribe. (Unless you're one of the people that replied with heavy cursing you can go. Please. Go.)
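The listserve described earlier (an announce-only list where every reply should bounce to the owner), the auto-responder chain reaction, and the fix ("all replies die at the front door") can be modelled in a few lines. The following is an added example, not HTML Goodies' or Earthweb's software: it uses constructed addresses, constructed response rates, and a simplified assumption that a fixed share of subscribers auto-respond to every delivery. The auto-reply detection relies on the RFC 3834 `Auto-Submitted` header, the older `Precedence` convention, vendor `X-Auto*` headers and a subject-line fallback.

```python
"""Model of an announce-only mailing list gateway and the reply storm that
follows when the 'replies go back to the owner' check is switched off.
Added example with constructed addresses and rates."""

from dataclasses import dataclass, field

LIST_ADDR = "list@example.org"    # assumed list address
OWNER = "owner@example.org"       # assumed owner, the only legitimate poster


@dataclass
class Message:
    sender: str
    subject: str
    headers: dict = field(default_factory=dict)


def is_auto_reply(msg: Message) -> bool:
    """Recognise vacation/out-of-office responders by the RFC 3834
    Auto-Submitted header, the older Precedence convention, vendor
    X-Auto* headers, and as a last resort the subject line."""
    if msg.headers.get("Auto-Submitted", "no").lower() != "no":
        return True
    if msg.headers.get("Precedence", "").lower() in ("bulk", "junk", "auto_reply"):
        return True
    if any(h.lower().startswith("x-auto") for h in msg.headers):
        return True
    return msg.subject.lower().startswith(
        ("out of office", "automatic reply", "auto-reply", "autoreply"))


def gate(msg: Message, reply_policy: str) -> str:
    """What the list server does with a message arriving at LIST_ADDR.
    reply_policy: 'relay'  - the misconfiguration: every inbound message is
                            redistributed to the whole list (open reflector)
                  'bounce' - non-owner mail is forwarded to the owner only
                  'drop'   - non-owner mail is discarded at the front door
    Returns 'distribute', 'bounce-to-owner' or 'drop'."""
    if msg.sender == OWNER:
        return "distribute"
    if reply_policy == "relay":
        return "distribute"
    if is_auto_reply(msg):
        return "drop"            # never forward responders, even to the owner
    if reply_policy == "bounce":
        return "bounce-to-owner"
    return "drop"


def simulate_storm(reply_policy, subscribers=1000, autoreply_rate=0.02,
                   human_reply_rate=0.01, rounds=3):
    """Follow one stray post through `rounds` waves of responses. Assumes
    (a simplification) that a fixed share of subscribers auto-respond to
    every delivery and another share reply by hand to ask what is going on.
    Returns how many messages each subscriber received, how many reached
    the owner, and how many were discarded."""
    counts = {"per_subscriber": 0, "to_owner": 0, "dropped": 0}
    inbound = [Message("stranger@example.net", "Check out these basket kits")]
    for _ in range(rounds):
        outbound = []
        for m in inbound:
            verdict = gate(m, reply_policy)
            if verdict == "distribute":
                outbound.append(m)
            elif verdict == "bounce-to-owner":
                counts["to_owner"] += 1
            else:
                counts["dropped"] += 1
        if not outbound:
            break
        counts["per_subscriber"] += len(outbound)
        n_auto = int(subscribers * autoreply_rate)
        n_human = int(subscribers * human_reply_rate)
        inbound = []
        for m in outbound:
            # each delivered message provokes a wave of auto-replies ...
            inbound += [Message(f"user{i}@example.org", "Out of office",
                                {"Auto-Submitted": "auto-replied"})
                        for i in range(n_auto)]
            # ... and a few humans asking what is going on
            inbound += [Message(f"user{i}@example.org", "Re: " + m.subject)
                        for i in range(n_auto, n_auto + n_human)]
    return counts


if __name__ == "__main__":
    for policy in ("relay", "bounce", "drop"):
        print(policy, simulate_storm(policy))
```

With the defaults, the `relay` policy turns one stray post into 931 messages per subscriber within three waves, while `bounce` delivers exactly one message to the owner and `drop` discards it; the auto-reply check additionally keeps out-of-office mail from reaching the owner even under `bounce`. The rates are invented; the growth pattern is the point.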
It's Saturday morning and I am still getting emails regarding the incident. Luckily I can reply that all is well now. I've decided to take Saturday off, go out to breakfast, and allow my day-long headache to go away.
That's that. Thanks for reading and thanks for sticking around.
Joe Burns, Ph.D.
And Remember: I went out this past weekend to get some new shoes for school. The salesman used that metal measuring instrument to assure me I still wear a thirteen. Do you know what that instrument is called? A Brannock device.