Beware the Unintended Network Attack

Sometimes, well-meaning employees can wreak havoc on your Exchange Server environment

Every office has at least one of these individuals: A well-respected longtime administrative assistant who occupies a parentlike role and is within a few years of retirement. Such a person is the last one you would suspect of crashing a huge email enterprise, but I recently learned of a situation in which this was the case.

The story begins with a gigantic, very carefully run Microsoft Exchange Server environment with hundreds of thousands of mailboxes spread across multiple sites and dozens of servers on each site. Careful controls were in place to limit the damage a user could do to the environment: strict mailbox size limits, carefully limited distribution lists (DLs), regular backups, and strict email policies. Yet none of these precautions protected the environment from a well-meaning employee's mouse clicks.

What happened was this. An administrative assistant much like the one I've described, whose responsibilities included corporatewide memo distribution, received an Internet hoax email message about a missing child. Not being Internet literate, and feeling genuine worry over the virtual lost child, the assistant used a dozen or so company mail lists to forward the hoax message to roughly a third of the company's email enterprise. What the assistant didn't realize was that those dozen addresses represented over 100,000 mailboxes.

The situation at that point would have been bad enough, but because large numbers of the new recipients of the hoax email message were Internet-savvy, they checked the hoax sites and felt obligated to send a Reply to All message informing recipients that the original message was a hoax. As a result, roughly 20,000 "ignore the hoax" messages were sent to a large percentage of the original 100,000-plus mailboxes. When the earliest "ignore the hoax" messages started to appear, most of the users who had also sent "ignore the hoax" messages realized that their messages were unnecessary and recalled them, which generated a recall message to every user who had received a later "ignore the hoax" message.

By that point, the email infrastructure was slowing to a crawl because all the message activity I've described took place in a very short period of time. Then, to add insult to injury, a huge number of recipients of all the messages related to the original hoax decided that they had been added to a mailing list and sent Reply to All messages requesting that they be removed from the list. When I last heard from them, the Exchange administrators in this environment had been working for 3 days to clean up after this unintended network attack that released close to a million email messages onto their network.

I'd like to say that I have an easy solution to this problem. I believe it happened because the administrative assistant was never clearly informed of the consequences of sending non-official email messages to multiple DLs. I'm certain of one thing: No one on this enterprise's very strong team of Exchange administrators ever imagined anything like this situation happening. You can be sure that their end-user training now explicitly addresses forwarding non-business-related email.

More About Hiding Folders from Users

I received more than 50 email messages with ideas and suggestions related to last week's commentary about hiding files on certain drives from specified users. Most of the suggestions require direct administrator interaction with server configurations; few offered an enterprisewide policy-based management solution. A couple of respondents pointed out that Novell NetWare already offers such a solution. I've passed the various ideas I received along to the site that was experiencing the problem, and I'll report in Windows Client UPDATE when I hear back about which solutions did and didn't work.
