Looping emails: Latest scourge of the Internet?

A simple system administrator mistake is now capable of practically disabling email systems worldwide, as recent incidents show
Written by Matt Loney, Contributor

When Roman Drahtmuller saw the volume of complaints his company was receiving from disgruntled emailers, some of whom had suddenly received hundreds of spam emails from the same source, he knew something was wrong.

"We are in trouble," wrote the security expert, who works for Linux distributor SuSE in Germany, in a reply to the spam victims. He proceeded to explain why.

The problem was that people around the world were apparently getting spammed by SuSE and up to 20 other companies. And the victims were not getting just one spam from each company, but hundreds. To make matters worse, every time one victim sent an email reply to complain, that email was forwarded on to everybody else on the list. Far from abating the torrent of spam, each complaint merely exacerbated the problem.

There was, it seemed, nothing anybody could do. Although companies such as SuSE looked to be the cause of the problem they, too, were victims: the emails appeared to be coming from mailing lists including security@suse.com, said Drahtmuller, but they were in fact originating from savoixmagazine.com, the Web site of a Singapore-based women's magazine.

So when Drahtmuller wanted to send out an email explaining the problem, it was easy to reach the victims; he simply sent his email to savoixmagazine.com.

"This is the problem," wrote Drahtmuller. "Someone has set his mail system to forward all email going to latestissue@savoixmagazine.com to a large list of recipients, mainly mailing lists (which is the reason why I get these emails here: security@suse.com is also on this list)."

In addition to security@suse.com, some help and subscribe lists were included; the type of addresses that tend to send out an automatic reply confirming receipt. All these automatic replies that were being sent back to savoixmagazine.com were bounced straight back out to the magazine's mailing entire mailing list -- including security@suse.com and the other such lists, resulting in a never-ending loop, and a torrent of emails for anybody unlucky enough to find themselves on the list.

"I will therefore shutdown/blackhole our mailing list server... until the problems with latestissue@savoixmagazine.com are solved," wrote Drahtmuller. "We at SuSE are sorry for this incident, but since we are not responsible for what is going on, there is nothing much we can do against it."

Most worryingly, said Drahtmuller, was that the actual culprits may not have been seeing the emails they produced.

The SuSE/SavoixMagazine incident, while unusual, was not unique. A US-based data recovery company recently found itself in the same situation, though it is not clear whether in this case the company was to blame.

When Drahtmuller contacted savoixmagazine.com's hosting company in the US, the situation slipped into the ridiculous as the hosting company tried to reply in Drahtmuller's native German language. "Even though we contacted them in English, they ran their response through Babelfish (translation software) so we couldn't understand what they were saying," he told ZDNet UK. "In the end we blocked their servers from our mail exchanges. We did what we could but the problem still existed."

Drahtmuller said that SuSE fixed the problem quickly, "within 40 minutes", but added, "There were still mails in queues everywhere in world directed back to security list," and these emails continued to propagate the loop.

Drahtmuller's belief was that the system administrators running savoixmagazine.com's server "didn't know what they were doing." The problem, he said, was that the server was stripping part of the email headers; this was why people receiving the emails did not see savoixmagazine.com's address at the top and instead believed them to be coming from SuSE's security mailing list.

"At savoixmagazine.com the mail headers were cut so it was almost impossible to find out where the mail originated from," said Drahtmuller. The everyday analogy is a letter stripped of its envelope that had the original return address printed on it, repackaged in a new envelope with a different return address, and forwarded on. "Usually mail loops like this are not possible with Unix systems because they always maintain the headers," he added.

Drahtmuller said the incident was probably an accident, rather than a malicious attack, but noted that it would be possible for a malicious person to create such an attack intentionally, and sometimes does happen when spammers forge sender addresses on email. "All you have to do is to get a set of email addresses, put them into a mailing list, and you could trigger such a loop. It doesn't happen frequently, but I have seen it a couple of times."

Savoixmagazine.com was not available for comment.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.

Editorial standards