AROUND MIDNIGHT ON TUESDAY APRIL 3, I strolled over to my trusty Macintosh to check the email one last time before retiring for the night. Sifting through the usual late night junk, I was quickened from my haze a few minutes later when the logs for the 'XusNET mail server (which hosts the SWORG SWILL mailing list) came roaring into my inbox on schedule but with extremely bloated mail volume numbers. A quick peek at those logs confirmed my suspicions. The server had been hijacked again for unsavory SPAM purposes.
Last year an attacker from outside was using our servers to relay a sales pitch of some sort or another, but a quick tweak of the security controls stopped that joker in its tracks. The next day I was alerted by ORBS, an automated email watchdog, that our mail server had been detected as an insecure email relay and was thus added to the ORBS database as a problem niche, which could have resulted in other sites blocking us, thus slowing or completely stalling our ability to serve any email at all. Instructions were given as to how to remove our site from this database, and since I had already fixed the problem, I was eager to oblige. All in all, an interesting experience, an eye-opener showing me that relative obscurity doesn't guarantee rote immunity to unwanted intrusions in cyberspace.
But last night was a whole different can of worms. Nothing I tried would stop the duplication of this single piece of email authored by one of our own and its subsequent remailing (to the tune of several thousand pieces by the time I finally solved the problem) to four or five addresses on the SWILL membership roll. The mail server was caught in some kind of memory loop. To make matters worse, I suspected that the culprit was an insider. The offending piece of mail was authored by none other than our own SWILL list buddy Reuben Keehan from down under, and so I shot off a friendly but accusatory note to him. It was 2 AM EST by this time and I had still not figured out exactly what was causing the loop effect. The evidence was this: Rebunk (Reuben) had in the past complained of duplicity issues corrupting his email, and while nothing of this stature had happened before, his SWILL postings had indeed arrived in bunches a few times over the past year or so, for which he always apologized.
Within the half hour, to my utter amazement, Rebunk responded, again with apologies, but short on detail in helping me troubleshoot the problem, although he did mumble something about "the fucker lurking about in my system". That was a decent clue. A mail program virus, perhaps? I still wasn't sure, so I banged out a few other hopeful quick fixes. No cigar.
By 4 AM I was desperate. I phoned Manus in Paris after Kubhlai in Nottingham failed to answer his kitchen line. It was sunrise for them both and I was cruising for any details, anything I could grasp to help sort this matter out. I also wanted to alert them that their mailboxes were being stuffed and that I was busy trying to stifle the bleeding. I had flushed Rebunk's corrupted mail down the toilet, but the generating process continued. I then tossed the mailing list subscriber database, but it was still bombs away. It appeared I had a worm which had burrowed into the application itself. By 5 AM, I was too weary to think, fighting back the sinus sniffles, and simply suspended the whole server for a few hours until I could explain the mess to my wife. Maybe she knew something.
Sure enough she had heard only recently of a creepy crawler spinning nasty habits which paralleled our very own regenerative email intruder, and so it was decided to simply trash the whole SWORG-talk list service until further notice, that is to say, until I established a new one. That did it. The mail log immediately returned to normal, and those folks unfortunate enough to be on the recipient end of this crisis were soon to see the last of that culprit. The next afternoon I created a new list from scratch, and everything was back to normal.
Gabriel Thy, April 4, 2001