E-mail Storm of April 3, 2003 and Lessons Learned

On the morning of April 3 an Exchange Outlook e-mail was sent to a very large list of addressees. The large volume of e-mail was compounded by the fact that the sender elected to send the message to many groups, who's membership overlapped. The content was objectionable to most of the recipients. A few persons reacted by using “REPLY ALL” to express various sentiments regarding the content of the original e-mail. Others expressed in various ways their displeasure at receiving such e-mail, some requesting that their names be deleted from such mailings.

The compounding effect of these several (more than 20) e-mails addressed to many recipients was to seriously degrade the performance of the Exchange Outlook e-mail system. This, in turn, caused significant interruption to communications and the conduct of university operations.

The AVP of CIS, Bob Cape, authorized the Exchange Administrators to stabilize the e-mail system by purging the lengthy queues of these yet-undelivered e-mails. In addition, the Exchange system administrator posted a message to Exchange clients, asking everyone to "Please IMMEDIATELY STOP sending Exchange Outlook e-mail addressed to many recipients and distribution lists" in an attempt to avoid further replication of the e-mail volume. Approximately three hours after the initial e-mail, Outlook Exchange was back to normal. CIS is investigating the entire matter and exploring ways to deal effectively with any future such incidents. In the meantime, there are some basic things all Exchange clients can do to help reduce the negative impact of such incidents when they do happen. The following text explains some of these options.

WHAT TO DO IF YOU RECEIVE UNWANTED E-MAIL

It is a natural reaction to want to open, read, and respond to e-mail messages. However, it is best to not respond to some messages, and it is advisable to not open questionable messages without verifying whether they are safe to open. When opening a message from an unknown sender, especially one with a subject line that makes you wonder why you received the message, consider the possibility that this message could be not only unwelcome, but it also could be a malicious e-mail with attachments that could have hidden functionality built in. When in doubt, consider calling the sender to verify whether in fact that person sent the message to you, and whether they are confident that it is not malicious. When you do respond to a mail message, it is important to consider whether you only are responding to the sender, or whether you are responding to all recipients of the original message. In some cases, such as the April 3 e-mail about gas prices that was distributed to the campus recipients, the act of several recipients replying to "all" generated many times more heavy e-mail traffic than did the original posting alone. It is also important to remember that some mass mailings are generated not by people, rather, they are generated by malicious software on an infected desktop computer. The malicious software causes the e-mail program on that desktop to generate mailings to large number of recipients by automatically sending infected e-mail to everyone in the address book of the e-mail program. By opening such mail, your desktop computer and e-mail program propagates the message further without your knowledge.

When e-mail storms, such as the one experienced on April 3, happen on the UNH campus, the e-mail administrators consider the situation a serious threat to a healthy operation of the e-mail system, and are obliged to begin immediately an assessment of the situation, and taking necessary steps to protect the mail system functionality. If you are a recipient of such mailing, and are not sure that the administrators are aware of the situation, please do not propagate the message further by replying to it, or by forwarding it. Please contact the CIS Help Desk and Dispatch center at 862-4242 to report it. If the staff already is aware of the situation, they will advise you so, and will confirm that the appropriate system administrators are working on the problem. As additional information becomes available, the Help Desk and Dispatch center will compile the information, share it with callers, and post it on the UNH web page in the "Service Status" pull down section of http://www.unh.edu/cis/. Depending on the severity of the situation, and the client groups affected, the Help Desk and Dispatch center will take additional steps to notify specific groups, or distribute the necessary information through other appropriate means.

As the use of e-mail grows, some senders are tempted to utilize the system to distribute information to large groups of recipients, without following established processes and without consideration of whether such e-mail is welcomed. As users of this community service, we all have a role in using the e-mail system responsibly, and respond constructively to misuse of the system. As individuals, some of our effective options to minimize the damage caused by, and discourage the use of unwelcome e-mail, is to not send such messages to large groups, to not respond to such messages, and to delete such messages when we do receive them.