The DDoS attack of a different kind – 65,000 e-mails overload server!

M.Sc. Chris Wojzechowski

An e-mail to 65,000 recipients can put a strain on your own infrastructure and amount to a DDoS attack of a different kind. E-mail distribution lists are handy: they let you address a target group without much effort. However, you should not overdo the size of the mailing list.

Calendar setting changed – all informed.

The mishap was triggered by an employee who changed the permissions on her shared calendars. Up to this point, this was day-to-day business. The mistake, however, lay in the wrong distribution list: all employees of the FHH (Free and Hanseatic City of Hamburg) then received an e-mail.

This alone can bring some e-mail servers to their knees. However, when colleagues pointed out the mistake to the sender, some of those e-mails were also sent to the entire mailing list. At that point, at the latest, the overload was complete and the e-mail servers were at their limit.

The somewhat different DDoS attack – self-triggered!

Reaching all employees quickly is very useful in an emergency or for sending an important message fast. But despite this usefulness, the target groups should be split into separate lists. This will increase the workload, but reduce the likelihood of such an incident.

Separating recipients into different lists also limits the damage that a compromised corporate e-mail account can cause. If there are several lists, the attacker must guess, try and test them. If there is only “one” list, enormous damage can be caused.

At the end of the day the problem was annoying rather than problematic. But the incident wasted plenty of working time: it took about 2 1/2 hours to normalize the infrastructure.

Large recipient lists, broadcast messages & newsletters

We recommend always using a newsletter service when sending mail to a large number of recipients. Above a certain quota these services incur costs, but your own infrastructure is not burdened. As a rule, employees do not need the right to send an e-mail to all employees. If this function is needed at this scale, it should be implemented via a newsletter service, which can also be a self-operated one if necessary.

My name is Chris Wojzechowski and I completed my Master's in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH and a trained IT Risk Manager and IT-Grundschutz practitioner (TÜV), and I possess the test procedure competence for § 8a BSIG. Our bread-and-butter business is performing penetration testing. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.