TITLE: How I took down mega-company’s e-mail with a single “rule”.
Some years ago, the company I worked for provided computer systems to many customers, including [mega multinational]. We also provided support and maintenance for these systems. In order to do this we needed access to the systems. [mega multinational] were very security conscious; our system was inside their company intranet, no access from the external Internet. We did not want to have to travel to the site every time we received a support call, so the company provided us with laptops which connected via a VPN into their internal network from outside, exactly like one of their employees working from home. These laptops were locked down tighter than a [choose your crudity]. No admin access, no installation of extra programs allowed, could not connect to my own employer’s network. So I now had 2 laptops on my desk.
With this laptop came an account on [mega multinational]’s domain, a [mega multinational] e-mail address etc. This had the disadvantage that when one of [mega multinational]’s employees wished to send me an e-mail, they entered my name in their e-mail and it defaulted to my [mega multinational] e-mail address, not [my company]’s one. I got phone calls complaining I had not responded to urgent e-mails. I now had to start up my [mega multinational] laptop and check e-mails twice a day, just in case somebody from this one customer had sent me one, a PIA.
Solution: In [mega multinational]’s e-mail client, set a “forward all” rule to [my company]. It worked. Saved remembering to check twice a day.
All went well for a few weeks. Then I came into work one Monday. Phone calls, [mega multinational]’s whole e-mail was down due to overloading and they were blaming us, claiming we were sending them thousands of e-mails.
It appeared that on Saturday [my company]’s e-mail provider had screwed up. All incoming e-mails were being returned to sender “domain not known”. A problem for my bosses to sort out.
The [mega multinational] e-mail address was also used to send daily status reports automatically. Sunday’s report was sent to [my company]. Return to sender “Domain invalid”. The rule I set up in [mega multinational] e-mail was forwarding it to [my company], return to sender ([mega multinational]) “Domain invalid”. Rinse and repeat many times per second. [mega multinational] e-mail overloaded and crashed. Worldwide.
Quickly log in to [mega multinational] and nuke the “rule”. Then wait a few hours for the backlog of thousands of e-mails to clear.
[my company] was told off, but in reality [mega multinational]’s e-mail should not have been that vulnerable. Back to checking my second laptop for e-mails twice a day.
And that is how I single-handedly broke a multinational company’s e-mail with one forwarding rule.