You're an Accidental Spammer: What Do You Do When You've Been Hacked?

Submitted by Annaliese on Mon, 01/24/2011 - 11:14am

Gavin Clabaugh, Vice President and Chief Information Officer, Charles Stewart Mott Foundation

Effective IT management is more about wetware than it is about hardware and software: it's all about managing the intersection of technology and these rather strange things called people. Moreover, in the formula of Hardware + Software + Wetware, the tech is easy; the people are tough. We know what to expect from the tech, but people come with foibles and idiosyncrasies. People will surprise you. They will do things you'd never expect.

Because people are so ingenious, nothing is foolproof. If you think otherwise, Pollyanna is going to bite you in the butt. Avoid that bite by thinking the unthinkable: imagine what might go wrong and plan ahead.

Scenario: Spam, spam, spam, spam, spam, bacon and spam.

The following is real — or should I say, sotto voce, the following events occur in real time. The names have been changed to protect the paranoid.

Suddenly you're a spammer.

One of your web servers has been hijacked and has been sending out hundreds of thousands of messages from some fellow named "Wilson." Wilson is offering a "Free Video on how to earn $251,283" from something called an "affiliate strategy" with, of course, links. The links connect to a malware site that installs a drive-by Trojan. It's been going on for a few days, at least. And now, all of your messaging queues are overflowing with bounces and undeliverables (and nasty notes from former friends and colleagues).

Moreover, your bandwidth is overloaded as the poor abused SMTP server loops through the other eight hundred thousand pending messages, seemingly unable to deliver anything to anyone, including all the bounce-back notifications — which are, in turn, generating more and more notifications. Everything is spinning out of control. It's a server gone rogue.

What happened?

It seems your baby steps into the world of user-generated content and social networking have turned on you. Perhaps that innocuous "Share this Page" widget on your web site — through no fault of your own — has been turned to the dark side. Perhaps it's something else, but regardless the cause, some ingenious script-kiddy has turned the tables and suddenly you're responsible for thousands upon thousands of spam messages.

If that's not bad enough, right smack-dab in the middle of every [*ahem*] message is a reference to your web site, testimony to the time you spent setting up those nice tag lines: "Follow us on Twitter" and "Friend us on Facebook." Worse, there are a couple of thousand anti-spam-bots gunning for you now.

As a result of this mayhem, your email service has been blacklisted by every anti-spam system in the universe. Your email reputation is so far in the toilet that no one will accept delivery of your email. Staring at your rogue server, you consider "pulling a Palin" and quitting right there. All the while, the refrain from Alice Cooper's "Talk Talk" echos unbidden through your head:

My social life's a dud. My name is really mud. I'm up to here in lies. I guess I'm down to size.

The only saving grace is the fact the spam is coming from your web server and not your primary email system. On the other hand, it is the one used by everything on your web site, including your extranet. Consequently, none of your closest constituents, your membership, your friends and family and board, are getting any of the normal transactional messages — little things like password change confirmations, or perhaps receipts or other administrivia that makes the world go 'round.

What's the fix?

Sure, there are tech fixes here — holes to patch in your internet armor— but there are bigger problems too:

  • How do you get your good reputation back?
  • How do you take responsibility without taking the blame?
  • And, finally, what's an avoidance strategy for the future — one that anticipates what might be, but communicates that nothing is foolproof.

This is the first in a new series from guest contributor Gavin Clabaugh, Vice President and Chief Information Officer, Charles Stewart Mott Foundation. Every quarter, Gavin will provide hypothetical scenarios that could -- and maybe already have -- happen to your nonprofit. Now, it's your turn to respond: what would you do? Please share in the comments, below.