Free-Conversant Support / My Sincere Apologies
Subject My Sincere Apologies
Posted 4/29/2003; 8:36 PM by Seth Dillingham

To everyone on the Free-Conversant Support mailing list, I offer my sincerest apologies for the deluge of email that was sent to the list last night.

I won't play it down; I recognize that this was a huge problem for some people: a number of accounts were filled to the limits set by the ISPs that host them.

Those that didn't reach their limit didn't fare as well: they had to download hundreds of messages, each one larger than the one before.

For those of you who don't want details, I'll summarize: someone discovered a way to create a mail loop on any Conversant site, and did so last night. We killed the loop once we realized what was happening (this morning), but we didn't actually figure out what they did until this evening. The problem has now been corrected, and won't happen again.

For those who DO want details, read on.

Last night someone signed up (here on the support site) using the address <support-confirm@free-conversant.com>, and then subscribed to the mailing list. Due to the way the confirmation step works, this could have been done via email (by faking the "From" header to appear to have come from the confirm address, Conversant would send the confirmation step to itself) OR via the web site.

We're not sure which approach was used, and it doesn't really matter. Unfortunately, we have no idea who did this.

Once the -confirm address was subscribed to the mailing list, the work was done, the loop was in place. Here's what happened:

  1. Mark posted a message to the site.

  2. Conversant mailed it out, sending it to every address subscribed to the mailing list, including the support-confirm address. HOWEVER, remember that the To: address on the mailing list is always the address of the list itself (as it is on most mailing lists).

  3. The -confirm address received it, and forwarded it to the private address used by the free-conversant server for all incoming mail.

  4. Free-Conversant checked its mailbox, downloaded the message it just sent out, and checked the To: address to determine where to route it. Instead of seeing the -confirm address (which would have just resulted in an error, as there was nothing to confirm), it saw the -site address.

  5. As the message was FROM a member (Mark Morgan), and sent to the address for posting to the site, it was added to the message database.

  6. There's now a new message on the site, so return to step 2.

The fix for this was relatively simple, once the problem was understood. It's no longer possible to create a member with one of the email addresses used by a Conversant site on the same server. So if someone were to try this again, they wouldn't be able to sign up as support-site@, support-confirm@, support-subscribe@, support-unsubscribe@, or support-error@.

If it's any consolation, I was "bitten" by this worse than anyone else. Not only did this seriously irritate a lot of Macrobyte's clients (and potential clients), but I received all of those messages myself AND once the mailboxes started filling up I received all of the bounces (which were larger than the original messages).

I downloaded over 1500 email messages today, many of them quite large.

Again, my apologies for the problems this caused.

Sincerely,

Seth Dillingham
President, Macrobyte Resources
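
Added example, not part of the original post and not Conversant's own code: a small Python model of steps 1-6 above, together with the signup check the post describes as the fix. The function names, the member address mark@example.org and the max_rounds cap are assumptions made for illustration; the site name, domain and role suffixes are the ones listed in the post.

```python
# Added illustration; all names here are assumptions, not Conversant's code.
ROLES = ("site", "confirm", "subscribe", "unsubscribe", "error")  # suffixes named in the post

def normalize(addr):
    """Lower-case the address and strip a display name / angle brackets."""
    addr = addr.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.strip().lower()

def reserved_addresses(sites, domain):
    """Every address the server itself answers on, for every hosted site."""
    return {f"{s}-{r}@{domain}".lower() for s in sites for r in ROLES}

def can_register(email, sites, domain):
    """The fix: refuse membership for an address the server owns."""
    return normalize(email) not in reserved_addresses(sites, domain)

def simulate(subscribers, site, domain, author, members, max_rounds=10):
    """Count how many times one post ends up in the message database."""
    own = reserved_addresses([site], domain)
    to_header = f"{site}-site@{domain}"        # To: is always the list address
    posts, pending = 0, 1                      # step 1: one member post
    while pending and posts < max_rounds:      # cap stands in for "until someone kills it"
        pending -= 1
        posts += 1                             # message stored on the site
        for rcpt in map(normalize, subscribers):       # step 2: mail-out
            if rcpt not in own:
                continue                       # ordinary subscriber, no feedback
            # step 3: the copy lands in the server's own inbox.
            # step 4: routing looks at To:, not at the address that received it.
            role = to_header.split("@")[0].rsplit("-", 1)[1]
            if role == "site" and author in members:   # step 5: accepted as a post
                pending += 1                   # step 6: new message, mail it again
    return posts

# Constructed sample data
SITE, DOMAIN = "support", "free-conversant.com"
MEMBERS = {"mark@example.org"}
SUBS = ["alice@example.org", "<support-confirm@free-conversant.com>"]

if __name__ == "__main__":
    print("without check:", simulate(SUBS, SITE, DOMAIN, "mark@example.org", MEMBERS))
    safe = [a for a in SUBS if can_register(a, [SITE], DOMAIN)]
    print("with check:   ", simulate(safe, SITE, DOMAIN, "mark@example.org", MEMBERS))
```

Without the signup check the single post is re-added until the cap is hit; with the reserved address filtered out at signup, the post is stored once.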

REPLIES

Re: My Sincere Apologies
4/29/2003 by Clark Venable
Thanks for the explanation. If I'm reading this right, someone *intended* to


This site managed with Conversant, © Copyright 2009 Macrobyte Resources