MetaChat - Reply-All Strikes Again

MetaChat is an informal place for MeFites to touch base and post, discuss and chatter about topics that may not belong on MetaFilter. Questions? Check the FAQ. Please note: This is important.

03 February 2009

Reply-All Strikes Again So today I (and the rest of the school) get an email from my college's enrollment services. It was sent, obviously, to the URI student listserv (URI_STUDENTS@listserv.uri.edu).→[More:]

The email was as follows:

Dear Students,

The IRS has asked that we distribute the following information to our students to ensure they are aware of the Free File programs and the education benefits they may be entitled to. We have also enclosed a helpful link to the IRS Website for Students.

Now at the bottom, in blue text, very noticeable, is the following note:

This electronic mail and any attachments have been forwarded to students enrolled at the Unversity of Rhode Island for the Spring 2009 semester as part of the IRS outreach efforts to inform students regarding specific tax benefits they may be eligible for. Please do not reply by return email. Contact information for the IRS is included in each attachment.

I forward the email to my mother, and she tells me that we're all set.

A few hours later, however, I get another reply about the email:

HI Andrew,
Unfortunately, or fortunately(however you want to look at it) Daddy makes too much to qualify for anything.
Love, Mom

-Cindy
#########@twcny.rr.com
315 ###-0694/ cell 315 ###-4439

For those of you who don't know, my name is Andrew. My mother's name, however, is not Cindy. So I have no clue what the hell is going on. I call my mom and ask her about it, and she tells me the woman probably sent it to the wrong Andrew (there is another person at my school with both my first and last name, so it's not impossible).

I email the woman and tell her she has the wrong email address. That's pretty embarrassing, I thought.

Turns out it's a whole lot worse.
The woman, apparently ignoring who the email was from, did not send it to me, or to her son, but to the entire URI student listserv.
...oh boy.

I've been at the student newspaper office all night, and we just now got an email from the best friend of this woman's son.
Apparently her son has been getting hundreds of facebook friend requests, and the phone numbers that were included at the end of the email have been getting phone calls all night.

The kicker?

According to this guy the woman is planning on "suing the school for all the disruption this has caused."

Hahahahaha. OK.

He sent an email a few minutes later saying something along the lines of "my friend and his mother are refusing to talk to anyone about it so if you want to do this story you'll have to do it through me."

Sorry pal, there's no story here, just you writing in about this woman's really unfortunate and careless mistake.

I love people. This made my night.

post by: CitrusFreak12 at: 00:51 | 23 comments

uh oh. She's going to sue you for posting this.

posted by stavrogin 03 February | 01:07

This is major stupidity by the college too. Someone dosen't know how to set up a listserve. For such a widely distributed list someone needs to read up on Editor, Moderator, and Send settings.

posted by arse_hat 03 February | 01:10

You say "reply" I say "reply all".

Where's that telepathic interface when you really need it?

posted by trinity8-director 03 February | 01:10

arse_hat, could you explain? I'm not really all that tech savvy.

posted by CitrusFreak12 03 February | 01:21

Also see this related MeFi thread.. :)

posted by unsurprising 03 February | 01:27

unsurprising, it's not loading for me but if it's the one with the awesome "bananas in the kitchen" story, then yeah, that's pretty great.
I think this whole thing would make a pretty good stepping stone for a column, but I can't help but just want to republish the bananas in the kitchen story. It's so great.

posted by CitrusFreak12 03 February | 01:31

Well CF, listserv was written back when the Internet was still a small club and most people online knew most of the others. At it's most basic anyone can join the group and then send mail to the whole group. Anyone in the group can then reply to the whole group. This works fine in a small controlled setting like a group of 20 folks working on the same project.

When used for one to many broadcasting (that is one or a few people, like your college leaders, sending out stuff to a large number of people) then the people on the list should not be able to send stuff to the list or reply to the list. To allow everyone access to the listserv is folly and bad management and a great vector for spam and viruses.

unsurprising, that is something all together different.

posted by arse_hat 03 February | 01:37

Haha, I understand that it's a different scenario (with a different cause) than the MeFi thread, but the effect is very much the same - unless I'm totally misunderstanding something.

posted by unsurprising 03 February | 01:39

Exactly unsurprising.

posted by arse_hat 03 February | 01:41

To allow everyone access to the listserv is folly and bad management and a great vector for spam and viruses.

Yeah, that was my thought after your first comment, and is kind of why I thought this WASN'T the case, but apparently it is. I'm not really surprised.

I told my friend/editor that there could be a story there but she just kinda rolled her eyes at me. I think it'd be interesting.

posted by CitrusFreak12 03 February | 01:43

It's 2009 and institutions are still making basic information security mistakes sound like a story to me.

posted by arse_hat 03 February | 01:45

haha! I just read the "bananas" story. Beautiful.

It's a comment in the thread unsurprising linked, with 258 well-deserved favorites.

posted by taz 03 February | 01:47

CF, this could actually be a fantastic news story. Seriously. It's no frat party with vat so strong that twenty kids have to be taken to the ER for alcohol poisoning. It's not a fire, or a shooting, or a string of muggings across campus.

But c'mon. It's better than your usual "The cafeteria lines are too long" article -- which, by the way, was the package story on the front page of the orientation issue when I was a senior in college. (I have to say it looked great, even if it was the same fodder we ran year after year.)

Anyway, this listserv breach has a ton of angles: The main story is a breach of security. How many times has this sort of thing happened in recent years? (Info box with bullet points detailing each incident?) What does the school administration have to say about it? Sidebar, but only if you can actually interview the kid's mom: Mother to sue school because of listserv incident.

That is ... unless you can be the person who finally cracks that one unsolved college mystery: Who steals all the bikes? I spent four years wondering why we had so many bike thefts, and why no one was ever caught.

posted by brina 03 February | 01:59

PS. How many students are at URI? Quite a few, I imagine. What, if any, security measures does the university take to ensure that reply-all is not an option? Who called this woman? How many calls did she receive, and what was the content of the phone calls? What is she suing for? Does the university administration have any comment? What's to prevent people from spamming the entire student body now? What about viruses being spread through these e-mails? Are there any other security problems with the university's e-mail systems, web pages, etc.?

Now that I think of it, this happened once to a girl I was at school with. She got permission from the university to send a message to all students because she left her glasses in the library. She included her phone number, full name and mailing address in her e-mail. I do believe she was the unfortunate recipient of several packages, including adult diapers. Not that I had anything to do with it. Nope. Not a thing.

posted by brina 03 February | 02:06

"What's to prevent people from spamming the entire student body now?"

Some good news. I can't subscribe to the list. "Sorry, the URI_STUDENTS list is closed. Contact the list owner"

I also sent an email to the list. Good news there too. I CAN send email to the list but it must be vetted first. "Your message dated Tue, 3 Feb 2009 01:50:00 -0500 with subject "Hello" has
been submitted to the moderator of the URI_STUDENTS list:"

It does leave a question open. Why was this women's reply sent to everyone on the list? Either the list is still wide open to all it's subscribers OR it is moderated, but poorly.

posted by arse_hat 03 February | 02:17

Arse_hat, are you sending your test message from the same address that's subscribed to the list?

I've run majordomo lists (among friends) where you can reply freely as long as you're subscribed by the address you send from, or if I'd added your additional address(es) to a list. Otherwise you'd get shunted to moderating queue.

posted by loiseau 03 February | 03:02

No loiseau, I am a total outsider to the list so that's why I say it's good that I can't get in. "where you can reply freely as long as you're subscribed by the address you send from" That is exactly what I think is the problem.

posted by arse_hat 03 February | 03:08

Oh yeah, hell, that should be an announcement list... I wonder WTF they were thinking???

posted by loiseau 03 February | 03:19

I love those big reply-all parties. There was one on an NYU Stern (business school) listserv I was on a few years back. It was great, lots of lulz.

posted by ThePinkSuperhero 03 February | 09:23

What brina and arse_hat said: do the story from the broader angle. If you want another case study, my own alma mater, Connecticut College, managed to expose all alumni social security numbers last year during a server breach, and had to buy us all a year of data protection. It's kind of a huge deal.

Barring that - publish the best friend's letter only, for chuckles.

j/k about that last. Seriously - do the story. The University needs to get a handle on its communications policies and technologies. You can help push them in that direction before you find yourselves examining your future credit-card statements for identity theft.

posted by Miko 03 February | 11:34

Recently I had a need to switch billing services. Without asking, my business contact at the hospital gave my email address to a local billing service, and the manager, without asking, promptly added my name to a Cc: list (not Bcc) used to spam his customers.

I figured if the guy couldn't figure out how to work Bcc:, he wasn't going to be doing my billing. So I sent back a polite message thanking him very much for his time, and explaining that I had decided to outsource the work to a company in Wisconsin, called such-and-such, and here is their website, and they seem like nice enough folks and I'll let you know how it goes, but meanwhile, might as well take me off your list.

Whoopsie! Seems I hit reply-all! Looks like all your customers get to read my email! Gosh, sorry about that. Maybe you ought to learn how to use Bcc!

He took me right off the list.

posted by ikkyu2 03 February | 11:46

How devious, ikkyu!

posted by halonine 03 February | 14:47

So my friend/the editor never got back to me about whether it would make a good story idea or not. And I texted her asking about it tonight and she replied "We're already on it but there are some complications already."

...

So I guess other people are going to be writing this one. Even though I'm not sure how anyone could have beat me to it. Whatevs. I will continue my successful career of not ever writing for the paper.

posted by CitrusFreak12 03 February | 20:58

← OMG Read-Only Kitty! || 50 years ago today, →

HOME || REGISTER || LOGIN