Comment On CAN-(ACCIDENTALLY)-SPAM

In early 2004, John was living it up in Argentina at a startup working on a VCI product. For those unfamiliar with Value Chain Integration, in layman's terms it synergizes backward overflow while optimizing cardinal grammeters in addition to allowing customers to parabolize slithy toves at the least embiggoned cost possible. The software's development was handled in Argentina, though there were offices around the globe. They were just starting to pull together a real, live QA team to replace the last QA team (one guy in one of the US offices). They were happily building their software, expanding the team, burning through their VC capital, and entertaining dreams of a huge IPO.

It didn't take long to assemble a full QA team — everyone was excited to work at a startup that was so full of potential. After some brief training, the new QA team was turned loose to do their worst to the in-development application. In a few days, the bug list had more than quadrupled in size. Developers cranked out fixes, and the testers found more bugs.

One issue that kept cropping up was that email alerts were unpredictable. Sometimes the alerts would arrive immediately, sometimes they'd come several hours later than they were supposed to, and more often than not the tester just wouldn't receive emails at all.

After reading the bug report's heading, John sighed. The email alert issue... again. Different members of the dev team had investigated the issue, checked in little changes, only for the issue to crop back up a few days later. They'd pored over the code time and time again, and couldn't find any reason that the application would fail at sending emails.

We've got to settle this once and for all, John thought. The case had been opened by one of the newer recruits on the QA team, Fred. John got up and walked to Fred's desk for a demonstration.

"OK, have a look," Fred said. He filled out a form and clicked a button, then Alt-Tabbed to his email. "So I should have an email now, right?" He hammered the send/receive button. Nothing.

Damn, John thought, hoping the bug wouldn't be reproducible and he could just close the issue and pretend it never happened. John returned to his desk and ran the same test, and it failed again.

This has to be a config- On the verge of a breakthrough, John's thoughts were cut short by his ringing phone. It was a call from the US, but strangely not from one of their US offices.

John: This is John.
Polly: Yeah, hi, my name is Polly. I'm calling because I want you to stop spamming us.
John: ...spamming you?
Polly: According to the CAN-SPAM Act of 2003, any and all electronic mail messages-
John: I'm sorry, Polly, I think you may have the wrong number. We're a tech startup, and we don't do any bulk mailings.
Polly: Does your company own and operate the mail server mail.[company].com?
John: Yes, we do, but-
Polly: But nothing! In the last twelve hours we've recieved... over seven thousand emails from you!
John: Are you sure it's from u-
Polly: And they're still coming in! Our mail server keeps crashing every time we bring it back online! The CAN-SPAM Act is very specific abou-
John: Wait, I'm sorry, I think I know what's happening. Give me five minutes.

During the brief conversation, John was checking up on their mail server, opening a few logs, and checking up on the outbound queue. What he saw was startling.

There were 109,311 messages queued for delivery to test@sdfjgi.com. All of which originated from Fred's system.

During some stress testing, Fred had gotten annoyed and overwhelmed by an avalanche of email alerts; often amassing thousands of emails per minute. As a quick fix so that he could test without destroying his inbox, Fred opened up a web browser and mashed his keyboard to get a random domain name — sdfjgi.com (changed to protect the innocent). When he opened it in a web browser and got a 404, he assumed that meant the domain was unregistered, and that it was therefore safe to bombard sdfjgi.com with tens of thousands of emails.

After the embarrassing incident, they realized that they could make some serious cash if they switched from VCI software into spamming, so that's exactly what they did. Just kidding, they added an option to turn off email alerts and continued testing.