The Frustrations with Social Engineering, Even in Support

I just got another first-hand experience in the difficulty of trying to affect computing through social engineering. Our fax forwarding people do their forwarding based on the cover letter. Whoever is listed on the From: line gets a TIFF of the fax forwarded to their e-mail inbox. Normally, this works great. However, just a few minutes ago, a customer sent a fax where the cover letter just had a generic destination. Since there was an e-mail alias that matched this generic description, the fax got forwarded, and targeted literally thousands of people.

My first reaction was confusion, since I hadn't looked at who it was intended for. (After all, you usually don't get a fax to a distribution list.) I looked it over, and when it didn't make any sense I finally looked at who it was intended for. I laughed, and thought about all the confused souls out there who will be getting this too. Then, the inevitable happened. Someone replied to all, saying the fax wasn't meant for them. Then the flood of Me Too's came. It reminded me in a painful way of the Bedlam DL3 fiasco that happened right after I joined Microsoft 7 years ago. The Exchange team covers it in all its painful detail here.

People who have been here long enough, and are "technical" enough to know better, are just as guilty of replying to everyone as anyone else. In this case, the smaller scale, Exchange 2003 servers, and the quick action of others prevented the disaster that Bedlam caused. Still, I can't help but wonder how we're supposed to prevent people from taking self-damaging actions when it seems it's part of human nature to do so, and ignore the mistakes of the past.