Virgin Media newsletter snowballs, burying customers with unwanted emails

The classic mistake when emailing a large number of people is to include all of their addresses in the cc: field rather than the bcc:

Doing that means that everyone gets to see everyone else's email address.

Which is fine if you don't mind complete strangers (including perhaps spammers, fraudsters, and pushy sales people) knowing that you're a subscriber to the newsletter and how to contact you.

But Virgin Media didn't make the cc: blunder. Instead, it screwed up in a different way.

Virgin Media wanted to advise customers of changes that were being made to how they could log into Google services (including YouTube, Chrome and Maps) with their virgin.net email addresses in future.

But when the company sent their newsletter out yesterday, it used a mailing list which wasn't configured properly.

As a result, anyone who *replied* to the message would have their response forwarded - via the mailing list - to all of the other people on the list.

And then, of course, people would inevitably reply to the unsolicited message with their own message - which would then get forwarded to everyone on the list again.

Before you know it, you have a snowball effect.

Users turned to Twitter to vent their annoyance, and Virgin asked people not to respond to the emails.

A small proportion of our customers have received an email from one of our suppliers which, if they reply-all, is sent to a wider group. We’re investigating exactly what has happened and, in the meantime, advise people not to respond to this email. We apologise for the inconvenience caused.

The good news is that no-one appears to have exploited the company's messed-up mailing list by intentionally sending a phishing message, or a link to a malicious website.

But the people who joined in on the email storm were, in the process, exposing their email addresses to others. Those addresses could then be scooped up by a spammer who might later launch an attack posing as, say, Virgin.

Even though it doesn't appear as if anyone abused the screw-up maliciously, it was clearly a nuisance for people on the list, who would have received hundreds of messages in their inboxes, effectively drowning out their legitimate mail.

If you run a mailing list, please be very careful with how you set it up. Otherwise, you might find yourself like Virgin Media - having to say sorry, over and over again.


2 Responses

  1. Philip Le Riche

    April 17, 2014 at 2:42 pm

    A number of people took the opportunity to run their own spam campaigns, advertising their own businesses, holiday cottages, YouTube videos, JustGiving campaigns etc. Had the professional spammers got in on the act then their efforts probably would have received even less attention than usual, assuming they got through Virgin's spam filter, which seems to work pretty well for me. Those who joined the email storm have most to worry about – their email addresses will now be on nearly every Virgin subscriber's computer, at least one of which (probably many more) I imagine will be harvesting email addresses for the spammers. The rest of us, hopefully, will not have had our email addresses compromised.

  2. Coyote

    April 18, 2014 at 9:50 pm

    Re: "If you run a mailing list, please be very careful with how you set it up. Otherwise, you might find yourself like Virgin Media – having to say sorry, over and over again."

    I would like to also point out that that isn't necessarily the wrong way to set it up. For a newsletter like an ISP, some organisation you are part of, and in general when only one person is to be mailing (and potentially – though not necessarily – the reply-to address will hit the bit bucket) then yes it would be a very bad thing indeed, just like Virgin Media did (although I would argue those replying made even worse a mistake, much like those who do in fact cc instead of bcc mass recipients when sending out mails to others without a mailing list to take care of it... the latter being the worst by a lot!).

    However, there are other mailing lists that _should_ be done this way (responding to the list which sends to everyone on the list). That is when it is – for example – a project that you work with others on, and you have the mailing list to discuss progress, ideas, decision making and any other internal affairs (and I suppose the occasional fun and funny email though most likely that is quite rare). If you don't do it this way, it is fine but only if you don't want a meaningful discussion. There is of course another variable: the response does not go to the list but rather the sender. Mailman (for example) has all three of these options (one sender only, response goes to sender, response goes to group) and others (remove from, reply-to and sender = now these are shown as the list address[es] as well as stripping reply-to in original message that weren't added by mailman).

    On the subject of having to say sorry: I think that especially applies to those who don't use bcc when sending to multiple recipients that either do not know each other or one or more of them do not want anyone else to see their address no matter who it is (the most cautious approach, which is what I insist others do… and those who don't follow will be berated by me quite harshly).

    Or to summarise my entire point (one might suggest I add this at the beginning but that is _far_ less fun for me) in one sentence (two versions though):
    "There's always an exception to the rule."
    and for those who are more rebellious:
    "Some rules are made to be broken."
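As an added example (editor's code, not the article's, Virgin Media's or Mailman's), the Python below simulates the three reply policies the comment above names for Mailman and the reply-all fan-out the article describes: a list with open posting whose Reply-To points back at the list turns each subscriber's reply into a message to everyone, while an announcement-only list (owner-only posting, replies to a sink) delivers exactly one copy. Every list address, subscriber and message in it is constructed; the policy names and the `MailingList` class are this example's own, not Mailman's configuration keys.

```python
"""Simulation of three mailing-list reply policies and the reply-all
fan-out the article describes. Added example: not Virgin Media's, the
article's or Mailman's code; all addresses and messages are constructed."""
from dataclasses import dataclass
from email.message import EmailMessage
from email.utils import parseaddr

# The three reply policies named in the comment above (names are mine).
REPLY_TO_SENDER = "sender"    # replies go back to whoever posted
REPLY_TO_LIST = "list"        # replies go to the list: a discussion list
REPLY_DROPPED = "dropped"     # replies go to a sink address: announcements

# Constructed fixtures (example.invalid is a reserved, non-routable domain).
LIST_ADDR = "newsletter@lists.example.invalid"
OWNER = "newsdesk@example.invalid"
SUBSCRIBERS = tuple(f"customer{i}@example.invalid" for i in range(1, 6))


@dataclass
class MailingList:
    address: str
    subscribers: tuple
    owners: frozenset
    open_posting: bool   # True: any address may post; False: owners only
    reply_mode: str
    sink: str = "noreply@example.invalid"

    def storm_prone(self) -> bool:
        """Open posting plus replies steered to the list is the combination
        that turns one subscriber's reply into a message to everyone."""
        return self.open_posting and self.reply_mode == REPLY_TO_LIST

    def reply_to_for(self, poster: str) -> str:
        if self.reply_mode == REPLY_TO_LIST:
            return self.address
        if self.reply_mode == REPLY_TO_SENDER:
            return poster
        return self.sink

    def expand(self, msg: EmailMessage) -> list:
        """Return (recipient, message) pairs for an accepted post, or []
        when the posting policy rejects it."""
        poster = parseaddr(str(msg["From"]))[1]
        if not self.open_posting and poster not in self.owners:
            return []
        out = EmailMessage()
        out["From"] = str(msg["From"])
        out["Subject"] = str(msg["Subject"])
        out["Reply-To"] = self.reply_to_for(poster)
        out["List-Id"] = f"<{self.address}>"
        out.set_content(msg.get_content())
        return [(rcpt, out) for rcpt in self.subscribers]


def _deliver(inboxes: dict, deliveries: list) -> None:
    for rcpt, msg in deliveries:
        inboxes.setdefault(rcpt, []).append(msg)


def _message(sender: str, to: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def simulate(mlist: MailingList, repliers: tuple) -> dict:
    """One owner announcement, then one reply from each address in
    `repliers`, sent to whatever Reply-To the list put on the copy they
    received. Returns {address: number of messages that landed there}."""
    inboxes: dict = {}
    owner = sorted(mlist.owners)[0]
    announce = _message(owner, mlist.address, "Changes to your login",
                        "Constructed announcement body")
    deliveries = mlist.expand(announce)
    _deliver(inboxes, deliveries)
    reply_to = str(deliveries[0][1]["Reply-To"])
    for addr in repliers:
        reply = _message(addr, reply_to, "Re: Changes to your login",
                         "Please stop sending me these")
        if reply_to == mlist.address:
            _deliver(inboxes, mlist.expand(reply))   # fans out if accepted
        elif reply_to != mlist.sink:
            _deliver(inboxes, [(reply_to, reply)])  # goes to the poster only
        # replies addressed to the sink are discarded
    return {addr: len(msgs) for addr, msgs in inboxes.items()}


def make_list(open_posting: bool, reply_mode: str) -> MailingList:
    return MailingList(LIST_ADDR, SUBSCRIBERS, frozenset({OWNER}),
                       open_posting, reply_mode)


if __name__ == "__main__":
    for label, ml in [("newsletter misconfigured as discussion list",
                       make_list(True, REPLY_TO_LIST)),
                      ("announcement-only list", make_list(False, REPLY_DROPPED)),
                      ("replies go to the poster", make_list(True, REPLY_TO_SENDER))]:
        print(label, "| storm-prone:", ml.storm_prone(),
              "|", simulate(ml, SUBSCRIBERS[:2]))
```

With five subscribers and two of them replying, the misconfigured list delivers three messages to every inbox after a single round, and each further round of "please stop" replies multiplies that again; the announcement-only list delivers one copy and rejects any post that does not come from an owner, which is the setting a one-way customer newsletter wants.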
