The time I spammed Capitol Hill

April 25, 2008

The following story at Ish’s request.

It was only luck that woke me up a little before 4:00 on Friday morning, but it was a good opportunity to see if the automated newsletter we’d written for Congressional staffers had been sent successfully. So I waited until four, checked my email, saw the message had gone through, and breathed a little sigh of relief.

The message was also successfully a minute later. And at 4:02 am. And 4:03 am. It was being successfully sent every minute.

I had two questions: how do I stop this? And should I turn in my resignation letter now or wait to be fired?

What had happened was this. I was working as a government contractor for a part of the Legislative branch. They created a Congressional portal, and part of this portal was an event calendar. The event calendar itself was a pretty amazing technological feat, integrating data from many different sources and forcing different parts of this agency to cooperate in ways they’d never cooperated before. One of the promised features was an opt-in weekly mailing of Congressional events.

The portal had been up for nearly a year but nary a newsletter had gone out. And it was decided to take the easy way out: write a script that selected all the data out of the database, formatted it, and mailed it out to everyone. Then set up that script to fire at a certain time every week — what we in the UNIX world call a “cron job.”

So that’s what we did. We tested it, and it broke, and we fixed it and it worked, and then I set up the cron job. Which we didn’t test. In retrospect that was a poor choice.

Cron has a very rudimentary command-line interface. You write a string that looks something like:


0 4 * * 5 mail < spamEveryone.php


And it knows to mail the results of spamEveryone.php every Friday at 4 AM. The first digit is the minute, the second the hour, the third the day of the month, the fourth the month, and the fifth the day of the week. The above parses to: “the zero minute of the fourth hour every Friday.”

My cron string had a little error in it. It read:


* 4 * * 5 mail < spamEveryone.php


Which parses to: “Every minute of the fourth hour every Friday.” And that’s what was happening.

You can cancel cron jobs rather easily as long as you have access to the computer. Since I was a contractor and agency rules prohibited contractors having remote access to servers without getting written permission signed in triplicate and buried in a peat bog for twenty years, I did not have access to a command line. I was, however, able to upload files to the web server from home. So I wrote a script I could load in my web browser that would delete the list of subscribers, effectively ending the mailing.

That took me a while to think of and do. By that time, forty five copies had already been mailed.

People were understandably upset but I wasn’t fired and no one seemed to think I was supposed to resign. Higher-ups wrote a probably familiar-to-you “sorry for the inconvenience” mail message, but we only received one complaint anyway: someone who said “the event calendar looks good, but I only need one copy.” But I never wrote another cron job without someone looking over my shoulder, and never will.

Which is just good practice anyway.

Posted in Diary, Technology