In 2013, Nor Eply was born.

I was studying at Stanford, and realized that even though I was still a student, I already had a Stanford Alumni account and accompanying email address. I still don’t have a degree, but was pleasantly surprised to find out that you don’t need one to be an alumnus.

In the Stanford Alumni web interface, there’s a thoughtful option to set up aliases for your email address. They gave me abromberg@alumni.stanford.edu as a sensible default, but I could add andy.bromberg@, or if I started going by Andrew I could add andrewbromberg@, or I could add…

… anything I wanted? It seemed like, as long as it wasn’t taken, I could register any alias. And I could have 30 of them!

a@alumni.stanford.edu was taken, unfortunately. But ab@alumni.stanford.edu wasn’t — nice! Same with bromberg@alumni.stanford.edu.

But then I asked myself: why am I constraining myself to only my own name?

I grabbed my graduation year to-be, 2016@alumni.stanford.edu. Then sir@alumni.stanford.edu. Then o@alumni.stanford.edu.

And then I wondered… what else might be available? This is where things started to get interesting.

I picked up security@alumni.stanford.edu (seems like a dicey one to leave up for grabs). And it@alumni.stanford.edu (feels like that should have been reserved too). And billing@alumni.stanford.edu. And alumni.stanford.edu@alumni.stanford.edu.

And then, the best one of all: noreply@alumni.stanford.edu (or, as I later named it: “Nor Eply”).

Once I finished my haul of aliases, it was pretty late, and I went to bed satisfied.


noreply@ was a great username. But it wasn’t until the next day that I realized just how interesting it was.

I woke up to a pile of emails sent to noreply@alumni.stanford.edu, all of which landed right in my inbox.

But why were so many people sending emails to that address?

It turns out that the Stanford Alumni Association sends emails from that address all the time. In fact, it seems to be the default From: address for anything that goes through their web platform. And yet: they didn’t own the inbox. I did. They set it up as a sender, but not a receiver.

That means that any time one of Stanford’s hundreds of thousands of alumni replied to one of those automated messages, it landed in my inbox.

That morning, I found out the alumni reply to those messages a lot. Some of it was just autoresponders. But some were bona fide messages. Most of those emails seem to be because Stanford’s alumni web platform has a messaging app built into it, and when you receive a message, you get an email notification with the contents sent from — you guessed it — noreply@alumni.stanford.edu.

And what do many people do? They just respond to the message notification email and its contents, not noticing that they are sending to a noreply@ address.

I was blown away. But I didn’t want to see people’s personal correspondence, so I set up a filter, hid all the incoming emails, and promptly forgot about it — other than playing a couple pranks on friends with these official-seeming email addresses (nobody was harmed). Should I have deleted those aliases and reported them right away? Yes, probably, in hindsight. But I was an idiotic hacker-minded college kid. I apologize to anyone affected by this whole episode, but it’s over now and at least it makes for a good story.


A full decade later, in 2024, I got a scary-sounding email from a Stanford Alumni IT administrator:

Response requested - Misuse of your Stanford alumni email account

I was confused: they were telling me I was sending hundreds of emails. But I definitely wasn’t. I hadn’t touched my alumni account in a long time.

It took a minute for me to connect the dots, and then the memory of Nor Eply came rushing back.

I realized: I wasn’t sending those emails — they were. They saw hundreds or thousands of emails going out from noreply@alumni.stanford.edu (their very own automated emails from their very own web platform), looked up that address and saw it registered to me, failed to realize that they were sending those emails themselves, and then reached out to accuse me of abuse.

I found this very funny. Basically the equivalent of making your spouse an authorized user on your credit card, you yourself spending a ton of money on the card, and then yelling at them for transactions you made, forgetting that you were the one spending. Had they looked at a single one of the outbound emails, they would have realized it wasn’t me.

I had some brief correspondence with the administrator, gave him back noreply@alumni.stanford.edu (no objection from my end!), and that was it.

But for some reason, he left me with all the rest: security@, it@, billing@, and so on.


I couldn’t get the situation out of my head, so a few months later, I decided I should probably return the rest and suggest that they audit all the aliases and reserve a larger sensitive set of them.
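To make the suggestion concrete, here is an added example (my own illustration, not the Stanford Alumni platform’s code, and not the fix they actually deployed) of what an alias-registration policy and audit can look like. It puts the weak “not already taken” rule that let me register anything beside a hardened rule that refuses role names, hostname look-alikes and class years, sends anything that is not a form of the owner’s own name to manual approval, audits an existing alias table against that rule, and reports which platform sender addresses have an inbox the organization does not control. The reserved-name list (RFC 2142 role mailboxes plus common automated-sender names), the function names and the sample alias table are all assumptions constructed for the example.

```python
"""Alias-registration policy: weak rule beside hardened rule, plus an audit
over an existing alias table and a check of platform sender addresses.
Added example; reserved list, names and sample data are assumptions, not
the Stanford Alumni platform's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Reserved local parts: RFC 2142 role mailboxes plus common automated-sender
# and generic role names. Assumed list for this example, not the real one.
RESERVED_LOCAL_PARTS = frozenset({
    "postmaster", "hostmaster", "abuse", "webmaster", "security", "noc",
    "info", "marketing", "sales", "support", "usenet", "news", "www", "ftp",
    "noreply", "no-reply", "donotreply", "do-not-reply", "mailer-daemon",
    "admin", "administrator", "root", "it", "billing", "helpdesk", "alumni",
})

# Conservative syntax: 2-64 chars of [a-z0-9._-], starting alphanumeric.
LOCAL_PART_RE = re.compile(r"[a-z0-9][a-z0-9._-]{1,63}")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def normalize(local_part: str) -> str:
    return local_part.strip().lower()


def alias_allowed_weak(local_part: str, taken: set[str]) -> bool:
    """First-come, first-served: anything not already claimed is granted."""
    return normalize(local_part) not in taken


def derived_from_name(local_part: str, first: str, last: str) -> bool:
    """True for the usual forms of the owner's own name (abromberg,
    andy.bromberg, bromberg, ...); anything else is not name-derived."""
    lp, f, l = normalize(local_part), first.lower(), last.lower()
    forms = {l, f + l, f[0] + l, f + "." + l, f + "_" + l, f + "-" + l,
             l + "." + f, l + f}
    return lp in forms


def alias_allowed_hardened(local_part: str, taken: set[str], domain: str,
                           owner: Optional[tuple[str, str]] = None) -> Decision:
    """Refuse reserved role names, hostname look-alikes and all-numeric
    aliases; when the owner's name is known, anything that is not a form
    of that name goes to manual approval instead of being granted."""
    lp, dom = normalize(local_part), domain.lower()
    if not LOCAL_PART_RE.fullmatch(lp):
        return Decision(False, "invalid syntax")
    if lp in taken:
        return Decision(False, "taken")
    if lp in RESERVED_LOCAL_PARTS:
        return Decision(False, "reserved role name")
    if lp.isdigit():
        return Decision(False, "all-numeric")
    if lp == dom or dom in lp or lp.endswith((".edu", ".com", ".org", ".net")):
        return Decision(False, "looks like a hostname")
    if owner is not None and not derived_from_name(lp, *owner):
        return Decision(False, "needs manual approval")
    return Decision(True, "ok")


def audit_aliases(registered: dict[str, str], domain: str,
                  org_owner: str) -> list[tuple[str, str, str]]:
    """Return (alias, owner, reason) for every user-held alias the hardened
    policy would refuse; run once when tightening the rule, then on a schedule."""
    findings = []
    for lp, owner in registered.items():
        if owner == org_owner:
            continue
        d = alias_allowed_hardened(lp, set(), domain)
        if not d.allowed:
            findings.append((lp, owner, d.reason))
    return findings


def sender_exposure(from_addresses: list[str], registered: dict[str, str],
                    org_owner: str) -> dict[str, str]:
    """For each address the platform sends from, say who receives the replies."""
    report = {}
    for addr in from_addresses:
        owner = registered.get(normalize(addr.partition("@")[0]))
        if owner is None:
            report[addr] = "unclaimed: registrable by any user under the weak rule"
        elif owner != org_owner:
            report[addr] = f"replies go to user {owner}"
        else:
            report[addr] = "ok: organization owns the inbox"
    return report


if __name__ == "__main__":
    DOMAIN, ORG = "alumni.stanford.edu", "alumni-association"
    # Constructed alias table modelled on the post, not real registration data.
    registered = {
        "postmaster": ORG, "abromberg": "abromberg", "andy.bromberg": "abromberg",
        "noreply": "abromberg", "security": "abromberg", "it": "abromberg",
        "billing": "abromberg", "2016": "abromberg",
        "alumni.stanford.edu": "abromberg", "a": "someone-else",
    }
    for finding in audit_aliases(registered, DOMAIN, ORG):
        print("audit:", *finding)
    senders = ["noreply@" + DOMAIN, "postmaster@" + DOMAIN, "notifications@" + DOMAIN]
    for addr, status in sender_exposure(senders, registered, ORG).items():
        print("sender:", addr, "->", status)
```

The deny-list alone is not enough, which is why the hardened rule falls back to manual approval for anything that is not a form of the owner’s name: names like sir@ or o@ are harmless in isolation but still look official, and no list anticipates every one of them. The sender check is the other half of the lesson: any address the platform puts in From: must either be reserved or owned by the organization, or replies land wherever the alias happens to point.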

I wasn’t quite sure where to reach out — you know, security@alumni.stanford.edu would have been the natural point-of-contact, but as we’re aware at this point, that wouldn’t have gone anywhere other than my own inbox — so I reached out to all the vulnerability disclosure channels I could find, plus the support desk. I sent a detailed message with what happened and my suggestions.

They eventually got back to me with the following email (albeit confusingly referencing a change they say they made in 2003, when I was nine years old and certainly not pentesting the Stanford Alumni web platform):

RE: Responsible Security Vulnerability Disclosure regarding Email Alias Registration

And so I suppose this is my first security vulnerability disclosure. I’m told it is standard to put a timeline of events in such reports, and so here we are:

  • 2013: I set up the aliases
  • May 17, 2024: I get an email from the Stanford Alumni Association accusing me of sending spam
  • May 18, 2024: I reply and delete the requested aliases
  • December 13, 2024: I reach out to several Stanford vulnerability disclosure channels and the support desk, reporting the ability to create arbitrary aliases
  • January 7, 2025: the customer service desk replies and says they have hardened the system, making it impossible for users to create new aliases without requesting them from the support desk
  • January 13, 2025: with the issue resolved, I publish this post

Long live Nor Eply, and may the Stanford Alumni infrastructure remain secure.



And I'd love to hear from you directly: andy@andybromberg.com