Why reply all is a silent threat to modern business


Email forms a critical part of modern business operations, with this technology so prevalent that some individuals have multiple email accounts. Its ubiquitous nature, however, also makes it dangerous, with accidental reply-all messages potentially damaging business productivity and grinding IT systems to a halt. These email storms can even inadvertently replicate the effects of distributed denial of service (DDoS) attacks.

One reason reply-all storms pose such a risk is that they are so easy to trigger: a single reply-all to a multi-recipient email can accidentally disrupt an entire organisation. Reply all also places a significant load on servers, with demand for resources rising in proportion to the number of recipients and the number and size of attachments. “Data storage can be filled with surprising rapidity when a user sends a large document, especially one containing video media or similar, to multiple recipients locally,” explains Gary Smith, a customer services engineer for Capita.

Lina Siegl, a PhD researcher with the University of Manchester, also notes that reply all can disrupt productivity. “Even if it only takes you five minutes to pick up your thought where you left off, if this happens six times a day, you’ve lost 30 minutes a day,” Siegl says. “That means you probably spend over a day each month wasting time just looking at unnecessary email traffic.”

The perfect storm

A classic example of reply all causing an email storm was when a test email was sent to 840,000 NHS accounts in November 2016. This resulted in 186 million emails being sent as various recipients responded – also using reply all. The subsequent statement by the NHS had to be issued over the phone, as their email system had ground to a halt, according to BBC News.

It isn’t only the largest organisations that are at risk; relatively small businesses are too. For example, IT consultant Chris Clemson recalls an incident in which somebody sent a Christmas card to everyone in a company with several thousand mailboxes. “The email itself had an 8MB bitmap image file in it,” he says. “Then, people started replying saying ‘please don't send this’, while still including the 8MB picture, which exacerbated the problem. The only real damage it caused was poor performance for a day, some admin, and more helpdesk calls, but it showed how easy it is to make the problem worse.”

Another danger is inadvertently leaking data through a reply-all message to multiple recipients. Not only can this violate GDPR, but confidential and sensitive information may be shared. “Even the most honest business deal can be irreparably damaged if internal discussions and opinions are accidentally leaked to a business partner as if they were company policy,” Smith explains.

Such an incident occurred when a mother and child were moved to new accommodation to escape domestic abuse. Because the accused was representing himself in court, he was exchanging emails with solicitors and the court. He received, through a reply-all chain, an unredacted statement that included the mother’s new address. This isn’t the only example, however, with the Independent similarly reporting that family courts were putting domestic abuse victims at risk by sharing their addresses with abusive ex-partners.

Technological solutions for a human problem

One obvious mitigation is for organisations to block reply-all functionality entirely using information rights management (IRM) tools, which have been available for years. IRM, however, requires administrative effort to manage properly. “Active Directory (AD) allows the creation of permission groups, which become the basis for email policies,” explains freelance network administrator, Peter Gatehouse. “It isn’t a lot of extra work unless there’s a mass reorganisation; it's more creating a policy and allocating the respective groups.”

Alternatively, should organisations wish to retain the option of using reply all when required, there are various add-ons for your app of choice that allow the original sender to decide whether recipients can use reply-all messages. There’s also Microsoft’s Reply All Storm Protection tool, launched in May, which is intended for larger organisations using Office 365 or Exchange Online. This tool blocks all subsequent replies to an email thread for four hours once it detects ten reply-all emails to more than 5,000 recipients within the space of an hour. It still allows for some strain to be placed on the server, but far less than if it weren’t there.
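The threshold behaviour described above, modelled as an added Python example that is not Microsoft's code and not part of the original article. The exact counting and hold rules used by Exchange Online are an assumption here, as are the thread names and timestamps in the constructed sample; the point is to show how a simple sliding-window rule lets a handful of large replies through before a thread is put on hold.

```python
from collections import namedtuple
from datetime import datetime, timedelta
# One reply-all message as the mail server sees it (recipient list already expanded).
ReplyEvent = namedtuple("ReplyEvent", "thread_id timestamp recipient_count")

class ReplyAllStormGuard:
    """Simplified model (an assumption, not Microsoft's code) of the thresholds the
    article quotes: ten replies to more than 5,000 recipients within an hour put the
    thread on hold for four hours."""
    REPLY_THRESHOLD = 10
    RECIPIENT_THRESHOLD = 5000
    WINDOW = timedelta(hours=1)
    HOLD = timedelta(hours=4)

    def __init__(self):
        self._recent = {}       # thread_id -> timestamps of recent large replies
        self._held_until = {}   # thread_id -> when the hold on that thread expires

    def handle(self, ev):
        """Return 'delivered' or 'blocked' for one reply, updating the state."""
        held = self._held_until.get(ev.thread_id)
        if held is not None and ev.timestamp < held:
            return "blocked"                    # thread is on hold: drop every reply
        if ev.recipient_count <= self.RECIPIENT_THRESHOLD:
            return "delivered"                  # small reply: never counted
        recent = self._recent.setdefault(ev.thread_id, [])
        cutoff = ev.timestamp - self.WINDOW
        recent[:] = [t for t in recent if t > cutoff]   # slide the one-hour window
        recent.append(ev.timestamp)
        if len(recent) >= self.REPLY_THRESHOLD:
            # Tenth large reply inside the window: deliver it, hold the ones after.
            self._held_until[ev.thread_id] = ev.timestamp + self.HOLD
            recent.clear()
        return "delivered"

def run_guard(events):
    """Feed events through one guard in time order; verdicts grouped by thread."""
    guard, out = ReplyAllStormGuard(), {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        out.setdefault(ev.thread_id, []).append(guard.handle(ev))
    return out

# Constructed sample: a 6,000-recipient thread gets twelve replies five minutes apart,
# then one more after the hold has expired; a 20-person thread runs alongside it.
START = datetime(2016, 11, 14, 9, 0)
SAMPLE_EVENTS = [ReplyEvent("all-staff-test", START + timedelta(minutes=5 * i), 6000)
                 for i in range(12)] + [
    ReplyEvent("all-staff-test", START + timedelta(hours=5), 6000),  # 14:00, hold ended 13:45
    ReplyEvent("project-x", START + timedelta(minutes=7), 20)]
```

Running `run_guard(SAMPLE_EVENTS)` shows the first ten large replies delivered, the next two blocked, and the thread accepting mail again once the four-hour hold has lapsed, while the small thread is never touched.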

One of the key challenges is developing a solution compatible with multiple email clients. While all applications essentially operate in the same way, they don’t fully integrate with one another. Even where an organisation has strict email policies in place, external parties may not, unless this has been agreed in a contract beforehand.

Embedded attachments within reply-all messages, meanwhile, produce additional strain. They can be mitigated by blocking attachments and requiring internal staff to use collaborative platforms, or smart email systems. “Smart email systems recognise that the same file is going to everyone, and they cache a single copy on the server,” explains Gatehouse. “This can, however, still cause a flood of network traffic, if many people attempt to access a large attachment within a short timeframe.”

Life after email

Some people go so far as to shut down their email applications to avoid being distracted, but this means they could miss urgent information. Some recipients also use filters or rules to prioritise emails in which they’re addressed in the To field rather than CC or BCC fields. Senders of reply-all emails, therefore, need to be aware that any important information in their reply may be missed.

Reply all is, ultimately, a human problem, and whilst technological solutions exist to mitigate it, only a cultural shift in how we approach online communications will resolve it. One solution is training staff in how best to use email: encouraging the use of mailing lists, as well as appropriate communications platforms and collaborative tools for sharing information.

“If you want to send a message, where everybody can collaboratively speak about an issue, there’s a better format than reply all on an email chain,” Siegl says, adding you could create a group on communications platforms such as Teams and Slack, among a host of others.

Ultimately, reply all is a global problem, and little can be done to stop receiving reply-all emails from external parties. Nonetheless, with the appropriate safeguards and training in place, the worst effects of an email storm can be mitigated.