In a former life I was working for a large NHS organisation with a track record of inept IT. One non-clinical and completely non-essential vanity website had a trivially exploitable hole courtesy of an open SMTP relay and some PHP coded by an amateurish but highly paid vendor.
I raised this issue with the project team and the vendor. Apparently the attack vector and fix were "highly sophisticated", unlikely to be exploited, and would take some weeks to fix so sod off and stop being difficult.
So by way of demonstration I knocked up a quick Python script and sent a hundred or so automated emails to the project team and the vendor's helpdesk. They switched off the relay sharpish and had a code fix in place within a couple of days. Funny that.
Biting the hand that feeds IT
