Good example of how to deal with security

Published January 27th, 2006

I use EasySpeedy for my hosting. They already provide the most transparent hosting plans and hosting contract I have seen, but they continue to impress me. I’ve got 2 servers there and will put my 3rd one there if need be.

Apparently one of their clients was spamming using spoofed IP addresses belonging to other users on their network. This is obviously a big problem, as no one wants to get blacklisted.

From the beginning they have been incredibly open about it and gone that extra yard in uncovering the spamming vendor of Viagra and penis enlargers.

I am not 100% sure if he used one of my IP addresses. I haven’t got mail servers on any of my servers. Both of them do send outgoing mail, though, via ActionMailer in Rails.

Now what they did was to send out a fantastic email that I will share with you below:

Dear Pelle,

You have recently been contacted by our Abuse Team concerning massive spamming
which appeared to be coming from your server.

Your feedback made us feel more and more convinced that we had
an IP hijacker within our network who had stolen your identity. This is why
our Abuse Team asked you to use our Forensic Tool, to be found in your
personal Control Center, to protect your server from further abuse and to
alert you of the situation.

As you are probably aware, we take pride in providing you with the real
story when incidents happen – the facts, the causes, the solutions
and the recommendations. That’s how we do business.

****************************************************************************

This is what happened

****************************************************************************

A skilled spammer, unfortunately a customer of ours, designed fake mail headers
in a number of ways including spoofing your IP address and using third party
‘Return-Path’ and/or ‘From’ addresses – often @gmail.com addresses.
The real server with the abused IP (belonging to you) gave the target
MTA a valid response and the third party ‘Return-Path’ and/or ‘From’
addresses received the bounce, if any. Mails from owners of these
‘From’ addresses started complaining Jan. 17-18 2006, increasing in
numbers over the days that followed. So did spam complaints on your IP!

The spammer used several of our customers’ IPs besides yours and
bulk-mailed in odd patterns, i.e. giving only fractions of information
in our regular network scan, until we started an emergency scan on Jan. 19
2006.

Once alerted, we knew what to look for and we quickly found the patterns and
subsequently tracked the spammer down some hours later.

The spammer in question had his account terminated within minutes after the
trace, and documentation has been handed over to the proper authorities.

****************************************************************************

Author’s Note

****************************************************************************

Unfortunately this situation could not have been avoided as we do not scan
mail content due to our privacy policy.

It was simply brilliantly carried out. The spammer cleverly used the
way MTAs communicate as part of the scheme and rarely generated
bounces. Of course we received spam complaints, but at the time they
started arriving on a large scale, we already knew they were fake.
If you read your log files (and please do that on a daily basis) and find
traces of messages regarding mail you know you have not sent, then
start investigating at once and report to abuse@

Thank you very much for your co-operation.

The EasySpeedy Abuse Team

Anyway, this is how you deal with a security issue: you don’t hide it, you offer full transparency immediately.
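The daily log check the abuse team recommends above, written out as an added example that is not part of the original post and is not EasySpeedy’s Forensic Tool: it joins forwarded complaint headers against your own MTA’s outbound log and flags complaints that name one of your IPs for a Message-ID your server never queued. The Postfix-style log lines, the complaint headers, the hostnames and the IP addresses (documentation ranges) are all constructed for this example.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample: the IP(s) this server legitimately sends from.
OWN_IPS = {"203.0.113.10"}

# Constructed sample: outbound mail log in Postfix style (normally read from
# /var/log/mail.log). Only mail that this server actually queued appears here,
# e.g. the ActionMailer signup and password-reset mails.
SENT_LOG = """\
Jan 18 09:12:01 web1 postfix/cleanup[2211]: 7A1B2C3D4E: message-id=<signup-4412@app.example.com>
Jan 18 09:12:02 web1 postfix/smtp[2215]: 7A1B2C3D4E: to=<alice@example.org>, relay=mx.example.org[198.51.100.5]:25, status=sent (250 OK)
Jan 18 09:40:17 web1 postfix/cleanup[2290]: 8B2C3D4E5F: message-id=<reset-4413@app.example.com>
Jan 18 09:40:18 web1 postfix/smtp[2294]: 8B2C3D4E5F: to=<bob@example.net>, relay=mx.example.net[198.51.100.9]:25, status=sent (250 OK)
"""

# Constructed sample: two abuse complaints forwarded as raw headers. The first
# is a forgery of the kind described in the email: a Received header naming
# our IP plus a third-party gmail From, for a message we never queued. The
# second is a genuine message of ours that someone reported anyway.
COMPLAINTS = [
    """Return-Path: <someone@gmail.com>
Received: from web1.example.com ([203.0.113.10]) by mx.victim.example (Postfix) with ESMTP id 9F0A; Wed, 18 Jan 2006 10:02:11 +0000
From: someone@gmail.com
Message-ID: <0001.ads@web1.example.com>
Subject: cheap pills
""",
    """Return-Path: <noreply@app.example.com>
Received: from web1.example.com ([203.0.113.10]) by mx.example.org (Postfix) with ESMTP id 1234; Wed, 18 Jan 2006 09:12:02 +0000
From: noreply@app.example.com
Message-ID: <signup-4412@app.example.com>
Subject: Welcome
""",
]

LOG_MSGID_RE = re.compile(r"message-id=<([^>]+)>")
RECEIVED_IP_RE = re.compile(r"^Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I | re.M)
HDR_MSGID_RE = re.compile(r"^Message-ID:\s*<([^>]+)>", re.I | re.M)


def parse_sent_message_ids(log_text: str) -> Set[str]:
    """Message-IDs our MTA actually queued (taken from postfix/cleanup lines)."""
    return set(LOG_MSGID_RE.findall(log_text))


def claimed_ips(raw_headers: str) -> List[str]:
    """IPs named in the complaint's Received headers, most recent hop first."""
    return RECEIVED_IP_RE.findall(raw_headers)


def audit_complaint(raw_headers: str, own_ips: Set[str], sent_ids: Set[str]) -> str:
    """Classify one complaint against our own outbound log.

    'unrelated' - no Received header names one of our IPs
    'ours'      - names our IP and the Message-ID is in our outbound log
    'forged'    - names our IP but we never queued that Message-ID
    """
    if not any(ip in own_ips for ip in claimed_ips(raw_headers)):
        return "unrelated"
    match = HDR_MSGID_RE.search(raw_headers)
    if match and match.group(1) in sent_ids:
        return "ours"
    return "forged"


def audit_all(complaints: Iterable[str], own_ips: Set[str], log_text: str) -> Dict[str, int]:
    """Count complaints per verdict; a non-zero 'forged' count means someone is
    using your address in headers for mail you did not send."""
    sent_ids = parse_sent_message_ids(log_text)
    counts = {"unrelated": 0, "ours": 0, "forged": 0}
    for headers in complaints:
        counts[audit_complaint(headers, own_ips, sent_ids)] += 1
    return counts


if __name__ == "__main__":
    print(audit_all(COMPLAINTS, OWN_IPS, SENT_LOG))  # {'unrelated': 0, 'ours': 1, 'forged': 1}
```

Message-ID is a convenient join key but not a proof on its own, since a header can copy a real one; when a complaint looks genuine, also match the Received timestamp and the relay named in the complaint against the queue ID’s smtp line in the log. A complaint that names your IP and matches nothing in your log is exactly the trace the abuse team asks you to report.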

For more ideas on how to handle security in your web apps, read my article Trust points and Breach points in Web Apps.

About me

My name is Pelle Braendgaard. Pronounce it like Pelé the footballer (no relation). CEO of Notabene where we are building FATF Crypto Travel Rule compliance software.
