Good example of how to deal with security 2

Posted by Pelle Fri, 27 Jan 2006 07:13:00 GMT

I use EasySpeedy for my hosting. They already provide the most transparent hosting plans and hosting contract I have seen, but they continue to impress me. I’ve got 2 servers there and will put my 3rd one there if need be.

Apparently one of their clients was spamming with spoofed IP addresses from other users on their network. This is obviously a big problem as no one wants to get blacklisted.

From the beginning they have been incredibly open about it and gone that extra yard in uncovering the spamming vendor of Viagra and Penis enlargers.

I am not 100% sure if he used one of my IP addresses. I haven’t got mail servers on any of my servers. Both of them do send outgoing mail, though, via ActionMailer in Rails.

Now what they did is send out a fantastic email that I will share with you below:

Dear Pelle,

You have recently been contacted by our Abuse Team concerning massive spamming which appeared to be coming from your server.

Your feedback made us feel more and more convinced that we had an IP hijacker within our network who had stolen your identity. This is why our Abuse Team asked you to use our Forensic Tool, to be found in your personal Control Center, to protect your server from further abuse and to alert you of the situation.

As you probably are aware of, we take pride in providing you with the real story when incidents happen – the facts, the causes, the solutions and the recommendations. That’s how we do business.

This is what happened

A skilled spammer, unfortunately a customer of ours, designed fake mail headers in a number of ways, including spoofing your IP address and using third-party ‘Return-Path’ and/or ‘From’ addresses – often @gmail.com addresses. The real server with the abused IP (belonging to you) gave the target MTA a valid response and the third-party ‘Return-Path’ and/or ‘From’ addresses received the bounce, if any. Owners of these ‘From’ addresses started complaining Jan. 17-18 2006, increasing in numbers over the days that followed. So did spam complaints on your IP!

The spammer used several of our customers’ IPs besides yours and bulk-mailed in odd patterns, i.e. giving only fractions of information in our regular network scan, until we started an emergency scanning on Jan. 19 2006.

Once alerted, we knew what to look for and we quickly found the patterns and subsequently tracked the spammer down some hours later.

The Spammer in question had his account terminated within minutes after the trace, and documentation has been handed over to the proper authorities.

Author’s Note

Unfortunately this situation could not have been avoided as we do not scan mail content due to our privacy policy.

It was simply brilliantly carried out. The spammer cleverly used the way MTAs communicate as part of the scheme and rarely generated bounces. Of course we received spam complaints, but at the time they started arriving on a large scale, we already knew they were fake. If you read your logfiles (and please do that on a daily basis) and find traces of messages regarding mail you know you have not sent, then start investigating at once and report to abuse@

Thank you very much for your co-operation.

The EasySpeedy Abuse Team

Anyway this is how you deal with a security issue. You don’t hide it, but offer full transparency immediately.

For more ideas on how to handle security in your web apps read my article Trust points and Breach points in Web Apps.
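As an added illustration of the header forgery the abuse team describes (this is not code from the original post or from EasySpeedy), the following Python script checks a forwarded spam complaint against the one Received: line that can be trusted: the line written by the MTA that accepted the message. Every hop below it was supplied by the sender and can claim any IP, which is exactly how a forged header ends up pointing at a server that never made the connection. All hostnames, IP addresses and message samples here are constructed; 203.0.113.10 stands in for the server's own outbound address.

```python
import re
from email import message_from_string

# Bracketed IPv4 literal as MTAs write it in a Received: line, e.g. "[198.51.100.77]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed: the address our own (ActionMailer) host sends from.
OUR_IPS = {"203.0.113.10"}

# Constructed spam complaint forwarded to us with full headers. The top hop is the
# complainant forwarding it, the second hop was written by the target MTA and records
# the real connecting host, and the bottom hop is the spammer's forgery claiming our IP.
SAMPLE_COMPLAINT = """\
Received: from mx.victim.example (mx.victim.example [192.0.2.5])
    by complaints.example (Postfix) with ESMTP id 99AA
    for <abuse@hoster.example>; Thu, 19 Jan 2006 09:00:00 +0000
Received: from ourhost.example (unknown [198.51.100.77])
    by mx.victim.example (Postfix) with ESMTP id 1A2B3C
    for <someone@victim.example>; Wed, 18 Jan 2006 03:12:44 +0000
Received: from ourhost.example (ourhost.example [203.0.113.10])
    by relay.fake.example with SMTP id FORGED1;
    Wed, 18 Jan 2006 03:12:40 +0000
From: innocent@gmail.example
Return-Path: <innocent@gmail.example>
To: someone@victim.example
Subject: constructed sample spam

(body omitted)
"""

# Constructed genuine notification that our server really sent.
GENUINE_MAIL = """\
Received: from ourhost.example (ourhost.example [203.0.113.10])
    by mx.victim.example (Postfix) with ESMTP id 7D8E9F
    for <someone@victim.example>; Wed, 18 Jan 2006 04:00:00 +0000
From: noreply@ourhost.example
To: someone@victim.example
Subject: constructed sample notification

(body omitted)
"""


def received_headers(raw_message):
    """Received: values, most recent hop first, with header folding collapsed."""
    msg = message_from_string(raw_message)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def connecting_ip(received_value):
    """IP literal in the 'from' clause: the address the writing MTA actually saw."""
    from_clause = received_value.split(" by ", 1)[0]
    match = IP_RE.search(from_clause)
    return match.group(1) if match else None


def written_by(received_value, mta_name):
    """True if the line claims to have been added by mta_name (its 'by' clause)."""
    match = re.search(r"\bby\s+(\S+)", received_value)
    return bool(match) and match.group(1).lower() == mta_name.lower()


def classify(raw_message, our_ips, target_mta):
    """Decide whether mail attributed to us really left our host.

    Only the Received: line written by target_mta (the MTA that accepted the
    message and whose operator we trust) is authoritative; every line below it
    was supplied by the sender and may be forged.
    """
    hops = received_headers(raw_message)
    trusted_index = next((i for i, h in enumerate(hops) if written_by(h, target_mta)), None)
    if trusted_index is None:
        return "unverifiable"      # no hop we can trust; ask for the raw headers
    real_ip = connecting_ip(hops[trusted_index])
    if real_ip in our_ips:
        return "originated_here"   # our server really made the SMTP connection
    claimed = {connecting_ip(h) for h in hops[trusted_index + 1:]}
    if claimed & set(our_ips):
        return "spoofed"           # our IP appears only in sender-supplied hops
    return "unrelated"


if __name__ == "__main__":
    for label, raw in (("complaint", SAMPLE_COMPLAINT), ("genuine", GENUINE_MAIL)):
        print(label, "->", classify(raw, OUR_IPS, "mx.victim.example"))
```

The check assumes the complainant forwarded the full headers and that you know which MTA accepted the message; without that line the result is "unverifiable", and the right move is to ask for the raw headers rather than conclude anything. Run over a day's complaints, it separates mail your server actually sent from mail that merely claims your address, which is the distinction the abuse team's note asks you to make before reporting.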

Share your confidential code safely with a Source Code Confidentiality Agreement on our free web service Agree2

Trackbacks

Use the following link to trackback from your own site:
http://stakeventures.com/articles/trackback/134

  1. Motorcycleoil From Motorcycleoil
    I am Petra, very interesting article that contained the information I was searching for in Google, thanks.
Comments


  1. Rob... Fri Jan 27 15:40:43 +0000 2006

    WoW!

    Kudos to EasySpeedy! Wouldn’t life be simpler if every company worked like that?!

  2. Olle Jonsson Wed Feb 01 15:08:14 +0000 2006

    Yes, that is the kind of “You Ain’t No Idiot Customer” emails I’d like to get once in a while.

    And Pelle: Great that you give the folks at EasySpeedy credit in public like this. Encouragement helps, I believe. Now I know more about them. (I’ll check them out now.)

    I’ve begun a similar “personally thanking people in the Open Source world” project, by sending them short fanmails. A cheap start, I guess, but 100% of these FOSS fan emails have been returned the same day with happy greetings.
