5267a.bb.sky.com [94.5.38.122])
by tony-andersson.com (Postfix) with ESMTPSA id 9E26F24007
for <users@???>; Fri, 7 Dec 2012 09:57:19 +0000 (GMT)
Date: Fri, 7 Dec 2012 09:57:03 +0000
From: Tony Andersson <BitFolkList@???>
X-Priority: 3 (Normal)
Message-ID: <763976915.20121207095703@???>
To: users@???
In-Reply-To: <1706451964.20121207095251@???>
References: <20121207021942.GT3867@???>
<1706451964.20121207095251@???>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Virus-Scanner: Scanned by ClamAV on mail.bitfolk.com at Fri,
07 Dec 2012 09:57:20 +0000
X-SA-Exim-Connect-IP: 85.119.82.79
X-SA-Exim-Mail-From: BitFolkList@???
X-SA-Exim-Scanned: No (on mail.bitfolk.com); SAEximRunCond expanded to false
Subject: Re: [bitfolk] Proposal: Security incidents postings
X-BeenThere: users@???
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: Tony Andersson <BitFolkList@???>
List-Id: Users of BitFolk hosting <users.lists.bitfolk.com>
List-Unsubscribe: <https://lists.bitfolk.com/mailman/options/users>,
<mailto:users-request@lists.bitfolk.com?subject=unsubscribe>
List-Archive: <http://lists.bitfolk.com/lurker/list/users.html>
List-Post: <mailto:users@lists.bitfolk.com>
List-Help: <mailto:users-request@lists.bitfolk.com?subject=help>
List-Subscribe: <https://lists.bitfolk.com/mailman/listinfo/users>,
<mailto:users-request@lists.bitfolk.com?subject=subscribe>
X-List-Received-Date: Fri, 07 Dec 2012 09:57:20 -0000
Sorry about the excessive headers, that's a user error. Silly me! I'll
go to my room and think about what I have done. Sorry!
__
/ony
-------
Friday, December 7, 2012, 9:52:51 AM, Tony wrote:
> I think it is an excellent idea Andy!
> If the volume is low (as your later post suggests), personally I see no
> need to create yet another e-mail list for this. A subject line
> starting with a tag like [general security alert] would probably help
> people like me. Where the word "general" is the key. If I receive an
> e-mail saying [security alert] or such it would require immediate
> attention, whilst a general security alert is of a slightly lesser
> urgency. But that's just semantics. I'd be happy with whatever
> solution you come up with. This kind of info is, just like you write,
> quite interesting and enlightening.
> Cheers,
> __
> /ony
> -------
> Friday, December 7, 2012, 2:19:42 AM, Andy wrote:
>> Return-Path:
>> <users-bounces+bitfolklist=tony-andersson.com@???>
>> X-Original-To: BitFolkList@???
>> Delivered-To: BitFolkList@???
>> Received: by tony-andersson.com (Postfix, from userid 500)
>> id F090B24008; Fri, 7 Dec 2012 02:19:46 +0000 (GMT)
>> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
>> spamd3.lon.bitfolk.com
>> X-Spam-Level:
>> X-Spam-ASN:
>> X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,SHORTCIRCUIT
>> shortcircuit=ham autolearn=disabled version=3.3.1
>> X-Spam-Report:
>> * -0.0 SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule
>> * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
>> Received: from mail.bitfolk.com (bitfolk.com [85.119.80.223])
>> by tony-andersson.com (Postfix) with ESMTPS id CDB5524007
>> for <BitFolkList@???>; Fri, 7 Dec 2012 02:19:46 +0000 (GMT)
>> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bitfolk.com; s=alpha;
>>
>> h=Sender:Content-Type:List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Subject:MIME-Version:Message-ID:To:From:Date;
>> bh=vRbIloMoG9gJ141i3a7pQTJwQvEPRJCMNXFddRhCqVw=;
>>
>> b=NxPuc0+iwzaEN71o7gWpkatFlLBIa6VbsG3NyqWcaNeYmSPICkTDeE7lSNBNxJTkYf6Qjd5aA7LejgILtndux+t/cLXeYgjQpCIVUBp1/19AkTs9HrWRPAUWF6cDYGv6;
>> Received: from localhost ([127.0.0.1] helo=bitfolk.com)
>> by mail.bitfolk.com with esmtp (Exim 4.72)
>> (envelope-from
>> <users-bounces+bitfolklist=tony-andersson.com@???>)
>> id 1TgnXW-0001Mr-K4
>> for BitFolkList@???; Fri, 07 Dec 2012 02:19:46 +0000
>> Received: from andy by mail.bitfolk.com with local (Exim 4.72)
>> (envelope-from <andy@???>) id 1TgnXS-0001Lk-6E
>> for users@???; Fri, 07 Dec 2012 02:19:42 +0000
>> Date: Fri, 7 Dec 2012 02:19:42 +0000
>> From: Andy Smith <andy@???>
>> To: users@???
>> Message-ID: <20121207021942.GT3867@???>
>> MIME-Version: 1.0
>> OpenPGP: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc
>> X-URL: http://strugglers.net/wiki/User:Andy
>> User-Agent: Mutt/1.5.20 (2009-06-14)
>> X-Virus-Scanner: Scanned by ClamAV on mail.bitfolk.com at Fri,
>> 07 Dec 2012 02:19:42 +0000
>> Subject: [bitfolk] Proposal: Security incidents postings
>> X-BeenThere: users@???
>> X-Mailman-Version: 2.1.13
>> Precedence: list
>> List-Id: Users of BitFolk hosting <users.lists.bitfolk.com>
>> List-Unsubscribe: <https://lists.bitfolk.com/mailman/options/users>,
>> <mailto:users-request@lists.bitfolk.com?subject=unsubscribe>
>> List-Archive: <http://lists.bitfolk.com/lurker/list/users.html>
>> List-Post: <mailto:users@lists.bitfolk.com>
>> List-Help: <mailto:users-request@lists.bitfolk.com?subject=help>
>> List-Subscribe: <https://lists.bitfolk.com/mailman/listinfo/users>,
>> <mailto:users-request@lists.bitfolk.com?subject=subscribe>
>> Content-Type: multipart/mixed; boundary="===============1702776325=="
>> Sender: users-bounces+bitfolklist=tony-andersson.com@???
>> Errors-To:
>> users-bounces+bitfolklist=tony-andersson.com@???
>> X-Virus-Scanner: Scanned by ClamAV on mail.bitfolk.com at Fri, 07 Dec 2012 02:19:46 +0000
>> X-SA-Exim-Connect-IP: 127.0.0.1
>> X-SA-Exim-Mail-From:
>> users-bounces+bitfolklist=tony-andersson.com@???
>> X-SA-Exim-Scanned: No (on mail.bitfolk.com); SAEximRunCond expanded to false
>> Hello,
>> From time to time BitFolk customer VPSes occasionally become subject
>> to various kinds of compromise. Frustratingly, the kinds of
>> compromise encountered are generally the result of run of the mill,
>> completely preventable and unremarkable root causes.
>> I would like to find a way to raise awareness of these very simple
>> security concerns amongst the customer base, in order to hopefully
>> cut down on how often they happen.
>> I was thinking that if customers saw how often these things happen
>> to people very much like themselves then it might help remove some
>> of the "yeah I've heard of that but it will never happen to me"
>> mindset that we all regrettably can fall into.
>> So I was contemplating posting an email thread to this ("users")
>> list every time we become aware of a customer compromise, and I was
>> wondering what you thought of that idea.
>> It might look something like this:
>> Today at around 04:30 we became aware of a customer VPS
>> initiating an abnormal amount of outbound SSH connections (~200
>> per second). The VPS's network access was suspended and customer
>> contacted.
>> It was later determined that a user account on the VPS had been
>> accessed starting 3 days ago, via an SSH dictionary attack. The
>> attacker installed another copy of the SSH dictionary attack
>> software and set it going. We do not believe that root access
>> was obtained.
>> The amount of detail would vary because we may only become aware of
>> a compromise when the customer's VPS itself starts perpetrating
>> abusive activity, and then we rely on the customer to investigate
>> why that is.
>> If the customer is unable/unwilling to do this then we may never
>> know why their VPS began misbehaving. We don't examine customer data
>> unless given permission to do so, and even then this is often too
>> time-consuming to undertake on an unpaid basis. I would consider the
>> above an example of the maximum amount of detail we would go into.
>> No identifying information regarding the affected customer would be
>> shared. We already share non-identifying information similar to the
>> above to peers within the industry to aid deterrence and detection
>> of future abuses.
>> Would this sort of posting be welcomed or would it be unwelcome
>> noise? If the consensus is that it would be unwelcome noise then I
>> may create a new list specifically for it, but I would rather not do
>> so as then that is just another list that we have to raise awareness
>> of.
>> Please also note that those with an extremely low tolerance for
>> email noise may wish to quit this list and instead join the
>> "announce" list, as it contains only announcements from BitFolk with
>> no customer discussion whatsoever:
>> https://lists.bitfolk.com/mailman/listinfo/announce
>> http://lists.bitfolk.com/lurker/list/announce.html
>> (just 19 threads this year)
>> Thoughts?
>> Cheers,
>> Andy
> _______________________________________________
> users mailing list
> users@???
> https://lists.bitfolk.com/mailman/listinfo/users
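The sample incident quoted above describes a user account accessed via an SSH dictionary attack. As an added illustration (not part of the thread, and not BitFolk's own tooling), the following Python script shows the kind of check a VPS owner could run over their own sshd auth log to catch that pattern early: it counts failed logins per source address in a sliding window and, more importantly, flags a successful login that arrives from a source which had just produced a burst of failures. The log lines, host name, addresses, user names and the threshold of five failures in five minutes are all constructed for the example; the line format assumed is OpenSSH's standard "Failed password for ..." / "Accepted ... for ..." syslog output.

```python
"""Detect SSH dictionary-attack activity in OpenSSH auth-log lines.

Added example. The log lines below are constructed for illustration and
do not come from any real host. Format assumed: standard syslog lines
written by OpenSSH sshd (no year in the timestamp).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a burst of failures from 203.0.113.5 followed by a
# successful password login, then an unrelated key-based login from another host.
SAMPLE_LOG = """\
Dec  4 03:10:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40121 ssh2
Dec  4 03:10:02 vps sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 40130 ssh2
Dec  4 03:10:02 vps sshd[2105]: Failed password for root from 203.0.113.5 port 40141 ssh2
Dec  4 03:10:03 vps sshd[2107]: Failed password for bob from 203.0.113.5 port 40150 ssh2
Dec  4 03:10:03 vps sshd[2109]: Failed password for bob from 203.0.113.5 port 40163 ssh2
Dec  4 03:10:04 vps sshd[2111]: Accepted password for bob from 203.0.113.5 port 40171 ssh2
Dec  4 03:15:20 vps sshd[2200]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Dec  4 03:15:31 vps sshd[2202]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2012):
    """Parse one sshd auth line into a dict, or return None for other lines.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the double space in "Dec  4"
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def max_in_window(times, window_seconds):
    """Largest number of (sorted) timestamps that fall inside any window."""
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_dictionary_attacks(lines, threshold=5, window_seconds=300):
    """Return {ip: summary} for sources that look like password guessing.

    A source is reported when it produced `threshold` or more failures inside
    `window_seconds`, or when a login succeeded right after such a burst
    (the case in the incident write-up: the guess eventually worked).
    """
    per_ip = defaultdict(lambda: {"failures": [], "success_after": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        state = per_ip[ev["ip"]]
        if ev["result"] == "Failed":
            state["failures"].append(ev["ts"])
        else:
            recent = [t for t in state["failures"]
                      if 0 <= (ev["ts"] - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                state["success_after"].append((ev["user"], ev["method"], len(recent)))

    alerts = {}
    for ip, state in per_ip.items():
        peak = max_in_window(sorted(state["failures"]), window_seconds)
        if peak >= threshold or state["success_after"]:
            alerts[ip] = {"peak_failures": peak,
                          "success_after_failures": state["success_after"]}
    return alerts


if __name__ == "__main__":
    for ip, summary in find_dictionary_attacks(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The "success after a burst of failures" signal is the one worth paging on: a bare failure count only says someone is guessing, which is constant background noise on any Internet-facing SSH port, whereas a successful password login from the same source within minutes is exactly the account takeover described in the sample incident. The usual mitigations the thread alludes to still apply (key-only authentication, which makes the guessing pointless, and rate limiting), and this check is a way to notice when those were not in place.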
From matt@??? Fri Dec 07 10:05:34 2012
Received: from mx.bf.smtl.co.uk ([85.119.82.254])
by mail.bitfolk.com with esmtp (Exim 4.72)
(envelope-from <matt@???>) id 1TguoI-0003Ef-CM
for users@???; Fri, 07 Dec 2012 10:05:34 +0000
Received: from mailhost.smtl.co.uk (mailhost.smtl.co.uk [176.35.190.158])
by mx.bf.smtl.co.uk (Postfix) with ESMTP id 1B57694DEA
for <users@???>; Fri, 7 Dec 2012 09:58:47 +0000 (GMT)
Received: from localhost (localhost [127.0.0.1])
by mailhost.smtl.co.uk (Postfix) with ESMTP id EDFE214E947
for <users@???>; Fri, 7 Dec 2012 09:58:46 +0000 (GMT)
Received: from mailhost.smtl.co.uk ([127.0.0.1])
by localhost (ktinga.smtl.co.uk [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 28857-08 for <users@???>;
Fri, 7 Dec 2012 09:58:46 +0000 (GMT)
Received: from [10.187.129.148] (unknown [10.187.129.148])
by mailhost.smtl.co.uk (Postfix) with ESMTP id BD28914FB6A
for <users@???>; Fri, 7 Dec 2012 09:58:46 +0000 (GMT)
Message-ID: <50C1BDD7.8020703@???>
Date: Fri, 07 Dec 2012 09:58:47 +0000
From: Matthew Moore <matt@???>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
rv:16.0) Gecko/20121028 Thunderbird/16.0.2
MIME-Version: 1.0
To: users@???
References: <20121207021942.GT3867@???>
<1706451964.20121207095251@???>
<763976915.20121207095703@???>
In-Reply-To: <763976915.20121207095703@???>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new at smtl.co.uk
X-Virus-Scanner: Scanned by ClamAV on mail.bitfolk.com at Fri,
07 Dec 2012 10:05:34 +0000
X-SA-Exim-Connect-IP: 85.119.82.254
X-SA-Exim-Mail-From: matt@???
X-SA-Exim-Scanned: No (on mail.bitfolk.com); SAEximRunCond expanded to false
Subject: Re: [bitfolk] Proposal: Security incidents postings
X-BeenThere: users@???
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Users of BitFolk hosting <users.lists.bitfolk.com>
List-Unsubscribe: <https://lists.bitfolk.com/mailman/options/users>,
<mailto:users-request@lists.bitfolk.com?subject=unsubscribe>
List-Archive: <http://lists.bitfolk.com/lurker/list/users.html>
List-Post: <mailto:users@lists.bitfolk.com>
List-Help: <mailto:users-request@lists.bitfolk.com?subject=help>
List-Subscribe: <https://lists.bitfolk.com/mailman/listinfo/users>,
<mailto:users-request@lists.bitfolk.com?subject=subscribe>
X-List-Received-Date: Fri, 07 Dec 2012 10:05:34 -0000
On 07/12/12 09:57, Tony Andersson wrote:
>
>>> So I was contemplating posting an email thread to this ("users")
>>> list every time we become aware of a customer compromise, and I was
>>> wondering what you thought of that idea.
>
Another vote from me. Sounds good.
In the unlikely event that it gets too much trafficwise (which I
strongly doubt) then just set up a new list.
Cheers,
--
Matthew Moore
Surgical Materials Testing Laboratory
System Administrator
Telephone: +44 (0)1656 752165
Email: matt@???
From rich@??? Fri Dec 07 10:21:59 2012
Received: from atomic-x.co.uk ([2001:ba8:1f1:f1dc::2])
by mail.bitfolk.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
(Exim 4.72) (envelope-from <rich@???>) id 1Tgv4B-0004G6-9V
for users@???; Fri, 07 Dec 2012 10:21:59 +0000
Received: from [2001:470:1f09:11bb:1d5c:11fa:44ca:2563]
by atomic-x.co.uk with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:128)
(Exim 4.80) (envelope-from <rich@???>) id 1Tgv4A-0006cu-9o
for users@???; Fri,