I had a pretty hectic 24 hours so I figured I would share with everyone; this could happen to you as well. First off, the night started about 7pm last night with ddos getting through the firewalls on my high risk box. This is nothing new; there are lots of new kinds of ddos that are basically legitimate requests and cannot be blocked. This afternoon when I talked to the owner Justin he said I was getting about 300 mbit. So 300 mbit was being filtered at the ddos firewall and a LOT got through that I had to ban manually. But this is usual, nothing special.
So after a long night with a few pots of coffee I decided it was time to crash, probably about 9:30 am. I went to check my mail before I crashed and saw about 200 bounces. Got to looking and they were all pharmacy spam. I was like “oh shit” and went directly into my server, shut down exim and went to investigating. So I looked about 2 hours, even interrogated some customers, and could not find anything. I was still getting steady bounces but saw nothing in the exim log or the apache processes.
So I submitted a server admin ticket to softlayer to let them take a look. Seems like they never fully read a ticket, at least the first guy didn't. I saw him log in to the server and look around some, then he replied to my ticket saying “If they start sending a spam attack again then tell us, we didn't see anything in the log”. So I think to myself, surely this guy doesn't think I have opened a ticket and am paying because I'm getting spam mails. Well, he did.
I finally get him on the right track. He investigates for a while, then finally says he just does not see any spam or any evidence at all. I could not fault him on that because I didn't either; I also did almost every find or slocate string I could think of to find any php, pl, or cgi files that send mail. I was pretty puzzled and had exhausted all options. I finally went to configserver and installed a few of their tools, then I saw that they offer an antispam service where they track spam on your server. I sent them a support ticket asking if they can do it today, probably only a few hours ago. Would have cost me $75.
I installed and ran this http://www.webhostgear.com/232.html and on the mail queue manager from configserver I could see all outgoing mail. Could not find anything: no php or perl mailers in home directories, nothing. I finally realized my domain and ip had been spoofed. They were using an email account I did not even have on the server. Why someone would do this, it's beyond me. I don't remember pissing off any spammers lately. Here is the final response from the softlayer ticket; this is someone from the abuse and security department.
“What seems to have happened is that the spammers had spoofed your email address. That is, they have sent out spam pretending to be from your domain. They did this using their own servers, and not through your server. And since they used their own server, there is nothing we can do to stop it. This is how most spammers work. But you need not worry about your server's IP being blocked because of the spam. If someone reports this spam, the Spam Authorities will be able to get the IP of the spammer's server from the spam mail, and they will add that IP to the blacklist and not yours.
Regards,
Vince”
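The quickest way to tell the two cases apart (spam really leaving your box versus someone forging your domain elsewhere) is to read the bounces themselves: a proper DSN carries the headers of the original message, and the Received line added by the reporting MTA records which IP actually handed it the spam. The script below is an added example and is not from the post or from softlayer or configserver; the bounce text, hostnames, addresses and the value of OUR_SERVER_IPS are constructed for the demonstration and would be replaced with a real bounce and your server's real public IPs.

```python
"""Triage a bounce (DSN) to decide whether the bounced spam actually left
our own mail server or was sent from elsewhere with our domain forged."""
import email
import re
from email import policy

# Constructed sample bounce (made-up domain, hosts, IPs and addresses).
# The DSN wraps the original spam's headers in a message/rfc822 part.
SAMPLE_BOUNCE = """From: MAILER-DAEMON@mx.example.net
To: sales@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Received: from mx.example.net (mx.example.net [198.51.100.7])
    by inbound.example.net with ESMTP id 1; Tue, 01 Jan 2008 09:00:00 +0000
Received: from example.com (unknown [203.0.113.55])
    by mx.example.net with SMTP id 2; Tue, 01 Jan 2008 08:59:00 +0000
From: sales@example.com
To: victim@example.net
Subject: Cheap pills
Message-ID: <abc@example.com>

buy now

--b1--
"""

# Assumed: the public IP(s) our own server sends mail from.
OUR_SERVER_IPS = {"192.0.2.10"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def original_message(bounce):
    """Return the original message embedded in the DSN, or None if omitted."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()
            return inner[0] if isinstance(inner, list) else inner
    return None


def reporting_mta(raw):
    """Hostname of the MTA that generated the bounce (from the DSN part)."""
    m = re.search(r"^Reporting-MTA:\s*\w+;\s*(\S+)", raw, re.M | re.I)
    return m.group(1).lower() if m else None


def connecting_ip(orig, mta):
    """IP that handed the message to the reporting MTA.

    Received headers below that hop are written by the sender and can be
    forged, so only the hop recorded by the reporting MTA itself is trusted."""
    received = [str(h) for h in (orig.get_all("Received") or [])]
    for hop in received:
        by = re.search(r"\bby\s+([\w.-]+)", hop)
        ip = IP_RE.search(hop)
        if by and ip and by.group(1).lower() == mta:
            return ip.group(1)
    # Reporting MTA unknown: fall back to the earliest hop (less trustworthy).
    if received:
        ip = IP_RE.search(received[-1])
        return ip.group(1) if ip else None
    return None


def triage_bounce(raw, our_ips=OUR_SERVER_IPS):
    """Classify one bounce as 'sent-from-our-server', 'spoofed' or 'unknown'."""
    bounce = email.message_from_string(raw, policy=policy.default)
    orig = original_message(bounce)
    if orig is None:
        return {"verdict": "unknown", "origin_ip": None, "claimed_from": None}
    ip = connecting_ip(orig, reporting_mta(raw))
    if ip is None:
        verdict = "unknown"
    elif ip in our_ips:
        verdict = "sent-from-our-server"
    else:
        verdict = "spoofed"
    return {"verdict": verdict, "origin_ip": ip, "claimed_from": str(orig.get("From"))}


if __name__ == "__main__":
    print(triage_bounce(SAMPLE_BOUNCE))
```

Run it over the bounces in the mailbox: a verdict of sent-from-our-server means the spam really originated on your IP and the server needs investigating, while spoofed means the connecting IP belongs to someone else and no amount of grepping exim logs or home directories will find a mailer. Bounces that strip the original headers come back as unknown and have to be judged from the text alone.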
So as long as they confirmed it and remember this situation, that's fine by me; I would hate to get suspended on down the road for something I didn't do. But it would also suck to get my ip blacklisted. Crap like this is just my luck: if there is a chance something crazy, stupid, and far fetched can happen to someone, it will most likely happen to me. As I say every time, just one of many things in a long line of bad luck, but oh well, can't whine about it, makes things interesting. I will say that if I was someone else and heard some of my stories I probably wouldn't believe them.
Thanks for reading my rant today, hope you enjoyed.