> Please provide more information about your setup.
> 1. SquirrelMail version

1.4.4 (have not upgraded due to various themes, etc we have installed)

> 2. All modifications made in standard SquirrelMail scripts

None

> 3. List and order of enabled plugins with version numbers.

Installed Plugins
1. sqclock
2. show_user_and_ip
3. calendar
4. abook_take
5. squirrelspell
6. msg_flags
7. attachment_common
8. bookmarks
9. compatibility
10. smallcal
11. delete_move_next
12. message_details
13. view_as_html
14. check_quota
15. abook_import_export
16. variable_sent_folder
17. auto_prune_sent
18. templates
19. bounce
20. autocomplete
21. startup_folder
22. empty_trash
23. sent_confirmation
24. login_auto
25. unsafe_image_rules
26. html_mail
27. translate
28. newmail
29. filters
30. folder_sizes

No clue about versions, sorry.

> 4. Spam message headers and body. Replace private information with
> user@xxxxxxxxxxx, mail.example.org and xxx.xxx.xxx.xxx

Return-Path: <claimsdept_1@xxxxxxx>
Received: from rly-yj03.mx.aol.com (rly-yj03.mail.aol.com [172.18.180.141])
        by air-yj01.mail.aol.com (v119.9) with ESMTP id MAILINYJ11-80846ddfd991a2;
        Tue, 04 Sep 2007 20:51:57 -0400
Received: from smtp2-ha.chilitech.net (smtp2-ha.chilitech.net [63.174.244.23])
        by rly-yj03.mx.aol.com (v119.9) with ESMTP id MAILRELAYINYJ38-80846ddfd991a2;
        Tue, 04 Sep 2007 20:51:37 -0400
Received: (qmail 10118 invoked from network); 5 Sep 2007 00:51:28 -0000
Received: from smtp6-ha.chilitech.net (HELO webmail1.chilitech.net) ([63.174.244.107])
        (envelope-sender <claimsdept_1@xxxxxxx>)
        by 0 (qmail-ldap-1.03) with SMTP
        for <rformic@xxxxxxxxxxxxxxxxxx>; 5 Sep 2007 00:51:28 -0000
Received: from 213.185.118.203 (proxying for 192.168.17.230)
        (SquirrelMail authenticated user raysmith)
        by webmail1.chilitech.net with HTTP;
        Tue, 4 Sep 2007 20:26:39 -0400 (EDT)
Message-ID: <58802.213.185.118.203.1188951999.squirrel@xxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 4 Sep 2007 20:26:39 -0400 (EDT)
Subject: WINNER APPROVAL.
From: "BRITISH NATIONAL LOTTERY" <claimsdept_1@xxxxxxx>
Reply-To: claimsprocessdept077@xxxxxxxxxxx
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-AOL-IP: 63.174.244.23
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo :
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from :
To: <Undisclosed Recipients>
X-Mailer: Unknown (No Version)

Dear winner.

We happily announce to you the Draw (#671) of the BRITISH NATIONAL
LOTTERY held on the 4th of sept, 2007.Your E-mail Address attached to
Ticket Number :4156189324, Agent ID Number:110 won you a total sum of
GBP 5,500,000.00 POUNDS STERLING.

Contact Mr. TALES SMITH
Claims and Release OrderDepartment,
Email:claimsprocessdept077@xxxxxxxxxxx
TEL: +44-704-573-7235
LONDON, UNITED KINGDOM
For claims validation.

Yours Truly,
Jenny Afred

> 5. PHP session.gc_maxlifetime value and other not default PHP session
> settings.

session.gc_maxlifetime = 1440

>
> Are you sure that trojans or worms are abusing webmail and not some broken
> form on your webserver?

Absolutely... again, when the accounts are terminated (e-mail access shut off) the spam stops (From that user). When I check the SENT box of the offending sending user, all of the spam that was sent is in the sent folder. Additionally, the FROM name and E-MAIL address have been changed to the spammers. (We have since disabled the ability of users to change their from e-mail and name in an attempt to discourage the spammers.)

The Synopsis seems to be: virus gets installed on machine. virus uses saved username/password values from IE to log into the webmail, change the username and password values and then start sending spam from the webmail interface.

As an example, here is a piece of spam in the sent box of one of the affected users:

Subject: CALL TO CONFIRM!!!
From: "Mrs. Becky Owen" <info_internationalawards006@xxxxxxxx>
Date: Wed, September 5, 2007 6:40 am
Priority: Normal
Options: View Full Header | View Printable Version | View Message details | Bounce | Report Spam | Not Spam

EUROPEAN PRIZE AWARD DEPT
1 Plough Place, London EC4A 1DE
UNITED KINGDOM
REF: WE67/4360/34
BATCH: 11/4578/GN

Dear Sir/Ma .

Top of days greetings to you.Finally today, we announce that you are one
of the winners of the ELECTRONIC LOTTERY PROGRAMS. held on 1st July,2007.
Your company and your personal e-mail addresses, attached to ticket
number: 7-1-8-36-4-22 under agent ID: 18 and lucky ball number
7363789,which consequently won in the Tenth lottery category. You have
therefore been awarded a lump sum pay out of 860,641.28 Great British
Pounds(GBP) which amounts to $1,500,000.00 (One Million,Five Hundred
Thousand United States DOLLARS).

The online draws was conducted by a random selection of email addresses
from an exclusive list of 29,031 E-mail addresses of individuals and
corporate bodies picked by an advanced automated random computer search
from the internet. No ticket were sold but all email addresses were
assigned to different ticket numbers for representation and privacy. This
is to encourage our prominent and consistent Microsoft Internet Explorer
users all over the world, and for the Continues use of E-mail.

Your fund has been insured with your identification number
{CPEL/OWN/9876}. To claim your winning prize, you must first contact the
claims department by email for Processing and remittance of your prize to
you.

Mr.David Nelson
TEL:+44-702-407-7543
TEL:+44-702-402-3245
TEL:+44-701-113-2446
FAX:+44-707-570-0301
EMAIL:european_lotterycompany04@xxxxxxxxxxxx

Do email the above email address all at once. In order to avoid
unnecessary delays and complications, please remember to quote your
reference and winning numbers in all correspondences with your claims
officer.
You are to keep all lotto information away from the general public
especially your ticket number and ballot number.All your personal datas
are to be sent to YAHOO/MICROSOFT ACCREDITED AGENT via email for the
processing of your winning.

FILL THE FORM BELOW WITH YOUR DATAS
1.Full Name:____________________
2.Address:______________________
3.Nationality:____________________
4.Age:______________________________
5.Occupation:____________________
6.Phone:________________________
7.State of Origin:_________________
8.Country:______________________

Sincerely,
Mrs. Becky Owen
Online Co-ordinator Secretary
====================================================
OUR Executives: Dr. P. Swier (CEO), Mr. Gerald Goodman (Manager Foreign
Operations), Mr. Franklyn Van Der Weijden (Manager Domestic Banking
Operations), Dr. James Williams (Director International Credit
Department), Mrs. Lonni K Anderson (Legal Representative), Mrs. Lyudmyla
Marchukova(Regional Manager), Mr. Stephen Boer (Chairman), Mr. Chris
Moritz(International Relation Officer).
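
The message above identifies the abused account from the `Received:` stamp SquirrelMail adds ("SquirrelMail authenticated user raysmith") and from the changed From address. The following is an added example, not part of the original post: a triage script that extracts that stamp and lists logins sending with a non-local From address. The function names `webmail_origin` and `flag_logins`, the From addresses, the second message and the domain `example.org` are assumptions made for the example.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Stamp format taken from the Received header quoted in the message above.
STAMP = re.compile(
    r"from (?P<client>\S+)(?: \(proxying for (?P<proxied>[^)]+)\))?"
    r" \(SquirrelMail authenticated user (?P<user>[^)]+)\)"
    r" by (?P<host>\S+) with HTTP"
)

def webmail_origin(raw):
    """Return login, client IP, proxied IP, host and From address, or None."""
    msg = message_from_string(raw)
    for received in msg.get_all("Received", []):
        m = STAMP.search(" ".join(received.split()))  # unfold the header first
        if m:
            return dict(m.groupdict(), sender=parseaddr(msg.get("From", ""))[1].lower())
    return None

def flag_logins(raw_messages, local_domain):
    """Map each login that used a non-local From address to those addresses and its client IPs."""
    report = defaultdict(lambda: {"foreign_from": set(), "clients": set()})
    for origin in filter(None, map(webmail_origin, raw_messages)):
        entry = report[origin["user"]]
        entry["clients"].add(origin["client"])
        if not origin["sender"].endswith("@" + local_domain):
            entry["foreign_from"].add(origin["sender"])
    return {user: e for user, e in report.items() if e["foreign_from"]}

# Constructed sample: the Received stamp in SPAM is the one quoted above; the
# From addresses, the HAM message and the domain example.org are made up.
SPAM = (
    "Received: from 213.185.118.203 (proxying for 192.168.17.230)\n"
    "        (SquirrelMail authenticated user raysmith)\n"
    "        by webmail1.chilitech.net with HTTP; Tue, 4 Sep 2007 20:26:39 -0400 (EDT)\n"
    'From: "BRITISH NATIONAL LOTTERY" <claimsdept_1@lottery.invalid>\n'
    "Subject: WINNER APPROVAL.\n\nDear winner.\n"
)
HAM = (
    "Received: from 192.0.2.10 (SquirrelMail authenticated user alice)\n"
    "        by webmail1.chilitech.net with HTTP; Tue, 4 Sep 2007 09:00:00 -0400 (EDT)\n"
    "From: Alice <alice@example.org>\nSubject: lunch\n\nNoon?\n"
)

if __name__ == "__main__":
    for user, entry in flag_logins([SPAM, HAM], "example.org").items():
        print(user, sorted(entry["clients"]), sorted(entry["foreign_from"]))
```

Run over the messages in users' Sent folders, this lists the logins to disable and the client addresses they were used from.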