Nick Bright wrote: > Per some suggestions in the thread I was able to determine that they are > not using "mailto.php", but rather compose.php: > > /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500] > "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 > "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"; > > "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" Are you saying that was the only entry in the log from that IP? They only hit compose.php? If not, what was the sequence of events? Ken > > Nobody can reasonably expect an ISP to keep every single users' PC clean > of trashware constantly, so accordingly there needs to be some way to > mitigate the impact of this type of issue at the common point - the > SquirrelMail installation. It doesn't seem to me like this is a bug or a > security vulnerability in SM since a valid users' password was > compromised, but is there any way to mitigate this type of thing? > > I would appreciate any feedback regarding this topic and methods of > mitigating damage done by compromised accounts. I will also answer any > questions that may help develop a method of mitigation. > > - Nick Bright > Terra World > http://home.terraworld.net -- Ken Anderson Pacific.Net ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ -- squirrelmail-users mailing list Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995 List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
