Sorry to reopen a thread, but I am seeing the same issue as the original poster in this thread: http://sourceforge.net/mailarchive/message.php?msg_id=c11d02530709050557ldb78519i4cdecd1ea08dc368%40mail.gmail.com

In that I am seeing spam sent through my SM install. Packages are: CentOS 4.5 w/ squirrelmail-1.4.8-4.0.1.el4.centos.

Plugins are:

Installed Plugins
1. delete_move_next
2. squirrelspell
3. newmail
4. mpppolicygroup
5. quota_usage

Available Plugins:
6. translate
7. compatibility
8. spamcop
9. sent_subfolders
10. check_quota
11. filters
12. calendar
13. info
14. message_details
15. listcommands
16. mail_fetch
17. twc_weather
18. show_thumb
19. captcha
20. bug_report
21. fortune
22. lockout
23. administrator
24. addgraphics
25. abook_take

Apache version httpd-2.0.52-32.3.ent.centos4 w/ mod_access_rbl
PHP version php-4.3.9-3.22.9

Symptoms are: Somehow a botnet operator gets ahold of a valid username and password. I assume through trojan activity. The botnet then proceeds to send mail through squirrelmail using a *valid* username and password. I think that it is a botnet because the same username has many hits from widely varying IP addresses. Changing the password blocks the spam and stops the behavior.

I am certain that this is not a case of forged headers for the same reasons as the OP: Spam shows up in the Sent folder, disabling the account stops the spam, and I see the traffic in the web server logs. We have also been blacklisted on a couple of RBLs due to this issue.
Per some suggestions in the thread I was able to determine that they are not using "mailto.php", but rather compose.php:

/var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500] "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102 "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

It doesn't seem to me like this is a bug or a security vulnerability in SM since a valid user's password was compromised, but is there any way to mitigate this type of thing? Nobody can reasonably expect an ISP to keep every single user's PC clean of trashware constantly, so accordingly there needs to be some way to mitigate the impact of this type of issue.

This happened once before, but it was an assault against weak passwords in our accounting systems. We cleaned that problem up and as a result installed mod_access_rbl on the web server, which does RBL checks against spamcop - anyone that tries to log in to webmail has to make it past that RBL check, but still this has happened! The total number of spams in the user's "Sent" box was only a few hundred, so it seems like the RBL mod helped quite a bit, but still some IP addresses on the botnet were not RBL'd.

I would appreciate any feedback regarding this topic and methods of mitigating damage done by compromised accounts. I will also answer any questions that may help develop a method of mitigation.

If anyone is interested in the mod_access_rbl, I'm having trouble finding the original page, but I do have a patch file I can send you.

- Nick Bright
Network Admin
Terra World
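The detection the post describes (one account sending from many unrelated addresses, at a rate no human would) can be automated from the web server log, since every successful send leaves a `compose.php?mail_sent=yes` hit. The script below is an added example, not code from the original post or from the SquirrelMail project. It parses Apache combined-format access log lines, attributes each send to an account by joining on client IP against a login log whose format (`<apache timestamp> <user> <ip>`) is a constructed assumption rather than anything SquirrelMail writes, and flags accounts that exceed a distinct-IP count or a sends-per-hour burst threshold. All sample log lines and IP addresses are constructed; the thresholds (`max_ips`, `max_sends`, `window`) are illustrative defaults an operator would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format; we only need client IP, timestamp, request path and status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The send indicator visible in the post's own log line: compose.php with mail_sent=yes.
SENT_PATH = re.compile(r'^/webmail/src/compose\.php\?.*\bmail_sent=yes\b')
# Hypothetical login audit line (constructed format, not SquirrelMail's): "<apache ts> <user> <ip>".
LOGIN_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<user>\S+) (?P<ip>\S+)$')


def parse_ts(s):
    """Parse an Apache-style timestamp such as '07/Oct/2007:21:54:10 -0500'."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")


def extract_sends(access_lines):
    """Return (timestamp, client_ip) for every successful compose.php?mail_sent=yes hit."""
    sends = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or not SENT_PATH.match(m["path"]) or not m["status"].startswith("2"):
            continue
        sends.append((parse_ts(m["ts"]), m["ip"]))
    return sends


def build_ip_map(login_lines):
    """Map client IP -> username from the (hypothetical) login log; last login from an IP wins."""
    ip_map = {}
    for line in login_lines:
        m = LOGIN_RE.match(line)
        if m:
            ip_map[m["ip"]] = m["user"]
    return ip_map


def peak_in_window(times, window):
    """Largest number of events that fall inside any sliding window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_accounts(sends, ip_map, window=timedelta(hours=1), max_sends=10, max_ips=3):
    """Per account: total sends, distinct sending IPs, peak sends per window, and why it was flagged."""
    by_user = defaultdict(list)
    for ts, ip in sends:
        # Sends from an IP with no login record are kept under their own key, not dropped.
        by_user[ip_map.get(ip, "(unattributed)")].append((ts, ip))
    report = {}
    for user, events in by_user.items():
        ips = {ip for _, ip in events}
        peak = peak_in_window([ts for ts, _ in events], window)
        reasons = []
        if len(ips) > max_ips:
            reasons.append("many_ips")   # one account used from many addresses at once
        if peak > max_sends:
            reasons.append("burst")      # sending rate far above a human user's
        report[user] = {"sends": len(events), "distinct_ips": len(ips), "peak": peak, "reasons": reasons}
    return report


# --- constructed sample data (not from the original post) ---
def _hit(ip, ts, path):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 37102 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"'

SAMPLE_LOGINS = [
    "07/Oct/2007:21:40:00 -0500 alice 203.0.113.10",
    "07/Oct/2007:21:41:00 -0500 alice 198.51.100.7",
    "07/Oct/2007:21:42:00 -0500 alice 192.0.2.55",
    "07/Oct/2007:21:43:00 -0500 alice 203.0.113.99",
    "07/Oct/2007:21:45:00 -0500 bob 192.0.2.8",
]
_ALICE_IPS = ["203.0.113.10", "198.51.100.7", "192.0.2.55", "203.0.113.99"]
SAMPLE_ACCESS = [
    # twelve sends in under two minutes from four different addresses: the compromised account
    _hit(_ALICE_IPS[i % 4], f"07/Oct/2007:21:5{i // 6}:{(i % 6) * 10:02d} -0500",
         "/webmail/src/compose.php?mail_sent=yes")
    for i in range(12)
] + [
    # a normal user: opens the compose form (not a send), then sends twice over ten minutes
    _hit("192.0.2.8", "07/Oct/2007:21:50:05 -0500", "/webmail/src/compose.php?mailbox=INBOX&startMessage=0"),
    _hit("192.0.2.8", "07/Oct/2007:21:52:30 -0500", "/webmail/src/compose.php?mail_sent=yes"),
    _hit("192.0.2.8", "07/Oct/2007:22:00:10 -0500", "/webmail/src/compose.php?mail_sent=yes"),
    # a send from an address with no login record at all
    _hit("198.51.100.200", "07/Oct/2007:21:58:00 -0500", "/webmail/src/compose.php?mail_sent=yes"),
]

if __name__ == "__main__":
    report = flag_accounts(extract_sends(SAMPLE_ACCESS), build_ip_map(SAMPLE_LOGINS))
    for user, info in sorted(report.items()):
        print(user, info)
```

Run as a cron job over the last hour of `access_log`, a non-empty `reasons` list is the trigger to lock the account or force a password change, which is exactly the manual step that stopped the spam in the post. Joining on client IP is the weak point: an address that logged in as two users in the window will be attributed to the last one, so any login source that records the session cookie alongside the user would be preferable if it is available.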