Nick Bright wrote:
> Ken A wrote:
>> Nick Bright wrote:
>>
>>> Per some suggestions in the thread I was able to determine that they are
>>> not using "mailto.php", but rather compose.php:
>>>
>>> /var/log/httpd/access_log:196.1.179.183 - - [07/Oct/2007:21:54:10 -0500]
>>> "GET /webmail/src/compose.php?mail_sent=yes HTTP/1.1" 200 37102
>>> "http://webmail.terraworld.net/webmail/src/compose.php?mailbox=None&startMessage=0"
>>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>
>> Are you saying that was the only entry in the log from that IP? They
>> only hit compose.php? If not, what was the sequence of events?
>
> There were many hits from quite a few different IP addresses, and they
> all looked similar to that. I've extracted log entries from that IP
> address, and attached the file to this message.
>
> From what I can tell it logs in, then hits compose.php repeatedly.

That's odd. It really doesn't look like a bot. Perhaps it's using an IE
toolbar of some sort to control the browser. There is a CAPTCHA plugin,
and a "Password Forget" plugin, but when a bot behaves like a user, it's
hard to block without inconveniencing the user. :-\

Ken

>
> - Nick
>
>>
>> Ken
>>
>>
>>> Nobody can reasonably expect an ISP to keep every single users' PC clean
>>> of trashware constantly, so accordingly there needs to be some way to
>>> mitigate the impact of this type of issue at the common point - the
>>> SquirrelMail installation. It doesn't seem to me like this is a bug
>>> or a security vulnerability in SM since a valid users' password was
>>> compromised, but is there any way to mitigate this type of thing?
>>>
>>> I would appreciate any feedback regarding this topic and methods of
>>> mitigating damage done by compromised accounts. I will also answer any
>>> questions that may help develop a method of mitigation.
>>>
>>> - Nick Bright
>>> Terra World
>>> http://home.terraworld.net
>>
>

--
Ken Anderson
Pacific.Net

--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
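One way to turn the pattern Nick describes (a login, then compose.php?mail_sent=yes over and over from one address) into a detection an operator can run against the web server log, as an added example that is not part of this thread and not SquirrelMail code: a Python script that parses Apache combined-format access log lines (including the file-name prefix grep adds) and flags client addresses whose successful mail_sent=yes hits reach a threshold inside a sliding time window. The sample log lines, the 192.0.2.x addresses, the webmail.example.net host name, the threshold and the window length are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log line, optionally prefixed by the file name that
# grep prints (e.g. "/var/log/httpd/access_log:"), as in the quoted entry.
# Assumes IPv4 clients; an IPv6 address would collide with the prefix rule.
LOG_RE = re.compile(
    r'^(?:[^:\s]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The page SquirrelMail returns after a message is sent; counting hits on it
# is a proxy for "messages sent from this client address".
SENT_SUFFIX = "/compose.php?mail_sent=yes"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not
    match the combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_mass_senders(lines, threshold=10, window=timedelta(minutes=10)):
    """Return {ip: max_hits} for client addresses that reached `threshold`
    successful mail_sent=yes hits within any `window`-long interval."""
    sends = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, never crash on bad input
        if rec["status"] == "200" and rec["path"].endswith(SENT_SUFFIX):
            sends[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in sends.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits inside `window`.
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def _hit(ip, hhmmss, path, status="200"):
    """Build a constructed combined-format log line (example data only)."""
    return (f'/var/log/httpd/access_log:{ip} - - [07/Oct/2007:{hhmmss} -0500] '
            f'"GET {path} HTTP/1.1" {status} 37102 '
            f'"http://webmail.example.net/webmail/src/compose.php?mailbox=None&startMessage=0" '
            f'"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"')


# Constructed sample: one address logs in and sends 12 messages in two
# minutes; a second address opens the composer once and sends one message;
# one garbage line exercises the "skip unparseable input" path.
SAMPLE_LOG = [_hit("192.0.2.10", "21:50:01", "/webmail/src/webmail.php")]
SAMPLE_LOG += [
    _hit("192.0.2.10", f"21:5{i // 10}:{i % 10 * 6:02d}", "/webmail/src" + SENT_SUFFIX)
    for i in range(12)
]
SAMPLE_LOG += [
    _hit("192.0.2.77", "22:09:30", "/webmail/src/compose.php?mailbox=INBOX"),
    _hit("192.0.2.77", "22:10:00", "/webmail/src" + SENT_SUFFIX),
    "this line is not an access-log entry",
]

if __name__ == "__main__":
    for ip, n in find_mass_senders(SAMPLE_LOG).items():
        print(f"{ip}: {n} sends inside the window, review this account")
```

Because mail_sent=yes is only a proxy for a completed send, tune the threshold and window against what real users on the installation do before wiring the output into an alert or a firewall rule; the script is deliberately read-only so it can be run over historical logs first.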