Yes, I am certain that the email originated from a compromised user and was sent out through SquirrelMail. See below for a sample email.

Received: from 83.229.67.26 (SquirrelMail authenticated user auser) by mail.domain.net with HTTP; Fri, 9 Nov 2007 11:30:29 -0600 (CST)
Message-ID: <4319.83.229.67.26.1194629429.squirrel@xxxxxxxxxxxxxxx>
Date: Fri, 9 Nov 2007 11:30:29 -0600 (CST)
Subject: Cash Grant/Donation For Novenber 2007!!!!!!!!!!!
From: "SIR JERRY WILLIAMS FINANCIAL INVESTMENT" <finanical_investment@xxxxxxxxx>
Reply-To: sirjerrywilliams@xxxxxxxx
Bcc: adrian@xxxxxxxxxxxxx, adrianf86@xxxxxxx, adrianfausto@xxxxxxxxx, adrianfaw@xxxxxxxxx, adrian_ferdean@xxxxxxxxx, adrian_fidel@xxxxxxxxxxxxxx, Adrian@xxxxxxxx, adrian@xxxxxxxxxxxxx, adrianfintak@xxxxxxxxx, adrianfjc@xxxxxxx, Adrian@xxxxxxxxxxxxx, adrianflores420@xxxxxxxxx, Adrian@xxxxxxxxxxxxxxxx, adrianflowers@xxxxxxxxxxxxx, adrianford2@xxxxxxxxxxxxxx, Adrianfountravage@xxxxxx, adrianfp@xxxxxxxxx, adrianfrank@xxxxxxxxxxx, adrian_frncs@xxxxxxxxx, AdrianfUmoloch@xxxxxxxxxxxx, adrian@xxxxxxxxxxxxxxx, adrian@xxxxxxxx, adrian@xxxxxxxxxxx, adrian@xxxxxxxxxxxxxxxxxx, Adriangesticulatekeller@xxxxxx, adriangheorghe1981@xxxxxxxxx, adrian@xxxxxxxxxx, adrianglennclark@xxxxxxxxx, adrianglobal@xxxxxxxxx, adrian@xxxxxxxxxxxxxxxxxxxx, adrian@xxxxxxxxxxxx, adrian@xxxxxxxxxxxxxxxxx, adrian@xxxxxxxxxxxx, adrian_gomes2000@xxxxxxxxx, adriangonzalez1@xxxxxxxxxxxxx, adrian@xxxxxxxxxxxxxx, Adrian@xxxxxxxxxx, adrian_gore@xxxxxxxxx, adrian@xxxxxxxxxxxxxxxxxxxx, adrian@xxxxxxxxxxxxxxxxxxxxx, Adrian@xxxxxxxxxxxx, adrian@xxxxxxxxxxxxxxxxxxxxxxxx, adrian@xxxxxxxxxxxxx, adrian@xxxxxxxxxxxxx, adriangrice666@xxxxxxxxx, ***many more***
User-Agent: SquirrelMail/1.4.10a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal

SIR JERRY WILLIAMS FINANCIAL INVESTMENT
26 York Street, London W1U 6PZ. United Kingdom.
E-mail: mail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +44-701-113-7778

Good day,

I am Sir Jerry Williams, a private investor. I give out unsecured guarantee loans to Business Men and women who are into Business transaction, automobile purchase, house purchase loan and other personal loans E.T.C. I give out long term loan for five to fifty years maximum with 4% interest rate; in this you can as well tell me the amount you need so that i will send to you the terms and condition, that is if you are really interested in getting a loan from me. Loans are given out in Great British Pounds and United States Dollar; the maximum I give is 10,000,000 both in pounds and $USD and the minimum 5,000 pounds and USD$. I also render Collateral And Non-Collateral Loans For Your Business Start up. If you are interested in this offer please kindly fill out the application details below so that i can start the processing of your loan sum.

APPLICATION DETAILS
Full Name:..........................................
Contact Address:.............................
Phone:...................................................
Purpose of your loan.......................
Amount Needed as Loan:...............
Loan Duration:...................................
Annual Income:.................................
Gross monthly income....................
Occupation:........................................
Sex.............................
Date of Birth............................
Marital Status........................

In acknowledgement to these details, I will send you a well calculated Terms and Condition which will include the agreement. Furthermore be informed that you will also need a form of Identification which can be either a Driver's Licence or your working Identity card.

Regards
Sir Jerry Williams
Financial Controller/ Operation Manager
Tel: +44-701-113-7778.
-----Original Message-----
From: squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Philip Brazina
Sent: Wednesday, November 14, 2007 10:49 AM
To: Squirrelmail User Support Mailing List
Cc: Squirrelmail User Support Mailing List
Subject: Re: Spamming Through Squirrelmail

Have you looked in the INBOX.Sent to verify that they are logging in and sending the mail via SquirrelMail? I ask this since I do occasionally get rejects from mail I didn't send out, but someone is trying to spoof my mail server. In fact, the mail shows as being sent from an account I don't have on my server, and relaying is turned off. I know it is just a hoax.

Hopefully it will help.

Philip

>> Can you provide more information on how SquirrelMail is being used?
> We use squirrelmail, courier-imap, postfix and apache. We had a
> squirrelmail implementation with sendmail for years, but never experienced
> this issue. If you need more/different info, let me know.
>
>> What version of SquirrelMail? PHP?
> SquirrelMail Version: 1.4.10a
> PHP 5
>
>> Have you investigated how the accounts were compromised?
> As far as the user accounts, we are reviewing logs to determine if they
> bruteforced the accounts or if they just "knew" the passwds. My first
> thought was a virus/spyware/keylogger on a certain user's host, but it
> spread to a total of three users over the course of several days. We have
> asked the users to bring their PCs in to us so that we can take a look at
> them, but no such luck. I have been
>
> I ended up routing their IP block to null in my gateway router. Here is
> the IP range in case anyone else experiences this.
>
> 83.229.0.0 - 83.229.255.255
>
> Zack
>
> -----Original Message-----
> From: squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx
> [mailto:squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Jon
> Angliss
> Sent: Tuesday, November 13, 2007 8:57 PM
> To: Squirrelmail User Support Mailing List
> Subject: Re: Spamming Through Squirrelmail
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Zack
>
>> Greetings:
>>
>> We have seen quite a few user accounts that have been targeted
>> by spammers. That is to say, I think our users' passwds have been
>> compromised and the spammers are then sending out 100's of messages
>> through Squirrelmail and Postfix. Since we can't keep Squirrelmail
>> from sending out messages for our legit email, I didn't know if
>> there was a way to only allow "fubar.net" emails to be sent out and deny
>> "uglyasspammers.net".
>
> Can you provide more information on how SquirrelMail is being used?
> What version of SquirrelMail? PHP? Have you investigated how the
> accounts were compromised?
>
> - --
> Jon Angliss
> <jon@xxxxxxxxxxxxxxxx>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
>
> iD8DBQFHOmQJK4PoFPj9H3MRAiGAAKDbQ7ayMbpC1b9Pg+4/Zo+tt6V41gCcDIEr
> Sj/jPbuWYAOf3mO2us0zoVk=
> =er19
> -----END PGP SIGNATURE-----
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> -----
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> List info (subscribe/unsubscribe/change options):
> https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
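The check Philip asks for (did the mail really go out through an authenticated SquirrelMail session?) and the two signals Zack acted on (the 83.229.0.0/16 source range and the mass Bcc) can be turned into a small triage script run over a Sent folder or a mail spool. The following is an added example and is not code from the thread or from the SquirrelMail project; the sample messages are constructed, the /16 is the range Zack null-routed, and the 20-recipient threshold is an arbitrary value chosen for illustration.

```python
import email
import ipaddress
import re
from email.utils import getaddresses

# Shape of the Received header SquirrelMail 1.4.x stamps on a webmail submission:
#   Received: from 83.229.67.26 (SquirrelMail authenticated user auser)
#       by mail.domain.net with HTTP; Fri, 9 Nov 2007 11:30:29 -0600 (CST)
SQUIRREL_RECEIVED = re.compile(
    r"^from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\(SquirrelMail authenticated user\s+(?P<user>[^)\s]+)\)",
    re.IGNORECASE,
)

# Assumptions for this example: the /16 is the block null-routed in the thread,
# the recipient threshold is an illustrative value, not a SquirrelMail setting.
BLOCKED_NETS = [ipaddress.ip_network("83.229.0.0/16")]
MAX_RECIPIENTS = 20


def parse_webmail_submission(raw_message):
    """Return user, source IP and recipient count for a message that passed
    through an authenticated SquirrelMail session, or None if it did not."""
    msg = email.message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        # Unfold the header before matching; continuation lines carry "\n\t".
        m = SQUIRREL_RECEIVED.match(" ".join(received.split()))
        if not m:
            continue
        addr_headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
        recipients = getaddresses([" ".join(h.split()) for h in addr_headers])
        return {
            "user": m.group("user"),
            "ip": ipaddress.ip_address(m.group("ip")),
            "recipients": len(recipients),
            "user_agent": msg.get("User-Agent", ""),
        }
    return None


def reasons_to_flag(submission):
    """List why a webmail submission looks like a compromised-account spam run."""
    reasons = []
    if any(submission["ip"] in net for net in BLOCKED_NETS):
        reasons.append("source in blocked range")
    if submission["recipients"] > MAX_RECIPIENTS:
        reasons.append("%d recipients > %d" % (submission["recipients"], MAX_RECIPIENTS))
    return reasons


def triage(raw_messages):
    """Map each SquirrelMail account to the (source IP, reasons) of its flagged sends.
    Messages that never touched webmail are skipped, which is exactly Philip's point:
    a spoofed bounce has no authenticated-user Received line to match."""
    flagged = {}
    for raw in raw_messages:
        sub = parse_webmail_submission(raw)
        if sub is None:
            continue
        reasons = reasons_to_flag(sub)
        if reasons:
            flagged.setdefault(sub["user"], []).append((str(sub["ip"]), reasons))
    return flagged


# Constructed sample messages (not from the thread): a bulk send from the
# null-routed range, a normal webmail send, and an SMTP relay with no webmail hop.
SAMPLE_MESSAGES = [
    "Received: from 83.229.67.26 (SquirrelMail authenticated user auser)\n"
    "\tby mail.example.net with HTTP; Fri, 9 Nov 2007 11:30:29 -0600 (CST)\n"
    "From: \"Example Investor\" <investor@example.org>\n"
    "Bcc: " + ", ".join("user%02d@example.com" % i for i in range(30)) + "\n"
    "User-Agent: SquirrelMail/1.4.10a\n"
    "Subject: Cash Grant\n\nBody.\n",
    "Received: from 192.0.2.10 (SquirrelMail authenticated user bob)\n"
    "\tby mail.example.net with HTTP; Wed, 14 Nov 2007 09:00:00 -0600 (CST)\n"
    "From: bob@example.net\n"
    "To: alice@example.com, carol@example.com\n"
    "User-Agent: SquirrelMail/1.4.10a\n"
    "Subject: Lunch\n\nBody.\n",
    "Received: from mx.example.org (mx.example.org [198.51.100.7])\n"
    "\tby mail.example.net with ESMTP; Wed, 14 Nov 2007 09:05:00 -0600 (CST)\n"
    "From: someone@example.org\n"
    "To: bob@example.net\n"
    "Subject: Hello\n\nBody.\n",
]

if __name__ == "__main__":
    for user, sends in triage(SAMPLE_MESSAGES).items():
        for ip, reasons in sends:
            print("%s from %s: %s" % (user, ip, "; ".join(reasons)))
```

Run it over the raw messages in the affected users' INBOX.Sent (or over a copy of the outbound spool) and the first thing it tells you is whether the authenticated-user hop is present at all; a message without it was not sent through SquirrelMail, whatever its From header says. Aggregating by user rather than by message also gives the list of accounts whose passwords need resetting before the null route is lifted.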