Re: Spamming Through Squirrelmail


I had a very similar account compromise a couple weeks ago. It was a
different spam message, but seems to be a similar tactic. They were
logging in legitimately as one of my users. The first clue we had that
something was wrong was that the messages in her inbox had been deleted. I
initially assumed user error (it happens more frequently than you'd
think), so I just restored it from backups and went on my way.

A couple of days later, I discovered the mail server had been churning
out many, many emails from alphadi.company@xxxxxxxx, which seemed a bit
suspicious. Turns out her Squirrelmail preferences had been set to use
"Seidnaly Sidhamed" as her name, and alphadi.company@xxxxxxxx as her
From address. The spam message (which I found replicated here:
http://website.lineone.net/~farrago/cia/2007b/1675ss.htm) was set as
her signature -- I assume to facilitate sending quickly.

The IP addresses that were involved are 41.221.161.120 and
41.221.161.115. Those two addresses were responsible for 1228 calls to
compose.php in an 8 hour period. According to WHOIS, they belong to the
"African Network Information Center" in Mauritius, though that owns all
of 41.X.X.X.

After the initial login, the only activity from that account was calls
to compose.php. Each message was to exactly 300 users, and I'm not sure
if there was some script that called compose.php, or some spammer did
it manually.


On Wed, 14 Nov 2007 19:59:20 -0600
Zack Odell <zodell@xxxxxxxxxxxx> wrote:

> Yes I am certain that the email originated from a compromised user
> and sent out through Squirrelmail.
> 
> See below for a sample email.
> 
> Received: from 83.229.67.26
>         (SquirrelMail authenticated user auser)
>         by mail.domain.net with HTTP;
>         Fri, 9 Nov 2007 11:30:29 -0600 (CST)
> Message-ID: <4319.83.229.67.26.1194629429.squirrel@xxxxxxxxxxxxxxx>
> Date: Fri, 9 Nov 2007 11:30:29 -0600 (CST)
> Subject: Cash Grant/Donation For Novenber 2007!!!!!!!!!!!
> From: "SIR JERRY WILLIAMS FINANCIAL INVESTMENT"
> <finanical_investment@xxxxxxxxx>
> Reply-To: sirjerrywilliams@xxxxxxxx
> Bcc: adrian@xxxxxxxxxxxxx,
> ***many more***
> User-Agent: SquirrelMail/1.4.10a
> MIME-Version: 1.0
> Content-Type: text/plain;charset=iso-8859-1
> Content-Transfer-Encoding: 8bit
> X-Priority: 3 (Normal)
> Importance: Normal
> 
> 
> SIR JERRY WILLIAMS FINANCIAL INVESTMENT
> 26 York Street, London
> W1U 6PZ. United Kingdom.
> E-mai:mail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Tel: +44-701-113-7778
> 
> Good day,
> I am Sir Jerry Williams, a private investor I give out unsecured
> guarantee loans to Business Men and women who are into Business
> transaction,automobile purchase, house purchase loan and other
> personal loans E.T.C. I give out long term loan for five to fifty
> years maximum with 4% interest rate in this you can as well tell me
> the amount you need so that i will send to you the terms and
> condition that is if you are really interested in getting a loan from
> me, Loans are given out in Great British Pounds and United States
> Dollar the maximum I give is 10,000,000 both in pounds and $USD and
> the minimum 5,000 pounds and USD$.
> 
> I also render Collateral And Non- Collateral Loans For Your Business
> Start up, If you are interested in this offer please kindly fill out
> the application details below so that i can start the processing of
> your loan sum.
> 
> APPLICATION DETAILS
> 
> Full Name:..........................................
> Contact Address:.............................
> Phone:...................................................
> Purpose of your loan.......................
> Amount Needed as Loan:...............
> Loan Duration:...................................
> Annual Income:.................................
> Gross monthly income....................
> Occupation:........................................
> Sex.............................
> Date of Birth............................
> Marital Status........................
> 
> In acknowledgement to these details, I will send you a well calculated
> Terms and Condition which will include the agreement.
> Furthermore be informed that you will also need a form of
> Identification which can be either a Driver's Licence or your working
> Identity card.
> 
> Regards
> Sir Jerry Williams
> Financial Controller/ Operation Manager
> Tel: +44-701-113-7778.
> 
> 
> 
> 
> 
> 
> -----Original Message-----
> From: squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx
> [mailto:squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf
> Of Philip Brazina
> Sent: Wednesday, November 14, 2007 10:49 AM
> To: Squirrelmail User Support Mailing List
> Cc: Squirrelmail User Support Mailing List
> Subject: Re:  Spamming Through Squirrelmail
> 
> Have you looked in the INBOX.Sent to verify that they are logging in
> and sending the mail via SquirrelMail?  I ask this since I do
> occasionally get rejects from mail I didn't send out but someone is
> trying to spoof my mail server.  In fact, the mail shows as being
> sent from an account I don't have on my server, and relaying is
> turned off.  I know it is just a hoax.
> 
> Hopefully it will help.
> 
> Philip
> 
> 
> >>Can you provide more information on how SquirrelMail is being used?
> > We use squirrelmail, courier-imap, postfix and apache.  We had a
> > squirrelmail implementation with sendmail for years, but never
> > experienced this issue.  If you need more/different info, let me
> > know.
> >
> >>What version of SquirrelMail? PHP?
> > SquirrelMail Version: 1.4.10a
> > PHP 5
> >
> >
> >> Have you investigated how the accounts were compromised?
> > As far as the user accounts, we are reviewing logs to determine if
> > they bruteforced the accounts or if they just "knew" the passwds.
> > My first thought was a virus/spyware/keylogger on a certain users
> > host, but it spread to a total of three users over the course of
> > several days.  We have asked the user to bring their PC into us so
> > that we can take a look at them, but no such luck.  I have been
> >
> > I ended up routing their IP block to null in my gateway router.
> > Here is the IP range in case anyone else experiences this.
> >
> > 83.229.0.0 - 83.229.255.255
> >
> > Zack
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx
> > [mailto:squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf
> > Of Jon Angliss
> > Sent: Tuesday, November 13, 2007 8:57 PM
> > To: Squirrelmail User Support Mailing List
> > Subject: Re:  Spamming Through Squirrelmail
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi Zack
> >
> >> Greetings:
> >
> >> We have seen quite a bit of user accounts that have been targeted
> >> by spammers.  That is to say I think our users passwds have been
> >> compromised and the spammers are then sending out 100's of messages
> >> through Squirrelmail and Postfix.  Since we can't keep Squirrelmail
> >> from sending out messages for our legit email I didn't know if
> >> there was a way to only allow "fubar.net" emails to be sent out
> >> and deny "uglyasspammers.net".
> >
> > Can you provide more information on how SquirrelMail is being used?
> > What version of SquirrelMail? PHP? Have you investigated how the
> > accounts were compromised?
> >
> > - --
> > Jon Angliss
> > <jon@xxxxxxxxxxxxxxxx

-- 
Dan Bongert                     dbongert@xxxxxxxxxxxx
SSCC Unix System Administrator  (608) 262-9857
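As an added example (not code from anyone in this thread), a small Python detector for the two traces described above: bursts of compose.php calls per client IP in the web server access log, and the client IP plus authenticated user from the Received header SquirrelMail stamps on outgoing mail. The log lines and the 192.0.2.10 address are constructed for the example, and the threshold is set low to fit that sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache-style log lines (not from the thread); the two 41.221.161.x
# addresses are the ones reported above, 192.0.2.10 stands for a normal user.
SAMPLE_LOG = """\
41.221.161.120 - - [15/Nov/2007:08:00:01 -0600] "POST /src/compose.php HTTP/1.1" 200 512
41.221.161.120 - - [15/Nov/2007:08:00:09 -0600] "POST /src/compose.php HTTP/1.1" 200 512
41.221.161.115 - - [15/Nov/2007:08:00:15 -0600] "POST /src/compose.php HTTP/1.1" 200 512
192.0.2.10 - - [15/Nov/2007:08:01:00 -0600] "GET /src/right_main.php HTTP/1.1" 200 9000
41.221.161.120 - - [15/Nov/2007:08:00:20 -0600] "POST /src/compose.php HTTP/1.1" 200 512
192.0.2.10 - - [15/Nov/2007:08:02:00 -0600] "POST /src/compose.php HTTP/1.1" 200 512
41.221.161.120 - - [15/Nov/2007:09:30:00 -0600] "POST /src/compose.php HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+)')
RECEIVED_RE = re.compile(
    r"from\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(SquirrelMail authenticated user (\S+)\)")

def compose_bursts(log_text, window=timedelta(hours=1), threshold=3):
    """Return {ip: max compose.php hits within any `window`} for IPs reaching
    `threshold`. A real user composes a handful of messages an hour; hundreds
    in a window is the pattern described above (threshold lowered for the sample)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group(4).endswith("/compose.php"):
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        hits[m.group(1)].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):      # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def parse_squirrelmail_received(header):
    """Extract (client_ip, authenticated_user) from the Received header that
    SquirrelMail adds ('from 1.2.3.4 (SquirrelMail authenticated user NAME) by
    ... with HTTP; ...'), folded or not. Returns None if the header is absent."""
    m = RECEIVED_RE.search(" ".join(header.split()))
    return (m.group(1), m.group(2)) if m else None
```

Run against the real access log with a window of several hours and a threshold in the hundreds, the first function surfaces the IPs described above, and the second ties each outgoing message in the spool back to the account that was used.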


squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
