Chris Hilts wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Vernon A. Fort wrote:
>
>> amount of spam email. It appears the exploiter obtained the password
>> and then compromised the account. The actual email user is completely
>> unaware of the compromise - meaning they did NOT send this spam email.
>>
> <SNIP>
>
>> When looking at the mail queue file, you can see the squirrelmail
>> authenticated user name and the queue file clearly shows it came from the
>> localhost indicating the squirrelmail interface.
>>
>
> If you are indicating the Received: header, it can and has been faked by
> spammers in the past. Are you certain this is not the case? What do
> your SMTP logs show? Did the messages in question truly pass through
> your mail system?
>
>
>> We did not have the webmail with a CERT (ssl) but do NOW! Is there any
>> known way of easily compromising an email account directly with PHP and or
>> squirrelmail.
>>
>
> Well if they have the password as you indicated above, there isn't a
> whole lot to "compromising" the account, is there?
>

This is TRUE - it appears they did have the password but I am trying to find any known exploit in the authentication method. Looking at the email, a deferred message in the queue using postcat, it did come through the squirrelmail interface. I also installed the restrict_sender plugin after the first attack and it sent/logged (assumed it blocked) the next three mass-mail attempts. I'm leaning towards a user using a public PC which had a key-logger and or Trojan. Any other suggestions are welcome. All the PHP settings are in accordance with the documentation on the squirrelmail website.

Vernon Fort
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
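The thread turns on two questions: whether a Received: header naming a SquirrelMail authenticated user can be trusted (it cannot on its own, since the client can forge it), and whether the SMTP log proves the message really passed through the local Postfix. The script below is an added example, not code from the thread or from the SquirrelMail project. It parses constructed Postfix smtpd log lines for SASL-authenticated submissions, flags an account that submits an unusual burst of mail (the mass-mail pattern Vernon describes), and then correlates the queue ID in the Received header that the local Postfix added to a queued message (as postcat would show it) against the log, so the forgeable SquirrelMail header is only used for context once the server-side record confirms the submission. Hostnames, addresses, queue IDs and the 20-messages-in-5-minutes threshold are all invented for illustration.

```python
"""Correlate Postfix smtpd log lines (server-side evidence) with the Received
headers of a queued message (client-influenced, forgeable) to confirm that a
webmail account was really used to submit a burst of mail.

Constructed example: log lines, hostnames, queue IDs and addresses are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# Postfix smtpd line recording a SASL-authenticated submission.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<client>[^,]+), "
    r"(?:sasl_method=\S+, )?sasl_username=(?P<user>\S+)"
)

# Received header that SquirrelMail adds; it is supplied by the webmail front end,
# so anyone who can inject headers could forge it.
SM_RECEIVED_RE = re.compile(
    r"^Received: from (?P<ip>\S+) \(SquirrelMail authenticated user (?P<user>[^)]+)\)",
    re.MULTILINE,
)

# Received header added by the local Postfix when it accepted the submission;
# its queue ID is what can be matched against the server's own log.
LOCAL_RECEIVED_RE = re.compile(
    r"^Received: from \S+ \(\S+ \[[\d.]+\]\)\s+by \S+ \(Postfix\) "
    r"with E?SMTPA? id (?P<qid>[0-9A-F]+)",
    re.MULTILINE,
)


def _build_sample_log():
    """Constructed log: one account submits 25 messages in under a minute via the
    webmail host, one account sends a single message, plus an unauthenticated
    inbound connection that must not be counted as a submission."""
    lines = []
    for i in range(25):
        lines.append(
            "Apr 12 02:14:%02d mail postfix/smtpd[4122]: %010X: "
            "client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=vernon"
            % (i * 2, 0xA1B2C3D4E5 + i)
        )
    lines.append("Apr 12 09:30:10 mail postfix/smtpd[4130]: B0B0B0B0B0: "
                 "client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=alice")
    lines.append("Apr 12 09:31:00 mail postfix/smtpd[4131]: C0C0C0C0C0: "
                 "client=mx.example.org[198.51.100.5]")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _build_sample_log()

# Constructed headers of a deferred message as postcat would print them.
SAMPLE_QUEUE_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.net (Postfix) with ESMTPA id A1B2C3D4E5
\tfor <someone@example.org>; Sat, 12 Apr 02:14:00 -0500
Received: from 203.0.113.7 (SquirrelMail authenticated user vernon)
\tby webmail.example.net with HTTP;
From: vernon@example.net
Subject: (constructed sample message)
"""


def parse_submissions(log_text):
    """Return one record per SASL-authenticated submission in the log."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unauthenticated or unrelated line
        records.append({
            "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "qid": m.group("qid"),
            "client": m.group("client"),
            "user": m.group("user"),
        })
    return records


def flag_bursts(records, threshold=20, window_seconds=300):
    """Map user -> peak number of submissions inside any window_seconds span,
    for users whose peak reaches threshold (sliding window per user)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r["time"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def queued_message_origin(headers):
    """Return (local queue ID, SquirrelMail user, SquirrelMail client IP);
    the last two come from the forgeable header and are context only."""
    local = LOCAL_RECEIVED_RE.search(headers)
    sm = SM_RECEIVED_RE.search(headers)
    return (local.group("qid") if local else None,
            sm.group("user") if sm else None,
            sm.group("ip") if sm else None)


def confirm_submission(headers, records):
    """Return the log record whose queue ID matches the queued message, or None
    when the server never recorded such a submission (e.g. forged headers)."""
    qid, _, _ = queued_message_origin(headers)
    for r in records:
        if r["qid"] == qid:
            return r
    return None


if __name__ == "__main__":
    recs = parse_submissions(SAMPLE_LOG)
    print("burst accounts:", flag_bursts(recs))
    print("queued message origin:", queued_message_origin(SAMPLE_QUEUE_HEADERS))
    print("server-side match:", confirm_submission(SAMPLE_QUEUE_HEADERS, recs))
```

On a real server the log text would come from the Postfix mail log and the headers from `postcat -q <queue-id>`; the SASL username in the smtpd line is the account whose credentials were used, regardless of what the SquirrelMail header claims, and a per-account burst count is the simplest trigger for locking the account and forcing a password reset.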