Rob Wright wrote:
> On Wednesday 21 November 2007 08:27, Vernon A. Fort wrote:
>
>> To all,
>> I run a large webmail server, 19k + accounts. Lately, just this
>> month, I have had three different email accounts send out spam email.
>> Basically, the accounts have their personal information changed to a
>> different name and reply-to address. Then they send out quite a large
>> amount of spam email. It appears the exploiter obtained the password
>> and then compromised the account. The actual email user is completely
>> unaware of the compromise - meaning they did NOT send this spam email.
>>
>> What I have:
>>
>
> We had the exact same problem here. What we did last week was to install the
> CAPTCHA plugin, and that seems to have solved the problem.
>
> It seems that the spammers were using an automated script to login via HTTP
> and squirrelmail to do their dirty work that way. The messages were
> definitely coming through our server and were not faked or spoofed.
>
> This was not a compromise of the user accounts on our server, but rather an
> exploitation of the system using genuine and valid usernames/accounts. The
> last episode we had we contacted the users individually and had them change
> their password, but this time around we realized we need to be pro-active and
> thus went with the CAPTCHA. If anyone has a better suggestion I'd like to
> hear it. Is using a Certificate the better thing to do?
> List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>

I was thinking of using the CAPTCHA plugin as well. Your experience is exactly like mine - someone exploited the email account by gaining valid access. The only ports open on the server are 80/443/25/110. I plan on (shortly) changing the pop to pop3s. Did you do anything else in locking down the apache/php/squirrelmail?

Reviewing the auth.log(s), I do see several bad-logins for the exploited accounts but I only see 10-20 attempts before a successful login. I kind of expected to see more than 30-40 attempts....

Vernon
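
Added example, not part of the original thread and not SquirrelMail code: a log check for the pattern described above, where a run of failed logins on one account is followed by a success. The log line layout, function names and sample lines are assumptions constructed for illustration; the default threshold of 10 follows the 10-20 attempts reported in the message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical line layout (an assumption); adapt LINE_RE to your daemon's auth.log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"LOGIN (?P<result>FAILED|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def find_guessed_accounts(log_text, min_failures=10, window=timedelta(hours=24)):
    """Flag accounts where a successful login follows >= min_failures
    failed logins inside `window`. Returns {user: details}."""
    failures = defaultdict(list)   # user -> failure times since last success
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # ignore lines in other formats
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user = m["user"]
        # Forget failures too old to belong to the same guessing run.
        failures[user] = [t for t in failures[user] if ts - t <= window]
        if m["result"] == "FAILED":
            failures[user].append(ts)
            continue
        if len(failures[user]) >= min_failures:
            flagged[user] = {"failures": len(failures[user]),
                             "ip": m["ip"], "time": ts}
        failures[user] = []        # a success ends the streak
    return flagged

def build_sample_log():
    """Constructed lines (not real data): alice is guessed after 12 tries,
    bob mistypes twice, carol is attacked without success."""
    start = datetime(2007, 11, 20, 2, 0, 0)
    def line(offset, result, user, ip):
        stamp = start + timedelta(seconds=offset)
        return f"{stamp:%Y-%m-%d %H:%M:%S} imapd: LOGIN {result} user={user} ip={ip}"
    rows = [line(30 * i, "FAILED", "alice", "203.0.113.7") for i in range(12)]
    rows.append(line(400, "OK", "alice", "203.0.113.7"))
    rows += [line(500 + i, "FAILED", "bob", "198.51.100.4") for i in range(2)]
    rows.append(line(510, "OK", "bob", "198.51.100.4"))
    rows += [line(600 + i, "FAILED", "carol", "203.0.113.7") for i in range(15)]
    return "\n".join(rows)

if __name__ == "__main__":
    for user, info in find_guessed_accounts(build_sample_log()).items():
        print(user, info)
```

Accounts flagged this way are candidates for a forced password reset; accounts with many failures and no success (carol in the sample) are left to rate limiting or lockout.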