Re: Compromised Accounts

We have been through the exact issue about two weeks ago.  We had to route entire blocks of IPs to null0 in my router and also killed them in the firewall.  But I have seen a renewed "attack" from new ranges of IPs.  Of course, the results of these attacks are that we have been blacklisted in just about every RBL.  This of course is a major pain in the ass!  We have used SM for years now and this is the first time that we have seen this.

I also saw 10 - 20 attempts to log in and then we had a successful login on a user's account.  We have implemented sender_restriction and will implement CAPTCHA after Thanksgiving.

Zack

________________________________________
From: squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx [squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Rob Wright [debianrob@xxxxxxxxxxxxx]
Sent: Wednesday, November 21, 2007 9:17 AM
To: Squirrelmail User Support Mailing List
Subject: Re:  Compromised Accounts

On Wednesday 21 November 2007 09:06, Vernon A. Fort wrote:
> Rob Wright wrote:
> > On Wednesday 21 November 2007 08:27, Vernon A. Fort wrote:
> >> To all,
> >>   I run a large webmail server, 19k + accounts.  Lately, just this
> >> month, I have had three different email accounts send out spam email.
> >> Basically, the accounts have their personal information changed to a
> >> different name and reply to address.  Then they send out quite a large
> >> amount of spam email.  It appears the exploiter obtained the password
> >> and then compromised the account.  The actual email user is completely
> >> unaware of the compromise - meaning they did NOT send this spam email.
> >>
> >> What i have:
> >
> > We had the exact same problem here. What we did last week was to install
> > the CAPTCHA plugin, and that seems to have solved the problem.
> >
> > It seems that the spammers were using an automated script to login via
> > HTTP and squirrelmail to do their dirty work that way. The messages were
> > definitely coming through our server and were not faked or spoofed.
> >
> > This was not a compromise of the user accounts on our server, but rather
> > an exploitation of the system using genuine and valid usernames/accounts.
> > The last episode we had we contacted the users individually and had them
> > change their password, but this time around we realized we need to be
> > pro-active and thus went with the CAPTCHA. If anyone has a better
> > suggestion I'd like to hear it. Is using a Certificate the better thing
> > to do?
> > List info (subscribe/unsubscribe/change options):
> > https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>
> I was thinking of using the CAPTCHA plugin as well.  Your experience is
> exactly like mine - someone exploited the email account by gaining valid
> access.  The only ports open on the server are 80/443/25/110.  I plan on
> (shortly) changing the pop to pop3s.  Did you do anything else in
> locking down the apache/php/squirrelmail?
>
> Reviewing the auth.log(s), I do see several bad-logins for the exploited
> accounts but I only see 10-20 attempts before a successful login.  I
> kind of expected to see more than 30-40 attempts....
>
The only other thing we've done is some IP blocking at the firewall from the
networks where the attacks were coming from, but we all know that's nothing
more than a stop gap measure, at best. The main problem with locking it down
any more is that, really, the logins were valid, the system was used to do
exactly what it's supposed to do. The CAPTCHA is an extra hassle for the
users, but we so far haven't been able to come up with anything that wouldn't
make the webmail completely useless altogether.

Rob Wright
debianrob@xxxxxxxxxxxxx

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
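The pattern the thread describes twice (a short burst of bad logins on one account, then a success, with a script working through valid usernames from the same source) is something the auth log can surface before the spam run starts. The script below is an added example for this thread, not part of SquirrelMail or anyone's posted code. It parses constructed syslog-style lines in a made-up format (the `imap-login: login ok/failed user=... rip=...` shape is an assumption; real SquirrelMail, IMAP or POP logs differ, so `LOG_RE` must be adapted), flags accounts whose successful login followed at least N failures inside a time window, and lists which source addresses tried many different accounts, which is the evidence behind the firewall blocks both posters mention.

```python
"""Flag webmail accounts that succeed only after a burst of failed logins.

Added example for the squirrelmail-users thread; not SquirrelMail code.
The log line format below is constructed for this example and is NOT the
real SquirrelMail/IMAP format: point LOG_RE at your own auth.log shape.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical line: "Nov 21 08:40:01 webmail imap-login: login failed user=alice rip=203.0.113.10"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ imap-login: "
    r"login (?P<result>ok|failed) user=(?P<user>\S+) rip=(?P<ip>\S+)$"
)


def parse_line(line, year=2007):
    """Return (timestamp, result, user, ip), or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["result"], m["user"], m["ip"]


def find_burst_then_success(lines, min_failures=10, window=timedelta(minutes=30)):
    """Return {user: info} for users whose successful login was preceded by at
    least `min_failures` failures inside `window` (the "10-20 attempts and then
    a success" pattern described in the thread)."""
    recent_failures = defaultdict(list)  # user -> [(timestamp, source ip), ...]
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        # forget failures that fell out of the sliding window
        recent_failures[user] = [(t, i) for t, i in recent_failures[user] if ts - t <= window]
        if result == "failed":
            recent_failures[user].append((ts, ip))
            continue
        # a success: look at what came right before it, then reset the account
        failures = recent_failures.pop(user, [])
        if len(failures) >= min_failures:
            flagged[user] = {
                "failures": len(failures),
                "success_ip": ip,
                "failure_ips": sorted({i for _, i in failures}),
                "success_at": ts,
            }
    return flagged


def accounts_per_source(lines):
    """Return {ip: set(users)} over failed logins, to spot one source working
    through many accounts (the automated script both posters describe)."""
    by_ip = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == "failed":
            by_ip[parsed[3]].add(parsed[2])
    return by_ip


def sample_log():
    """Constructed log lines: 12 failures then a success for alice from one
    source, a clean login for bob, and that same source probing other users."""
    lines = [
        f"Nov 21 08:40:{s:02d} webmail imap-login: login failed user=alice rip=203.0.113.10"
        for s in range(1, 60, 5)  # seconds 1, 6, ..., 56 -> 12 failures
    ]
    lines += [
        "Nov 21 08:41:10 webmail imap-login: login ok user=alice rip=203.0.113.10",
        "Nov 21 09:15:44 webmail imap-login: login ok user=bob rip=198.51.100.7",
        "Nov 21 09:20:02 webmail imap-login: login failed user=carol rip=203.0.113.10",
        "Nov 21 09:20:05 webmail imap-login: login failed user=dave rip=203.0.113.10",
        "Nov 21 09:20:09 webmail imap-login: login ok user=dave rip=198.51.100.9",
    ]
    return lines


if __name__ == "__main__":
    log = sample_log()
    for user, info in find_burst_then_success(log).items():
        print(f"{user}: {info['failures']} failures from {info['failure_ips']} "
              f"then success from {info['success_ip']} at {info['success_at']}")
    for ip, users in accounts_per_source(log).items():
        if len(users) >= 3:
            print(f"{ip} tried {len(users)} different accounts: {sorted(users)}")
```

On the constructed input this reports alice (12 failures, then a success from the same address) and shows 203.0.113.10 touching three accounts, while bob and dave (one stray failure) stay quiet. The threshold of 10 is taken from the numbers in the thread; a real deployment would tune `min_failures` and `window` against its own baseline and feed the flagged accounts into a forced password reset rather than only a firewall rule, since the login that follows the burst is, as Rob notes, a valid one.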

