Re: Compromised Accounts

Rob Wright wrote:
> On Wednesday 21 November 2007 09:06, Vernon A. Fort wrote:
>> Rob Wright wrote:
>>> On Wednesday 21 November 2007 08:27, Vernon A. Fort wrote:
>>>> To all,
>>>>   I run a large webmail server, 19k + accounts.  Lately, just this
>>>> month, I have had three different email accounts send out spam email.
>>>> Basically, the accounts have their personal information changed to a
>>>> different name and reply to address.  Then they send out quite a large
>>>> amount of spam email.  It appears the exploiter obtained the password
>>>> and then compromised the account.  The actual email user is completely
>>>> unaware of the compromise - meaning they did NOT send this spam email.
>>>>
>>>> What i have:
>>> We had the exact same problem here. What we did last week was to install
>>> the CAPTCHA plugin, and that seems to have solved the problem.
>>>
>>> It seems that the spammers were using an automated script to login via
>>> HTTP and squirrelmail to do their dirty work that way. The messages were
>>> definitely coming through our server and were not faked or spoofed.
>>>
>>> This was not a compromise of the user accounts on our server, but rather
>>> an exploitation of the system using genuine and valid usernames/accounts.
>>> The last episode we had we contacted the users individually and had them
>>> change their password, but this time around we realized we need to be
>>> pro-active and thus went with the CAPTCHA. If anyone has a better
>>> suggestion I'd like to hear it. Is using a Certificate the better thing
>>> to do?
>> I was thinking of using the CAPTCHA plugin as well.  Your experience is
>> exactly like mine - someone exploited the email account by gaining valid
>> access.  The only ports open on the server are 80/443/25/110.  I plan on
>> (shortly) changing the pop to pop3s.  Did you do anything else in
>> locking down the apache/php/squirrelmail?
>>
>> Reviewing the auth.log(s), I do see several bad-logins for the exploited
>> accounts but I only see 10-20 attempts before a successful login.  I
>> kind of expected to see more than 30-40 attempts....
>>
> The only other thing we've done is some IP blocking at the firewall from the 
> networks where the attacks were coming from, but we all know that's nothing 
> more than a stop gap measure, at best. The main problem with locking it down 
> any more is that, really, the logins were valid, the system was used to do 
> exactly what it's supposed to do. The CAPTCHA is an extra hassle for the 
> users, but we so far haven't been able to come up with anything that wouldn't 
> make the webmail completely useless altogether.

If you were not running pop3s, imaps, and SSL on the web interface, then 
your 19k usernames & passwords were flying around the net in plain text 
and were more than likely sniffed at some point. Try something like 
ossec hids to block the password guessing (ossec.net), and require 
decent passwords from users. This isn't a squirrelmail issue. Spammers 
are attacking all exposed systems.
Ken

> 
> Rob Wright
> debianrob@xxxxxxxxxxxxx
> 


-- 
Ken Anderson
Pacific.Net

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
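Vernon's observation above (10-20 failed logins followed by a success) is the pattern a host-based detector such as the OSSEC HIDS that Ken recommends looks for. The script below is an added example, not code from this thread or from the SquirrelMail or OSSEC projects: it walks auth-log lines, counts failures per (user, source host) within a time window, and raises an alert when a successful login follows enough failures. The log line format and the sample lines are constructed for the example; real IMAP/POP daemons log in their own formats, so the regex is an assumption that would need adjusting.

```python
"""Flag successful logins that follow a burst of failed attempts.

Added example for the squirrelmail-users thread on compromised webmail
accounts.  The log format ("LOGIN OK|FAILED user=... rhost=...") and the
sample lines are constructed; adapt LINE_RE to the daemon you actually run.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape: "<syslog timestamp> <host> <service>: LOGIN OK|FAILED user=X rhost=Y"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: "
    r"LOGIN (?P<result>OK|FAILED) user=(?P<user>\S+) rhost=(?P<rhost>\S+)$"
)


def parse_line(line):
    """Return (timestamp, success, user, rhost) or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog stamps carry no year; strptime fills in 1900, which is fine for deltas
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"] == "OK", m["user"], m["rhost"]


def find_guessed_logins(lines, min_failures=5, window=timedelta(minutes=30)):
    """Return alerts for successes preceded by >= min_failures failures
    from the same (user, rhost) pair inside `window`.

    The threshold is deliberately low: the thread reports only 10-20
    attempts before a hit, which suggests weak passwords rather than a
    long brute-force run.
    """
    failures = defaultdict(list)  # (user, rhost) -> timestamps of recent failures
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than crash the detector
        ts, ok, user, rhost = rec
        key = (user, rhost)
        recent = [t for t in failures[key] if ts - t <= window]
        if not ok:
            recent.append(ts)
            failures[key] = recent
            continue
        if len(recent) >= min_failures:
            alerts.append({"user": user, "rhost": rhost,
                           "failures": len(recent), "success_at": ts})
        failures[key] = []  # a burst is reported once, then the window resets
    return alerts


# Constructed sample log: twelve failures for alice from one host, then a
# success from the same host; two failures for bob, then a success from a
# different host (not alerted); and one line the parser cannot read.
SAMPLE_LOG = (
    [f"Nov 21 08:01:{2 * i:02d} mail imapd: LOGIN FAILED user=alice rhost=203.0.113.5"
     for i in range(12)]
    + ["Nov 21 08:01:40 mail imapd: LOGIN OK user=alice rhost=203.0.113.5",
       "Nov 21 08:05:00 mail imapd: LOGIN FAILED user=bob rhost=198.51.100.7",
       "Nov 21 08:05:01 mail imapd: LOGIN FAILED user=bob rhost=198.51.100.7",
       "Nov 21 09:10:00 mail imapd: LOGIN OK user=bob rhost=192.0.2.10",
       "Nov 21 09:11:00 mail imapd: unrelated message"]
)

if __name__ == "__main__":
    for a in find_guessed_logins(SAMPLE_LOG):
        print(f"{a['user']} from {a['rhost']}: {a['failures']} failures "
              f"then success at {a['success_at']:%b %d %H:%M:%S}")
```

On the sample data only alice is reported (12 failures, then success from the same host). In production the same (user, rhost) key is what you would feed to a firewall block or a forced password reset, and the per-host view (many users, one rhost) is worth adding on top for credential-list attacks that spread attempts across accounts.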
