> -----Original Message-----
> From: squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx
> [mailto:squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Paul Lesniewski
> Sent: Sunday, May 04, 2008 3:29 PM
> To: Squirrelmail User Support Mailing List
> Subject: Re: is this a spam
>
> On Sun, May 4, 2008 at 1:34 PM, Benedict simon <simon@xxxxxxxxxxx> wrote:
> > Dear All,
> >
> > I have had the following setup for almost a year on a single machine running
> > as a Mail and DNS server and it has been working perfectly fine
> >
> > CentOS 5 OS
> > DNS server using bind-9.3.3-10.el5
> > Mailserver using sendmail-8.13.8-2.el5
> > apache web server 2.2.3-11.el5_1
> > SquirrelMail/1.4.13
> > dovecot-1.0-1.2.rc15.el5
> > MailScanner ver 4.66.5
> > mailwatch-1.0.4
> >
> > Now I just logged into mailwatch and found my outbound queue has about 30
> > messages, and I opened one of them, the latest message, and here below are
> > the details
> >
> > ------------------------------
> >
> > Received: from kmdns1.kmun.gov.kw (localhost [127.0.0.1])
> >     by kmdns1.kmun.gov.kw (8.13.8/8.13.8) with ESMTP id m447Few7008716
> >     for <info@xxxxxxxxxx>; Sun, 4 May 2008 10:15:40 +0300
> > Received: (from apache@localhost)
> >     by kmdns1.kmun.gov.kw (8.13.8/8.13.8/Submit) id m3UFqte8002976;
> >     Wed, 30 Apr 2008 18:52:55 +0300
> > X-Authentication-Warning: kmdns1.kmun.gov.kw: apache set sender to
> >     loanskathryn@xxxxxxxxx using -f
> > Received: from 196.220.10.253
> >     (SquirrelMail authenticated user ladmin)
>
> Is the username for your account (or a valid one on your mail system)
> called "mailadmin"? Looks to me like someone figured out your
> password. Change the password to the account and see if the problem

Just as an FYI, we have seen a dramatic increase in the number of targeted
phishing attempts against our users.
Successful phishing results in the account in question being used to send
spam to Yahoo and Hotmail, most often similar to the above, always via SM
(no other SMTP/ASMTP based attempts are logged). Based on the timing between
messages, variability in number of recipients and other factors, there are
almost certainly humans on the other end doing the spamming and not scripts.
Most often they are from Chinese or African IP space.

Once they acquire an account they --

- modify the Reply-To address to be a gmail or yahoo account.
- modify the From: address to be in the same domain that they are sending to.
- change the user's .sig to be the contents of the spam they are sending.

You can grep through local prefs to find the first two, and the latter can be
seen by a .sig sized greater than about 100 bytes. (I actually had some users
with very long .sigs).

--
Marc
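
The check described in the message above, scripted as an added example (not code from the thread or from the SquirrelMail project). It assumes file-backed preferences stored as `<user>.pref` with `reply_to` and `email_address` keys and signatures in `<user>.sig`; the function names, the "outside the local domain" test for the From: address, and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Audit SquirrelMail file-backed preferences for the three changes listed above.
# Assumed layout (verify on your install): <data_dir>/<user>.pref holds key=value
# lines with keys reply_to and email_address; <data_dir>/<user>.sig is the signature.

pref_value() {  # pref_value FILE KEY -> first value of KEY, lowercased
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr 'A-Z' 'a-z'
}

audit_sm_prefs() {  # audit_sm_prefs DATA_DIR LOCAL_DOMAIN [SIG_LIMIT_BYTES]
    sm_dir=$1
    sm_domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    sm_limit=${3:-100}
    for sm_f in "$sm_dir"/*.pref; do
        [ -f "$sm_f" ] || continue
        sm_user=$(basename "$sm_f" .pref)
        sm_reply=$(pref_value "$sm_f" reply_to)
        case $sm_reply in   # Reply-To moved to a gmail or yahoo mailbox
            *@gmail.com*|*@yahoo.*) echo "$sm_user reply_to $sm_reply" ;;
        esac
        sm_from=$(pref_value "$sm_f" email_address)
        case $sm_from in    # From: address outside the site's own domain
            ''|*@"$sm_domain") ;;
            *) echo "$sm_user email_address $sm_from" ;;
        esac
    done
    for sm_f in "$sm_dir"/*.sig; do
        [ -f "$sm_f" ] || continue
        sm_size=$(wc -c < "$sm_f" | tr -d ' ')
        # Long signatures can be legitimate, so this is a lead, not a verdict.
        if [ "$sm_size" -gt "$sm_limit" ]; then
            echo "$(basename "$sm_f" .sig) sig_bytes $sm_size"
        fi
    done
}

make_sample_dir() {  # constructed sample data, not taken from the thread
    sm_tmp=$(mktemp -d)
    printf 'full_name=Alice\nemail_address=alice@example.org\n' > "$sm_tmp/alice.pref"
    printf 'email_address=info@hotmail.example\nreply_to=claims@gmail.com\n' > "$sm_tmp/bob.pref"
    printf 'Alice\n' > "$sm_tmp/alice.sig"
    printf '%0150d' 0 > "$sm_tmp/bob.sig"   # 150 filler bytes standing in for pasted spam
    echo "$sm_tmp"
}

# Demo against the constructed sample; point it at your real data directory instead.
demo_dir=$(make_sample_dir)
audit_sm_prefs "$demo_dir" example.org
rm -rf "$demo_dir"
```

Each output line is `user field value`, so the result can be sorted by user to see which accounts trip more than one of the three checks.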