This was also a big problem for me as well. I was able to block this by adding geoip to the server and blocking all traffic from places like Africa, Asia, and parts of Europe. Pretty much all the abuse seems to come from RIPE networks (really it seems almost all the abuse on the net period comes from RIPE). Most of our users are from US/Canada so it wasn't a big deal for us to just block entire regions like Africa from accessing webmail. If you have clients from a region blocked for abuse you can add their ISP's ip-range to a host.allow list to bypass the deny page.

We had also implemented captchas in squirrelmail and a flagging system for outgoing email. If a spammer has compromised one of your accounts they would likely not be using squirrelmail to send the messages, but rather just connect to your smtp server directly. Although from your logs they do appear to be using squirrelmail.

If you want to look for compromised smtp accounts on your server try this one-liner...

    grep 'smtp_auth:' /var/log/maillog | awk '{print $9, $16}' | sort | uniq -c | sort -rn

It will list the users authenticating through smtp in the maillog and sort them by the most accessed accounts (usually this would be the compromised account(s)).

It looks like you could also block them by their user-agent using something like this in your apache conf...

    RewriteEngine on
    # User-Agent is a server variable (no ENV: prefix); quote the pattern because it contains a space
    RewriteCond %{HTTP_USER_AGENT} "^.*Crazy Browser.*$"
    # Send every matching request to the deny page
    RewriteRule ^.*$ /deny.html [L]

I haven't tested this but it should work.

You should also consider adding something like DenyHosts on your server to block brute-force attempts.

Derek G.

> On Wednesday 02 July 2008 11:38:37 Paul A wrote:
>> Hi I'm running a version of squirrelmail by nutsmail.com. I have Tried
>> version, 1.4.10a_NM-9.XPBlueSky and 1.4.13_NM-12.XP_BlueSky.
>> What is happening is that foreign ips, especially Nigerian ips are sending
>> spam through squirrelmail.
>>
>> server versions:
>>
>> postfix mail_version = 2.2.10
>> Server version: Apache/2.0.52
>> PHP 4.3.9 (cgi) (built: Sep 20 2007 19:31:11
>>
>> At 1st I thought it was a vulnerable version that I was using but I have
>> used several versions and the same thing happens. I was wondering if anyone
>> here knew how these ips are relaying through my squirrelmail server, below
>> are the logs that I have. Are the spammers using an authenticated username
>> with a weak password, if so how can I determine the username they are
>> using, I'm assuming the easiest way is to look at the queued mail.
>>
>> I'm just trying to figure out how I can fix this as it's becoming a big
>> problem.
>
> Paul,
>
> We had the same problem here for a while off and on. We finally tracked it to
> spammers running scripts with stolen or weak passwords and sending a lot of
> mail through squirrelmail, one login/message at a time. We installed a PHP
> Captcha and pretty much solved the problem.
>
> This may not have been the best solution, but it worked for us. I'd be
> interested to see what other suggestions come up.
>
> Rob Wright
> debianrob@xxxxxxxxxxxxx
>
> -------------------------------------------------------------------------
> Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
> Studies have shown that voting for your favorite open source project,
> along with a healthy diet, reduces your potential for chronic lameness
> and boredom.
> Vote Now at http://www.sourceforge.net/community/cca08
> -----
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> List info (subscribe/unsubscribe/change options):
> https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
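
A fuller take on the per-account log count suggested in the reply above, as an added example that is not part of the original thread. It assumes stock Postfix smtpd lines carrying client=HOST[IP] and sasl_username=USER rather than the 'smtp_auth:' lines the one-liner greps for; the function names are hypothetical and the sample log is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes stock Postfix smtpd lines:
#   ... postfix/smtpd[PID]: QUEUEID: client=HOST[IP], sasl_method=M, sasl_username=USER

# sasl_summary LOGFILE -> "LOGINS DISTINCT_IPS USER" per account, busiest first.
sasl_summary() {
    awk '
        /postfix\/smtpd\[/ && /sasl_username=/ {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^sasl_username=/) {
                    user = $i; sub(/^sasl_username=/, "", user); sub(/,$/, "", user)
                }
                if ($i ~ /^client=/) {
                    ip = $i; sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)
                }
            }
            if (user == "") next
            logins[user]++
            # Count each (user, ip) pair once so one busy client is not inflated.
            if (ip != "" && !((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
        }
        END { for (u in logins) print logins[u], ips[u] + 0, u }
    ' "$1" | sort -k1,1nr -k3,3
}

# sasl_suspects LOGFILE MIN_LOGINS MIN_IPS -> accounts at or above both thresholds.
sasl_suspects() {
    sasl_summary "$1" | awk -v n="$2" -v m="$3" '$1 >= n && $2 >= m { print $3 }'
}

# Constructed sample log: made-up users, documentation-range addresses.
make_sample_log() {
    cat <<'EOF'
Jul  2 11:00:58 mail postfix/smtpd[2100]: connect from unknown[203.0.113.7]
Jul  2 11:01:02 mail postfix/smtpd[2100]: 4A1B2C3D01: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=jsmith
Jul  2 11:01:40 mail postfix/smtpd[2104]: 4A1B2C3D02: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=jsmith
Jul  2 11:02:11 mail postfix/smtpd[2107]: 4A1B2C3D03: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=jsmith
Jul  2 11:02:30 mail postfix/smtpd[2100]: 4A1B2C3D04: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=jsmith
Jul  2 11:05:00 mail postfix/smtpd[2110]: 4A1B2C3D05: client=office.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jul  2 11:09:00 mail postfix/smtpd[2112]: 4A1B2C3D06: client=office.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jul  2 11:12:00 mail postfix/smtpd[2115]: 4A1B2C3D07: client=localhost[127.0.0.1]
Jul  2 11:15:00 mail postfix/smtpd[2118]: 4A1B2C3D08: client=home.example.net[198.51.100.9], sasl_method=PLAIN, sasl_username=bob
EOF
}
```

Mail submitted through the webmail front end reaches Postfix from the webmail host itself, so for that path the login count is the more useful column; the distinct-IP count helps with accounts abused over direct SMTP.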