Thanks Derek, I will implement your apache suggestion since all smtp relays are done using the Crazy Browser.

Thanks,
Paul

> -----Original Message-----
> From: squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx
> [mailto:squirrelmail-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
> derek@xxxxxxxxxxx
> Sent: Wednesday, July 02, 2008 3:05 PM
> To: debianrob@xxxxxxxxxxxxx; Squirrelmail User Support Mailing List
> Subject: Re: squirrelmail used for spam
>
> This was also a big problem for me as well. I was able to block this by
> adding geoip to server and blocking all traffic from places like Africa,
> Asia, and parts of Europe. Pretty much all the abuse seems to come from
> RIPE networks (really it seems almost all the abuse on the net period
> comes from RIPE). Most of our users are from US/Canada so it wasn't a big
> deal for us to just block entire regions like Africa from accessing
> webmail. If you have clients from a region blocked for abuse you can add
> their ISP's ip-range to a host.allow list to bypass the deny page. We had
> also implemented captchas in squirrelmail and a flagging system for
> outgoing email.
>
> If a spammer has compromised one of your accounts they would likely not be
> using squirrelmail to send the messages, but rather just connect to your
> smtp server directly. Although from your logs they do appear to be using
> squirrelmail.
>
> If you want to look for compromised smtp accounts on your server try this
> one-liner...
>
>     grep 'smtp_auth:' /var/log/maillog | awk '{print $9, $16}' | sort | uniq -c | sort -rn
>
> It will list the users authenticating through smtp in the maillog and sort
> them by the most accessed accounts (usually this would be the compromised
> account(s)).
>
> It looks like you could also block them by their user-agent using
> something like this in your apache conf...
>
>     RewriteEngine on
>     # Test the User-Agent request header; the space in the pattern is escaped
>     RewriteCond %{HTTP_USER_AGENT} ^.*Crazy\ Browser.*$
>     RewriteRule ^.*$ /deny.html [L]
>
> I haven't tested this but it should work.
>
> You should also consider adding something like DenyHosts on your server to
> block brute-force attempts.
>
> Derek G.
>
> > On Wednesday 02 July 2008 11:38:37 Paul A wrote:
> >> Hi, I'm running a version of squirrelmail by nutsmail.com. I have tried
> >> versions 1.4.10a_NM-9.XPBlueSky and 1.4.13_NM-12.XP_BlueSky.
> >> What is happening is that foreign ips, especially Nigerian ips, are
> >> sending spam through squirrelmail.
> >>
> >> server versions:
> >>
> >> postfix mail_version = 2.2.10
> >> Server version: Apache/2.0.52
> >> PHP 4.3.9 (cgi) (built: Sep 20 2007 19:31:11
> >>
> >> At first I thought it was a vulnerable version that I was using but I
> >> have used several versions and the same thing happens. I was wondering
> >> if anyone here knew how these ips are relaying through my squirrelmail
> >> server, below are the logs that I have. Are the spammers using an
> >> authenticated username with a weak password, if so how can I determine
> >> the username they are using, I'm assuming the easiest way is to look at
> >> the queued mail.
> >>
> >> I'm just trying to figure out how I can fix this as it's becoming a big
> >> problem.
> >
> > Paul,
> >
> > We had the same problem here for a while off and on. We finally tracked
> > it to spammers running scripts with stolen or weak passwords and sending
> > a lot of mail through squirrelmail, one login/message at a time. We
> > installed a PHP Captcha and pretty much solved the problem.
> >
> > This may not have been the best solution, but it worked for us. I'd be
> > interested to see what other suggestions come up.
> >
> > Rob Wright
> > debianrob@xxxxxxxxxxxxx
> >
> > -------------------------------------------------------------------------
> > Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
> > Studies have shown that voting for your favorite open source project,
> > along with a healthy diet, reduces your potential for chronic lameness
> > and boredom. Vote Now at http://www.sourceforge.net/community/cca08
> > -----
> > squirrelmail-users mailing list
> > Posting guidelines: http://squirrelmail.org/postingguidelines
> > List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
> > List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> > List info (subscribe/unsubscribe/change options):
> > https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
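
A log check for the pattern discussed in this thread (scripted traffic sending mail through SquirrelMail "one login/message at a time", here from a "Crazy Browser" user-agent), as an added example that is not from any of the posters: it tallies POSTs to SquirrelMail's login (`redirect.php`) and send (`compose.php`) pages per client IP and user-agent in an Apache combined-format access log. The `/webmail/` path prefix, the threshold of 3, the user-agent strings and every sample log line are constructed assumptions.

```shell
#!/bin/sh
# Tally SquirrelMail login (redirect.php) and send (compose.php) POSTs per
# client IP and User-Agent in an Apache "combined" access log.
# Output columns (tab-separated): total, logins, sends, client IP, User-Agent.
webmail_senders() {          # usage: webmail_senders LOGFILE [MIN_POSTS]
    awk -F'"' -v min="${2:-3}" '
        # Split on double quotes: $1 = ip, ident, user, time; $2 = request; $6 = User-Agent
        $2 ~ /^POST [^ ]*\/src\/(redirect|compose)\.php/ {
            split($1, pre, " ")                 # pre[1] is the client IP
            split($2, req, " ")                 # req[2] is the request path
            page = (req[2] ~ /compose\.php/) ? "send" : "login"
            key = pre[1] "\t" $6
            n[key]++; c[key, page]++
        }
        END {
            for (k in n) if (n[k] >= min)
                printf "%d\t%d\t%d\t%s\n", n[k], c[k, "login"], c[k, "send"], k
        }' "$1" | sort -t "$(printf '\t')" -k1,1nr   # busiest client first
}

# Constructed sample log (documentation IP ranges), written to a temp file.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
198.51.100.7 - - [02/Jul/2008:11:01:02 -0400] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Crazy Browser 2.0.1)"
198.51.100.7 - - [02/Jul/2008:11:01:04 -0400] "POST /webmail/src/compose.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Crazy Browser 2.0.1)"
198.51.100.7 - - [02/Jul/2008:11:01:09 -0400] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Crazy Browser 2.0.1)"
198.51.100.7 - - [02/Jul/2008:11:01:11 -0400] "POST /webmail/src/compose.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Crazy Browser 2.0.1)"
198.51.100.7 - - [02/Jul/2008:11:01:15 -0400] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Crazy Browser 2.0.1)"
198.51.100.7 - - [02/Jul/2008:11:01:17 -0400] "POST /webmail/src/compose.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Crazy Browser 2.0.1)"
203.0.113.20 - - [02/Jul/2008:11:05:00 -0400] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0"
203.0.113.20 - - [02/Jul/2008:11:09:30 -0400] "POST /webmail/src/compose.php HTTP/1.1" 200 734 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0"
203.0.113.20 - - [02/Jul/2008:11:09:31 -0400] "GET /webmail/src/right_main.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0"
EOF
    echo "$f"
}

# Stand-alone run over the constructed sample.
f=$(sample_log); webmail_senders "$f"; rm -f "$f"
```

On a real server, point `webmail_senders` at the Apache access log for the webmail vhost and adjust the path pattern to wherever SquirrelMail is installed.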