> Hi, I'm running a version of SquirrelMail by nutsmail.com. I have tried
> versions 1.4.10a_NM-9.XPBlueSky and 1.4.13_NM-12.XP_BlueSky.
>
> What is happening is that foreign IPs, especially Nigerian IPs, are sending
> spam through SquirrelMail.
>
> Server versions:
>
> postfix mail_version = 2.2.10
> Server version: Apache/2.0.52
> PHP 4.3.9 (cgi) (built: Sep 20 2007 19:31:11
>
> At first I thought it was a vulnerable version that I was using, but I have used
> several versions and the same thing happens. I was wondering if anyone here
> knew how these IPs are relaying through my SquirrelMail server; below are
> the logs that I have. Are the spammers using an authenticated username with a
> weak password? If so, how can I determine the username they are using? I'm
> assuming the easiest way is to look at the queued mail.
>
> I'm just trying to figure out how I can fix this as it's becoming a big
> problem.
>
> Postfix log:
>
> Jul 2 02:08:58 bigtime postfix/smtpd[21079]: B8FBD1975D2: client=xxx.net[127.0.0.1]
> Jul 2 02:08:59 bigtime postfix/cleanup[21026]: B8FBD1975D2: message-id=<1714.41.219.221.53.1214978939.squirrel@xxxxxxx>

There should be an associated line like:

Jul 02 02:09:01 mail postfix/qmgr[21695]: B8FBD1975D2: from=<spammer@xxxxxxxxxxx>, size=958, nrcpt=1 (queue active)

The from address here is not necessarily believable if you have allowed users to change their outgoing address, but it gives you a start, and you can turn it off as I explain below.

Additionally, most IMAP servers should be able to log user activity to the maillog. This would place information about who is logged in at the time of these sends.

> Access log:
>
> 41.219.221.53 - - [02/Jul/2008:01:43:25 -0400] "GET /index.html/src/webmail.php HTTP/1.1" 200 1506 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"

It does appear that someone has simply determined the password to one of your accounts and is logging into SquirrelMail to send spam.
You might think about turning off the users' ability to change their outgoing email address and make sure that the message header that adds the username is enabled in the configuration (use the configuration script, option 4 then option 9, and answer n, then n, then n; or open config/config.php and change $edit_identity, $edit_name and $hide_auth_header to false). However, if the spammer has already changed the outgoing username, it might just be easier to install the Squirrel Logger plugin so you can monitor who is logging in and sending emails. That plugin will put everything you need into your logs.

Alternatively, you can install the Restrict Senders plugin, which will place limits on how much mail any user can send at once. Doing this in the MTA is an even better thing, but it's a quick and easy solution (that ONLY limits mail sent thru SM). It can also be configured to send you a warning email with username information when too much mail is sent in a given period of time so you can identify the account that was hacked - it will also disable the account for you.

When you figure out the compromised account, change its password and chances are your problem will go away.

To prevent password guessing attacks on SM, you can also install the Lockout and/or CAPTCHA plugins.
> 41.219.221.53 - - [02/Jul/2008:01:43:28 -0400] "GET /index.html/themes/css/XP_BlueSky.css HTTP/1.1" 200 12030 "http://webmail.meganet.net/index.html/src/webmail.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
> 41.219.221.53 - - [02/Jul/2008:01:43:33 -0400] "GET /index.html/skins/XP_BlueSky/xpblue_back.gif HTTP/1.1" 200 603 "http://webmail.meganet.net/index.html/src/webmail.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
> 41.219.221.53 - - [02/Jul/2008:01:44:13 -0400] "GET /index.html/src/login.php HTTP/1.1" 200 4872 "http://webmail.meganet.net/index.html/src/webmail.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
> 41.219.221.53 - - [02/Jul/2008:01:44:17 -0400] "GET /index.html/themes/css/none.css HTTP/1.1" 404 313 "http://webmail.meganet.net/index.html/src/login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
> 41.219.221.53 - - [02/Jul/2008:01:44:19 -0400] "GET /index.html/images/bg.png HTTP/1.1" 200 8858 "http://webmail.meganet.net/index.html/src/login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
> 41.219.221.53 - - [02/Jul/2008:01:44:19 -0400] "GET /index.html/skins/XP_BlueSky/logo.jpg HTTP/1.1" 200 11778 "http://webmail.meganet.net/index.html/src/login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
> 41.219.221.53 - - [02/Jul/2008:01:45:03 -0400] "POST /index.html/src/redirect.php HTTP/1.1" 302 - "http://webmail.meganet.net/index.html/src/login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
> 41.219.221.53 - - [02/Jul/2008:02:10:39 -0400] "POST /index.html/src/compose.php HTTP/1.1" 302 - "http://webmail.meganet.net/index.html/src/compose.php?mail_sent=yes" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
> 41.219.221.53 - - [02/Jul/2008:02:11:07 -0400] "POST /index.html/src/compose.php HTTP/1.1" 302 - "http://webmail.meganet.net/index.html/src/compose.php?mail_sent=yes" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
> 41.219.221.53 - - [02/Jul/2008:02:11:23 -0400] "GET /index.html/src/compose.php?mail_sent=yes HTTP/1.1" 200 72049 "http://webmail.meganet.net/index.html/src/compose.php?mail_sent=yes" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
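The log correlation the reply describes (join the cleanup and qmgr lines on the Postfix queue id, then count what each webmail client sent), as an added example that is neither code from this thread nor part of SquirrelMail or the plugins mentioned. It assumes the message-id layout visible in the quoted cleanup line, port.client-ip.epoch.squirrel@host, holds for every message the webmail injects; the log lines, hosts and addresses below are constructed from the quoted ones.

```python
import re
from collections import defaultdict

# Constructed sample log modelled on the lines quoted in the thread; the
# first two messages come from the webmail client at 41.219.221.53, the third
# from an ordinary user at a different address.
POSTFIX_LOG = """\
Jul  2 02:08:59 bigtime postfix/cleanup[21026]: B8FBD1975D2: message-id=<1714.41.219.221.53.1214978939.squirrel@webmail.example>
Jul  2 02:09:01 bigtime postfix/qmgr[21695]: B8FBD1975D2: from=<spammer@example.net>, size=958, nrcpt=1 (queue active)
Jul  2 02:11:07 bigtime postfix/cleanup[21026]: C1A2B1975D3: message-id=<1714.41.219.221.53.1214979067.squirrel@webmail.example>
Jul  2 02:11:08 bigtime postfix/qmgr[21695]: C1A2B1975D3: from=<spammer@example.net>, size=1201, nrcpt=40 (queue active)
Jul  2 09:30:02 bigtime postfix/cleanup[21026]: D9E8F1975D4: message-id=<2201.192.0.2.10.1215005402.squirrel@webmail.example>
Jul  2 09:30:03 bigtime postfix/qmgr[21695]: D9E8F1975D4: from=<alice@example.net>, size=700, nrcpt=1 (queue active)
"""

QUEUE_RE = re.compile(r'postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$')
# Assumed message-id layout <port.client-ip.epoch.squirrel@host>, as in the quoted
# cleanup line. The client IP is written by the webmail server from the HTTP
# connection, so unlike the From address it is not something the user edits.
MSGID_RE = re.compile(r'message-id=<\d+\.(\d{1,3}(?:\.\d{1,3}){3})\.(\d+)\.squirrel@')
FROM_RE = re.compile(r'from=<([^>]*)>.*nrcpt=(\d+)')

def correlate(log_text):
    """Join cleanup/qmgr lines on queue id; keep only messages injected via webmail."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        proc, qid, rest = m.groups()
        if proc == 'cleanup':
            mid = MSGID_RE.search(rest)
            if mid:  # non-webmail messages have no squirrel message-id and are skipped
                msgs[qid].update(ip=mid.group(1), epoch=int(mid.group(2)))
        elif proc == 'qmgr':
            f = FROM_RE.search(rest)
            if f:
                msgs[qid].update(sender=f.group(1), nrcpt=int(f.group(2)))
    return {q: d for q, d in msgs.items() if 'ip' in d and 'sender' in d}

def flag_suspicious(log_text, max_rcpt=20):
    """Client IPs whose webmail sends exceed max_rcpt recipients: (ip, senders, total, queue ids)."""
    per_ip = defaultdict(lambda: {'senders': set(), 'total': 0, 'qids': []})
    for qid, d in correlate(log_text).items():
        ent = per_ip[d['ip']]
        ent['senders'].add(d['sender'])  # the From address, editable unless $edit_identity is off
        ent['total'] += d['nrcpt']
        ent['qids'].append(qid)
    return [(ip, sorted(e['senders']), e['total'], e['qids'])
            for ip, e in per_ip.items() if e['total'] > max_rcpt]
```

The queue ids returned are what you would look up in the mail queue or match against the IMAP login log to name the account; the From addresses are only a hint for the reason the reply gives.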