Re: squirrelmail used for spam


 



Title: squirrelmail used for spam
Here is what is probably happening (it happened to us last week).
Spammers are sending very specific phishing emails, sample below.
Stupid users are responding with their passwords.
Lots of log checking and quick disabling of accounts is about all you can do,
assuming you do not have the power to terminate users for being this dumb.
---- one sample -----
----------

>Date: Tue, 01 Jul 2008 19:46:15 +0100 (BST)
>From: JTSA HELP DESK <helpdesk@xxxxxxxx>
>Subject: ******Verify Your Email Account******
>To: undisclosed-recipients: ;
>Reply-to: hdeskcenter2008@xxxxxxxxx
>X-MIME-Autoconverted: from 8bit to 7bit by courier 0.47
>User-Agent: SquirrelMail/1.4.8
>X-PMAS-Software: PreciseMail V2.4-2 [080701] (alpha2.jtsa.edu)
>
>
>
>
>Dear jtsa.edu Webmail User,
>
>To complete your jtsa.edu webmail account, you must reply to this email
>immediately and enter the following informations below:
>
>Username:
>Password:
>
>Failure to do this will immediately render your email address deactivated
>from our database.
>
>You can also confirm your email address by logging into your jtsa.edu
>webmailaccount at https://webmail.jtsa.edu
>
>We apologise for any inconveniences, but trust you understand that our
>primary concern is for our customers to be totally secure.
>
>
>Thank you for using jtsa.edu!
>THE DESK.





Paul A wrote:

Hi, I'm running a version of squirrelmail by nutsmail.com. I have tried versions 1.4.10a_NM-9.XPBlueSky and 1.4.13_NM-12.XP_BlueSky.

What is happening is that foreign IPs, especially Nigerian IPs, are sending spam through squirrelmail.

server versions:

postfix mail_version = 2.2.10

Server version: Apache/2.0.52

PHP 4.3.9 (cgi) (built: Sep 20 2007 19:31:11

At first I thought it was a vulnerable version that I was using, but I have used several versions and the same thing happens. I was wondering if anyone here knew how these IPs are relaying through my squirrelmail server; below are the logs that I have. Are the spammers using an authenticated username with a weak password? If so, how can I determine the username they are using? I'm assuming the easiest way is to look at the queued mail.

I'm just trying to figure out how I can fix this as it's becoming a big problem.

 Postfix log:

Jul  2 02:08:58 bigtime postfix/smtpd[21079]: B8FBD1975D2: client=xxx.net[127.0.0.1]

Jul  2 02:08:59 bigtime postfix/cleanup[21026]: B8FBD1975D2: message-id=<1714.41.219.221.53.1214978939.squirrel@xxx.net>

access log:

41.219.221.53 - - [02/Jul/2008:01:43:25 -0400] "GET /index.html/src/webmail.php HTTP/1.1" 200 1506 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"

41.219.221.53 - - [02/Jul/2008:01:43:28 -0400] "GET /index.html/themes/css/XP_BlueSky.css HTTP/1.1" 200 12030 "http://webmail.meganet.net/index.html/src/webmail.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"

41.219.221.53 - - [02/Jul/2008:01:43:33 -0400] "GET /index.html/skins/XP_BlueSky/xpblue_back.gif HTTP/1.1" 200 603 "http://webmail.meganet.net/index.html/src/webmail.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"

41.219.221.53 - - [02/Jul/2008:01:44:13 -0400] "GET /index.html/src/login.php HTTP/1.1" 200 4872 "http://webmail.meganet.net/index.html/src/webmail.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"

41.219.221.53 - - [02/Jul/2008:01:44:17 -0400] "GET /index.html/themes/css/none.css HTTP/1.1" 404 313 "http://webmail.meganet.net/index.html/src/login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"

41.219.221.53 - - [02/Jul/2008:01:44:19 -0400] "GET /index.html/images/bg.png HTTP/1.1" 200 8858 "http://webmail.meganet.net/index.html/src/login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"

41.219.221.53 - - [02/Jul/2008:01:44:19 -0400] "GET /index.html/skins/XP_BlueSky/logo.jpg HTTP/1.1" 200 11778 "http://webmail.meganet.net/index.html/src/login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"

41.219.221.53 - - [02/Jul/2008:01:45:03 -0400] "POST /index.html/src/redirect.php HTTP/1.1" 302 - "http://webmail.meganet.net/index.html/src/login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"

41.219.221.53 - - [02/Jul/2008:02:10:39 -0400] "POST /index.html/src/compose.php HTTP/1.1" 302 - "http://webmail.meganet.net/index.html/src/compose.php?mail_sent=yes" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"

41.219.221.53 - - [02/Jul/2008:02:11:07 -0400] "POST /index.html/src/compose.php HTTP/1.1" 302 - "http://webmail.meganet.net/index.html/src/compose.php?mail_sent=yes" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"

41.219.221.53 - - [02/Jul/2008:02:11:23 -0400] "GET /index.html/src/compose.php?mail_sent=yes HTTP/1.1" 200 72049 "http://webmail.meganet.net/index.html/src/compose.php?mail_sent=yes" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"

Thanks,

 

----------------------------------------------------

Paulo Amaral

MegaNet Communications

P: 508 646 0030

-----------------------------------------------------
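The two logs Paulo posted can be joined without knowing the account name: the Message-ID that SquirrelMail 1.4 puts on outgoing mail embeds the remote client's IP and the Unix time of submission (the sample in the thread, <1714.41.219.221.53.1214978939.squirrel@xxx.net>, shows 41.219.221.53 and a timestamp that decodes to 02:08:59 -0400, the same second as the Postfix line), so the Postfix cleanup log alone names the sending IP, and the Apache access log confirms each submission as a POST to compose.php from that IP a second earlier. The script below is an added example, not code from the thread or from SquirrelMail; it correlates the two logs, counts submissions per client IP and flags bursts. The log lines, hostnames and the /webmail/ path are constructed for the example; only the abusing IP is taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# SquirrelMail 1.4 Message-IDs carry the remote client's IP and the Unix time of
# submission: <number.client_ip.unixtime.squirrel@host>. The thread's own sample,
# <1714.41.219.221.53.1214978939.squirrel@xxx.net>, has exactly that layout.
SQUIRREL_MSGID = re.compile(
    r"message-id=<\d+\.(\d{1,3}(?:\.\d{1,3}){3})\.(\d{9,10})\.squirrel@")
# Apache combined log: ip ident user [time] "METHOD path proto" status ...
ACCESS_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) [^"]*" (\d{3})')
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample logs (hostnames, queue IDs and 192.0.2.10 are examples).
POSTFIX_LOG = """\
Jul  2 01:32:11 bigtime postfix/cleanup[21001]: 1A2B3C4D5E6: message-id=<4321.192.0.2.10.1214976731.squirrel@webmail.example.net>
Jul  2 02:08:59 bigtime postfix/cleanup[21026]: B8FBD1975D2: message-id=<1714.41.219.221.53.1214978939.squirrel@webmail.example.net>
Jul  2 02:10:40 bigtime postfix/cleanup[21026]: C9A0B1C2D3E: message-id=<1730.41.219.221.53.1214979040.squirrel@webmail.example.net>
Jul  2 02:11:08 bigtime postfix/cleanup[21030]: D0E1F2A3B4C: message-id=<1733.41.219.221.53.1214979068.squirrel@webmail.example.net>
Jul  2 02:12:31 bigtime postfix/cleanup[21030]: E1F2A3B4C5D: message-id=<1741.41.219.221.53.1214979151.squirrel@webmail.example.net>
Jul  2 02:13:03 bigtime postfix/cleanup[21031]: F2A3B4C5D6E: message-id=<1745.41.219.221.53.1214979183.squirrel@webmail.example.net>
Jul  2 02:13:46 bigtime postfix/cleanup[21031]: A3B4C5D6E7F: message-id=<1752.41.219.221.53.1214979226.squirrel@webmail.example.net>
Jul  2 02:15:00 bigtime postfix/cleanup[21040]: B4C5D6E7F8A: message-id=<20080702061500.GA1234@desktop.example.net>
""".splitlines()

UA = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
ACCESS_LOG = [
    '192.0.2.10 - - [02/Jul/2008:01:30:00 -0400] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "-" ' + UA,
    '192.0.2.10 - - [02/Jul/2008:01:32:10 -0400] "POST /webmail/src/compose.php HTTP/1.1" 302 - "-" ' + UA,
    '41.219.221.53 - - [02/Jul/2008:01:44:13 -0400] "GET /webmail/src/login.php HTTP/1.1" 200 4872 "-" ' + UA,
    '41.219.221.53 - - [02/Jul/2008:01:45:03 -0400] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "-" ' + UA,
] + [
    '41.219.221.53 - - [02/Jul/2008:%s -0400] "POST /webmail/src/compose.php HTTP/1.1" 302 - "-" ' % t + UA
    for t in ("02:08:58", "02:10:39", "02:11:07", "02:12:30", "02:13:02", "02:13:45")
]


def parse_postfix(lines):
    """(client_ip, unix_ts) for every cleanup line with a SquirrelMail Message-ID."""
    return [(m.group(1), int(m.group(2)))
            for m in map(SQUIRREL_MSGID.search, lines) if m]


def parse_access(lines):
    """ip -> [(unix_ts, method, path, status)] for lines in combined log format."""
    hits = defaultdict(list)
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m:
            ip, when, method, path, status = m.groups()
            ts = int(datetime.strptime(when, APACHE_TIME).timestamp())
            hits[ip].append((ts, method, path, int(status)))
    return hits


def max_in_window(timestamps, window_s):
    """Largest number of events inside any span of window_s seconds."""
    ts, best, j = sorted(timestamps), 0, 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > window_s:
            j += 1
        best = max(best, i - j + 1)
    return best


def find_abusers(postfix_lines, access_lines, max_msgs=5, window_s=600, slop_s=5):
    """Per client IP: messages submitted, worst burst, login POSTs, and how many
    submissions line up (within slop_s) with a compose.php POST from that IP."""
    sends = defaultdict(list)
    for ip, ts in parse_postfix(postfix_lines):
        sends[ip].append(ts)
    access = parse_access(access_lines)
    report = {}
    for ip, stamps in sends.items():
        posts = [(t, p) for t, m, p, _ in access.get(ip, []) if m == "POST"]
        composes = [t for t, p in posts if p.endswith("/src/compose.php")]
        logins = sum(1 for _, p in posts if p.endswith("/src/redirect.php"))
        matched = sum(1 for t in stamps if any(abs(t - c) <= slop_s for c in composes))
        burst = max_in_window(stamps, window_s)
        report[ip] = {"messages": len(stamps), "burst": burst, "login_posts": logins,
                      "matched_to_compose": matched, "suspicious": burst >= max_msgs}
    return report


if __name__ == "__main__":
    for ip, info in sorted(find_abusers(POSTFIX_LOG, ACCESS_LOG).items(),
                           key=lambda kv: -kv[1]["messages"]):
        print(f"{ip:16} {'SUSPICIOUS' if info['suspicious'] else 'ok':10} {info}")
```

Neither log names the account: the smtpd line shows client=[127.0.0.1] with no sasl_username, because SquirrelMail hands mail to Postfix locally. Once the IP and second are known, the account comes from the IMAP server's login log for that second (SquirrelMail logs in to IMAP from the web server on the user's behalf) or from the queued message itself (postcat -q B8FBD1975D2 on the queue ID in the cleanup line), which is the route Paulo guessed at.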
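The phish quoted at the top of the thread has the usual tells: a Reply-To in a different domain from the claimed help-desk sender, an undisclosed-recipients To: line, a blank "Password:" line to fill in, and a deactivation threat for urgency. The following is an added example, not part of the thread, of scoring inbound mail on exactly those signals; the sample message is a constructed stand-in for the quoted phish (example.edu and example.net replace the redacted domains), and the heuristic names and the threshold of two are this example's own choices.

```python
import email
import re
from email.utils import parseaddr

# Constructed stand-in for the phish quoted in the thread; example.edu and
# example.net replace the redacted domains, the wording mirrors the original.
PHISH_SAMPLE = """\
Date: Tue, 01 Jul 2008 19:46:15 +0100 (BST)
From: HELP DESK <helpdesk@example.edu>
Subject: ******Verify Your Email Account******
To: undisclosed-recipients: ;
Reply-To: hdeskcenter2008@example.net
User-Agent: SquirrelMail/1.4.8

Dear example.edu Webmail User,

To complete your example.edu webmail account, you must reply to this email
immediately and enter the following information below:

Username:
Password:

Failure to do this will immediately render your email address deactivated
from our database.
"""

# Constructed ordinary message for comparison.
BENIGN_SAMPLE = """\
From: Alice <alice@example.edu>
To: bob@example.edu
Subject: lunch

Still on for noon?
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def body_text(msg):
    """Concatenated text/plain bodies of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phish_reasons(raw_message):
    """Return the list of heuristics the message trips (empty means clean)."""
    msg = email.message_from_string(raw_message)
    reasons = []
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        reasons.append("reply-to-domain-mismatch")  # replies leave the claimed sender's domain
    if re.match(r"\s*undisclosed-recipients\s*:", msg.get("To", ""), re.I):
        reasons.append("undisclosed-recipients")    # bulk send hiding the recipient list
    body = body_text(msg)
    if re.search(r"^\s*password\s*:\s*$", body, re.I | re.M):
        reasons.append("asks-for-password")         # a blank 'Password:' line to fill in
    if re.search(r"\b(deactivat|suspend|terminat)\w*", body, re.I):
        reasons.append("deactivation-threat")       # urgency: the account will be closed
    return reasons


def is_phish(raw_message, threshold=2):
    """Two or more independent signals is this example's cut-off for phishing."""
    return len(phish_reasons(raw_message)) >= threshold


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, is_phish(sample), phish_reasons(sample))
```

Run as a milter or a procmail/sieve pre-filter this would quarantine the message before a user can answer it; the Reply-To mismatch alone is weak (mailing lists and ticket systems do it legitimately), which is why the example requires two signals.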


------------------------------------------------------------------------- Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW! Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08

----- squirrelmail-users mailing list Posting guidelines: http://squirrelmail.org/postingguidelines List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx List archives: http://news.gmane.org/gmane.mail.squirrelmail.user List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users