Hal Pollenz wrote:
| Here is what is probably happening (it happened to us last week)
| Spammers are sending very specific phishing emails, sample below.
| Stupid users are responding with their passwords.
| Lots of log checking and quick disabling of accounts is about all you
| can do
| assuming you do not have the power to terminate users for being this dumb
| ---- one sample -----
|
| ----------
|

One of the things I did to avoid dictionary attacks against weak passwords was to implement the minimum password security rules available with the Change SQL Password plugin. I then set a force change password to true for those accounts that did not meet the minimum security. Users who log in will get directed to the change password screen.

To be able to do this (without forcing everyone to change passwords) you need to have passwords stored in the database in plain text.

This does not help lock out already compromised accounts, but makes it harder for accounts to be compromised in the first place.

John

-----
squirrelmail-users mailing list
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
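
The forced-change step described above can also be applied at login time, when the submitted password is in hand, which goes beyond the case in the post by working against salted hashes. This is an added example, not code from the thread or from the Change SQL Password plugin; the `users` table, its columns, the policy rules and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import sqlite3

MIN_LENGTH = 8        # assumed policy value, not taken from the plugin
ITERATIONS = 100_000  # constructed sample value; tune for your hardware

def meets_policy(password):
    """Assumed minimum rules: length plus lower, upper and digit classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d")
    return len(password) >= MIN_LENGTH and all(re.search(c, password) for c in classes)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_demo_db():
    """Hypothetical users table holding constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB,"
               " pw_hash BLOB, force_change INTEGER DEFAULT 0)")
    for user, pw in (("alice", "password"), ("bob", "Tr1cky-Horse-Staple")):
        salt = os.urandom(16)
        db.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                   (user, salt, hash_password(pw, salt)))
    return db

def login(db, username, password):
    """Return 'denied', 'change_password' or 'ok'; flag weak passwords."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    # Hash even for unknown users so both failure paths cost the same.
    salt, stored = row if row else (b"\0" * 16, b"")
    candidate = hash_password(password, salt)
    if row is None or not hmac.compare_digest(stored, candidate):
        return "denied"
    if not meets_policy(password):
        # Correct but weak password: set the flag and route to the change screen.
        db.execute("UPDATE users SET force_change = 1 WHERE username = ?", (username,))
        return "change_password"
    return "ok"

def is_flagged(db, username):
    row = db.execute("SELECT force_change FROM users WHERE username = ?",
                     (username,)).fetchone()
    return bool(row and row[0])
```

Accounts are flagged only as their owners log in, so dormant accounts with weak passwords stay unflagged until then.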