On Jul 3, 2008, at 7:25 AM, Nabin Limbu wrote:

> - All exploited accounts preference were changed (Name, email, reply
>   address)
> - All exploited accounts were forced to use signature and multiple
>   signatures were full of spam messages with filename in this pattern
>   username.si1 username.si2 username.si3..... for same user.

This is what we saw as well. A find for large .sig files helped identify
the compromised accounts. In most cases we were able to discover the Sent
mail replying to the phishing attempt previously mentioned in this thread.

    cd /path/to/squirrel/data; find . -size +1000c -name '*.si*' -ls

example --

    83469 4 -rw------- 1 apache apache 2468 Jun 10 15:53 ./<redacted>/6/8/3/6/<redacted>.net.sig

    $ cat <redacted>.net.sig
    BMW GROUP PROMOTION
    PUBLIC RELATIONS DEPARTMENT,BMW Automobiles
    22 Garden Close, Stamford, Linc's, PE9 2YP,
    London United Kingdom
    10/ 06 / 2008

    Attention: Winner,

    This is to inform you that you have been selected for a cash prize of
    ? 850,000.00 (Eight hundred and fifty thousand Great British Pounds)
    from the BMW e-LOTTERY BONANZA International programs held on Thursday
    the 9th Of JUNE 2008, in London United Kingdom.
    ...

--
Marc

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
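The check described in the message above, extended into a per-account report, as an added example that is not part of the original post: it lists every account that has a signature file over a size threshold or more than one signature file (`.sig`, `.si1`, `.si2`, ...). The function name `flag_sig_accounts`, the 1000-byte default and the sample tree are assumptions; accounts with several legitimate identities will also be listed and need manual review.

```shell
#!/bin/sh
# Added example, not from the original thread.
# flag_sig_accounts DATA_DIR [MIN_BYTES]
# Prints one line per account to review:
#   <account> files=<count> max_bytes=<largest signature file>
flag_sig_accounts() {
    data_dir=$1
    min_bytes=${2:-1000}   # assumed default, mirrors "find -size +1000c"

    # Collect "<account><TAB><size>" for every signature file in the tree.
    find "$data_dir" -type f \( -name '*.sig' -o -name '*.si[0-9]*' \) |
    while IFS= read -r f; do
        size=$(wc -c < "$f")
        base=${f##*/}                            # strip directories
        printf '%s\t%s\n' "${base%.*}" "$size"   # strip .sig / .siN
    done |
    # Aggregate per account; "+ 0" also drops padding some wc builds emit.
    awk -F '\t' -v min="$min_bytes" '
        { n[$1]++; if ($2 + 0 > max[$1]) max[$1] = $2 + 0 }
        END {
            for (a in n)
                if (max[a] > min || n[a] > 1)
                    printf "%s files=%d max_bytes=%d\n", a, n[a], max[a]
        }' | sort
}

# Constructed sample tree (not real data): alice has a normal two-line
# signature, bob has a 2468-byte signature plus a numbered one.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/a" "$demo_dir/b"
printf 'Regards,\nAlice\n' > "$demo_dir/a/alice@example.net.sig"
awk 'BEGIN { for (i = 0; i < 2468; i++) printf "x" }' \
    > "$demo_dir/b/bob@example.net.sig"
printf 'short\n' > "$demo_dir/b/bob@example.net.si1"

flag_sig_accounts "$demo_dir"
```

Point the function at the SquirrelMail data directory instead of the sample tree; matching accounts are candidates for the preference and Sent-mail review described in the thread.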