Re: Spam Through SM?

On Wed, Jul 16, 2008 at 7:46 AM, Rob Wright <debianrob@xxxxxxxxxxxxx> wrote:
> Greetings,
>
> I know this topic has been beaten to death but I'm asking for a review of some
> spam complaints we've received from AOL. We got a slew of these last Summer,
> installed the CAPTCHA plugin and killed them dead. Now we're getting them
> again and I just want to be sure that I'm reading right and that these are
> coming from our Squirrelmail install via stolen or phished passwords. We had
> a run of phishing attempts last week, now this week we're getting spam
> complaints, I'm sure the two are related.
>
> So before I start freaking out thinking something worse has happened than has,
> can I get someone to just double check this for me? They look like they are
> indeed coming off my server, but I'd appreciate a more critical eye looking
> at them. I read the security note on squirrelmail.org about SquirrelMail
> spam, and while there are some definite similarities, the differences (mainly
> that the server information is accurate) kind of throws me off.

The received information shows that the AOL server got the mail from
yours.  The IP address is accurate, so it does look like you are
correct.  That information is not likely forged.

> Should I also do something about our CAPTCHA plugin? Even if the passwords
> were stolen, I'd have thought the CAPTCHA might have prevented any automated
> usage of the SM.

CAPTCHAs are not foolproof.  They are hackable, some more than others.
You can try changing the mechanism you've chosen.  But you should
also consider using the Lockout plugin to help eliminate password
guessing attacks, and the Restrict Senders plugin to catch accounts
that have already been compromised and are being used to send spam.
That plugin can lock down such accounts based on thresholds you define
in its configuration file.  You can also monitor such problems and do
extensive logging of events like sent messages and logins/logouts
using the Squirrel Logger plugin.

> Headers from AOL feedback loop below my signature. I'm using SquirrelMail
> 1.5.1 on Debian Etch.
>
> Thank you so very much,
>
> Rob Wright
> poncacity.net
> debianrob@xxxxxxxxxxxxx
>
> Headers from email reported by AOL:
> ----------------------------------------
> Return-Path: <jute_okpe2005@xxxxxxxx>
>  Received: from rly-me04.mx.aol.com (rly-me04.mail.aol.com [172.20.83.38]) by
> air-me05.mail.aol.com (v121.5) with ESMTP id MAILINME053-9b1487d1136163; Tue,
> 15 Jul 2008 17:06:29 -0400
>  Received: from mail.poncacity.net (mail.poncacity.net [70.254.229.3]) by
> rly-me04.mx.aol.com (v121.5) with ESMTP id MAILRELAYINME045-9b1487d1136163;
> Tue, 15 Jul 2008 17:05:58 -0400
>  Received: (qmail 16150 invoked by uid 33); 15 Jul 2008 21:05:58 -0000
>  Cc:
>  Received: from 41.219.128.202
>         (SquirrelMail authenticated user djv@xxxxxxxxxxxxx)
>         by mail.poncacity.net with HTTP;
>         Tue, 15 Jul 2008 16:05:58 -0500 (CDT)
>  Message-ID: <1218.41.219.128.202.1216155958.squirrel@xxxxxxxxxxxxxxxxxx>
>  Date: Tue, 15 Jul 2008 16:05:58 -0500 (CDT)
>  Subject: From Brother Jute
>  From: "Jute Okpe" <jute_okpe2005@xxxxxxxx>
>  Reply-To: jute_okpe2005@xxxxxxxx
>  User-Agent: SquirrelMail/1.5.1
>  MIME-Version: 1.0
>  Content-Type: text/plain;charset=iso-8859-1
>  Content-Transfer-Encoding: 8bit
>  X-AOL-IP: 70.254.229.3
>  X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo : +
>  X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from : n
>  X-Mailer: Unknown (No Version)
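
The header check discussed in this thread, as an added example that is not part of the original messages: it walks the Received chain, confirms the handoff to the complaining provider came from the server's own IP, and only then reports the SquirrelMail account and client address. The function name, the sample headers, and the example.* hosts and documentation IPs are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample shaped like the complaint headers in this thread
# (documentation IP ranges and example.* names are placeholders).
SAMPLE = """\
Return-Path: <sender@example.org>
Received: from rly.example.com (rly.example.com [203.0.113.9]) by
 air.example.com with ESMTP id ABC123; Tue, 15 Jul 2008 17:06:29 -0400
Received: from mail.example.net (mail.example.net [192.0.2.3]) by
 rly.example.com with ESMTP id DEF456; Tue, 15 Jul 2008 17:05:58 -0400
Received: (qmail 16150 invoked by uid 33); 15 Jul 2008 21:05:58 -0000
Received: from 198.51.100.202
        (SquirrelMail authenticated user alice@example.net)
        by mail.example.net with HTTP;
        Tue, 15 Jul 2008 16:05:58 -0500 (CDT)
Subject: constructed sample
User-Agent: SquirrelMail/1.5.1

body
"""

# Hop written by an MTA: "from HELO (rdns [ip]) by receiver"
MTA_HOP = re.compile(r"from \S+ \(\S+ \[([0-9A-Fa-f.:]+)\]\) by (\S+)")
# Hop written by SquirrelMail: "from client-ip (SquirrelMail authenticated user X) by host with HTTP"
SM_HOP = re.compile(r"from (\S+) \(SquirrelMail authenticated user ([^)\s]+)\) by (\S+) with HTTP")

def trace_origin(raw, my_host, my_ip):
    """Walk the Received chain top-down (newest first) and report which
    webmail account submitted the message, if it really left my server."""
    hops = [" ".join(h.split()) for h in message_from_string(raw).get_all("Received", [])]
    out = {"via_my_server": False, "webmail_user": None, "client_ip": None}
    for hop in hops:
        mta = MTA_HOP.search(hop)
        # The bracketed IP is recorded by the receiving provider from the TCP
        # connection, so it is the part of the chain to trust.
        if mta and mta.group(1) == my_ip and mta.group(2) != my_host:
            out["via_my_server"] = True
        sm = SM_HOP.search(hop)
        # Hops below the handoff are only meaningful once the handoff is
        # confirmed; otherwise they may have been supplied by the sender.
        if sm and out["via_my_server"] and sm.group(3) == my_host:
            out["client_ip"], out["webmail_user"] = sm.group(1), sm.group(2)
    return out

if __name__ == "__main__":
    print(trace_origin(SAMPLE, "mail.example.net", "192.0.2.3"))
```

Run over every complaint in a feedback loop, the returned webmail_user values show which accounts to reset and which client addresses to look for in the web server and login logs.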
