Re: plugins

On Jul 17, 2009, at 9:23 AM, Gary Coleman wrote:

> Is there a squirrelmail tool that will help me administer our frequent
> compromised squirrelmail user accounts?

You could use the Squirrelmail_logger plugin to notify you when these  
accounts send out a mass mail. The people doing this typically send  
out to several hundred recipients at a time.

> I am finding a lot of accounts that get their signature changed so  
> as to
> contain the body of the spam.

These users were likely conned into providing their usernames and  
passwords. You can probably find that in their Sent mail sometime in  
the last few months. K12 and Higher Ed have been seeing this kind of  
behavior for the past couple of years. The phishing e-mails are highly  
targeted, often claiming to be your support or helpdesk saying that  
due to 'account compromises' or 'system maintenance', the account  
holder must confirm their username and password or it will be closed.  
The perpetrators seem to target systems using Squirrelmail because
it's something they're familiar with and the ability to change
reply-to and .sig are usually permitted.

> I am also looking for a method to identify the compromised account:

You could do some simple find/greps for --
	- .sig's that are unusually large. Most are typically under 300 bytes; anything larger than that should be a red flag; adjust as necessary for your type of users.
	- .sig's with specific keywords that you determine from the spam being sent out.
	- .prefs with a reply-to set that is outside our domain

You could also -
	- don't allow changing of reply-to (Don't allow editing of Identity in conf.pl). Less incentive for them to (ab)use your systems.
	- Install better software on the incoming server to catch the phishing attempts. Julian Hein (of MailScanner fame), provides a dynamic list and ruleset for Spamassassin for these. http://www.jules.fm/Logbook/files/anti-spear-phishing.html
	  Google for 'anti spear phishing' for others.
	- Install software on your outgoing mail server to catch the responses to the phishing attempts. I've heard good things about Kochi on the spam-l and hied-emailadmin lists -- http://oss.lboro.ac.uk/kochi1.html
	- Educate your users that you will never ask for their password by e-mail.

Good Luck!

--
Marc
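
The three find/grep checks suggested in the reply above, written out as an added example (not part of the original message and not SquirrelMail's own tooling). It assumes file-backed preferences stored as `<user>.pref` with `reply_to=` lines and signatures as `<user>.sig` / `<user>.siN`; the function names, the `example.edu` domain and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Assumed layout (not from the original message): one data directory holding
# <user>.pref (key=value lines) and <user>.sig / <user>.siN signature files.

# large_sigs DIR [MAX_BYTES]: signature files larger than MAX_BYTES (default 300).
large_sigs() {
    find "$1" -type f \( -name '*.sig' -o -name '*.si[0-9]*' \) -size +"${2:-300}"c | sort
}

# keyword_sigs DIR KEYWORD_FILE: signatures containing any keyword (one per line).
keyword_sigs() {
    find "$1" -type f \( -name '*.sig' -o -name '*.si[0-9]*' \) \
        -exec grep -l -i -F -f "$2" {} + | sort
}

# foreign_reply_to DIR DOMAIN: non-empty reply-to values outside DOMAIN.
# /dev/null forces grep to prefix each hit with its file name.
foreign_reply_to() {
    dom=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -i -E '^reply_to[0-9]*=.+' "$1"/*.pref /dev/null 2>/dev/null |
        grep -v -i -E "@${dom}[> ]*\$" | sort
}

# make_sample DIR: constructed sample data (not real accounts) for a dry run.
make_sample() {
    mkdir -p "$1"
    printf 'full_name=Alice\nreply_to=alice@example.edu\n' > "$1/alice.pref"
    printf '%s\n' '-- ' 'Alice, Room 12' > "$1/alice.sig"
    printf 'full_name=Bob\nreply_to=claims@mail.example.net\n' > "$1/bob.pref"
    awk 'BEGIN { for (i = 0; i < 40; i++) print "You have WON the lottery, reply now" }' > "$1/bob.sig"
    printf 'full_name=Carol\nreply_to=\n' > "$1/carol.pref"
    printf 'lottery\nwon the\n' > "$1/keywords.txt"
}

# Dry run against the constructed sample; point the functions at the real
# data directory and your own domain and keyword file in production.
d=$(mktemp -d)
make_sample "$d/data"
large_sigs "$d/data"
keyword_sigs "$d/data" "$d/data/keywords.txt"
foreign_reply_to "$d/data" example.edu
rm -rf "$d"
```

An account that shows up in more than one of the three lists is the strongest candidate for a password reset and a review of its Sent folder.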

