On 7/19/09, Marc Powell <marc@xxxxxxx> wrote:
>
> On Jul 17, 2009, at 9:23 AM, Gary Coleman wrote:
>
>> Is there a squirrelmail tool that will help me administer our frequently
>> compromised squirrelmail user accounts?
>
> You could use the Squirrel Logger plugin to notify you when these
> accounts send out a mass mail. The people doing this typically send
> out to several hundred recipients at a time.

Or the Restrict Sender plugin, which can also alert you for the same thing
but can also immediately block the user from sending any more email.

>> I am finding a lot of accounts that get their signature changed so as to
>> contain the body of the spam.
>
> These users were likely conned into providing their usernames and
> passwords. You can probably find that in their Sent mail sometime in
> the last few months. K12 and Higher Ed have been seeing this kind of
> behavior for the past couple of years. The phishing e-mails are highly
> targeted, often claiming to be your support or helpdesk saying that
> due to 'account compromises' or 'system maintenance', the account
> holder must confirm their username and password or it will be closed.
> The perpetrators seem to target systems using Squirrelmail because
> it's something they're familiar with and the ability to change reply-to
> and .sig are usually permitted.
>
>> I am also looking for a method to identify the compromised account:
>
> You could do some simple find/greps for --
> - .sigs that are unusually large. Most are typically under 300
>   bytes; anything larger than that should be a red flag; adjust as
>   necessary for your type of users.
> - .sigs with specific keywords that you determine from the spam
>   being sent out.
> - .prefs with a reply-to set that is outside our domain
>
> You could also -
> - don't allow changing of reply-to (Don't allow editing of Identity
>   in conf.pl). Less incentive for them to (ab)use your systems.
> - Install better software on the incoming server to catch the
>   phishing attempts. Julian Hein (of MailScanner fame) provides a
>   dynamic list and ruleset for Spamassassin for these.
>   http://www.jules.fm/Logbook/files/anti-spear-phishing.html
>   Google for 'anti spear phishing' for others.
> - Install software on your outgoing mail server to catch the
>   responses to the phishing attempts. I've heard good things about Kochi
>   on the spam-l and hied-emailadmin lists --
>   http://oss.lboro.ac.uk/kochi1.html
> - Educate your users that you will never ask for their password by
>   e-mail.

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donations.php

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
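The three find/grep checks Marc lists (oversize .sig files, signatures containing keywords lifted from the outgoing spam, and a reply-to pointing outside the local domain) as one POSIX shell script. This is an added example, not code from the thread or from the SquirrelMail project. It assumes SquirrelMail's file-based prefs layout: `<user>.pref` holding `key=value` lines with `reply_to` (and `reply_to1`, `reply_to2`, ... for extra identities), `<user>.sig` for the default identity's signature and `<user>.si1`, `<user>.si2`, ... for extra identities. The 300-byte threshold is Marc's; the domain `example.edu`, the keyword list and the three sample users are constructed for the example.

```shell
#!/bin/sh
# Added example (not SquirrelMail's own code): flag compromised-looking
# accounts in a SquirrelMail file-based prefs directory using the three
# signals from the thread. Assumed layout: $data_dir/<user>.pref holds
# key=value lines (reply_to=, reply_to1=, ...); $data_dir/<user>.sig is the
# default identity's signature, <user>.si1, <user>.si2 ... extra identities.
SIG_MAX_BYTES=${SIG_MAX_BYTES:-300}            # Marc's rule of thumb; tune for your users
OUR_DOMAIN=${OUR_DOMAIN:-example.edu}          # assumption: our mail domain
# Keywords you would harvest from the spam actually leaving your server;
# these three are constructed for the example.
SPAM_KEYWORDS=${SPAM_KEYWORDS:-'verify your account|click here|pharmacy'}

# Print "SIZE <file> <bytes>" for every signature file over the threshold.
flag_big_sigs() {
    dir=$1
    for f in "$dir"/*.sig "$dir"/*.si[0-9]*; do
        [ -f "$f" ] || continue
        bytes=$(wc -c < "$f" | tr -d ' ')
        if [ "$bytes" -gt "$SIG_MAX_BYTES" ]; then
            printf 'SIZE %s %s\n' "$(basename "$f")" "$bytes"
        fi
    done
    return 0
}

# Print "KEYWORD <file>" for every signature containing a spam keyword.
flag_keyword_sigs() {
    dir=$1
    for f in "$dir"/*.sig "$dir"/*.si[0-9]*; do
        [ -f "$f" ] || continue
        if grep -Eiq "$SPAM_KEYWORDS" "$f"; then
            printf 'KEYWORD %s\n' "$(basename "$f")"
        fi
    done
    return 0
}

# Print "REPLYTO <file> <address>" for any reply_to / reply_toN whose
# domain is not ours (empty reply-to means "use the From address": ignored).
flag_foreign_replyto() {
    dir=$1
    ours=$(printf '%s' "$OUR_DOMAIN" | tr 'A-Z' 'a-z')
    for f in "$dir"/*.pref; do
        [ -f "$f" ] || continue
        grep -E '^reply_to[0-9]*=' "$f" | while IFS= read -r line; do
            addr=$(printf '%s' "${line#*=}" | tr -d '\r ' | tr 'A-Z' 'a-z')
            [ -n "$addr" ] || continue
            domain=${addr##*@}
            if [ "$domain" != "$ours" ]; then
                printf 'REPLYTO %s %s\n' "$(basename "$f")" "$addr"
            fi
        done
    done
    return 0
}

scan_all() {
    flag_big_sigs "$1"
    flag_keyword_sigs "$1"
    flag_foreign_replyto "$1"
}

# Constructed sample data (three fictional users) for the demo below.
make_sample_data() {
    dir=$1
    # alice: signature replaced by the spam body (large and keyword-laden)
    i=0
    while [ "$i" -lt 10 ]; do
        printf 'Verify your account today, click here to keep it open!\n'
        i=$((i + 1))
    done > "$dir/alice.sig"
    printf 'full_name=Alice\nemail_address=alice@example.edu\nreply_to=\n' > "$dir/alice.pref"
    # bob: harmless signature, but reply-to redirected off-domain
    printf -- '-- \nBob, Helpdesk\n' > "$dir/bob.sig"
    printf 'full_name=Bob\nemail_address=bob@example.edu\nreply_to=Attacker@evil.example\n' > "$dir/bob.pref"
    # carol: nothing wrong
    printf -- '-- \nCarol\n' > "$dir/carol.sig"
    printf 'full_name=Carol\nreply_to=carol@example.edu\n' > "$dir/carol.pref"
}

# Stand-alone demo: scan $SM_DATA_DIR if set, otherwise the constructed sample.
if [ -n "${SM_DATA_DIR:-}" ]; then
    scan_all "$SM_DATA_DIR"
else
    demo_dir=$(mktemp -d)
    make_sample_data "$demo_dir"
    scan_all "$demo_dir"
    rm -rf "$demo_dir"
fi
```

Run it as `SM_DATA_DIR=/var/local/squirrelmail/data sh scan.sh` against a real data directory; without the variable it runs over the constructed sample and reports alice twice (size and keyword) and bob once (reply-to). Check the `.sig`/`.siN` and `reply_toN` naming against your own data directory before relying on it, and if your site keeps prefs in a database rather than files the same three checks translate directly into queries on the prefs table. As Marc notes, the hits only show what the attacker changed; confirming the compromise still means looking at the account's Sent mail and the outgoing logs.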