On Sat, 31 Oct 2009, Paul Lesniewski wrote: (re. Forcing a logout)

> You can (could have) stopped this almost right away with MTA
> rate-limiting or by using the Restrict Senders plugin. The Squirrel
> Logger plugin could also have alerted you to the problem. If the
> attacker got the password by guessing on the login page, you can use
> the Lockout and/or CAPTCHA plugins to block such attempts.

We only have ~1K accounts and haven't had this trouble before, so had nothing in place to deal with it. I think our MTA rate-limits before expanding recipient lists so didn't kick in, or not much.

As far as I can tell from webserver logs, there was no significant attempt at brute-forcing accounts. At least, not recently. Most of the accounts used had 8-character random passwords that we assigned - unlikely to be brute-forced in any case, if the pattern I've seen in SSH is any clue.

I was wondering what other admins' experience has been with compromised SM accounts, and how spammers are able to obtain passwords. Certainly, we see a lot of webmail phishing from .edu domains, although I don't believe we ourselves have ever been previously compromised like this.

I'm still somewhat concerned; it's as if the spammers deliberately chose to use some lightly-used accounts where the owners might not notice, and perhaps have a pool of others available. It would be nice to assume that the problem is all client-end - malware, Conficker worm, or phishing - but the small volume on these accounts implies a reduced chance of receiving phishing messages or infected attachments compared to the typical always-online user.

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
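
The point in the message above about a rate limit that is applied before recipient lists are expanded, as an added Python example that is not part of the original post and is not SquirrelMail or MTA code. The alias table, user names, limit and window are constructed assumptions; the limiter charges each authenticated sender either one unit per message or one unit per final mailbox.

```python
from collections import defaultdict, deque

# Constructed alias table: one list address that expands to 400 mailboxes.
ALIASES = {"big-list@example.org": [f"rcpt{i}@example.net" for i in range(400)]}

def expand(recipients):
    """Expand list addresses into final mailboxes (hypothetical alias table)."""
    out = []
    for r in recipients:
        out.extend(ALIASES.get(r, [r]))
    return out

class SenderLimiter:
    """Sliding-window limiter keyed by authenticated sender."""
    def __init__(self, limit, window_s, count_expanded):
        self.limit, self.window_s = limit, window_s
        self.count_expanded = count_expanded   # False: 1 per message; True: 1 per mailbox
        self.events = defaultdict(deque)       # sender -> deque of (timestamp, cost)

    def allow(self, sender, recipients, now):
        q = self.events[sender]
        while q and q[0][0] <= now - self.window_s:   # drop events outside the window
            q.popleft()
        cost = len(expand(recipients)) if self.count_expanded else 1
        if sum(c for _, c in q) + cost > self.limit:
            return False
        q.append((now, cost))
        return True

def delivered(limiter, submissions):
    """Replay submissions; return (per-message decisions, mailboxes reached)."""
    decisions = [limiter.allow(s, r, t) for t, s, r in submissions]
    reached = sum(len(expand(r))
                  for ok, (_, _, r) in zip(decisions, submissions) if ok)
    return decisions, reached

# Constructed submissions: (seconds, authenticated sender, envelope recipients).
SUBMISSIONS = [(t, "quietuser", ["big-list@example.org"]) for t in (0, 60, 120, 180)]
SUBMISSIONS.append((200, "normaluser", ["colleague@example.org"]))

if __name__ == "__main__":
    for mode in (False, True):
        decisions, reached = delivered(SenderLimiter(500, 3600, mode), SUBMISSIONS)
        print("count_expanded" if mode else "count_messages", decisions, reached)
```

With the same limit of 500 per hour, counting messages lets all four list submissions through, while counting expanded mailboxes stops the sender after the first one.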