2010/2/12 <simon@xxxxxxxxxxx>:
> Dear All,
>
> I have the following setup running for a couple of years without any problem.
>
> Centos 5
> sendmail-8.13.8-2.el5
> httpd-2.2.3-11.el5_1
> squirrelmail-1.4.17
> MailScanner 4.76.25
> Mailwatch 1.04
>
> Just yesterday I found a huge spam being originated from my Mail Server
> and my mqueue had over 800 emails
>
> here is some information I got from mailwatch

Did you check your web server access log to confirm that these messages
were sent using webmail? Your maillog is also a good source of
information. You should read those and confirm you know how and where the
attacker used your system.

> ----
> Received: from webmail.baladia.gov.kw (kmdns1.kmun.gov.kw [xx.xx.xx.xx])
> by kmdns1.kmun.gov.kw (8.13.8/8.13.8) with ESMTP id o1CIKBGo015425;
> Fri, 12 Feb 2010 21:20:11 +0300
> Received: from 41.138.178.41
> (SquirrelMail authenticated user kkharafi)
> by webmail.baladia.gov.kw with HTTP;
> Fri, 12 Feb 2010 21:21:56 +0300 (AST)
> Message-ID:
> <60fa0f24708364e202bfa32c4a41083a.squirrel@xxxxxxxxxxxxxxxxxxxxxx>
> Date: Fri, 12 Feb 2010 21:21:56 +0300 (AST)
> Subject: BUSINESS PROPOSAL !
> From: "SGT. HENRY PETER" <sgthenrypeter1111@xxxxxxxxxxxx>
> Reply-To: sgthenrypeter4@xxxxxxxxxxxx
> User-Agent: SquirrelMail/1.4.17
> MIME-Version: 1.0
> Content-Type: text/plain;charset=windows1256
> Content-Transfer-Encoding: 8bit
> X-Priority: 3 (Normal)
> Importance: Normal
> From: sgthenrypeter1111@xxxxxxxxxxxx [Add to Whitelist | Add to Blacklist]
>
> To: emitchell@xxxxxxxx
> corey@xxxxxxxx
> chris.garcia@xxxxxxxxxxxxxxx
> donnae@xxxxxxxxxxxxx
> dkay@xxxxxxxxxxxxxxxxxxxxxxx
> capric77@xxxxxxxxxx
> ellen.richard@xxxxxxxxxxxxx
> contact@xxxxxxxx
> dawn.miller@xxxxxxxxxxxxxxxxxxx
> hardwood@xxxxxxxxx
> chipper@xxxxxxxxx
> gene@xxxxxxxxxxxxxx
> broberts@xxxxxxxxxx
> boyanzhu@xxxxxxxx
> cristinamercado@xxxxxxxxxx
> ftortorice@xxxxxxxxxxx
> dashby@xxxxxxxxxxxxxxxxxx
> goffin@xxxxxxxxxxxxxx
> gfinn@xxxxxxxx
> dsaxon@xxxxxxxxxxxxxxx
> dianm@xxxxxxxxxx
> czucal@xxxxxxxxxxxxx
> diamante@xxxxxxxxxxxxx
> gladys@xxxxxxxxxxxxx
> caroline@xxxxxxxxxxxxxxxxxxxxxxxxx
> donna.barlow@xxxxxxxxxxxxxxx
> gcalabrese@xxxxxxxxxx
> fstrobel@xxxxxxxxxxxxxx
> ------------------------------------------------
>
>
> (SquirrelMail authenticated user kkharafi)
> by webmail.baladia.gov.kw with HTTP;
> Fri, 12 Feb 2010 21:21:56 +0300 (AST)
>
> please note that kkharafi is my local mail user
> I have about 200 mail users and all the users have a shell as nologin as
> additional security

"additional security" would be creating a system where your mail users
don't have local accounts at all.

> ----------------
>
> On further investigations I found about 10 users whose Folders ==> Personal
> Information has been modified.
>
> here I just paste the .pref file of one user
> show_html_default=0
> javascript_on=1
> hililist=a:0:{}
> archivefilenames=6
> archiveattachments=1
> archivetype=0
> archiveent=1
> spamcop_method=web_form
> todo_first_login=0
> email_address=kkharafi@xxxxxxxxxxx
> identities=3
> full_name1=Oceanic Bank Nigeria Plc
> email_address1=info@xxxxxxx
> reply_to1=atmcard.dept01@xxxxxxxxxxxx
> full_name2=SGT. HENRY PETER
> email_address2=sgthenrypeter1111@xxxxxxxxxxxx
> reply_to2=sgthenrypeter4@xxxxxxxxxxxx
>
> --------
>
> Now all the 10 users have personal information under folders being changed
> with different information
>
> I have just changed the password of my local user kkharafi and will wait
> to see any instance of spam again.
>
> I can understand if one user had his password cracked or probably
> a virus on his PC could have changed his personal information in squirrel
> mail.
>
> But it's about 10 different local email users who had their personal
> Information changed in squirrel mail
>
> so I'm confused and wondering how it could happen

Poor user password selection? The fact that you are running an outdated
version of SquirrelMail? You tell us, please.

> I do appreciate if someone could help me out and advise me as to what could
> be done so as to avoid such issues.

Use plugins like Lockout and/or CAPTCHA as well as Restrict Senders and
Squirrel Logger.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
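The thread turns on the .pref files: the attacker rewrote the sender identities of about ten webmail accounts so that outgoing mail carried a third-party From and Reply-To. An administrator with a few hundred such files would want to find every tampered identity rather than read each file by hand. The script below is an added example written for this page; it is not code from the thread or from the SquirrelMail project. It assumes only the key=value layout visible in the quoted .pref (`identities=N`, unsuffixed keys for identity 0 and `full_name1`/`email_address1`/`reply_to1` and so on for the rest), flags identities whose sender domain is not the site's own or whose Reply-To points somewhere other than the sender's domain, and runs over a sample .pref that is constructed here with `example.invalid` domains modelled on the one in the post.

```python
"""Scan SquirrelMail per-user .pref files for tampered sender identities.

Added example, not from the original mailing-list thread. Assumes the
key=value layout shown in the quoted .pref: identities=N, the unsuffixed
full_name/email_address/reply_to keys for identity 0, and suffixed keys
full_name1, email_address1, reply_to1, ... for identities 1..N-1.
"""
import glob
import os
import re
from typing import Dict, List

IDENTITY_KEYS = ("full_name", "email_address", "reply_to")


def parse_pref(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and lines without '=' are skipped."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        prefs[key.strip()] = value.strip()
    return prefs


def identities(prefs: Dict[str, str]) -> List[Dict[str, str]]:
    """Expand the numbered identity keys into a list of identity records."""
    try:
        count = int(prefs.get("identities", "1"))
    except ValueError:
        count = 1
    result = []
    for i in range(max(count, 1)):
        suffix = "" if i == 0 else str(i)
        record = {k: prefs.get(k + suffix, "") for k in IDENTITY_KEYS}
        record["index"] = str(i)
        result.append(record)
    return result


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)$", addr.strip())
    return m.group(1).lower() if m else ""


def find_suspicious_identities(text: str, local_domain: str) -> List[dict]:
    """Flag identities whose sender domain is foreign or whose Reply-To
    points to a different domain than the sender address."""
    local_domain = local_domain.lower()
    findings = []
    for ident in identities(parse_pref(text)):
        reasons = []
        addr_dom = domain_of(ident["email_address"])
        if addr_dom and addr_dom != local_domain:
            reasons.append(f"sender domain {addr_dom} is not {local_domain}")
        rt_dom = domain_of(ident["reply_to"])
        if rt_dom and rt_dom != addr_dom:
            reasons.append(f"reply-to domain {rt_dom} differs from sender domain")
        if reasons:
            findings.append({"index": int(ident["index"]),
                             "full_name": ident["full_name"],
                             "email_address": ident["email_address"],
                             "reasons": reasons})
    return findings


def scan_pref_directory(data_dir: str, local_domain: str) -> Dict[str, List[dict]]:
    """Scan every *.pref under a SquirrelMail data directory (path is an
    assumption; pass your own). Returns {filename: findings} for hits only."""
    hits = {}
    for path in glob.glob(os.path.join(data_dir, "*.pref")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = find_suspicious_identities(fh.read(), local_domain)
        if found:
            hits[os.path.basename(path)] = found
    return hits


# Constructed sample modelled on the .pref quoted in the thread; the
# domains are placeholders, not real addresses.
SAMPLE_PREF = """\
show_html_default=0
javascript_on=1
email_address=kkharafi@mail.example.invalid
identities=3
full_name1=Oceanic Bank Nigeria Plc
email_address1=info@bank.example.invalid
reply_to1=atmcard.dept01@freemail.example.invalid
full_name2=SGT. HENRY PETER
email_address2=sgthenrypeter1111@freemail.example.invalid
reply_to2=sgthenrypeter4@freemail.example.invalid
"""

if __name__ == "__main__":
    for hit in find_suspicious_identities(SAMPLE_PREF, "mail.example.invalid"):
        print(f"identity {hit['index']} ({hit['full_name']!r} <{hit['email_address']}>):")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

Run against the sample, identity 0 (the user's own address) passes and identities 1 and 2 are reported. A cron job calling `scan_pref_directory` against the data directory would have surfaced all ten altered accounts at once, and the same pass can be repeated after passwords are reset to confirm the identities were not rewritten again.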