Re: spam from my mail server

> 2010/2/12  <simon@xxxxxxxxxxx>:
>> Dear All,
>>
>> I have had the following setup running for a couple of years without any
>> problem.
>>
>> Centos 5
>> sendmail-8.13.8-2.el5
>> httpd-2.2.3-11.el5_1
>> squirrelmail-1.4.17
>> MailScanner 4.76.25
>> Mailwatch 1.04
>>
>> Just yesterday I found a huge amount of spam originating from my mail server,
>> and my mqueue had over 800 emails.
>>
>> Here is some information I got from MailWatch:
>
> Did you check your web server access log to confirm that these
> messages were sent using webmail?  Your maillog is also a good source
> of information.  You should read those and confirm you know how and
> where the attacker used your system.
>
>> ----
>> Received: from webmail.baladia.gov.kw (kmdns1.kmun.gov.kw [xx.xx.xx.xx])
>>     by kmdns1.kmun.gov.kw (8.13.8/8.13.8) with ESMTP id o1CIKBGo015425;
>>     Fri, 12 Feb 2010 21:20:11 +0300
>> Received: from 41.138.178.41
>> (SquirrelMail authenticated user kkharafi)
>> by webmail.baladia.gov.kw with HTTP;
>> Fri, 12 Feb 2010 21:21:56 +0300 (AST)
>> Message-ID: <60fa0f24708364e202bfa32c4a41083a.squirrel@xxxxxxxxxxxxxxxxxxxxxx>
>> Date: Fri, 12 Feb 2010 21:21:56 +0300 (AST)
>> Subject: BUSINESS PROPOSAL !
>> From: "SGT. HENRY PETER" <sgthenrypeter1111@xxxxxxxxxxxx>
>> Reply-To: sgthenrypeter4@xxxxxxxxxxxx
>> User-Agent: SquirrelMail/1.4.17
>> MIME-Version: 1.0
>> Content-Type: text/plain;charset=windows1256
>> Content-Transfer-Encoding: 8bit
>> X-Priority: 3 (Normal)
>> Importance: Normal
>> From: sgthenrypeter1111@xxxxxxxxxxxx
>>
>> To: emitchell@xxxxxxxx
>> corey@xxxxxxxx
>> chris.garcia@xxxxxxxxxxxxxxx
>> donnae@xxxxxxxxxxxxx
>> dkay@xxxxxxxxxxxxxxxxxxxxxxx
>> capric77@xxxxxxxxxx
>> ellen.richard@xxxxxxxxxxxxx
>> contact@xxxxxxxx
>> dawn.miller@xxxxxxxxxxxxxxxxxxx
>> hardwood@xxxxxxxxx
>> chipper@xxxxxxxxx
>> gene@xxxxxxxxxxxxxx
>> broberts@xxxxxxxxxx
>> boyanzhu@xxxxxxxx
>> cristinamercado@xxxxxxxxxx
>> ftortorice@xxxxxxxxxxx
>> dashby@xxxxxxxxxxxxxxxxxx
>> goffin@xxxxxxxxxxxxxx
>> gfinn@xxxxxxxx
>> dsaxon@xxxxxxxxxxxxxxx
>> dianm@xxxxxxxxxx
>> czucal@xxxxxxxxxxxxx
>> diamante@xxxxxxxxxxxxx
>> gladys@xxxxxxxxxxxxx
>> caroline@xxxxxxxxxxxxxxxxxxxxxxxxx
>> donna.barlow@xxxxxxxxxxxxxxx
>> gcalabrese@xxxxxxxxxx
>> fstrobel@xxxxxxxxxxxxxx
>> ------------------------------------------------
>>
>>
>> (SquirrelMail authenticated user kkharafi)
>> by webmail.baladia.gov.kw with HTTP;
>> Fri, 12 Feb 2010 21:21:56 +0300 (AST)
>>
>> Please note that kkharafi is my local mail user.
>> I have about 200 mail users, and all the users have nologin as their shell
>> as additional security.
>
> "additional security" would be creating a system where your mail users
> don't have local accounts at all.
>
>> ----------------
>>
>> On further investigation I found about 10 users whose Folders ==> Personal
>> Information had been modified.
>>
>> Here I paste the .pref file of one user:
>> show_html_default=0
>> javascript_on=1
>> hililist=a:0:{}
>> archivefilenames=6
>> archiveattachments=1
>> archivetype=0
>> archiveent=1
>> spamcop_method=web_form
>> todo_first_login=0
>> email_address=kkharafi@xxxxxxxxxxx
>> identities=3
>> full_name1=Oceanic Bank Nigeria Plc
>> email_address1=info@xxxxxxx
>> reply_to1=atmcard.dept01@xxxxxxxxxxxx
>> full_name2=SGT. HENRY  PETER
>> email_address2=sgthenrypeter1111@xxxxxxxxxxxx
>> reply_to2=sgthenrypeter4@xxxxxxxxxxxx
>>
>> --------
>>
>>
>> Now all 10 users have had the personal information under Folders changed,
>> each with different information.
>>
>> I have just changed the password of my local user kkharafi and will wait
>> to see whether there is any instance of spam again.
>>
>> I could understand it if one user had his password cracked, or perhaps
>> a virus on his PC changed his personal information in SquirrelMail.
>>
>> But it is about 10 different local email users who had their personal
>> information changed in SquirrelMail,
>>
>> so I am confused and wondering how it could happen.
>
> Poor user password selection?  The fact that you are running an
> outdated version of SquirrelMail?  You tell us, please.
>
>> I would appreciate it if someone could help me out and advise me as to what
>> could be done to avoid such issues.
>
> Use plugins like Lockout and/or CAPTCHA as well as Restrict Senders
> and Squirrel Logger.
>
> --
> Paul Lesniewski
> SquirrelMail Team
> Please support Open Source Software by donating to SquirrelMail!
> http://squirrelmail.org/donate_paul_lesniewski.php
>


Dear Guys,

Thanks a lot for the quick reply, and especially to you, Paul, for the great
advice.

In fact I have changed the passwords of all 10 users whose Options ==>
Personal Information had been changed in SquirrelMail, and until now
there has been no spam problem.

I do see in my /var/secure logs that 2 of the users whose personal
information was changed are denied logon access to SquirrelMail.

I will also now upgrade my SquirrelMail and implement the plugins
you have suggested.


Once again, thanks; I appreciate it so much.

Regards


simon



-- 
Network ADMIN
-------------
KUWAIT MUNICIPALITY:


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
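Two checks come up in this thread: Paul's advice to tie the queued spam back to the webmail account and client address that submitted it (the "SquirrelMail authenticated user" Received header, cross-checked against maillog and the httpd access log), and Simon's discovery that the attacker had added extra sender identities to the victims' .pref files. The script below is an added example, not code from the thread or from the SquirrelMail project. It parses the folded Received header SquirrelMail stamps on every message it submits, reports client IPs that authenticated as more than one account (one attacker driving a batch of stolen passwords), and flags .pref identities whose address or Reply-To points outside the local domain. All sample data is constructed (TEST-NET addresses, .invalid domains) and modelled on the redacted headers and .pref file in the post; the /var/lib/squirrelmail/prefs path mentioned in a comment is the assumed CentOS package default and should be checked against config.php.

```python
"""Triage helpers for a SquirrelMail host that has been used to relay spam.

Added example, not from the thread or the SquirrelMail project.  Sample data
is constructed (TEST-NET addresses, .invalid domains).
"""
import re
from collections import defaultdict

# SquirrelMail stamps each submitted message with a folded Received header:
#   "from <client ip> (SquirrelMail authenticated user <login>) by <host> with HTTP"
# \s+ crosses the folded line breaks, so the pattern works on raw queue files.
SQ_RECEIVED = re.compile(
    r"Received:\s+from\s+(?P<ip>\S+)\s+"
    r"\(SquirrelMail authenticated user\s+(?P<user>[^)\s]+)\)"
)

# Constructed sample: three such headers copied out of queued messages.
SAMPLE_HEADERS = """\
Received: from 203.0.113.41
    (SquirrelMail authenticated user kkharafi)
    by webmail.example.gov with HTTP;
    Fri, 12 Feb 2010 21:21:56 +0300 (AST)
Received: from 203.0.113.41
    (SquirrelMail authenticated user jsmith)
    by webmail.example.gov with HTTP;
    Fri, 12 Feb 2010 21:25:10 +0300 (AST)
Received: from 198.51.100.7
    (SquirrelMail authenticated user kkharafi)
    by webmail.example.gov with HTTP;
    Mon, 8 Feb 2010 09:00:00 +0300 (AST)
"""

# Constructed sample .pref file after an attacker added two sender identities.
# Assumed location on the CentOS package: /var/lib/squirrelmail/prefs/<user>.pref
# (data_dir in config.php).
SAMPLE_PREF = """\
show_html_default=0
javascript_on=1
email_address=kkharafi@example.gov
identities=3
full_name1=Oceanic Bank Nigeria Plc
email_address1=info@bank.invalid
reply_to1=atmcard.dept01@freemail.invalid
full_name2=SGT. HENRY  PETER
email_address2=sgthenrypeter1111@freemail.invalid
reply_to2=sgthenrypeter4@freemail.invalid
"""


def webmail_logins(headers: str) -> list[tuple[str, str]]:
    """Return (user, client_ip) for every SquirrelMail Received header found."""
    return [(m["user"], m["ip"]) for m in SQ_RECEIVED.finditer(headers)]


def shared_source_ips(logins, min_users: int = 2) -> dict[str, set[str]]:
    """Client IPs that authenticated as at least min_users different accounts.

    These are the addresses to look up in the httpd access log and maillog,
    and to block while passwords are being reset.
    """
    users_by_ip: dict[str, set[str]] = defaultdict(set)
    for user, ip in logins:
        users_by_ip[ip].add(user)
    return {ip: users for ip, users in users_by_ip.items() if len(users) >= min_users}


def parse_pref(text: str) -> dict[str, str]:
    """SquirrelMail .pref files are flat key=value lines; lines without '=' are skipped."""
    prefs: dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            prefs[key.strip()] = value.strip()
    return prefs


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def foreign_identities(pref_text: str, local_domain: str) -> list[dict[str, str]]:
    """Extra identities whose address or Reply-To lies outside local_domain.

    Identity 0 is the primary one (email_address / full_name / reply_to); extras
    are numbered 1 .. identities-1 (email_address1, reply_to1, ...).
    """
    prefs = parse_pref(pref_text)
    count = int(prefs.get("identities") or 1)
    suspects = []
    for i in range(1, count):
        addr = prefs.get(f"email_address{i}", "")
        reply = prefs.get(f"reply_to{i}", "")
        if any(a and _domain(a) != local_domain.lower() for a in (addr, reply)):
            suspects.append({"index": str(i), "full_name": prefs.get(f"full_name{i}", ""),
                             "email_address": addr, "reply_to": reply})
    return suspects


if __name__ == "__main__":
    logins = webmail_logins(SAMPLE_HEADERS)
    print("webmail submissions:", logins)
    for ip, users in shared_source_ips(logins).items():
        print(f"{ip} authenticated as {len(users)} accounts: {sorted(users)}")
    for ident in foreign_identities(SAMPLE_PREF, "example.gov"):
        print("foreign identity:", ident)
```

On a real host, feed webmail_logins() the concatenated queue files (or the MailWatch message view) and run foreign_identities() over every file in the prefs directory with the site's own domain; an account that appears in both outputs is one whose password must be changed before the queue is flushed.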


------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
