On 2014-12-27 18:15, ml@xxxxxxxxxxxxxxx wrote:
> On 2014-12-24 17:36, Paul Lesniewski wrote:
>>> Since yesterday we are getting a lot of requests to the file:
>>> src/redirect.php
>>>
>>> The attack is targeting the HS, so we are getting traffic from Tor,
>>> which is impossible to discriminate and filter (all requests look like
>>> they are coming from 127.0.0.1).
>>>
>>> That said .. do you have any suggestions?
>>> What is the file redirect.php responsible for?
>>
>> This is most likely a brute force password guessing attack. If you
>> simply inspect the login page code, you'd see that the form submit
>> goes to that URI. Most providers use either webmail plugins (of
>> course vanilla RoundCube is just as susceptible) or MTA features to
>> mitigate such attacks. squirrelmail.org offers several such plugins.
>>
>> --
>> Paul Lesniewski
>> SquirrelMail Team
>> Please support Open Source Software by donating to SquirrelMail!
>> http://squirrelmail.org/donate_paul_lesniewski.php
>
> Hi, thanks for your suggestions, but since a Tor Hidden Service sees all
> incoming traffic coming from 127.0.0.1, do you think that the mitigation
> techniques will still work?
> An attacker can just use a cURL script, all the requests will be
> identical to legit traffic.
>
> Thanks for your comments,
> RuggedInbox team

Hi, at the end we installed a couple of plugins to enable captchas on both
squirrelmail and roundcube and the attack ceased immediately.

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options):
https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
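The point RuggedInbox raises in the thread above is worth seeing concretely: behind a Tor hidden service every client, attacker and legitimate user alike, arrives as 127.0.0.1, so any throttle keyed on the source address (a fail2ban jail on the web log, for instance) either does nothing or locks everyone out together. The replay below is an added example written for this page; it is not SquirrelMail, RoundCube or RuggedInbox code and uses no plugin API. It assumes the application can see, for each POST to the login handler (src/redirect.php in SquirrelMail, per Paul's reply), the submitted username and whether the real IMAP authentication succeeded. The attempt streams are constructed. It runs the same capture through an IP-keyed, a username-keyed and an endpoint-wide failure counter, and the second capture shows why per-username throttling alone is not enough against password spraying, which is the gap the captcha plugins the thread ended with are meant to close.

```python
"""Login-attempt throttling that does not depend on the client IP.

Added example for the squirrelmail-users thread; not SquirrelMail, RoundCube
or RuggedInbox code. Assumption: the login handler can see the submitted
username and the IMAP authentication result. All captures are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

HIDDEN_SERVICE_CLIENT = "127.0.0.1"  # what every Tor hidden-service client looks like


@dataclass(frozen=True)
class LoginAttempt:
    ts: float        # seconds since start of the capture
    src_ip: str      # what the web server sees in REMOTE_ADDR
    username: str    # value of the login form's username field
    success: bool    # outcome of the real (IMAP) authentication, if it runs


class FailureWindow:
    """Counts failed attempts per key inside a sliding time window."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._fails = defaultdict(deque)

    def _prune(self, key: str, now: float) -> deque:
        q = self._fails[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def exceeded(self, key: str, now: float) -> bool:
        return len(self._prune(key, now)) >= self.limit

    def record_failure(self, key: str, now: float) -> None:
        self._prune(key, now).append(now)


def evaluate(attempts, key_fn, limit=5, window=60.0):
    """Replay attempts through one throttling policy.

    key_fn chooses what the failure counter is keyed on (IP, username, ...).
    Returns a list of (ts, username, decision); decision is 'blocked'
    (rejected before authentication ran), 'ok' or 'bad-password'.
    """
    counter = FailureWindow(limit, window)
    decisions = []
    for a in attempts:
        key = key_fn(a)
        if counter.exceeded(key, a.ts):
            decisions.append((a.ts, a.username, "blocked"))
            continue
        if not a.success:
            counter.record_failure(key, a.ts)
        decisions.append((a.ts, a.username, "ok" if a.success else "bad-password"))
    return decisions


def blocked_users(decisions):
    """Usernames that had at least one attempt rejected by the throttle."""
    return {user for _, user, d in decisions if d == "blocked"}


def brute_force_capture():
    """Constructed: one account hammered while a real user logs in."""
    attempts = [LoginAttempt(0.0, HIDDEN_SERVICE_CLIENT, "alice", True)]
    attempts += [LoginAttempt(float(t), HIDDEN_SERVICE_CLIENT, "bob", False)
                 for t in range(1, 13)]                                   # 12 guesses at 1/s
    attempts += [LoginAttempt(13.0, HIDDEN_SERVICE_CLIENT, "alice", False),  # alice mistypes
                 LoginAttempt(14.0, HIDDEN_SERVICE_CLIENT, "alice", True)]   # then succeeds
    return attempts


def spraying_capture():
    """Constructed: one wrong guess against each of 20 different accounts."""
    return [LoginAttempt(float(t), HIDDEN_SERVICE_CLIENT, f"user{t:02d}", False)
            for t in range(20)]


def by_ip(a):         # useless behind a hidden service: one key for everybody
    return a.src_ip

def by_username(a):   # isolates a single-target brute force
    return a.username.lower()

def by_endpoint(a):   # one counter for the whole login form (hypothetical key name)
    return "src/redirect.php"


if __name__ == "__main__":
    bf = brute_force_capture()
    print("brute force, IP-keyed   :", sorted(blocked_users(evaluate(bf, by_ip))))
    print("brute force, user-keyed :", sorted(blocked_users(evaluate(bf, by_username))))
    sp = spraying_capture()
    print("spray, user-keyed       :", len(blocked_users(evaluate(sp, by_username))))
    print("spray, endpoint-keyed   :", len(blocked_users(evaluate(sp, by_endpoint))))
```

With a limit of five failures per minute, the IP-keyed run blocks alice as collateral the moment bob's guesses cross the threshold, since both are 127.0.0.1; the username-keyed run blocks only the hammered account and lets alice recover from her typo. The spraying capture shows the other side: one guess per account never trips a per-username counter, while a counter on the whole endpoint does trip but again penalises everyone. That is the situation in which the thread's final answer, a captcha gate on the login form, is the sensible escalation: rather than rejecting requests outright when the endpoint-wide counter exceeds its limit, require a challenge that a cURL loop cannot answer but a real user can.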