Spam on my squirrelmail server


difuntos
Hello, I'm having a security issue in my squirrelmail server:

Some spammers are sending spam from my server (it's also my SMTP server).

I have configured sendmail exactly the same as other servers that do not have these problems, so I'm guessing it's a squirrelmail bug. Here is an example of one log entry:

 from=<yeboahc@bellsouth.net>, size=2960, class=0, nrcpts=10, msgid=<30c754cff9a4db493366099b63d1b282.squirrel@mydomain.com.ar>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Apr  7 14:30:03 webmail sm-msp-queue[377]: s379p679023635: to=bob.girardi@yahoo.com,bob.thompson107@gmail.com,bob1213@aol.com,bob17012003@yahoo.com,bob20f4@aol.com,bob2rip32@roadrunner.com,bob3@bobclark.com,bob420skater@yahoo.com,bob8883641@aol.com,bob@innovativeteks.com, delay=07:38:57, xdelay=00:00:01, mailer=relay, pri=3725072, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s37HLD9P000379 Message accepted for delivery)

The message id says squirrel@mydomain...

Can anyone help me with this, please?

Thank you very much and sorry for my terrible English....


Re: Spam on my squirrelmail server

Paul Lesniewski
On Mon, Apr 7, 2014 at 11:46 AM, difuntos <[hidden email]> wrote:
> Hello, im having a security issue in my squirrelmail server :
>
> Some spammers are sending spam from my server (it´s also my SMTP server).
>
> I have configured sendmail exactly the same as others servers that do not
> have this problems, so im guessing it´s a squirrelmail bug.

You probably shouldn't make such claims (that can be perceived as
offensive to developers of the free software you are using) unless you
can back them up.

> Here is an
> example of one log entry :
>
>  from=<[hidden email]>, size=2960, class=0, nrcpts=10,
> msgid=<*[hidden email]*>,
> proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
> Apr  7 14:30:03 webmail sm-msp-queue[377]: s379p679023635:
> to=[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],
> delay=07:38:57, xdelay=00:00:01, mailer=relay, pri=3725072,
> relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s37HLD9P000379 Message
> accepted for delivery)
>
> The message id says squirrel@mydomain...
>
> Anyone can help me with this please?????

Change the password for the offending account.  Install security and
logging plugins such as Squirrel Logger, Lockout, CAPTCHA, etc.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

Re: Spam on my squirrelmail server

difuntos
The thing is that the offending account is an external mail....nothing to do with my domain accounts.....

Some spammers are using the server, but not the accounts, because my POP server is somewhere else...

Re: Spam on my squirrelmail server

Ted Hatfield-2
In reply to this post by difuntos
On Mon, 7 Apr 2014, difuntos wrote:

> Hello, im having a security issue in my squirrelmail server :
>
> Some spammers are sending spam from my server (it's also my SMTP server).
>
> I have configured sendmail exactly the same as others servers that do not
> have this problems, so im guessing it's a squirrelmail bug. Here is an
> example of one log entry :
>
> from=<[hidden email]>, size=2960, class=0, nrcpts=10,
> msgid=<*[hidden email]*>,
> proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
> Apr  7 14:30:03 webmail sm-msp-queue[377]: s379p679023635:
> to=[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],
> delay=07:38:57, xdelay=00:00:01, mailer=relay, pri=3725072,
> relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s37HLD9P000379 Message
> accepted for delivery)
>
> The message id says squirrel@mydomain...
>
> Anyone can help me with this please?????
>
> Thank you very much and sorry for my terrible english....
>
>
>
>
>
difuntos,

This is a fairly common occurrence that anyone who has run a webmail server
for any length of time has probably seen before.

All it takes is for one user to have their password compromised and the
spammers can log in to the squirrelmail server, change the "from" address
to anything they like, and start sending out their spam from your server.

You will need to log in to that server and find out which accounts are
compromised and change the passwords on those accounts.

Your httpd logs might be able to help.

Installing and activating the Squirrel Logger plugin may be able to help
you as well.  http://squirrelmail.org/plugin_view.php?id=52

Ted Hatfield.




Re: Spam on my squirrelmail server

difuntos
Thanks a lot to everyone. I've found that an account was hacked and they were sending spam from that account.

The thing is that they were using another mail address to send (they changed it in the "Personal Information" option).

So, I was wondering... is there any way to take those options out of squirrelmail? (only "Full Name", "E Mail Address" and "Reply To")

Thanks again!!

Re: Spam on my squirrelmail server

"Tóth Attila"
I don't know if you've already tried RTFM, but:

 bool $edit_name (line 598)
Identity Controls
If you don't want to allow users to change their email address then you
can set $edit_identity to false, if you want them to not be able to change
their full name too then set $edit_name to false as well. $edit_name has
no effect unless $edit_identity is false;
(taken from the manual)

Reply to address is generated.

Apart from these options: SMTP protocol is not identity safe by design.

Regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On Tuesday, April 8, 2014 at 17:07, difuntos wrote:

> Thanks a lot to everyone. I´ve found that an account was hacked and they
> were
> sending spam from that account.
>
> The thing is that they were using another mail address to send (they
> changed
> it in the "Personal Information" option).
>
> So, i was wondering...is there any way to take out that options from the
> squirrelmail? ( only "Full Name", "E Mail Address" and "Reply To")
>
> Thanks again!!
Re: Spam on my squirrelmail server

Ted Hatfield-2
In reply to this post by difuntos
On Tue, 8 Apr 2014, difuntos wrote:

> Thanks a lot to everyone. I've found that an account was hacked and they were
> sending spam from that account.
>
> The thing is that they were using another mail address to send (they changed
> it in the "Personal Information" option).
>
> So, i was wondering...is there any way to take out that options from the
> squirrelmail? ( only "Full Name", "E Mail Address" and "Reply To")
>
> Thanks again!!
>
>
>

Difuntos,

This line of reasoning is a dead end.  If spammers can't send email using
a spoofed email address they will simply send the spam as the account they
have hacked instead.

Users have the uncanny ability to use weak passwords, have their machines
get hacked/compromised and to respond to phishing attacks with their
username and password.

The best method I've found is to place restrictions on how many emails
they can send and to monitor, monitor, monitor their activity.

I would recommend installing the restrict_senders plugin and the squirrel
logger plugin.

Use one to restrict how many emails your users can send and the other to
monitor who's sending those emails.


Ted Hatfield
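
One way to act on the "monitor" advice using the maillog format from the first post, as an added example that is not part of the thread: it totals messages that look like the one in that log entry (Message-ID containing `.squirrel@`, relay localhost) but whose envelope sender is outside the server's own domains. The function name, the threshold, the `example.org` domain and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in sendmail's syslog format, modelled on the entry quoted
# in the thread; hosts, addresses and queue IDs are made up.
SAMPLE_LOG = """\
Apr  7 14:30:02 webmail sendmail[4101]: s37HU2aa004101: from=<someone@external.example>, size=2960, class=0, nrcpts=10, msgid=<30c7aaaa.squirrel@mail.example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Apr  7 14:31:10 webmail sendmail[4102]: s37HV9bb004102: from=<someone@external.example>, size=2961, class=0, nrcpts=10, msgid=<30c7bbbb.squirrel@mail.example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Apr  7 14:35:44 webmail sendmail[4110]: s37HZhcc004110: from=<alice@example.org>, size=1200, class=0, nrcpts=1, msgid=<41d2cccc.squirrel@mail.example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Apr  7 14:36:01 webmail sendmail[4111]: s37Ha1dd004111: from=<list@other.example>, size=5000, class=0, nrcpts=1, msgid=<abc123@other.example>, proto=ESMTP, daemon=MTA, relay=mx.other.example [192.0.2.7]
"""

FROM_LINE = re.compile(
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>,.*?nrcpts=(?P<nrcpts>\d+),"
    r".*?msgid=<(?P<msgid>[^>]*)>,.*?relay=(?P<relay>.*)$"
)


def webmail_spoof_report(log_text, local_domains, rcpt_threshold=5):
    """Total up webmail-submitted mail whose envelope sender is not local.

    Returns {sender: {"messages", "recipients", "qids"}} for senders whose
    recipient total reaches rcpt_threshold.
    """
    local = {d.lower() for d in local_domains}
    totals = defaultdict(lambda: {"messages": 0, "recipients": 0, "qids": []})
    for line in log_text.splitlines():
        m = FROM_LINE.search(line)
        if not m:
            continue
        # As in the thread's log entry: the Message-ID carries ".squirrel@"
        # and the message reaches the MTA from localhost.
        if ".squirrel@" not in m["msgid"] or "127.0.0.1" not in m["relay"]:
            continue
        sender = m["sender"].lower()
        if sender.rpartition("@")[2] in local:
            continue  # sender address belongs to this server's own domains
        entry = totals[sender]
        entry["messages"] += 1
        entry["recipients"] += int(m["nrcpts"])
        entry["qids"].append(m["qid"])
    return {s: t for s, t in totals.items() if t["recipients"] >= rcpt_threshold}


if __name__ == "__main__":
    for sender, t in webmail_spoof_report(SAMPLE_LOG, {"example.org"}).items():
        print(sender, t["messages"], "messages,", t["recipients"], "recipients", t["qids"])
```

The maillog only shows the envelope sender the message was submitted with; tying a flagged queue ID to the login that sent it still needs the httpd logs or the Squirrel Logger plugin mentioned in the thread.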


Re: Spam on my squirrelmail server

difuntos
Ted, you're absolutely right...

I have already installed the captcha plugin and I will try with the restrict_senders...

Thank you very much for all your help guys!

Regards