

#560 Signature Length Restrictions

Status: open
Owner: nobody
Priority: 5
Updated: 2010-02-17
Created: 2010-02-17
Creator: Kirk Ismay
Private: No

REQUEST:
Have administrator-configurable limits on signature lengths, both the number of lines and the line length, with a reasonable default. 6 lines, 80 characters wide, would be a reasonable default and would reduce the impact of phishing attacks. This could be implemented as a plugin at first, but I feel it should be a built-in feature in future SquirrelMail editions. It should also grandfather existing signatures, so that when this feature is implemented, existing signatures are not truncated.

RATIONALE:
I've seen widespread phishing of SquirrelMail accounts. Once compromised, the account is used to send out spam. The content of the spam message is saved as a signature.
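The check the request describes, as an added example that is not code from the ticket or from SquirrelMail: a server-side validation of a submitted signature against administrator-set line-count and line-width limits (using the 6-line, 80-column defaults proposed above), plus a grandfathering rule. The rule chosen here, that a submission byte-identical to the signature already stored for the user is accepted unchanged while anything newly submitted or edited must fit, is an assumption about how "grandfather existing signatures" would be realised; the constants, function names and sample signatures are likewise constructed for this example, and plain PHP is used rather than SquirrelMail's hook or preference APIs.

```php
<?php
// Added example, not SquirrelMail code: validate a user's signature against
// administrator-configurable limits, grandfathering signatures that were
// saved before the limits existed.

// Hypothetical admin settings; the defaults mirror the ticket's proposal.
const SIG_MAX_LINES = 6;
const SIG_MAX_WIDTH = 80;

/**
 * Return a list of limit violations for $sig (an empty array means it fits).
 */
function signature_violations(string $sig, int $maxLines = SIG_MAX_LINES, int $maxWidth = SIG_MAX_WIDTH): array
{
    $problems = [];
    if ($sig === '') {
        return $problems;
    }
    // Normalise CRLF/CR so each visual row counts as exactly one line, and
    // drop a trailing newline so "sig\n" is not counted as two lines.
    $lines = preg_split('/\r\n|\r|\n/', rtrim($sig, "\r\n"));
    if (count($lines) > $maxLines) {
        $problems[] = sprintf('%d lines (limit %d)', count($lines), $maxLines);
    }
    foreach ($lines as $i => $line) {
        // Count characters rather than bytes so multibyte UTF-8 text is not
        // penalised (assumes the mbstring extension is available).
        $len = mb_strlen($line, 'UTF-8');
        if ($len > $maxWidth) {
            $problems[] = sprintf('line %d is %d characters (limit %d)', $i + 1, $len, $maxWidth);
        }
    }
    return $problems;
}

/**
 * Decide whether a submitted signature may be saved.
 * Grandfathering rule (assumption): a submission that is byte-identical to the
 * signature already stored for the user is accepted even if it exceeds the
 * limits, so old signatures are never truncated; any edited signature must fit.
 */
function signature_accepted(string $submitted, ?string $stored): array
{
    if ($stored !== null && $submitted === $stored) {
        return ['ok' => true, 'reason' => 'unchanged (grandfathered)'];
    }
    $violations = signature_violations($submitted);
    if ($violations) {
        return ['ok' => false, 'reason' => implode('; ', $violations)];
    }
    return ['ok' => true, 'reason' => 'within limits'];
}

// Constructed sample signatures for demonstration only.
$stored_legacy = implode("\n", array_fill(0, 12, 'Legacy signature line saved before the limit existed'));
$short_sig     = "Kirk Ismay\nSystems Administrator\n+1 555 0100 (constructed number)";
$spam_sig      = implode("\n", array_fill(0, 25, str_repeat('BUY NOW ', 20)));

foreach ([
    'legacy signature resubmitted unchanged'      => [$stored_legacy, $stored_legacy],
    'new short signature'                         => [$short_sig, null],
    'legacy signature edited into a 25-line body' => [$spam_sig, $stored_legacy],
] as $label => [$submitted, $stored]) {
    $result = signature_accepted($submitted, $stored);
    printf("%-45s %s: %s\n", $label, $result['ok'] ? 'ACCEPT' : 'REJECT', $result['reason']);
}
```

Run with `php signature_limit.php` (any PHP 7.1 or later with mbstring). The third sample is the scenario the rationale describes, a compromised account whose signature has been replaced with a message body: it is rejected on both line count and line width, while the untouched legacy signature in the first sample is still accepted because it matches the stored copy exactly.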

Discussion

  • Kirk Ismay
    2010-02-17

    • priority: 5 --> 7

  • We can consider this in the future. You are welcome to send us a plugin submission for this.

    Regarding the rationale, I believe you are chasing the bits that spammers throw to you. Instead, you need to fix the reason they got into your system. REQUIRE strong passwords for your users, implement strong SMTP controls and anti-spam filtering on outgoing messages. If you can't do those things, you should turn to plugins like Restrict Senders, Squirrel Logger, Lockout, and CAPTCHA, some of which can be configured to send you warnings when suspicious mail blasts are being sent and/or stop them automatically.

    • priority: 7 --> 5

  • Kirk Ismay
    2010-02-17

    Consider this as one part of a Defense in Depth strategy. I already require strong passwords, and I have used Squirrel Logger and Fail2Ban with good success to mitigate the effects of spear-phishing type attacks.

    I have one user that has had their account successfully phished about 5 times now. Each time we've changed their password for them, explained the need to keep systems patched and up to date, and stressed that we will never, ever email them to ask for their password.

    I would like to submit a patch/plugin for this; can you provide some direction as to where to start?

    Thanks.

  • Kirk Ismay
    2010-02-17

    • priority: 5 --> 7

    • priority: 7 --> 5

  • It's trivial for spammers to write a simple automated script that re-POSTs form data to src/compose.php to send emails over and over again, so I don't think this kind of limitation is going to help you. In fact, the email body might be in the signature, but the recipient addresses have to be sent in the manner that I am describing. Thus, if you curtail their ability to put the body in the signature text, they'll simply put the body into their script. Easy.

    It's better to use Restrict Senders to automatically stop the blasts while they are happening if you don't have better SMTP controls to do that.

    If you want to submit a plugin for this, see:

    http://squirrelmail.org/docs/devel/devel-4.html

    Also have a look at any of the more recently released plugins as possible templates for how one should look.

    Thanks for your input.