From: <si...@km...> - 2010-02-12 19:39:44
Dear All,

I have had the following setup running for a couple of years without any problem.

Centos 5
sendmail-8.13.8-2.el5
httpd-2.2.3-11.el5_1
squirrelmail-1.4.17
MailScanner 4.76.25
Mailwatch 1.04

Just yesterday I found a huge amount of spam originating from my mail server, and my mqueue had over 800 emails.

Here is some information I got from Mailwatch:

----
Received: from webmail.baladia.gov.kw (kmdns1.kmun.gov.kw [xx.xx.xx.xx])
    by kmdns1.kmun.gov.kw (8.13.8/8.13.8) with ESMTP id o1CIKBGo015425;
    Fri, 12 Feb 2010 21:20:11 +0300
Received: from 41.138.178.41
    (SquirrelMail authenticated user kkharafi)
    by webmail.baladia.gov.kw with HTTP;
    Fri, 12 Feb 2010 21:21:56 +0300 (AST)
Message-ID: <60f...@we...>
Date: Fri, 12 Feb 2010 21:21:56 +0300 (AST)
Subject: BUSINESS PROPOSAL !
From: "SGT. HENRY PETER" <sgt...@ya...>
Reply-To: sgt...@ya...
User-Agent: SquirrelMail/1.4.17
MIME-Version: 1.0
Content-Type: text/plain;charset=windows1256
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
From: sgt...@ya... [Add to Whitelist | Add to Blacklist]
------------------------------------------------

(SquirrelMail authenticated user kkharafi)
by webmail.baladia.gov.kw with HTTP;
Fri, 12 Feb 2010 21:21:56 +0300 (AST)

Please note that kkharafi is my local mail user.
I have about 200 mail users, and all the users have nologin as their shell as an additional security measure.

----------------

On further investigation I found about 10 users whose Folders ==> Personal Information has been modified.

Here I just paste the .pref file of one user:

show_html_default=0
javascript_on=1
hililist=a:0:{}
archivefilenames=6
archiveattachments=1
archivetype=0
archiveent=1
spamcop_method=web_form
todo_first_login=0
email_address=kkh...@km...
identities=3
full_name1=Oceanic Bank Nigeria Plc
email_address1=in...@at...
reply_to1=atm...@ya...
full_name2=SGT. HENRY PETER
email_address2=sgt...@ya...
reply_to2=sgt...@ya...

--------

Now all the 10 users have had the personal information under Folders changed, with different information.

I have just changed the password of my local user kkharafi and will wait to see any instance of spam again.

I can understand if one user had his password cracked, or a virus on his PC could have changed his personal information in SquirrelMail.

But it's about 10 different local email users who had their personal information changed in SquirrelMail,

so I'm confused and wondering how it could happen.

I would appreciate it if someone could help me out and advise me as to what could be done to avoid such issues.

I really appreciate it and await your helpful reply.

regards
simon

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
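An added example, not part of the original post: the altered .pref file above suggests sweeping every account's preferences for the same kind of change. This Python script flags each identity whose email_address or reply_to lies outside the site's own domains; the sample files, the domain mail.example.org and the one-file-per-user layout (<user>.pref) are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Identity keys as they appear in the .pref excerpt above: the primary
# identity has no suffix, extra identities carry a numeric suffix.
IDENT_KEY = re.compile(r"^(full_name|email_address|reply_to)(\d*)$")


def parse_pref(text):
    """Parse key=value lines; values may themselves contain '='."""
    prefs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            prefs[key] = value
    return prefs


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def audit_pref(user, text, local_domains):
    """Return (user, identity, field, value) for each sender or reply-to
    address that points outside the organisation's own domains."""
    identities = {}
    for key, value in parse_pref(text).items():
        m = IDENT_KEY.match(key)
        if m:
            identities.setdefault(int(m.group(2) or 0), {})[m.group(1)] = value
    findings = []
    for index in sorted(identities):
        for field in ("email_address", "reply_to"):
            value = identities[index].get(field, "")
            if value and domain_of(value) not in local_domains:
                findings.append((user, index, field, value))
    return findings


def audit_directory(pref_dir, local_domains):
    """Audit every <user>.pref file in pref_dir (layout is an assumption)."""
    findings = []
    for path in sorted(Path(pref_dir).glob("*.pref")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(audit_pref(path.stem, text, local_domains))
    return findings


# Constructed sample data, modelled on the excerpt above (not real accounts).
TAMPERED = """javascript_on=1
email_address=alice@mail.example.org
identities=3
full_name1=Example Bank Plc
email_address1=info@bank.example
reply_to1=claims@freemail.example
full_name2=SGT. EXAMPLE
email_address2=sgt@freemail.example
reply_to2=sgt@freemail.example
"""
CLEAN = """javascript_on=1
full_name=Bob Example
email_address=bob@mail.example.org
"""


def demo():
    """Write the two constructed files to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "alice.pref").write_text(TAMPERED, encoding="utf-8")
        Path(tmp, "bob.pref").write_text(CLEAN, encoding="utf-8")
        return audit_directory(tmp, {"mail.example.org"})


if __name__ == "__main__":
    for user, index, field, value in demo():
        print(f"{user}: identity {index} {field} -> {value}")
```

A hit is a candidate for review rather than proof of compromise, since a user may have set an outside reply-to address deliberately.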
From: Marc P. <ma...@en...> - 2010-02-12 19:58:08
On Feb 12, 2010, at 12:19 PM, si...@km... wrote:

> I can understand if one user had his password cracked, or
> a virus on his PC could have changed his personal information in
> SquirrelMail.
>
> But it's about 10 different local email users who had their personal
> information changed in SquirrelMail
>
> so I'm confused and wondering how it could happen

This is quite common. If you ask them, or look through their sent mail for the past few months you're almost guaranteed to find that they sent their username and password in response to a phishing attempt. It probably claimed to be from your support or helpdesk saying that they needed to do so in order to keep their account active or something like that.

--
Marc
From: Paul L. <pa...@sq...> - 2010-02-12 20:06:31
2010/2/12 <si...@km...>:
> Dear All,
>
> I have the following setup running for a couple of years without any problem.
>
> Centos 5
> sendmail-8.13.8-2.el5
> httpd-2.2.3-11.el5_1
> squirrelmail-1.4.17
> MailScanner 4.76.25
> Mailwatch 1.04
>
> Just yesterday I found a huge spam being originated from my Mail Server
> and my mqueue had over 800 emails
>
> here is some information I got from mailwatch

Did you check your web server access log to confirm that these messages were sent using webmail? Your maillog is also a good source of information. You should read those and confirm you know how and where the attacker used your system.

> ----
> Received: from webmail.baladia.gov.kw (kmdns1.kmun.gov.kw [xx.xx.xx.xx])
>     by kmdns1.kmun.gov.kw (8.13.8/8.13.8) with ESMTP id o1CIKBGo015425;
>     Fri, 12 Feb 2010 21:20:11 +0300
> Received: from 41.138.178.41
>     (SquirrelMail authenticated user kkharafi)
>     by webmail.baladia.gov.kw with HTTP;
>     Fri, 12 Feb 2010 21:21:56 +0300 (AST)
> Message-ID: <60f...@we...>
> Date: Fri, 12 Feb 2010 21:21:56 +0300 (AST)
> Subject: BUSINESS PROPOSAL !
> From: "SGT. HENRY PETER" <sgt...@ya...>
> Reply-To: sgt...@ya...
> User-Agent: SquirrelMail/1.4.17
> MIME-Version: 1.0
> Content-Type: text/plain;charset=windows1256
> Content-Transfer-Encoding: 8bit
> X-Priority: 3 (Normal)
> Importance: Normal
> From: sgt...@ya... [Add to Whitelist | Add to Blacklist]
> ------------------------------------------------
>
> (SquirrelMail authenticated user kkharafi)
> by webmail.baladia.gov.kw with HTTP;
> Fri, 12 Feb 2010 21:21:56 +0300 (AST)
>
> please note that kkharafi is my local mail user
> I have about 200 mail users and all the users have a shell as nologin as an
> additional security

"additional security" would be creating a system where your mail users don't have local accounts at all.

> ----------------
>
> On further investigations I found about 10 users whose Folders==> Personal
> Information has been modified .
>
> here I just paste the .pref file of one user
> show_html_default=0
> javascript_on=1
> hililist=a:0:{}
> archivefilenames=6
> archiveattachments=1
> archivetype=0
> archiveent=1
> spamcop_method=web_form
> todo_first_login=0
> email_address=kkh...@km...
> identities=3
> full_name1=Oceanic Bank Nigeria Plc
> email_address1=in...@at...
> reply_to1=atm...@ya...
> full_name2=SGT. HENRY PETER
> email_address2=sgt...@ya...
> reply_to2=sgt...@ya...
>
> --------
>
> now all the 10 users have personal information under folders being changed
> with different information
>
> I have just changed the password of my local user kkharafi and will wait
> to see any instance of spam again.
>
> I can understand if one user had his password being cracked or probably
> a virus on his PC could have changed his personal information in
> SquirrelMail.
>
> But it's about 10 different local email users who had their personal
> information being changed in SquirrelMail
>
> so I'm confused and wondering how it could happen

Poor user password selection? The fact that you are running an outdated version of SquirrelMail? You tell us, please.

> I would appreciate it if someone could help me out and advise me as to what
> could be done so as to avoid such issues.

Use plugins like Lockout and/or CAPTCHA as well as Restrict Senders and Squirrel Logger.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
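An added example, not part of the thread: one way to confirm which accounts submitted mail through webmail, using the "SquirrelMail authenticated user" Received hop visible in the quoted header. The sample messages, host names, addresses and the burst threshold are constructed assumptions; the function takes raw message text as strings and leaves exporting it from the queue or quarantine to the reader.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# The webmail hop, in the form shown in the quoted header:
#   Received: from <client> (SquirrelMail authenticated user <user>)
#       by <host> with HTTP; <date>
WEBMAIL_HOP = re.compile(
    r"from\s+(?P<client>\S+)\s+"
    r"\(SquirrelMail authenticated user\s+(?P<user>[^)\s]+)\)\s+"
    r"by\s+\S+\s+with\s+HTTP",
    re.IGNORECASE,
)


def webmail_origin(raw_message):
    """Return (user, client, from_address) for a webmail-submitted message,
    or None if no Received header carries the SquirrelMail hop."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        hop = WEBMAIL_HOP.search(received)
        if hop:
            sender = parseaddr(msg.get("From", ""))[1].lower()
            return hop.group("user"), hop.group("client"), sender
    return None


def triage(raw_messages, local_domains, burst=3):
    """Group webmail submissions by authenticated user and flag accounts
    that send with an outside From address or send `burst` or more messages."""
    stats = defaultdict(lambda: {"count": 0, "clients": set(), "foreign": set()})
    for raw in raw_messages:
        origin = webmail_origin(raw)
        if origin is None:
            continue  # not submitted through webmail
        user, client, sender = origin
        entry = stats[user]
        entry["count"] += 1
        entry["clients"].add(client)
        if sender and sender.rsplit("@", 1)[-1] not in local_domains:
            entry["foreign"].add(sender)
    flagged = {}
    for user, entry in stats.items():
        reasons = []
        if entry["foreign"]:
            reasons.append("From address outside local domains")
        if entry["count"] >= burst:
            reasons.append("burst of %d messages" % entry["count"])
        if reasons:
            flagged[user] = {"count": entry["count"], "reasons": reasons,
                             "clients": sorted(entry["clients"])}
    return flagged


def sample(user, client, sender, n):
    """Build one constructed message shaped like the header quoted above."""
    return (
        "Received: from webmail.example.org (mx.example.org [192.0.2.1])\n"
        "\tby mx.example.org with ESMTP id CONSTRUCTED%d;\n"
        "\tFri, 12 Feb 2010 21:20:11 +0300\n"
        "Received: from %s\n"
        "\t(SquirrelMail authenticated user %s)\n"
        "\tby webmail.example.org with HTTP;\n"
        "\tFri, 12 Feb 2010 21:21:56 +0300 (AST)\n"
        "From: %s\n"
        "Subject: constructed sample\n\nbody\n"
    ) % (n, client, user, sender)


# Constructed message that arrived over SMTP, with no webmail hop.
SMTP_ONLY = ("Received: from mx.example.net (mx.example.net [203.0.113.9])\n"
             "\tby mx.example.org with ESMTP id CONSTRUCTED9;\n"
             "\tFri, 12 Feb 2010 21:00:00 +0300\n"
             "From: carol@example.net\n\nbody\n")


def demo():
    msgs = [sample("alice", "198.51.100.7", '"SGT. EXAMPLE" <sgt@freemail.example>', i)
            for i in range(3)]
    msgs.append(sample("bob", "192.0.2.50", "bob@mail.example.org", 3))
    msgs.append(SMTP_ONLY)
    return triage(msgs, {"mail.example.org"})


if __name__ == "__main__":
    for user, info in demo().items():
        print(user, info)
```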
From: Benedict s. <si...@km...> - 2010-02-13 11:05:29
Dear Guys,

Thanks a lot for the quick reply, and specially to you Paul for the great advice.

In fact I have changed the password of all the 10 users whose Options ==> Personal Information had been changed in SquirrelMail, and until now there is no spam problem.

I do see in my /var/secure logs that 2 of the users whose personal information was changed are denied logon access to SquirrelMail.

I will also now upgrade my SquirrelMail and also implement the plugins you have suggested.

Once again thanks, and I appreciate it so much.

Regards
simon

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:
From: Michelle K. <lin...@ta...> - 2010-02-13 12:04:30
Hello Simon,

I am 99% sure it was a phishing attack against your users.

I currently have over 300 accounts running on my corporate domain and told ALL USERS that I will never send (admin) messages without their full first and family name, to identify that the mail is really coming from me.

This is normally what all bigger and more serious ISPs do.

It really prevents phishing attacks. And since I know the native language of all of my customers (mainly foreigners) I put a paragraph in their native language in the admin message... :-D

No chance for phishers... Think about it!

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
<http://www.tamay-dogan.net/>      Michelle Konzack
<http://www.can4linux.org/>        Apt. 917
<http://www.flexray4linux.org/>    50, rue de Soultz
Jabber lin...@ja...                67100 Strabourg/France
IRC    #Debian (irc.icq.com)       Tel. DE: +49 177 9351947
ICQ    #328449886                  Tel. FR: +33 6 61925193
From: Chris H. <ta...@sq...> - 2010-02-13 14:42:19
On 2/13/2010 7:04 AM, Michelle Konzack wrote:
> Hello Simon,
>
> I am 99% sure it was a phishing attack against your users.
>
> I have currently over 300 accounts running on my corporate domain and
> told ALL USERS, that I will never send (admin) messages without their
> full First- and Family-Name, to identify, the Mail is really coming from
> me.
>
> This is normally what all bigger and more serious ISPs do.
>
> It really prevents phishing attacks. And since I know the native language
> of all of my customers (mainly foreigners) I put a paragraph in their
> native language in the admin message... :-D
>
> No chance for phishers... Think about it!

More importantly, tell them that you'll never need to ask them for their password. Anyone asking for their password is a thief and a liar.

That's what I tell them, anyway.

Chris
From: Michelle K. <lin...@ta...> - 2010-02-14 14:29:42
Hello,

On 2010-02-13 09:23:07, Chris Hilts wrote:
> More importantly, tell them that you'll never need to ask them for their
> password. Anyone asking for their password is a thief and a liar.
>
> That's what I tell them, anyway.

This is a part of the messages too...

However, I currently have a problem with 1.4.20-rC2, the "compatibility" and "change_passwd" plugin. So, users cannot change their password...

More in another (new) message...

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant
From: Benedict s. <si...@km...> - 2010-02-13 15:06:57
Thanks a lot Michelle for your reply.

I don't rule out the possibility of a phishing attack, but since I'm running MailScanner I was not really hoping about this, because many times I see MailScanner catching lots of phishing attacks. Nevertheless it could have slipped through. MailScanner is just a wonderful software.

Anyway, right now things are OK after I changed the passwords of my users.

I will definitely broadcast a mail to all our users, but as Mr Thomas said it could have been a very simple password of the users that could also have been guessed.

Also I want to upgrade my SquirrelMail and do want to implement the security plugins.

Any other advice will be highly appreciated.

regards
simon

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:
From: Marc P. <ma...@en...> - 2010-02-13 15:33:51
On Feb 13, 2010, at 9:09 AM, Benedict simon wrote:

> I don't rule out the possibility of a phishing attack but since I'm
> running MailScanner I was not really hoping about this

Why do you think Mailscanner protects you from the following --

"Dear kmun.gov.kw user,

This is your email support team. We're going to be doing maintenance on the mail system and will be disabling all inactive accounts. If you want to keep using your account, please reply to this email and provide the following information to prove your account is still active -

Username:
Password:
Full Name:

Thanks!

Your kmun.gov.kw Support Team"

The answer is that Mailscanner does *nothing* to protect against this form of phishing (spear phishing). It is widely used because it can be highly effective against gullible users and undetected by base configurations of Mailscanner and spam assassin. If you think that Mailscanner is detecting or blocking this then you're going to continue to have this happen. Mailscanner's phishing detection is for a completely different type of phishing.

I use Mailscanner, SA, Squirrelmail (and other software) to host 40,000+ accounts (teachers). I see this kind of attack all the time. You can do things with SA to look for keywords in the body and flag or delete as appropriate but some will get through and only by educating your users can you really prevent it. This might also be helpful - http://www.scamnailer.info/

--
Marc
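An added example, not part of the thread and not SpamAssassin's or MailScanner's own rules: the keyword approach described above, written in Python as additive body signals for a reply-with-your-credentials message that contains no link at all. The signal names, scores, threshold and sample texts are constructed assumptions.

```python
import re

M = re.IGNORECASE | re.MULTILINE

# (name, score, pattern). A form field counts only when it is left blank,
# which is what separates a request for credentials from ordinary mail
# that merely mentions passwords.
SIGNALS = [
    ("blank_password_field", 2.5,
     re.compile(r"^[ \t]*pass(word|phrase)[ \t]*:[ \t]*$", M)),
    ("blank_username_field", 1.5,
     re.compile(r"^[ \t]*(user\s*name|login|user\s*id)[ \t]*:[ \t]*$", M)),
    ("asks_for_reply", 1.5,
     re.compile(r"\breply\s+to\s+this\s+(e-?mail|message)\b", M)),
    ("account_threat", 1.0,
     re.compile(r"\b(disabl|deactivat|suspend|clos)\w*\b.{0,60}\baccounts?\b",
                M | re.DOTALL)),
    ("claims_support", 0.5,
     re.compile(r"\b(support|help\s?desk|admin\w*)\s+team\b", M)),
]
THRESHOLD = 5.0  # illustrative; tune against real mail before acting on it


def score_body(body):
    """Return (total score, names of the signals that fired)."""
    hits = [(name, points) for name, points, rx in SIGNALS if rx.search(body)]
    return sum(points for _, points in hits), [name for name, _ in hits]


def is_credential_request(body):
    return score_body(body)[0] >= THRESHOLD


# Constructed samples.
PHISH = """Dear example.org user,

This is your email support team. We will be disabling all inactive
accounts. To keep your account, please reply to this email with:

Username:
Password:
Full Name:

Your example.org Support Team
"""
NOTICE = ("The support team will suspend inactive accounts on Friday. "
          "No action is needed and we will never ask for your password.")
RESET = "Your password was changed on 12 Feb. If this was not you, call the helpdesk."

if __name__ == "__main__":
    for label, text in (("phish", PHISH), ("notice", NOTICE), ("reset", RESET)):
        print(label, score_body(text), is_credential_request(text))
```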
From: Benedict s. <si...@km...> - 2010-02-13 18:21:41
Dear Marc,

Thank you so much. It's really so nice of you to reply to me so quickly with wonderful advice and an example.

It's just that I had nothing really of this type for the last couple of years.

Once again I do immensely thank you, and God bless you.

I will immediately inform and educate all my users about providing their usernames and passwords.

regards
simon

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:
From: Benedict s. <si...@km...> - 2010-02-14 10:06:19
Dear Marc,

Thanks for your reply.

I'm sorry to bother you once again.

I have been using MailScanner (4.76.25), SpamAssassin version 3.2.5.

I just would like to know if I can install scamnailer.

Thanks and regards
simon

I appreciate your help.

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:
From: Michelle K. <lin...@ta...> - 2010-02-14 14:36:33
Hello Marc and *,

On 2010-02-13 09:33:38, Marc Powell wrote:
> Why do you think Mailscanner protects you from the following --

<snip>

Sorry Marc, but such messages are already caught by spamassassin...

> The answer is that Mailscanner does *nothing* to protect against this
> form of phishing (spear phishing). It is widely used because it can be
> highly effective against gullible users and undetected by base
> configurations of Mailscanner and spam assassin. If you think that
> Mailscanner is detecting or blocking this then you're going to
> continue to have this happen. Mailscanner's phishing detection is for
> a completely different type of phishing.
>
> I use Mailscanner, SA, Squirrelmail (and other software) to host
> 40,000+ accounts (teachers). I see this kind of attack all the time.
> You can do things with SA to look for keywords in the body and flag or
> delete as appropriate but some will get through and only by educating
> your users can you really prevent it. This might also be helpful -
> http://www.scamnailer.info/

Any good provider has already implemented rules to catch such messages.

I am an ISP too, and my customers expect that I catch this crap... Messages marked as spam by users go to a special account for (if necessary) manual stuff and analysis.

I have to adapt spamassassin rules daily and currently there are around 11 million spams trashed per day.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant
From: Marc P. <ma...@en...> - 2010-02-14 16:29:18
On Feb 14, 2010, at 8:36 AM, Michelle Konzack wrote:

> Hello Marc and *,
>
> On 2010-02-13 09:33:38, Marc Powell wrote:
>> Why do you think Mailscanner protects you from the following --
>
> <snip>
>
> Sorry Marc, but such messages are already caught by spamassassin...

This wasn't directed at you unless you're Benedict simon by another name. If you are, why are you posting under different names?

--
Marc
From: Michelle K. <lin...@ta...> - 2010-02-14 23:39:11
Hello,

On 2010-02-14 10:29:06, Marc Powell wrote:
> On Feb 14, 2010, at 8:36 AM, Michelle Konzack wrote:
> > Sorry Marc, but such messages are already caught by spamassassin...
> This wasn't directed at you unless you're Benedict simon by another
> name. If you are, why are you posting under different names?

I prefer to be a different person... ;-)

If your "spamassassin" is up-to-date, then "spamassassin" already catches such phishing attempts, unless you have disabled it in your global

    /etc/spamassassin/local.cf

or in your private

    ~/.spamassassin/user_prefs

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant