From: Dave McMurtrie <dave64@an...> - 2012-06-11 16:58:24
On 06/11/2012 11:30 AM, Bumo wrote:
> Hi, I have a frontend server in a DMZ running RH ES 3 up3 and squirrelmail 1.4.8, php 4.3.2.
> Thousands of emails were sent on two occasions and the only evidence of the abuse was, in the access_log (squirrel_logger), an entry from the IP which was sending the messages.
> There was no evidence of a brute force attack. In fact there weren't many entries in access_log for failed logins. Well, I don't know if this is enough to say that I wasn't under a brute force attack.
One or more of your users probably had their credentials phished. It's
> However, now I'm asking myself if a spammer, getting the login credentials in squirrelmail (IMAP auth toward the local imap server), can send thousands of emails in an automatic way.
Yes, there are automated tools that will use Squirrelmail to send
essentially as many messages out as possible as fast as your
infrastructure will allow. Look at the browser string from your
webserver logs. I've seen a couple different ones.
> Temporarily I blocked the original ip range at firewall level but I think this can only delay the next attack.
You're probably right.
> I'm working on a lockout plugin and captcha, but before going on, I should know if in this case squirrel is the weakest part of this puzzle.
It was probably the easiest thing for a spammer to exploit this time.
Once you make that more difficult to exploit, the spammer will look for
some other way to relay spam through your domain.
> Any suggestion?
Implement rate-limiting at the MTA layer.
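The log inspection Dave suggests (look at which IP is hammering the compose page and what browser string it sends) can be turned into a small detection script. The following is an added example, not code from this thread or from the SquirrelMail project. It assumes the webserver writes Apache combined log format and that SquirrelMail is served under `/squirrelmail/` (both assumptions; adjust `SEND_PATH` to your install); the sample log lines, IP addresses and user-agent strings are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format:
#   ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# A POST to SquirrelMail's compose page is the request that actually sends a message.
# Hypothetical mount point; change it to match where SquirrelMail lives on your server.
SEND_PATH = "/squirrelmail/src/compose.php"


def parse_line(line):
    """Return (ip, datetime, method, path, user_agent), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("ip"), when, m.group("method"), m.group("path"), m.group("ua")


def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bulk_senders(log_text, window=timedelta(minutes=1), threshold=20):
    """Group compose POSTs by client IP and report IPs whose peak rate reaches `threshold`
    sends within `window`. Returns {ip: {"sends", "peak_per_window", "user_agents"}}
    for flagged IPs only; the user-agent list is what you would compare against
    the strings seen from real browsers."""
    sends = defaultdict(list)
    agents = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip anything that is not a combined-format line
        ip, when, method, path, ua = rec
        if method == "POST" and path.startswith(SEND_PATH):
            sends[ip].append(when)
            agents[ip].add(ua)
    flagged = {}
    for ip, times in sends.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = {"sends": len(times), "peak_per_window": peak,
                           "user_agents": sorted(agents[ip])}
    return flagged


# --- Constructed sample log (not real traffic): one ordinary user and one bulk sender ---
def _line(ip, when, method, path, ua):
    return '%s - - [%s] "%s %s HTTP/1.1" 200 512 "-" "%s"' % (
        ip, when.strftime(TIME_FMT), method, path, ua)

_BASE = datetime(2012, 6, 11, 10, 2, 0, tzinfo=timezone(timedelta(hours=2)))
_BROWSER = "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0"  # constructed
_SCRIPT = "Wget/1.12 (linux-gnu)"                                                # constructed
_lines = [_line("198.51.100.12", _BASE, "GET", "/squirrelmail/src/webmail.php", _BROWSER)]
# a human: three messages, five minutes apart
_lines += [_line("198.51.100.12", _BASE + timedelta(minutes=5 * i), "POST", SEND_PATH, _BROWSER)
           for i in range(3)]
# a script: 25 messages, one every two seconds
_lines += [_line("203.0.113.7", _BASE + timedelta(seconds=60 + 2 * i), "POST", SEND_PATH, _SCRIPT)
           for i in range(25)]
_lines.append("this line is not in combined log format")
SAMPLE_LOG = "\n".join(_lines)

if __name__ == "__main__":
    for ip, info in find_bulk_senders(SAMPLE_LOG).items():
        print("%s: %d sends, peak %d/min, agents %s" % (
            ip, info["sends"], info["peak_per_window"], info["user_agents"]))
```

Run it against the real access_log with `find_bulk_senders(open(path).read())`; the window and threshold are deliberately parameters, since a sensible ceiling depends on how many messages your legitimate users send per minute. The flagged IP's user-agent list is the "browser string" worth comparing against what ordinary browsers on your network report.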
From: Paul Lesniewski <paul@sq...> - 2012-06-11 19:12:28
>> Any suggestion?
> Implement rate-limiting at the MTA layer.
While rate limiting in the MTA is the better solution, you can also
rate limit in SquirrelMail by using the Restrict Senders plugin. That
plugin (as well as Squirrel Logger) can also be configured to send you
alert emails so you know when an attack is taking place.
Please support Open Source Software by donating to SquirrelMail!