From: Rob W. <deb...@po...> - 2008-07-16 14:44:29
Greetings,

I know this topic has been beaten to death but I'm asking for a review of some spam complaints we've received from AOL. We got a slew of these last Summer, installed the CAPTCHA plugin and killed them dead. Now we're getting them again and I just want to be sure that I'm reading right and that these are coming from our Squirrelmail install via stolen or phished passwords. We had a run of phishing attempts last week, now this week we're getting spam complaints, I'm sure the two are related.

So before I start freaking out thinking something worse has happened than has, can I get someone to just double check this for me? They look like they are indeed coming off my server, but I'd appreciate a more critical eye looking at them. I read the security note on squirrelmail.org about SquirrelMail spam, and while there are some definite similarities, the differences (mainly that the server information is accurate) kind of throw me off.

Should I also do something about our CAPTCHA plugin? Even if the passwords were stolen, I'd have thought the CAPTCHA might have prevented any automated usage of the SM.

Headers from AOL feedback loop below my signature. I'm using SquirrelMail 1.5.1 on Debian Etch.

Thank you so very much,

Rob Wright
poncacity.net
deb...@po...

Headers from email reported by AOL:
----------------------------------------
Return-Path: <jut...@ya...>
Received: from rly-me04.mx.aol.com (rly-me04.mail.aol.com [172.20.83.38])
  by air-me05.mail.aol.com (v121.5) with ESMTP id MAILINME053-9b1487d1136163;
  Tue, 15 Jul 2008 17:06:29 -0400
Received: from mail.poncacity.net (mail.poncacity.net [70.254.229.3])
  by rly-me04.mx.aol.com (v121.5) with ESMTP id MAILRELAYINME045-9b1487d1136163;
  Tue, 15 Jul 2008 17:05:58 -0400
Received: (qmail 16150 invoked by uid 33); 15 Jul 2008 21:05:58 -0000
Cc:
Received: from 41.219.128.202
  (SquirrelMail authenticated user dj...@po...)
  by mail.poncacity.net with HTTP;
  Tue, 15 Jul 2008 16:05:58 -0500 (CDT)
Message-ID: <121...@ma...>
Date: Tue, 15 Jul 2008 16:05:58 -0500 (CDT)
Subject: From Brother Jute
From: "Jute Okpe" <jut...@ya...>
Reply-To: jut...@ya...
User-Agent: SquirrelMail/1.5.1
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-AOL-IP: 70.254.229.3
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo : +
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from : n
X-Mailer: Unknown (No Version)

Dear loved one in Christ,

Calvary greetings in Jesus name. This letter comes far from a brother of the household of faith and I bring you good tiding from my area. Also I thank God for this technology enabling us reach each other in the far places.
-----------------------------
From: Jeremy M. <je...@bi...> - 2008-07-16 15:46:23
Rob Wright wrote:
> Greetings,
>
> I know this topic has been beaten to death but I'm asking for a review of
> some spam complaints we've received from AOL. We got a slew of these last
> Summer, installed the CAPTCHA plugin and killed them dead. Now we're getting them
> again and I just want to be sure that I'm reading right and that these are
> coming from our Squirrelmail install via stolen or phished passwords. We had
> a run of phishing attempts last week, now this week we're getting spam
> complaints, I'm sure the two are related.

I wouldn't use CAPTCHA's anymore... see this article:

"CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad.

There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."

http://www.computerworld.com.au/index.php/id;489635775;fp;;fpid;

--
Jeremy Mann
je...@bi...

University of Texas Health Science Center
Bioinformatics Core Facility
http://www.bioinformatics.uthscsa.edu
Phone: (210) 567-2672
From: MrC <lis...@ca...> - 2008-07-16 15:58:43
Rob Wright wrote:
> Greetings,
>
> I know this topic has been beaten to death but I'm asking for a review of some
> spam complaints we've received from AOL. We got a slew of these last Summer,
> installed the CAPTCHA plugin and killed them dead. Now we're getting them
> again and I just want to be sure that I'm reading right and that these are
> coming from our Squirrelmail install via stolen or phished passwords. We had

Correlate these headers with your log entries to determine if they come from your server. Your logs tell you all, and should be your primary source of confirmation. If the message is not in your mail log, you should be confident it didn't go through your server.

> a run of phishing attempts last week, now this week we're getting spam
> complaints, I'm sure the two are related.
>
> So before I start freaking out thinking something worse has happened than has,
> can I get someone to just double check this for me? They look like they are
> indeed coming off my server, but I'd appreciate a more critical eye looking

You really need to be intimately familiar with what your mail server headers will look like. This helps you quickly identify these as either from your server, or joe jobs.

> at them. I read the security note on squirrelmail.org about SquirrelMail
> spam, and while there are some definite similarities, the differences (mainly
> that the server information is accurate) kind of throw me off.
>
> Headers from AOL feedback loop below my signature. I'm using SquirrelMail
> 1.5.1 on Debian Etch.
>
> Thank you so very much,
>
> Rob Wright
>
> Headers from email reported by AOL:
> ----------------------------------------
> Return-Path: <jut...@ya...>
> Received: from rly-me04.mx.aol.com (rly-me04.mail.aol.com [172.20.83.38]) by
> air-me05.mail.aol.com (v121.5) with ESMTP id MAILINME053-9b1487d1136163; Tue,
> 15 Jul 2008 17:06:29 -0400
> Received: from mail.poncacity.net (mail.poncacity.net [70.254.229.3]) by
> rly-me04.mx.aol.com (v121.5) with ESMTP id MAILRELAYINME045-9b1487d1136163;
> Tue, 15 Jul 2008 17:05:58 -0400
> Received: (qmail 16150 invoked by uid 33); 15 Jul 2008 21:05:58 -0000
> Cc:
> Received: from 41.219.128.202
> (SquirrelMail authenticated user dj...@po...)
> by mail.poncacity.net with HTTP;
> Tue, 15 Jul 2008 16:05:58 -0500 (CDT)
> Message-ID: <121...@ma...>
...
From: Paul L. <pa...@sq...> - 2008-07-22 08:17:41
On Wed, Jul 16, 2008 at 7:46 AM, Rob Wright <deb...@po...> wrote:
> Greetings,
>
> I know this topic has been beaten to death but I'm asking for a review of some
> spam complaints we've received from AOL. We got a slew of these last Summer,
> installed the CAPTCHA plugin and killed them dead. Now we're getting them
> again and I just want to be sure that I'm reading right and that these are
> coming from our Squirrelmail install via stolen or phished passwords. We had
> a run of phishing attempts last week, now this week we're getting spam
> complaints, I'm sure the two are related.
>
> So before I start freaking out thinking something worse has happened than has,
> can I get someone to just double check this for me? They look like they are
> indeed coming off my server, but I'd appreciate a more critical eye looking
> at them. I read the security note on squirrelmail.org about SquirrelMail
> spam, and while there are some definite similarities, the differences (mainly
> that the server information is accurate) kind of throw me off.

The received information shows that the AOL server got the mail from yours. The IP address is accurate, so it does look like you are correct. That information is not likely forged.

> Should I also do something about our CAPTCHA plugin? Even if the passwords
> were stolen, I'd have thought the CAPTCHA might have prevented any automated
> usage of the SM.

CAPTCHAs are not foolproof. They are hackable, some more than others. You can try changing the mechanism you've chosen. But you should also consider using the Lockout plugin to help eliminate password guessing attacks, and the Restrict Senders plugin to catch accounts that have already been compromised and are being used to send spam. That plugin can lock down such accounts based on thresholds you define in its configuration file. You can also monitor such problems and do extensive logging of events like sent messages and logins/logouts using the Squirrel Logger plugin.

> Headers from AOL feedback loop below my signature. I'm using SquirrelMail
> 1.5.1 on Debian Etch.
>
> Thank you so very much,
>
> Rob Wright
> poncacity.net
> deb...@po...
>
> Headers from email reported by AOL:
> ----------------------------------------
> Return-Path: <jut...@ya...>
> Received: from rly-me04.mx.aol.com (rly-me04.mail.aol.com [172.20.83.38]) by
> air-me05.mail.aol.com (v121.5) with ESMTP id MAILINME053-9b1487d1136163; Tue,
> 15 Jul 2008 17:06:29 -0400
> Received: from mail.poncacity.net (mail.poncacity.net [70.254.229.3]) by
> rly-me04.mx.aol.com (v121.5) with ESMTP id MAILRELAYINME045-9b1487d1136163;
> Tue, 15 Jul 2008 17:05:58 -0400
> Received: (qmail 16150 invoked by uid 33); 15 Jul 2008 21:05:58 -0000
> Cc:
> Received: from 41.219.128.202
> (SquirrelMail authenticated user dj...@po...)
> by mail.poncacity.net with HTTP;
> Tue, 15 Jul 2008 16:05:58 -0500 (CDT)
> Message-ID: <121...@ma...>
> Date: Tue, 15 Jul 2008 16:05:58 -0500 (CDT)
> Subject: From Brother Jute
> From: "Jute Okpe" <jut...@ya...>
> Reply-To: jut...@ya...
> User-Agent: SquirrelMail/1.5.1
> MIME-Version: 1.0
> Content-Type: text/plain;charset=iso-8859-1
> Content-Transfer-Encoding: 8bit
> X-AOL-IP: 70.254.229.3
> X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo : +
> X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from : n
> X-Mailer: Unknown (No Version)
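The triage MrC describes (correlate the reported headers with your own logs, and know what your server's own Received lines look like) and the per-account thresholds Paul mentions can be put into a short script. The following is an added example written for this thread; it is not code from the list, from SquirrelMail, or from any of its plugins. It takes a feedback-loop header block, pulls out the "SquirrelMail authenticated user" hop (account, client IP, timestamp), checks that the hop recorded by the reporting provider's MX really names our host and IP, looks for the client IP in the webmail server's access log within a few seconds of that timestamp, and counts reports per account against a threshold. The hostnames and IPs are the ones in Rob's headers; the authenticated user address, the access-log lines (Apache common log format, not any plugin's own format) and the threshold value are constructed for the example.

```python
"""Triage of feedback-loop (abuse report) headers against local logs.

Added example for this thread; not code from the list, the SquirrelMail
project, or any of its plugins.  Hostnames and IPs come from the posted
headers; the authenticated user, the access-log lines and the report
threshold are constructed / hypothetical.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

OUR_HOST = "mail.poncacity.net"   # from the posted headers
OUR_IP = "70.254.229.3"           # from the posted headers
REPORT_THRESHOLD = 2              # hypothetical: reports per account before we act

# Constructed header block modelled on the posted one (body and elided fields omitted).
REPORTED = """\
Return-Path: <sender@example.invalid>
Received: from rly-me04.mx.aol.com (rly-me04.mail.aol.com [172.20.83.38])
  by air-me05.mail.aol.com (v121.5) with ESMTP id MAILINME053-9b1487d1136163;
  Tue, 15 Jul 2008 17:06:29 -0400
Received: from mail.poncacity.net (mail.poncacity.net [70.254.229.3])
  by rly-me04.mx.aol.com (v121.5) with ESMTP id MAILRELAYINME045-9b1487d1136163;
  Tue, 15 Jul 2008 17:05:58 -0400
Received: (qmail 16150 invoked by uid 33); 15 Jul 2008 21:05:58 -0000
Received: from 41.219.128.202
  (SquirrelMail authenticated user dj@example.invalid)
  by mail.poncacity.net with HTTP;
  Tue, 15 Jul 2008 16:05:58 -0500 (CDT)
User-Agent: SquirrelMail/1.5.1
Subject: constructed sample
"""
# Two more constructed reports: a second one for the same account, one for another.
REPORTS = [
    REPORTED,
    REPORTED.replace("16:05:58 -0500", "16:09:12 -0500"),
    REPORTED.replace("dj@example.invalid", "other@example.invalid"),
]

# Constructed web-server access log (Apache common log format) for the webmail host.
ACCESS_LOG = """\
41.219.128.202 - - [15/Jul/2008:16:05:57 -0500] "POST /squirrelmail/src/compose.php HTTP/1.1" 302 -
41.219.128.202 - - [15/Jul/2008:16:05:58 -0500] "GET /squirrelmail/src/right_main.php HTTP/1.1" 200 8821
192.0.2.10 - - [15/Jul/2008:16:06:03 -0500] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2330
"""

SM_HOP = re.compile(
    r"from (?P<client>\S+) \(SquirrelMail authenticated user (?P<user>[^)]+)\) "
    r"by (?P<server>\S+) with HTTP; (?P<date>.+)$")
ACCESS = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def received_hops(raw_headers):
    """Received headers, newest first, with folding whitespace collapsed."""
    msg = message_from_string(raw_headers)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


def squirrelmail_hop(raw_headers):
    """Account, client IP, server and time of the SquirrelMail HTTP hop, or None."""
    for hop in received_hops(raw_headers):
        m = SM_HOP.search(hop)
        if m:
            return {"client": m["client"], "user": m["user"].strip(),
                    "server": m["server"], "when": parsedate_to_datetime(m["date"])}
    return None


def relayed_by_us(raw_headers):
    """True if some hop records our hostname *and* our IP as the sending host.
    Only the hops added by the reporting provider are trustworthy; anything
    below them could have been forged by the sender."""
    pattern = re.compile(rf"from {re.escape(OUR_HOST)} \([^)]*\[{re.escape(OUR_IP)}\]\)")
    return any(pattern.search(h) for h in received_hops(raw_headers))


def access_log_matches(hop, log_text, window=timedelta(seconds=5)):
    """Requests from the hop's client IP within +/- window of the hop timestamp."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS.match(line)
        if not m or m["ip"] != hop["client"]:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - hop["when"]) <= window:
            hits.append(m["req"])
    return hits


def accounts_over_threshold(report_blocks, threshold=REPORT_THRESHOLD):
    """Accounts named in at least `threshold` reports: candidates for lockout."""
    counts = Counter()
    for raw in report_blocks:
        hop = squirrelmail_hop(raw)
        if hop:
            counts[hop["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hop = squirrelmail_hop(REPORTED)
    print("SquirrelMail hop:", hop)
    print("Relayed by our MX:", relayed_by_us(REPORTED))
    print("Access-log hits:", access_log_matches(hop, ACCESS_LOG))
    print("Accounts over threshold:", accounts_over_threshold(REPORTS))
```

A hop that matches the SquirrelMail pattern, a relay line naming your own host and IP, and a matching access-log request from the same client IP at the same second together confirm the message left your server through a logged-in webmail session, which is the stolen-password case rather than a joe job. No access-log hit for that IP and time is the signal to look harder at whether the lower headers were forged.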
From: <dw...@do...> - 2008-07-22 13:50:08
I know that this may be a little bit outside this forum, but with all of the experience in here, I hope that someone can help me.

I have gotten qmail/courier IMAP/sendmail working just fine with either vchkpw or checkpassword. All I want to do is configure it to authenticate users (username / password only) against an existing Sun One LDAP Directory Server running on a different server. I am not looking for detailed instructions - just some general steps to help me get going.

Nothing I have found in this forum, mailing lists, life with qmail, life with qmail - ldap, or the rest of the Internet via Google has helped me solve this yet.

Thanks Very Much!

Derek