The Community Forums


Spams sent through squirrelmail !

Discussion in 'E-mail Discussions' started by Novisoft, Feb 19, 2010.

  1. Novisoft

    Novisoft Active Member

    Hi all,

    I just noticed that squirrelmail is sending spams using an existing email account.

    Below is a summary of the header of one of those emails:

    ===============
    Received: from 78.138.3.237 ([78.138.3.237])
    (SquirrelMail authenticated user test@cnrpah.org)
    by CNRPAH with HTTP;
    Fri, 19 Feb 2010 15:42:28 +0100
    Message-ID: <b7a2487944ca93e295bdc7810892947f.squirrel@www.cnrpah.org>
    Date: Fri, 19 Feb 2010 15:42:28 +0100
    Subject:
    From: "TRUST FUND FINANCE" <info@mail.com>
    ....
    User-Agent: SquirrelMail/1.4.19
    MIME-Version: 1.0
    Content-Type: text/plain;charset=iso-8859-1
    Content-Transfer-Encoding: 8bit
    X-Priority: 3 (Normal)
    Importance: Normal
    ===========================

    As you can see, emails are sent by the SquirrelMail authenticated user test@cnrpah.org.

    Can someone help me to fix that, please?

    Many thanks
     
  2. webignition

    webignition Well-Known Member

    You should first verify that these emails are indeed being sent through SquirrelMail. Given the nature of spam, it is highly likely that the message headers have been forged.

    If you think this may originate from your server, take a recent relevant message, find the message ID and check your Exim logs to verify that it was indeed sent from your server.

    The message ID will be in the Message-Id header, such as:

    Code:
    Message-Id: <E1NiaPs-0006fC-1y@hostname.example.com>
    Check your Exim logs as follows:

    Code:
    cat /var/log/exim_mainlog | grep E1NiaPs-0006fC-1y
    This will give you a better idea of whether the mail is originating from your server, which is a good place to start.
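
The check described in the post above, as an added example that is not part of the original thread. It assumes Exim records the Message-ID header in the `id=` field of its arrival (`<=`) lines; the function names, addresses and log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: tie a suspect message's headers to Exim arrival ("<=") lines.

# Bare Message-ID value (no angle brackets); header names are case-insensitive.
msgid_from_headers() {
    sed -n 's/^[Mm]essage-[Ii][Dd]:[[:space:]]*<\([^>]*\)>.*/\1/p' "$1" | head -n 1
}

# Account named in SquirrelMail's "authenticated user" Received comment.
squirrelmail_user() {
    sed -n 's/.*(SquirrelMail authenticated user \([^)]*\)).*/\1/p' "$1" | head -n 1
}

# Arrival lines whose id= field equals the Message-ID exactly (literal compare,
# so dots in the ID are not treated as regex wildcards as with a plain grep).
arrivals_for_msgid() {
    WANT="id=$1" awk '/ <= / {
        for (i = 1; i <= NF; i++) if ($i == ENVIRON["WANT"]) { print; break }
    }' "$2"
}

# "local" if this server logged accepting the message, "not-found" otherwise.
verdict() {
    id=$(msgid_from_headers "$1")
    if [ -z "$id" ]; then echo "no-message-id"
    elif [ -n "$(arrivals_for_msgid "$id" "$2")" ]; then echo "local"
    else echo "not-found"; fi
}

# Constructed sample data (example.org names, documentation IP ranges).
tmp=$(mktemp -d)
cat > "$tmp/headers.txt" <<'EOF'
Received: from 192.0.2.10 ([192.0.2.10])
    (SquirrelMail authenticated user test@example.org)
    by www.example.org with HTTP;
    Fri, 19 Feb 2010 15:42:28 +0100
Message-ID: <0123456789abcdef.squirrel@www.example.org>
User-Agent: SquirrelMail/1.4.19
EOF
cat > "$tmp/exim_mainlog" <<'EOF'
2010-02-19 15:42:28 1NiaPs-0006fC-1y <= test@example.org H=localhost [127.0.0.1] P=esmtp S=1843 id=0123456789abcdef.squirrel@www.example.org
2010-02-19 15:42:29 1NiaPs-0006fC-1y => rcpt@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.7]
2010-02-19 15:50:02 1NiaXe-0006hA-2b <= other@example.org H=localhost [127.0.0.1] P=esmtp S=990 id=ffff.squirrel@www.example.org
EOF

echo "user: $(squirrelmail_user "$tmp/headers.txt")  verdict: $(verdict "$tmp/headers.txt" "$tmp/exim_mainlog")"
```

A "local" verdict means the server accepted the message, so the account named in the Received comment is the one to lock and investigate; "not-found" in the current log is not conclusive until rotated logs have been checked as well.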
     
  3. vincentg

    vincentg Well-Known Member

    I have the same problem and it's from squirrel mail for sure.

    In this case the IP of the sender could be forged, as it comes back as being from Nobis Technology Group.

    Received: from 174.34.156.235 ([174.34.156.235]) (proxying for
    174.34.156.235)
    (SquirrelMail authenticated user

    Leaving out the rest so as not to show the email address.

    Checked the user's folders and many emails in sent folder all from some scam artist.

    Subject: UNITED NATIONS 2009/2010 SCAM VICTIMS COMPENSATIONS PAYMENTS.
    From: "United Nations" <diplomat@un.org>
    Reply-To: delbert.holgate@yahoo.com.hk


    Changed the email password but am now suspecting we have a security problem with this email app.

    Vincent G.
     
  4. ivaserver

    ivaserver Well-Known Member

    I have had 2 x squirrelmail hacks today on separate servers
     