Squirrelmail being used to mass SPAM

[Solokron]

This is interesting. We have a spammer on the server. We have imposed limits, added header information etc. Provided below is header information from one of the SPAMs.

Subject: MAIL ORDER !!!!!!!!!!!!!!!!!!!!!!!!
From: "ANGEL MARIO" <[email protected]>
Reply-To: [email protected]

User-Agent: SquirrelMail/1.4.9a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - xxx.xxx.xxxx.
X-AntiAbuse: Original Domain - notvalid
X-AntiAbuse: Originator/Caller UID/GID - [32398 659] / [47 12]
X-AntiAbuse: Sender Address Domain - yahoo.com
X-Source: /usr/local/cpanel/3rdparty/bin/php
X-Source-Args: /usr/local/cpanel/3rdparty/bin/php /usr/local/cpanel/base/3rdparty/squirrelmail/src/compose.php
X-Source-Dir: :/base/3rdparty/squirrelmail/src
X-Virus-Scanned: ClamAV 0.88.7/2415/Fri Jan 5 19:59:24 2007 on net.bluemoon.net
X-Virus-Status: Clean
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on net.bluemoon.net
X-Spam-Status: No, score=4.8 required=6.0 tests=DNS_FROM_RFC_ABUSE,
DNS_FROM_RFC_POST,DNS_FROM_RFC_WHOIS,FORGED_YAHOO_RCVD,PLING_PLING,
RCVD_BY_IP,SUBJ_ALL_CAPS autolearn=no version=3.0.3
X-Spam-Level: ****


So they are spamming through squirrelmail.

exim_mainlog shows:

2007-01-05 18:57:12 1H2zs0-00030c-68 <= [email protected] U=faanenet P=local S=817 [email protected] T="dgvsdsgddffdhfd"
2007-01-05 18:57:17 1H2zs4-00031A-Re == [email protected] R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host


Is there any better way to track this individual down besides disabling squirrelmail?

 

[chirpy]

Well, from the exim log information, the account that has been comrpomised/being abused, on your server is faanenet

 

[Solokron]

Ack! I can't believe I missed thank. As always, thanks Chirpy!

Well, from the exim log information, the account that has been comrpomised/being abused, on your server is faanenet

 

[duranduran]

Well, from the exim log information, the account that has been comrpomised/being abused, on your server is faanenet

I dont undestend (i have the same problem) what is "faanenet" ?

 

[duranduran]

I dont undestend (i have the same problem) what is "faanenet" ?

Ops, i see now

2007-01-05 18:57:12 1H2zs0-00030c-68 <= [email protected] U=faanenet P=local S=817 [email protected] .xx T="dgvsdsgddffdhfd"
2007-01-05 18:57:17 1H2zs4-00031A-Re == [email protected] R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host

Thanks

 

[bin_asc]

You also have :

X-AntiAbuse: Originator/Caller UID/GID - [32398 659] / [47 12]

That tells you the user id : 32398

 

[ilbin]

Does anyone have information regarding restricting the from address in squirrelmail?

In the case that started this thread, the sender was listed as yahoo. I've seen this before as well, and I was wondering if anyone had information to force the from to be ONLY from domains local to the server.

 

[bin_asc]

I guess you could edit the templates from squirrel mail, to get the current location, and use a grep function to isolate the domain. Also you could make the field non-editable.

PS. Another idea. Edit templates. use the explode function from php to isolate the domains. And use an intermediary script to post the messages that would verify the $_REQUEST variable that would send the domain.

 

[GordonH]

This is caused by brute force attacks on the squirrelmail log in page.
Cpanel does not force the use of secure passwords when email accounts are set up or when domain accounts are set up by resellers.
This results in insecure passwords being used.

We use LFD to reduce the risk of attacks on the main cpanel passwords, but if we turn this on for email customers go mad because if they log in incorrectly more than three times they get locked out.
Sometimes they have several accounts or a machine with a bad password on it that is auto checking and locking them out permanently.

50% of the spam I receive is coming from compromised squirrel mail accounts.
The developers need to introduce captcha into the squirrelmail log in page and force secure passwords for email accounts and domain accounts set up through WHM.

We even face the prospect that random character passwords will not be secure in the future:
http://news.bbc.co.uk/1/low/technology/7118997.stm

We will all need to move to RSA keys.
Our business bank have already done this and most of the domain registries now use RSA key generators for log ins.