The Community Forums

Interact with an entire community of cPanel & WHM users!

Squirrelmail being used to mass SPAM

Discussion in 'E-mail Discussions' started by Solokron, Jan 6, 2007.

  1. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    This is interesting. We have a spammer on the server. We have imposed limits, added header information etc. Provided below is header information from one of the SPAMs.

    Subject: MAIL ORDER !!!!!!!!!!!!!!!!!!!!!!!!
    From: "ANGEL MARIO" <companysupervisers@yahoo.com>
    Reply-To: companysupervisers@yahoo.com

    User-Agent: SquirrelMail/1.4.9a
    MIME-Version: 1.0
    Content-Type: text/plain;charset=iso-8859-1
    Content-Transfer-Encoding: 8bit
    X-Priority: 3 (Normal)
    Importance: Normal
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - xxx.xxx.xxxx.
    X-AntiAbuse: Original Domain - notvalid
    X-AntiAbuse: Originator/Caller UID/GID - [32398 659] / [47 12]
    X-AntiAbuse: Sender Address Domain - yahoo.com
    X-Source: /usr/local/cpanel/3rdparty/bin/php
    X-Source-Args: /usr/local/cpanel/3rdparty/bin/php /usr/local/cpanel/base/3rdparty/squirrelmail/src/compose.php
    X-Source-Dir: :/base/3rdparty/squirrelmail/src
    X-Virus-Scanned: ClamAV 0.88.7/2415/Fri Jan 5 19:59:24 2007 on net.bluemoon.net
    X-Virus-Status: Clean
    X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on net.bluemoon.net
    X-Spam-Status: No, score=4.8 required=6.0 tests=DNS_FROM_RFC_ABUSE,
    DNS_FROM_RFC_POST,DNS_FROM_RFC_WHOIS,FORGED_YAHOO_RCVD,PLING_PLING,
    RCVD_BY_IP,SUBJ_ALL_CAPS autolearn=no version=3.0.3
    X-Spam-Level: ****


    So they are spamming through squirrelmail.

    exim_mainlog shows:

    2007-01-05 18:57:12 1H2zs0-00030c-68 <= companysupervisers@yahoo.com U=faanenet P=local S=817 id=2065.196.1.176.181.1168045032.squirrel@xx.xx.xx.xx T="dgvsdsgddffdhfd"
    2007-01-05 18:57:17 1H2zs4-00031A-Re == companysupervisers@yahoo.com R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host


    Is there any better way to track this individual down besides disabling squirrelmail?
     
    #1 Solokron, Jan 6, 2007
    Last edited: Jan 6, 2007
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Well, from the exim log information, the account that has been compromised/is being abused on your server is faanenet.
     
  3. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    Ack! I can't believe I missed that. As always, thanks Chirpy!

     
  4. duranduran

    duranduran Well-Known Member

    Joined:
    Apr 30, 2004
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    16
    I don't understand (I have the same problem): what is "faanenet"?
     
  5. duranduran

    duranduran Well-Known Member

    Joined:
    Apr 30, 2004
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    16
    Oops, I see now.

    Thanks
     
  6. bin_asc

    bin_asc Well-Known Member

    Joined:
    Jul 18, 2005
    Messages:
    280
    Likes Received:
    0
    Trophy Points:
    16
    You also have:

    That tells you the user id: 32398
     
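The identification chirpy and bin_asc describe (the exim_mainlog `U=` field and the `X-AntiAbuse` UID/GID header both point at the sending cPanel account) can be automated. The following is an added example, not code from the thread or from cPanel; it parses the exact headers and log lines quoted in the first post, which are embedded here as sample input, and correlates them on the envelope sender. The header and field names are the ones visible in the thread; nothing else about the server is assumed.

```python
import re

# Sample input: the message headers quoted in the first post of the thread.
SAMPLE_HEADERS = """\
Subject: MAIL ORDER !!!!!!!!!!!!!!!!!!!!!!!!
From: "ANGEL MARIO" <companysupervisers@yahoo.com>
Reply-To: companysupervisers@yahoo.com
User-Agent: SquirrelMail/1.4.9a
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - xxx.xxx.xxxx.
X-AntiAbuse: Original Domain - notvalid
X-AntiAbuse: Originator/Caller UID/GID - [32398 659] / [47 12]
X-AntiAbuse: Sender Address Domain - yahoo.com
X-Source: /usr/local/cpanel/3rdparty/bin/php
X-Source-Args: /usr/local/cpanel/3rdparty/bin/php /usr/local/cpanel/base/3rdparty/squirrelmail/src/compose.php
"""

# Sample input: the two exim_mainlog lines quoted in the first post.
SAMPLE_EXIM_LOG = """\
2007-01-05 18:57:12 1H2zs0-00030c-68 <= companysupervisers@yahoo.com U=faanenet P=local S=817 id=2065.196.1.176.181.1168045032.squirrel@xx.xx.xx.xx T="dgvsdsgddffdhfd"
2007-01-05 18:57:17 1H2zs4-00031A-Re == companysupervisers@yahoo.com R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
"""

# "[uid gid]" of the process that handed the message to the MTA.
UID_GID_RE = re.compile(r"Originator/Caller UID/GID - \[(\d+) (\d+)\]")
# An exim arrival line ("<=") carrying the local user that submitted it (U=).
EXIM_ARRIVAL_RE = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) .*?\bU=(\S+)")


def parse_antiabuse(headers):
    """Pull the abuse-tracking fields out of a block of message headers."""
    info = {}
    for line in headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if name == "X-AntiAbuse":
            m = UID_GID_RE.search(value)
            if m:
                info["uid"], info["gid"] = int(m.group(1)), int(m.group(2))
            elif value.startswith("Sender Address Domain - "):
                info["sender_domain"] = value.split(" - ", 1)[1]
        elif name == "X-Source-Args":
            # Last argument is the PHP script that generated the message.
            info["source_script"] = value.split()[-1]
        elif name == "From":
            m = re.search(r"<([^>]+)>", value)
            info["from"] = m.group(1) if m else value
    return info


def exim_local_senders(log):
    """Return one record per '<=' arrival line: who submitted what, as whom."""
    rows = []
    for line in log.splitlines():
        m = EXIM_ARRIVAL_RE.match(line)
        if m:
            rows.append({"time": m.group(1), "msgid": m.group(2),
                         "envelope_from": m.group(3), "user": m.group(4)})
    return rows


def correlate(headers, log):
    """Join the header evidence with the exim log on the envelope sender."""
    info = parse_antiabuse(headers)
    matches = [r for r in exim_local_senders(log)
               if r["envelope_from"] == info.get("from")]
    info["exim_users"] = sorted({r["user"] for r in matches})
    info["via_squirrelmail"] = info.get("source_script", "").endswith(
        "/squirrelmail/src/compose.php")
    return info


if __name__ == "__main__":
    print(correlate(SAMPLE_HEADERS, SAMPLE_EXIM_LOG))
```

The UID in the header and the `U=` user in the log should name the same account; on the server itself the numeric UID can be confirmed with `getent passwd 32398`. If the two disagree, that is worth investigating before suspending anyone.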
  7. ilbin

    ilbin Member

    Joined:
    Apr 12, 2004
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Does anyone have information regarding restricting the from address in squirrelmail?

    In the case that started this thread, the sender was listed as yahoo. I've seen this before as well, and I was wondering if anyone had information to force the from to be ONLY from domains local to the server.
     
  8. bin_asc

    bin_asc Well-Known Member

    Joined:
    Jul 18, 2005
    Messages:
    280
    Likes Received:
    0
    Trophy Points:
    16
    I guess you could edit the templates from SquirrelMail to get the current location and use a grep function to isolate the domain. Also, you could make the field non-editable.

    PS. Another idea: edit the templates, use the explode function from PHP to isolate the domains, and use an intermediary script to post the messages that would verify the $_REQUEST variable that would send the domain.
     
    #8 bin_asc, Sep 17, 2007
    Last edited: Sep 17, 2007
  9. GordonH

    GordonH Well-Known Member

    Joined:
    Sep 6, 2001
    Messages:
    104
    Likes Received:
    0
    Trophy Points:
    16
    This is caused by brute force attacks on the SquirrelMail login page.
    cPanel does not force the use of secure passwords when email accounts are set up or when domain accounts are set up by resellers.
    This results in insecure passwords being used.

    We use LFD to reduce the risk of attacks on the main cPanel passwords, but if we turn this on for email, customers go mad because if they log in incorrectly more than three times they get locked out.
    Sometimes they have several accounts or a machine with a bad password on it that is auto-checking and locking them out permanently.

    50% of the spam I receive is coming from compromised SquirrelMail accounts.
    The developers need to introduce a captcha into the SquirrelMail login page and force secure passwords for email accounts and domain accounts set up through WHM.

    We even face the prospect that random character passwords will not be secure in the future:
    http://news.bbc.co.uk/1/low/technology/7118997.stm

    We will all need to move to RSA keys.
    Our business bank have already done this and most of the domain registries now use RSA key generators for log ins.
     
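GordonH's dilemma is that a fixed "three failures and you are locked out" rule catches brute force but also permanently locks out a customer whose mail client keeps retrying a stale password. The added example below (not LFD or cPanel code) shows one way to separate the two: an IP that fails against several different accounts inside a short window is blocked for a limited time, while repeated failures on a single account from a single IP raise an alert for the account owner instead of a block. The thresholds, the `LoginMonitor` class and the sample events (documentation-range IPs and made-up account names) are all constructed for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3                # failures from one IP in WINDOW before acting
DISTINCT_ACCOUNTS_FOR_BRUTE = 3   # that many different accounts => brute force
WINDOW = timedelta(minutes=10)    # how long a failure counts against an IP
BLOCK_DURATION = timedelta(minutes=30)  # temporary block, never permanent


class LoginMonitor:
    """Tracks webmail login failures per source IP and decides what to do."""

    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> deque of (time, account)
        self.blocked_until = {}              # ip -> datetime
        self.alerts = []                     # (kind, ip, [accounts])

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0][0] > WINDOW:
            q.popleft()

    def record(self, when, ip, account, ok):
        """Feed one login attempt; returns 'ok', 'fail', 'alert' or 'blocked'."""
        until = self.blocked_until.get(ip)
        if until is not None and when < until:
            return "blocked"
        self._prune(ip, when)
        if ok:
            self.failures[ip].clear()
            return "ok"
        recent = self.failures[ip]
        recent.append((when, account))
        if len(recent) < FAIL_THRESHOLD:
            return "fail"
        accounts = sorted({a for _, a in recent})
        if len(accounts) >= DISTINCT_ACCOUNTS_FOR_BRUTE:
            # One source walking through many mailboxes: block it for a while.
            self.blocked_until[ip] = when + BLOCK_DURATION
            self.alerts.append(("brute_force", ip, accounts))
            return "blocked"
        # Same mailbox failing over and over from one place: most likely a
        # client with an old password. Tell the owner, do not lock them out.
        self.alerts.append(("stale_password", ip, accounts))
        recent.clear()   # alert once per burst rather than on every retry
        return "alert"


T0 = datetime(2007, 1, 6, 9, 0, 0)
# Constructed sample attempts: (time, source ip, account, succeeded)
SAMPLE_EVENTS = [
    (T0,                            "203.0.113.5",  "alice", False),
    (T0 + timedelta(seconds=5),     "203.0.113.5",  "bob",   False),
    (T0 + timedelta(seconds=10),    "203.0.113.5",  "carol", False),  # 3 accounts
    (T0 + timedelta(seconds=60),    "203.0.113.5",  "dave",  False),  # still blocked
    (T0 + timedelta(minutes=45),    "203.0.113.5",  "dave",  True),   # block expired
    (T0,                            "198.51.100.7", "erin",  False),
    (T0 + timedelta(seconds=30),    "198.51.100.7", "erin",  False),
    (T0 + timedelta(seconds=60),    "198.51.100.7", "erin",  False),  # alert, no block
    (T0 + timedelta(seconds=90),    "198.51.100.7", "erin",  False),
    (T0 + timedelta(seconds=120),   "198.51.100.7", "erin",  True),
]


def run(events):
    """Replay attempts through a fresh monitor; returns (outcomes, alerts)."""
    mon = LoginMonitor()
    outcomes = [mon.record(*e) for e in events]
    return outcomes, mon.alerts


if __name__ == "__main__":
    for line in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)[0]):
        print(line)
```

The block expiring on its own is the point GordonH raises: a retrying client eventually gets a fresh chance, and the owner has an alert explaining why.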