Squirrelmail being used to mass SPAM

Solokron

This is interesting. We have a spammer on the server. We have imposed limits, added header information etc. Provided below is header information from one of the SPAMs.

Subject: MAIL ORDER !!!!!!!!!!!!!!!!!!!!!!!!
From: "ANGEL MARIO" <[email protected]>
Reply-To: [email protected]

User-Agent: SquirrelMail/1.4.9a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - xxx.xxx.xxxx.
X-AntiAbuse: Original Domain - notvalid
X-AntiAbuse: Originator/Caller UID/GID - [32398 659] / [47 12]
X-AntiAbuse: Sender Address Domain - yahoo.com
X-Source: /usr/local/cpanel/3rdparty/bin/php
X-Source-Args: /usr/local/cpanel/3rdparty/bin/php /usr/local/cpanel/base/3rdparty/squirrelmail/src/compose.php
X-Source-Dir: :/base/3rdparty/squirrelmail/src
X-Virus-Scanned: ClamAV 0.88.7/2415/Fri Jan 5 19:59:24 2007 on net.bluemoon.net
X-Virus-Status: Clean
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on net.bluemoon.net
X-Spam-Status: No, score=4.8 required=6.0 tests=DNS_FROM_RFC_ABUSE,
DNS_FROM_RFC_POST,DNS_FROM_RFC_WHOIS,FORGED_YAHOO_RCVD,PLING_PLING,
RCVD_BY_IP,SUBJ_ALL_CAPS autolearn=no version=3.0.3
X-Spam-Level: ****


So they are spamming through squirrelmail.

exim_mainlog shows:

2007-01-05 18:57:12 1H2zs0-00030c-68 <= [email protected] U=faanenet P=local S=817 [email protected] T="dgvsdsgddffdhfd"
2007-01-05 18:57:17 1H2zs4-00031A-Re == [email protected] R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host


Is there any better way to track this individual down besides disabling squirrelmail?
 

chirpy

Well, from the exim log information, the account that has been compromised/being abused on your server is faanenet
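An added example, not part of the original thread: the U= lookup described in the reply above, run over a whole log to tally locally submitted messages per account together with the envelope sender domains each account used. The sample log lines, addresses and the "alice" and "bob" entries are constructed for illustration, and the default two-token timestamp format is assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in exim_mainlog format; addresses, message ids and the
# "alice"/"bob" entries are made up for illustration.
SAMPLE_LOG = """\
2007-01-05 18:57:12 1H2zs0-00030c-68 <= angel@yahoo.example U=faanenet P=local S=817 id=a1@host.example T="dgvsdsgddffdhfd"
2007-01-05 18:57:17 1H2zs4-00031A-Re == victim@dest.example R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
2007-01-05 18:57:20 1H2zs7-00031F-Ab <= angel@yahoo.example U=faanenet P=local S=822 T="MAIL ORDER"
2007-01-05 18:58:02 1H2zt1-00032B-Cd <= mario@yahoo.example U=faanenet P=local S=790 T="MAIL ORDER"
2007-01-05 19:01:44 1H2zw9-00033K-Ef <= alice@alice-site.example U=alice P=local S=1204 T="Invoice"
2007-01-05 19:03:10 1H2zxx-00034P-Gh <= bob@remote.example H=mx.remote.example [192.0.2.10] P=esmtp S=2048 T="Hello"
"""

# An arrival line: date, time, message id, "<=", envelope sender, then fields.
ARRIVAL = re.compile(r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")


def local_submissions(log_text):
    """Yield (user, sender_domain, msgid) for each locally submitted message."""
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # deliveries (=>), deferrals (==) and other lines
        # Drop the quoted subject so its text cannot be mistaken for a field.
        rest = re.sub(r'\sT=".*"', "", m["rest"])
        fields = dict(f.split("=", 1) for f in rest.split() if "=" in f)
        if fields.get("P") != "local" or "U" not in fields:
            continue  # keep only mail handed to exim by a local user
        domain = m["sender"].rpartition("@")[2].lower()
        yield fields["U"], domain, m["msgid"]


def summarize(log_text):
    """Return {user: (message_count, {sender_domain: count})}."""
    counts, domains = Counter(), defaultdict(Counter)
    for user, domain, _ in local_submissions(log_text):
        counts[user] += 1
        domains[user][domain] += 1
    return {u: (counts[u], dict(domains[u])) for u in counts}


if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0])
    for user, (n, doms) in ranked:
        print(f"{user:12} {n:4}  {doms}")
```

An account with a high count whose sender domains are not domains it hosts, as with the yahoo.com sender in the headers above, is the one to investigate first.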
 

Solokron

Ack! I can't believe I missed that. As always, thanks Chirpy!

 


ilbin

Does anyone have information regarding restricting the from address in squirrelmail?

In the case that started this thread, the sender was listed as yahoo. I've seen this before as well, and I was wondering if anyone had information to force the from to be ONLY from domains local to the server.
 

bin_asc

I guess you could edit the templates from squirrel mail, to get the current location, and use a grep function to isolate the domain. Also you could make the field non-editable.

PS. Another idea. Edit templates. Use the explode function from PHP to isolate the domains. And use an intermediary script to post the messages that would verify the $_REQUEST variable that would send the domain.
 

GordonH

This is caused by brute force attacks on the squirrelmail log in page.
Cpanel does not force the use of secure passwords when email accounts are set up or when domain accounts are set up by resellers.
This results in insecure passwords being used.

We use LFD to reduce the risk of attacks on the main cpanel passwords, but if we turn this on for email, customers go mad because if they log in incorrectly more than three times they get locked out.
Sometimes they have several accounts or a machine with a bad password on it that is auto checking and locking them out permanently.

50% of the spam I receive is coming from compromised squirrel mail accounts.
The developers need to introduce captcha into the squirrelmail log in page and force secure passwords for email accounts and domain accounts set up through WHM.

We even face the prospect that random character passwords will not be secure in the future:
http://news.bbc.co.uk/1/low/technology/7118997.stm

We will all need to move to RSA keys.
Our business bank have already done this and most of the domain registries now use RSA key generators for log ins.