Webmail used for spamming

sparek-3 (Well-Known Member, Aug 10, 2002, cPanel Access Level: Root Administrator)
Lately we have been having a lot of problems with spam being sent out from our cPanel webmail systems. Specifically it seems to be Squirrelmail, although I have seen one instance where Horde was used. Is anyone else having this problem?

I really don't know how they are getting in. I won't rule out insecure passwords, but we have seen 5 incidents within the past week, all with cPanel webmail.

If nobody else is experiencing a similar problem, then I will go ahead and assume that it's just insecure passwords and that spammers are somehow gaining access to these passwords. I would like to think that our servers are secure and that there is nothing else wrong with the server, but I suppose it is possible that I have missed something somewhere. However, the spamming incidents are spanning across our servers, 5 incidents on 4 different servers.

I am a release behind with cPanel, running 11.11.0-RELEASE_16983. I suppose upgrading all servers to the latest Release is the next logical step, but has anything changed between these two versions that might be affecting this? Was Squirrelmail upgraded between versions?

I would just like to know if other users are experiencing this problem or is it just me?

Any suggestions for stopping this?

Thanks
 

sparek-3 (Well-Known Member, Aug 10, 2002, cPanel Access Level: Root Administrator)
No, it's actual webmail based spamming. From the looks of it, they are logging into Squirrelmail, setting a signature, and then sending out empty messages to thousands of addresses. The addresses get the message in the form of the signature, and any subsequent message that the user sends via webmail also has the signature appended to it.

I usually catch the messages as they are in the mail queue and stop them, but a few do get sent and I don't always catch them in a timely manner (I'd prefer to just flat out prevent them). The headers always show that the messages were sent via Squirrelmail as user [email protected]. It lists the IP address. I can then search the cPanel access_log and sure enough, that IP did log in as that user around that time.

I have noticed that a lot of these messages are being sent from a specific range of IPs. I have blocked that range of IPs, I will see where that gets me. But this doesn't really prevent someone from another range of IPs from accessing the servers in this way.

If this were just one incident, I wouldn't have a problem attributing it to an insecure password. But because there are multiple incidents and they span multiple servers, it's got me thinking that maybe there is a security problem within cPanel that has yet to be disclosed. I'm not saying that it is a security problem with cPanel; if it were, I would think that there would be a lot of other people facing this same problem.

I don't know, I'm really at a loss. I'll see what the IP blocking gets me. If nobody else is having this problem, then I'll just assume it is my own problem and deal with it accordingly. But if other hosting companies are having the same problem, this will at least ease my mind some.
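As an added example (not from any poster in this thread), here is how the correlation sparek-3 describes can be scripted: pull the client IP and account out of the SquirrelMail "authenticated user" Received header of a queued message, then find the logins from that IP as that user in the cPanel access_log around the same time. The message headers, the log lines and the Apache-style access_log layout are constructed for the example and assumed, not taken from any real server.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: headers of a message caught in the mail queue.
# SquirrelMail names the webmail account and client IP in this Received line.
SPAM_HEADERS = """\
Received: from 203.0.113.45 (SquirrelMail authenticated user joe@example.com)
    by webmail.example.com with HTTP; Thu, 16 Aug 2007 03:12:41 -0500
X-Mailer: SquirrelMail/1.4.9a
From: joe@example.com
Subject:
"""

# Constructed sample cPanel access_log (Apache-style layout is assumed):
# client IP, "-", authenticated user, [timestamp], "request", status, bytes.
ACCESS_LOG = """\
198.51.100.7 - joe@example.com [16/Aug/2007:02:40:10 -0500] "GET /3rdparty/squirrelmail/src/webmail.php HTTP/1.1" 200 512
203.0.113.45 - joe@example.com [16/Aug/2007:03:11:58 -0500] "POST /login/ HTTP/1.1" 302 0
203.0.113.45 - joe@example.com [16/Aug/2007:03:12:30 -0500] "POST /3rdparty/squirrelmail/src/options_personal.php HTTP/1.1" 200 0
203.0.113.45 - joe@example.com [16/Aug/2007:03:12:40 -0500] "POST /3rdparty/squirrelmail/src/compose.php HTTP/1.1" 200 0
192.0.2.9 - bob@example.com [16/Aug/2007:03:13:00 -0500] "GET /login/ HTTP/1.1" 200 0
"""

RECV_RE = re.compile(
    r"Received: from (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"\(SquirrelMail authenticated user (?P<user>\S+)\)"
    r".*?;\s*(?P<date>[A-Za-z]{3}, \d+ [A-Za-z]{3} \d{4} \d\d:\d\d:\d\d [+-]\d{4})",
    re.S)
LOG_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<date>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_spam_headers(text):
    """Return (client_ip, webmail_user, sent_at) from the SquirrelMail Received header."""
    m = RECV_RE.search(text)
    if not m:
        return None
    sent_at = datetime.strptime(m.group("date"), "%a, %d %b %Y %H:%M:%S %z")
    return m.group("ip"), m.group("user"), sent_at


def matching_logins(access_log, ip, user, when, window=timedelta(minutes=10)):
    """Return (timestamp, request) for access_log hits from `ip` as `user` within `window` of `when`."""
    hits = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("date"), "%d/%b/%Y:%H:%M:%S %z")
        if m.group("ip") == ip and m.group("user") == user and abs(ts - when) <= window:
            hits.append((ts, m.group("req")))
    return hits
```

Any hit from the spamming IP that sits outside the account owner's usual addresses (here the 198.51.100.7 login hours earlier) is the login to block and the password to reset.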
 

mrprez (Well-Known Member, Jun 14, 2002)
I had just the exact same thing happen on Monday of this week. Just like you describe. Fortunately, only a few of the messages got sent out as CSF locked it down. Just had to delete the messages in the queue. Still don't know how they got into that account though. I did change the cPanel and email account passwords immediately.
 

sparek-3 (Well-Known Member, Aug 10, 2002, cPanel Access Level: Root Administrator)
Thanks for the reply, it helps to know I'm not the only one that's having this problem.

Interesting though, I don't see where the cpanel access_log is showing any failed login attempts to this webmail account from this IP address. So I'm not really sure if the password was "guessed" or brute forced. It's as if the spammer already knew the password to the account.

I did notice that CSF uses /usr/local/cpanel/logs/login_log to determine cPanel login failures. Unfortunately that file has already been overwritten, so I can't go back and see if this particular incident had login failures listed in that file. I might try decreasing my failure limits in CSF and see if that helps. Thanks for that advice.
 

neutro (Well-Known Member, Apr 11, 2004)
I got one last week. The intruder managed to create two email accounts on two separate domains and sent spam through Squirrelmail. After further investigation, I found copies of phpshell scripts in the directory. I believe the intruder used the script to create additional email accounts to send spam.

My advice: sweep the entire directory and look for suspicious scripts.
 

manokiss (Well-Known Member, Mar 31, 2002)
Same problem here, but the problem is not any script; they are using Horde to send spam. The odd thing is they are able to edit the 'Reply-To' and the 'From' addresses so they receive the emails if someone replies to the spam email. Could this be an exploit in Horde? Please note I did find the spam email in the .Sent folder in their account.

Probably a hole in horde?
 

Curious Too (Well-Known Member, Aug 31, 2001, cPanel Access Level: Root Administrator)
I've had it happen on accounts that were compromised because of outdated PHP software. Once they get into the account they create email accounts in cPanel and begin spamming from them. Once the accounts were cleaned up, the passwords changed and the email accounts deleted, the problem stopped.