Hi Rocco,

On Thu, June 4, 2009 11:34, Rocco Scappatura wrote:
> Received: from 80.237.152.53 (proxying for unknown)
> (SquirrelMail authenticated user <imap_user>)
> by webmail.mydomain.tld with HTTP; Wed, 3 Jun 2009 01:33:39 +0200 (CEST)
> Message-ID: <49689.80.237.152.53.1243985619.squirrel@...>
>
>
> Could I know how it is possible to use SM as a source of SPAM and how to
> prevent that this happens?
>
> Is it only a matter of weakness of credential of IMAP user <imap_user> or
> the authentication is workarounded at all?

This is more of a question for the squirrelmail-user list and I suggest
that you redirect future questions about SquirrelMail usage there.

Several explanations are possible. The simplest is indeed that the
password of the IMAP account of that user got compromised. You can check
if you indeed see logins from that user in your mail server log at that
time. If that's the case, they were indeed logged in. Then you can ask
your user if 80.237.152.53 is his normal IP address he connects from or
not; if not then it's the address of the attacker. This kind of attack
where passwords are just brute forced happens often and is not really
preventable when users pick weak passwords.

It's also possible that e-mail was sent via an XSS or CSRF attack on that
user when the user was already logged in. I see you are using a very old
version of 1.4.6; a number of security issues have been fixed since then,
so I urge you to upgrade to 1.4.19 in any case. Also subscribe to our
announcements list to receive notifications of future security releases.

kind regards,
Thijs
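
The log check suggested in the reply above, as an added example that is not part of the original message or of SquirrelMail: it pulls the client IP, user and time out of the quoted Received header and lists that user's IMAP logins within a few minutes of it. The log line format, the sample log lines, `other_user` and the function names are assumptions constructed for illustration; adapt `LOG_RE` to your own mail server's log format.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Header quoted in the message above (user name is the page's placeholder).
HEADER = """Received: from 80.237.152.53 (proxying for unknown)
 (SquirrelMail authenticated user imap_user)
 by webmail.mydomain.tld with HTTP; Wed, 3 Jun 2009 01:33:39 +0200 (CEST)"""

# Constructed sample log; the line format is an assumption, not a real server's.
# rip is 127.0.0.1 because the webmail host (assumed to be the same machine as
# the IMAP server) opens the IMAP session; the client IP is only in the header.
LOG = """\
2009-06-02T18:05:41+02:00 imap-login: Login: user=<imap_user>, rip=127.0.0.1
2009-06-03T01:31:02+02:00 imap-login: Login: user=<other_user>, rip=127.0.0.1
2009-06-03T01:32:57+02:00 imap-login: Login: user=<imap_user>, rip=127.0.0.1
2009-06-03T01:33:38+02:00 imap-login: Login: user=<imap_user>, rip=127.0.0.1
""".splitlines()

HDR_RE = re.compile(
    r"from\s+(?P<ip>[0-9a-fA-F.:]+).*?authenticated user\s+<?(?P<user>[^\s>)]+)>?\)"
    r".*?with HTTP;\s*(?P<date>[^(]+)", re.S)
LOG_RE = re.compile(
    r"^(?P<ts>\S+) imap-login: Login: user=<(?P<user>[^>]+)>, rip=(?P<rip>\S+)")

def parse_sm_header(header):
    """Return (client_ip, user, timezone-aware datetime) from the header."""
    m = HDR_RE.search(header)
    if not m:
        raise ValueError("not a SquirrelMail Received header")
    return m["ip"], m["user"], parsedate_to_datetime(m["date"].strip())

def logins_near(lines, user, when, window=timedelta(minutes=5)):
    """List (timestamp, remote_ip) of logins by `user` within `window` of `when`."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["user"] == user:
            ts = datetime.fromisoformat(m["ts"])
            if abs(ts - when) <= window:
                hits.append((ts, m["rip"]))
    return hits

if __name__ == "__main__":
    ip, user, when = parse_sm_header(HEADER)
    print(f"message sent by {user} from {ip} at {when.isoformat()}")
    for ts, rip in logins_near(LOG, user, when):
        print(f"  IMAP login at {ts.isoformat()} from {rip}")
```

Matching logins confirm the session was authenticated; whether 80.237.152.53 belongs to the user is still a question for the user, as the reply says.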