
Re: Webmail hole?

by Rocco Scappatura-3


Hi

> -----Original Message-----
> From: Thijs Kinkhorst [mailto:kink@...]
> Sent: Thursday, June 04, 2009 12:00 PM
> To: Squirrelmail Developers Mailing List
> Subject: Re: [SM-DEVEL] Webmail hole?
>
> Hi Rocco,
>
> On Thu, June 4, 2009 11:34, Rocco Scappatura wrote:
>
> > Received: from 80.237.152.53 (proxying for unknown)
> > (SquirrelMail authenticated user <imap_user>)
> > by webmail.mydomain.tld with HTTP; Wed, 3 Jun 2009 01:33:39 +0200 (CEST)
> > Message-ID: <49689.80.237.152.53.1243985619.squirrel@...>
> >
> > Could I know how it is possible to use SM as a source of SPAM and how
> > to prevent this from happening?
> >
> > Is it only a matter of a weak credential for IMAP user <imap_user>, or
> > is the authentication worked around at all?
>
> This is more of a question for the squirrelmail-user list and I suggest
> that you redirect future questions about SquirrelMail usage there.
>
> Several explanations are possible. The simplest is indeed that the
> password of the IMAP account of that user got compromised. You can check
> if you indeed see logins from that user in your mail server log at that
> time. If that's the case, they were indeed logged in. Then you can ask
> your user if 80.237.152.53 is his normal IP address he connects from or
> not; if not then it's the address of the attacker. This kind of attack
> where passwords are just brute forced happens often and is not really
> preventable when users pick weak passwords.
>
> It's also possible that e-mail was sent via an XSS or CSRF attack on that
> user when the user was already logged in. I see you are using a very old
> version of 1.4.6; a number of security issues have been fixed since then,
> so I urge you to upgrade to 1.4.19 in any case. Also subscribe to our
> announcements list to receive notifications of future security
> releases.

Thanks for your quick answer. I'm sorry for having asked this on this
mailing list.

Anyway - If you could answer for this time :-) - I can't see any access
from <imap_user>:

mail4:/var/log # zcat /var/log/imapd-* | grep <imap_user>
May  2 23:38:09 mail4 imapd-ssl: LOGIN FAILED, user=<imap_user>, ip=[::ffff:80.74.176.149]
May 24 13:08:06 mail4 imapd-ssl: LOGIN FAILED, user=<imap_user>, ip=[::ffff:80.74.176.149]

So what could have happened?

PS: I'm just upgrading to the latest version of SM 1.4.. :-)

rocsca
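The two checks Thijs describes (a successful IMAP login for that user around the time the message was sent, and whether the sender address is one the user normally uses), as an added Python example that is not part of this thread. The Received header, log lines, user name, known-address table and year are constructed; it assumes Courier-style imapd-ssl lines like the ones pasted above and that the webmail and IMAP hosts log in the same local time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not taken from the thread): one SquirrelMail Received
# header and Courier imapd-ssl log lines in the format Rocco pasted.
RECEIVED = ("Received: from 80.237.152.53 (proxying for unknown) "
            "(SquirrelMail authenticated user alice) "
            "by webmail.example.org with HTTP; Wed, 3 Jun 2009 01:33:39 +0200 (CEST)")
IMAP_LOG = """\
May 24 13:08:06 mail4 imapd-ssl: LOGIN FAILED, user=alice, ip=[::ffff:80.74.176.149]
Jun  3 01:32:50 mail4 imapd-ssl: LOGIN, user=alice, ip=[::ffff:127.0.0.1], port=[41022], protocol=IMAP
Jun  3 01:34:02 mail4 imapd-ssl: LOGIN FAILED, user=alice, ip=[::ffff:80.74.176.149]
"""
KNOWN_IPS = {"alice": {"192.0.2.10"}}  # assumed: addresses this user normally connects from

RECV_RE = re.compile(r"Received: from (\S+) .*?SquirrelMail authenticated user (\S+)\) "
                     r"by \S+ with HTTP; (.+?)(?: \([A-Z]+\))?$")
LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ imapd-ssl: (LOGIN(?: FAILED)?), "
                    r"user=([^,]+), ip=\[(?:::ffff:)?([\d.]+)\]")

def parse_received(header):
    """Return (sender IP, webmail user, send time as naive local time)."""
    ip, user, date = RECV_RE.search(header).groups()
    sent = datetime.strptime(date, "%a, %d %b %Y %H:%M:%S %z")
    return ip, user, sent.replace(tzinfo=None)  # assumes imapd logs in the same local time

def imap_events(log_text, year):
    """Yield (timestamp, 'LOGIN' or 'LOGIN FAILED', user, ip) per matching log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # syslog lines carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def assess(header, log_text, year, known_ips, window_minutes=30):
    """Apply the two checks from the reply: did this user log in to IMAP around the
    send time, and is the sender IP one they normally use?  The IMAP log only answers
    the first: it records SquirrelMail's own address, not the browser's."""
    ip, user, sent = parse_received(header)
    window = timedelta(minutes=window_minutes)
    logged_in = any(r == "LOGIN" and u == user and abs(t - sent) <= window
                    for t, r, u, _ in imap_events(log_text, year))
    if not logged_in:
        return "no-imap-login-at-send-time"       # look at other auth paths or rotated logs
    if ip in known_ips.get(user, set()):
        return "imap-login-from-known-ip"         # the user, or XSS/CSRF on their live session
    return "imap-login-from-unfamiliar-ip"        # consistent with a stolen or guessed password
```

Run against a log that contains only LOGIN FAILED lines, as in the grep output above, it returns the "no login" verdict, which is what points toward the session-based explanations rather than a stolen password.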

