On 6/4/09, Rocco Scappatura <Rocco.Scappatura@...> wrote:
> Hi
>
>> -----Original Message-----
>> From: Thijs Kinkhorst [mailto:kink@...]
>> Sent: Thursday, June 04, 2009 12:00 PM
>> To: Squirrelmail Developers Mailing List
>> Subject: Re: [SM-DEVEL] Webmail hole?
>>
>> Hi Rocco,
>>
>> On Thu, June 4, 2009 11:34, Rocco Scappatura wrote:
>>
>> > Received: from 80.237.152.53 (proxying for unknown)
>> > (SquirrelMail authenticated user <imap_user>)
>> > by webmail.mydomain.tld with HTTP; Wed, 3 Jun 2009 01:33:39 +0200 (CEST)
>> > Message-ID: <49689.80.237.152.53.1243985619.squirrel@...>
>> >
>> > Could I know how it is possible to use SM as a source of SPAM and how to
>> > prevent that this happens?
>> >
>> > Is it only a matter of weakness of credential of IMAP user <imap_user> or
>> > the authentication is workarounded at all?
>>
>> This is more of a question for the squirrelmail-user list and I suggest
>> that you redirect future questions about SquirrelMail usage there.
>>
>> Several explanations are possible. The simplest is indeed that the
>> password of the IMAP account of that user got compromised. You can check
>> if you indeed see logins from that user in your mail server log at that
>> time. If that's the case, they were indeed logged in. Then you can ask
>> your user if 80.237.152.53 is his normal IP address he connects from or
>> not; if not then it's the address of the attacker. This kind of attack
>> where passwords are just brute forced happens often and is not really
>> preventable when users pick weak passwords.
>>
>> It's also possible that e-mail was sent via an XSS or CSRF attack on that
>> user when the user was already logged in. I see you are using a very old
>> version of 1.4.6; a number of security issues have been fixed since then,
>> so I urge you to upgrade to 1.4.19 in any case. Also subscribe to our
>> announcements list to receive notifications of future security releases.
>
> Thanks for your quick answer. I'm sorry for having asked on this
> mailing list.
>
> Anyway - If you could answer for this time :-) - I can't see any access
> from <imap_user>:
>
> mail4:/var/log # zcat /var/log/imapd-* | grep <imap_user>
> May 2 23:38:09 mail4 imapd-ssl: LOGIN FAILED, user=<imap_user>, ip=[::ffff:80.74.176.149]
> May 24 13:08:06 mail4 imapd-ssl: LOGIN FAILED, user=<imap_user>, ip=[::ffff:80.74.176.149]
>
> So what could have happened?

Logs already rotated?
--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
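
An added example, not part of the original thread or of SquirrelMail: the log check suggested above, written so that it also reports whether the supplied log lines cover the send time at all, which is what the rotation question is about. The user names `jdoe` and `other`, the June lines and the successful-login line format are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Login-related syslog lines in the shape quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ imapd(?:-ssl)?: "
    r"(?P<event>LOGIN FAILED|LOGIN|LOGOUT), user=(?P<user>[^,\s]+), "
    r"ip=\[(?P<ip>[^\]]+)\]")

def parse_line(line, year):
    """Return (time, event, user, ip) for a login-related line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["event"], m["user"], m["ip"]

def correlate(lines, user, received_date, window=timedelta(minutes=30)):
    """Find the user's IMAP events near the time in the Received: header.

    'covered' is False when the send time falls outside the span of the
    supplied lines; an empty 'hits' list then proves nothing.
    Assumes the log uses the same local time zone as the header.
    """
    sent = parsedate_to_datetime(received_date).replace(tzinfo=None)
    events = [e for e in (parse_line(ln, sent.year) for ln in lines) if e]
    times = [e[0] for e in events]
    covered = bool(times) and min(times) <= sent <= max(times)
    hits = [e for e in events
            if e[2] == user and abs(e[0] - sent) <= window]
    return {"covered": covered, "hits": hits}

# Constructed sample data: "jdoe"/"other" and the June lines are made up.
OLD_LOGS = [
    "May  2 23:38:09 mail4 imapd-ssl: LOGIN FAILED, user=jdoe, ip=[::ffff:80.74.176.149]",
    "May 24 13:08:06 mail4 imapd-ssl: LOGIN FAILED, user=jdoe, ip=[::ffff:80.74.176.149]",
]
CURRENT_LOG = [
    "Jun  3 01:31:02 mail4 imapd: LOGIN, user=jdoe, ip=[::ffff:127.0.0.1], protocol=IMAP",
    "Jun  3 02:10:45 mail4 imapd: LOGIN, user=other, ip=[::ffff:127.0.0.1], protocol=IMAP",
]
SENT = "Wed, 3 Jun 2009 01:33:39 +0200"

if __name__ == "__main__":
    print(correlate(OLD_LOGS, "jdoe", SENT))                # not covered
    print(correlate(OLD_LOGS + CURRENT_LOG, "jdoe", SENT))  # one LOGIN hit
```

Because SquirrelMail logs in to the IMAP server on the user's behalf, the `ip=` field of a matching line is the webmail host's address; the client address has to come from the web server's access log.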