Webmail hole?

Hello,

I'm using SM 1.4.6 on a SLES 10 platform with Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8a PHP/5.2.9 (HOSTNAME: annina.mydomain.tld [xxx.yyy.zzz.www]) installed. On my mail gateway I noted some queued messages that have headers like this:

Received: from localhost (localhost [127.0.0.1])
    by av8.mydomain.tld (Postfix) with ESMTP id 77DB615B679;
    Wed, 3 Jun 2009 01:32:48 +0200 (CEST)
X-Virus-Scanned: amavisd-new at stt.vir
Received: from av8.mydomain.tld ([127.0.0.1])
    by localhost (av8.stt.vir [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id fH8gW7H4kqOH; Wed, 3 Jun 2009 01:32:48 +0200 (CEST)
Received: from webmail.mydomain.tld (annina.mydomain.tld [xxx.yyy.zzz.www])
    by av8.mydomain.tld (Postfix) with ESMTP id EDC0115B678;
    Wed, 3 Jun 2009 01:32:47 +0200 (CEST)
Received: from 80.237.152.53 (proxying for unknown)
    (SquirrelMail authenticated user <imap_user>)
    by webmail.mydomain.tld with HTTP; Wed, 3 Jun 2009 01:33:39 +0200 (CEST)
Message-ID: <49689.80.237.152.53.1243985619.squirrel@...>

Could I know how it is possible to use SM as a source of SPAM and how to prevent this from happening?

Is it only a matter of a weak credential for IMAP user <imap_user>, or is the authentication worked around altogether?

Thanks in advance for the exhaustive explanation of this attack.

rocsca

Rocco Scappatura
Assurance & Delivery Sistemi Verona
Infracom Network Application S.p.A.
Attività di direzione e coordinamento Infragruppo S.p.A. - Gruppo Infracom
Via Meucci, 14 - 37135 Verona - Italia
Telefono +39 045 9695153 - Telefax +39 045 9690370 - Cellulare +39 335 7276547
Rocco.Scappatura@... - www.infracomna.it

The information contained in this message is intended exclusively for the recipient. If you are not the intended recipient you are obliged not to read, copy, disclose, distribute or copy it to any third party. If you erroneously receive this message you are obliged to return it to the sender and eliminate it permanently from your computer.

-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel
Re: Webmail hole?

Hi Rocco,

On Thu, June 4, 2009 11:34, Rocco Scappatura wrote:
> Received: from 80.237.152.53 (proxying for unknown)
>     (SquirrelMail authenticated user <imap_user>)
>     by webmail.mydomain.tld with HTTP; Wed, 3 Jun 2009 01:33:39 +0200 (CEST)
> Message-ID: <49689.80.237.152.53.1243985619.squirrel@...>
>
> Could I know how it is possible to use SM as a source of SPAM and how to
> prevent this from happening?
>
> Is it only a matter of a weak credential for IMAP user <imap_user>, or is
> the authentication worked around altogether?

This is more of a question for the squirrelmail-user list and I suggest that you redirect future questions about SquirrelMail usage there.

Several explanations are possible. The simplest is indeed that the password of the IMAP account of that user got compromised. You can check if you indeed see logins from that user in your mail server log at that time. If that's the case, they were indeed logged in. Then you can ask your user if 80.237.152.53 is the normal IP address he connects from or not; if not, then it's the address of the attacker. This kind of attack, where passwords are just brute forced, happens often and is not really preventable when users pick weak passwords.

It's also possible that the e-mail was sent via an XSS or CSRF attack on that user when the user was already logged in. I see you are using a very old version, 1.4.6; a number of security issues have been fixed since then, so I urge you to upgrade to 1.4.19 in any case. Also subscribe to our announcements list to receive notifications of future security releases.

kind regards,
Thijs
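The check Thijs describes, as an added example that is not part of the thread or of SquirrelMail itself: pull the user, browser IP and send time out of the SquirrelMail-generated Received header and look for IMAP logins by that user in the minutes before it. The header, the imapd-ssl lines, the user name `jdoe` and the webmail server address `192.0.2.10` are constructed here; the log year and the header's UTC offset are assumed to apply to the syslog timestamps.

```python
"""Correlate a SquirrelMail 'Received' hop with IMAP login log lines."""
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the header quoted in the thread (user name is a placeholder).
RECEIVED = ("Received: from 80.237.152.53 (proxying for unknown) "
            "(SquirrelMail authenticated user jdoe) "
            "by webmail.mydomain.tld with HTTP; Wed, 3 Jun 2009 01:33:39 +0200 (CEST)")

# Constructed imapd-ssl lines in the format quoted in the thread. Syslog lines carry
# neither year nor zone, so the header's year and UTC offset (+0200) are assumed.
IMAP_LOG = """\
May 24 13:08:06 mail4 imapd-ssl: LOGIN FAILED, user=jdoe, ip=[::ffff:80.74.176.149]
Jun  3 01:31:55 mail4 imapd-ssl: LOGIN, user=jdoe, ip=[::ffff:192.0.2.10], port=[51234], protocol=IMAP
Jun  3 09:12:40 mail4 imapd-ssl: LOGIN, user=jdoe, ip=[::ffff:192.0.2.10], port=[51301], protocol=IMAP
"""
WEBMAIL_HOSTS = {"192.0.2.10"}  # assumed address of the webmail server (annina in the thread)

RECV_RE = re.compile(r"from (\S+) .*?\(SquirrelMail authenticated user (\S+)\) "
                     r"by (\S+) with HTTP; (.+?)(?: \([A-Z]+\))?$")
LOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ imapd(?:-ssl)?: "
                    r"(LOGIN(?: FAILED)?), user=(\S+?), ip=\[(?:::ffff:)?([^\]]+)\]")

def parse_received(header):
    """Return (client_ip, user, webmail_host, timestamp) from the SquirrelMail hop."""
    m = RECV_RE.search(header)
    if not m:
        raise ValueError("not a SquirrelMail Received header")
    return m.group(1), m.group(2), m.group(3), parsedate_to_datetime(m.group(4))

def parse_imap_log(text, year, tz):
    """Yield (timestamp, result, user, ip) for each LOGIN / LOGIN FAILED line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                                   "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
            yield ts, m.group(4), m.group(5), m.group(6)

def correlate(header, log, window=timedelta(minutes=5)):
    """List successful IMAP logins by the header's user within `window` before sending."""
    client_ip, user, host, sent = parse_received(header)
    hits = [e for e in parse_imap_log(log, sent.year, sent.tzinfo)
            if e[2] == user and e[1] == "LOGIN" and sent - window <= e[0] <= sent]
    # A SquirrelMail session logs in to IMAP from the webmail host, not from the
    # browser's address, so the browser IP is only visible in this header and in the
    # web server's access log; the IMAP log confirms the session, not its origin.
    via_webmail = any(e[3] in WEBMAIL_HOSTS for e in hits)
    return {"user": user, "client_ip": client_ip, "logins": hits, "via_webmail": via_webmail}

if __name__ == "__main__":
    print(correlate(RECEIVED, IMAP_LOG))
```

If the IMAP log shows no login at all around the send time, as in the next message of the thread, the header's user was not authenticated through IMAP in that window and the web server log for the same minute is the next place to look.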
Re: Webmail hole?

Hi

> -----Original Message-----
> From: Thijs Kinkhorst [mailto:kink@...]
> Sent: Thursday, June 04, 2009 12:00 PM
> To: Squirrelmail Developers Mailing List
> Subject: Re: [SM-DEVEL] Webmail hole?
>
> Hi Rocco,
>
> On Thu, June 4, 2009 11:34, Rocco Scappatura wrote:
>
> > Received: from 80.237.152.53 (proxying for unknown)
> >     (SquirrelMail authenticated user <imap_user>)
> >     by webmail.mydomain.tld with HTTP; Wed, 3 Jun 2009 01:33:39 +0200 (CEST)
> > Message-ID: <49689.80.237.152.53.1243985619.squirrel@...>
> >
> > Could I know how it is possible to use SM as a source of SPAM and how to
> > prevent this from happening?
> >
> > Is it only a matter of a weak credential for IMAP user <imap_user>, or is
> > the authentication worked around altogether?
>
> This is more of a question for the squirrelmail-user list and I suggest
> that you redirect future questions about SquirrelMail usage there.
>
> Several explanations are possible. The simplest is indeed that the
> password of the IMAP account of that user got compromised. You can check
> if you indeed see logins from that user in your mail server log at that
> time. If that's the case, they were indeed logged in. Then you can ask
> your user if 80.237.152.53 is the normal IP address he connects from or
> not; if not, then it's the address of the attacker. This kind of attack,
> where passwords are just brute forced, happens often and is not really
> preventable when users pick weak passwords.
>
> It's also possible that the e-mail was sent via an XSS or CSRF attack on
> that user when the user was already logged in. I see you are using a very
> old version, 1.4.6; a number of security issues have been fixed since then,
> so I urge you to upgrade to 1.4.19 in any case. Also subscribe to our
> announcements list to receive notifications of future security releases.

Thanks for your quick answer. I'm sorry for having asked this mailing list.

Anyway - if you could answer for this time :-) - I can't see any access from <imap_user>:

mail4:/var/log # zcat /var/log/imapd-* | grep <imap_user>
May 2 23:38:09 mail4 imapd-ssl: LOGIN FAILED, user=<imap_user>, ip=[::ffff:80.74.176.149]
May 24 13:08:06 mail4 imapd-ssl: LOGIN FAILED, user=<imap_user>, ip=[::ffff:80.74.176.149]

So what could have happened?

PS: I'm just upgrading to the latest version of SM 1.4.. :-)

rocsca
Re: Webmail hole?

On 6/4/09, Rocco Scappatura <Rocco.Scappatura@...> wrote:
> Hi
>
>> -----Original Message-----
>> From: Thijs Kinkhorst [mailto:kink@...]
>> Sent: Thursday, June 04, 2009 12:00 PM
>> To: Squirrelmail Developers Mailing List
>> Subject: Re: [SM-DEVEL] Webmail hole?
>>
>> Hi Rocco,
>>
>> On Thu, June 4, 2009 11:34, Rocco Scappatura wrote:
>>
>> > Received: from 80.237.152.53 (proxying for unknown)
>> >     (SquirrelMail authenticated user <imap_user>)
>> >     by webmail.mydomain.tld with HTTP; Wed, 3 Jun 2009 01:33:39 +0200 (CEST)
>> > Message-ID: <49689.80.237.152.53.1243985619.squirrel@...>
>> >
>> > Could I know how it is possible to use SM as a source of SPAM and how to
>> > prevent this from happening?
>> >
>> > Is it only a matter of a weak credential for IMAP user <imap_user>, or is
>> > the authentication worked around altogether?
>>
>> This is more of a question for the squirrelmail-user list and I suggest
>> that you redirect future questions about SquirrelMail usage there.
>>
>> Several explanations are possible. The simplest is indeed that the
>> password of the IMAP account of that user got compromised. You can check
>> if you indeed see logins from that user in your mail server log at that
>> time. If that's the case, they were indeed logged in. Then you can ask
>> your user if 80.237.152.53 is the normal IP address he connects from or
>> not; if not, then it's the address of the attacker. This kind of attack,
>> where passwords are just brute forced, happens often and is not really
>> preventable when users pick weak passwords.
>>
>> It's also possible that the e-mail was sent via an XSS or CSRF attack on
>> that user when the user was already logged in. I see you are using a very
>> old version, 1.4.6; a number of security issues have been fixed since then,
>> so I urge you to upgrade to 1.4.19 in any case. Also subscribe to our
>> announcements list to receive notifications of future security releases.
>
> Thanks for your quick answer. I'm sorry for having asked this mailing list.
>
> Anyway - if you could answer for this time :-) - I can't see any access
> from <imap_user>:
>
> mail4:/var/log # zcat /var/log/imapd-* | grep <imap_user>
> May 2 23:38:09 mail4 imapd-ssl: LOGIN FAILED, user=<imap_user>, ip=[::ffff:80.74.176.149]
> May 24 13:08:06 mail4 imapd-ssl: LOGIN FAILED, user=<imap_user>, ip=[::ffff:80.74.176.149]
>
> So what could have happened?

Logs already rotated?

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php