On Sat, 18 Jul 2009, Damian Myerscough wrote:

Hello,

Just out of curiosity how do you let your users change their passwords?

There's a few routes, since vpopmail basically stores everything in a database:

- a squirrelmail plugin
- a standalone php page
- Freeside's account management page
- "passwd" on the shell server (which is hooked-in to the vpopmail db via pam_mysql)

Charles

2009/7/18 Charles Sprickman <[email protected]>:
On Sat, 18 Jul 2009, ram wrote:

We run smtp services for our clients using smtp-auth. And nowadays we
also enforce a strong password (minimum alphanumeric)
But still people's passwords get compromised. Even a relatively strong
password. To save our postfix servers I have implemented rate-limits,
and outgoing spam scanning.
[...]
How do spammers get these passwords??

I see our users hit with phishing attempts every few months, and the pattern
seems to be that once one phishing attempt hits, there's a few more in the
same week.  Usually shortly thereafter we find at least one account that is
being abused either at the smtp or webmail level to spew spam.

Oddly enough, the "quality" of the phish does not seem to change the numbers
- the truly ridiculous ones that are written in broken English and have
quite farcical return addresses seem to work as well as the more carefully
forged ones.  Each time we block the reply address(es) and send a warning
message stating again that we "will never ask you for your password".  Yet
each time someone falls for it...

Charles


Thanks
Ram

--
Regards,
Damian Myerscough
