2010/2/12 <[email protected]>:
> Dear All,
>
> I have the following setup running for a couple of years without any problem.
>
> Centos 5
> sendmail-8.13.8-2.el5
> httpd-2.2.3-11.el5_1
> squirrelmail-1.4.17
> MailScanner 4.76.25
> Mailwatch 1.04
>
> Just yesterday I found a huge amount of spam being originated from my Mail Server
> and my mqueue had over 800 emails.
>
> Here is some information I got from mailwatch:

Did you check your web server access log to confirm that these messages
were sent using webmail? Your maillog is also a good source of
information. You should read those and confirm you know how and where
the attacker used your system.

> ----
> Received: from webmail.baladia.gov.kw (kmdns1.kmun.gov.kw [xx.xx.xx.xx])
>         by kmdns1.kmun.gov.kw (8.13.8/8.13.8) with ESMTP id o1CIKBGo015425;
>         Fri, 12 Feb 2010 21:20:11 +0300
> Received: from 41.138.178.41
>         (SquirrelMail authenticated user kkharafi)
>         by webmail.baladia.gov.kw with HTTP;
>         Fri, 12 Feb 2010 21:21:56 +0300 (AST)
> Message-ID: <[email protected]>
> Date: Fri, 12 Feb 2010 21:21:56 +0300 (AST)
> Subject: BUSINESS PROPOSAL !
> From: "SGT. HENRY PETER" <[email protected]>
> Reply-To: [email protected]
> User-Agent: SquirrelMail/1.4.17
> MIME-Version: 1.0
> Content-Type: text/plain;charset=windows1256
> Content-Transfer-Encoding: 8bit
> X-Priority: 3 (Normal)
> Importance: Normal
> From: [email protected] [Add to Whitelist | Add to Blacklist]
>
> To: [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> ------------------------------------------------
>
>
> (SquirrelMail authenticated user kkharafi)
> by webmail.baladia.gov.kw with HTTP;
> Fri, 12 Feb 2010 21:21:56 +0300 (AST)
>
> Please note that kkharafi is my local mail user.
> I have about 200 mail users and all the users have a shell of nologin as
> additional security.

"Additional security" would be creating a system where your mail users
don't have local accounts at all.

> ----------------
>
> On further investigation I found about 10 users whose Folders ==> Personal
> Information has been modified.
>
> Here I just paste the .pref file of one user:
> show_html_default=0
> javascript_on=1
> hililist=a:0:{}
> archivefilenames=6
> archiveattachments=1
> archivetype=0
> archiveent=1
> spamcop_method=web_form
> todo_first_login=0
> [email protected]
> identities=3
> full_name1=Oceanic Bank Nigeria Plc
> [email protected]
> [email protected]
> full_name2=SGT. HENRY PETER
> [email protected]
> [email protected]
>
> --------
>
> Now all the 10 users have had their personal information under Folders changed
> with different information.
>
> I have just changed the password of my local user kkharafi and will wait
> to see any instance of spam again.
>
> I can understand it if one user had his password cracked, or probably
> a virus on his PC could have changed his personal information in SquirrelMail.
>
> But it's about 10 different local email users who had their personal
> information changed in SquirrelMail,
>
> so I'm confused and wondering how it could happen.

Poor user password selection? The fact that you are running an outdated
version of SquirrelMail? You tell us, please.

> I would appreciate it if someone could help me out and advise me as to what could
> be done so as to avoid such issues.

Use plugins like Lockout and/or CAPTCHA as well as Restrict Senders and
Squirrel Logger.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

------------------------------------------------------------------------------
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [email protected]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
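Editor's added example (not code from the thread, from Paul Lesniewski, or from the SquirrelMail project): the triage Paul describes, done as a script. It pulls the authenticated user and client IP out of the "(SquirrelMail authenticated user ...) by ... with HTTP" Received hop, looks for that IP POSTing to SquirrelMail's src/compose.php in the Apache access log around the same time (confirming the mail really was sent via webmail rather than, say, a local process), and then reads a user's .pref file to flag identities whose address is not on the local domain, which is the change the poster found under Folders ==> Personal Information. The user name, client IP and timestamps come from the quoted headers; the access-log lines, the .pref contents, the /webmail URL prefix and the local domain example.gov are constructed assumptions for the example, as is the placement of the identity keys (identities=N, with index 0 unsuffixed and indexes 1..N-1 suffixed, as in the pasted .pref).

```python
import re
from datetime import datetime, timedelta

# --- Constructed sample data ---------------------------------------------------------
# The SquirrelMail hop copies the user/IP/time quoted in the thread; nothing else is real.
RECEIVED_HEADERS = """\
Received: from webmail.baladia.gov.kw (kmdns1.kmun.gov.kw [xx.xx.xx.xx])
\tby kmdns1.kmun.gov.kw (8.13.8/8.13.8) with ESMTP id o1CIKBGo015425;
\tFri, 12 Feb 2010 21:20:11 +0300
Received: from 41.138.178.41
\t(SquirrelMail authenticated user kkharafi)
\tby webmail.baladia.gov.kw with HTTP;
\tFri, 12 Feb 2010 21:21:56 +0300 (AST)
"""

# Apache combined-log lines, constructed; /webmail is an assumed alias for SquirrelMail.
ACCESS_LOG = """\
41.138.178.41 - - [12/Feb/2010:21:19:40 +0300] "POST /webmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/4.0"
41.138.178.41 - - [12/Feb/2010:21:21:55 +0300] "POST /webmail/src/compose.php HTTP/1.1" 302 - "-" "Mozilla/4.0"
10.0.0.7 - - [12/Feb/2010:21:21:58 +0300] "GET /webmail/src/right_main.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
41.138.178.41 - - [12/Feb/2010:23:05:02 +0300] "POST /webmail/src/compose.php HTTP/1.1" 302 - "-" "Mozilla/4.0"
"""

# A SquirrelMail .pref file, constructed; all addresses are hypothetical.
PREF_FILE = """\
show_html_default=0
email_address=kkharafi@example.gov
identities=3
full_name1=Oceanic Bank Nigeria Plc
email_address1=claims@example.net
reply_to1=claims@example.net
full_name2=SGT. HENRY PETER
email_address2=sgt.peter@example.org
reply_to2=sgt.peter@example.org
"""

# Matches the Received hop SquirrelMail adds for an authenticated webmail send.
SQM_HOP = re.compile(
    r"Received: from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\(SquirrelMail authenticated user (?P<user>\S+)\)\s+"
    r"by (?P<host>\S+) with HTTP;\s+"
    r"(?P<date>\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4})"
)
# Apache combined log: ip ident user [ts] "method path proto" status ...
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_squirrelmail_hops(headers):
    """Return one dict (user, ip, host, when) per SquirrelMail 'with HTTP' hop in the headers."""
    hops = []
    for m in SQM_HOP.finditer(headers):
        hops.append({
            "user": m["user"], "ip": m["ip"], "host": m["host"],
            "when": datetime.strptime(m["date"], "%a, %d %b %Y %H:%M:%S %z"),
        })
    return hops


def compose_posts_near(access_log, ip, when, window=timedelta(minutes=5)):
    """Access-log lines where `ip` POSTed to SquirrelMail's compose.php within `window` of `when`."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_LINE.match(line)
        if not m or m["ip"] != ip or m["method"] != "POST":
            continue
        if not m["path"].endswith("/src/compose.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - when) <= window:
            hits.append(line)
    return hits


def foreign_identities(pref_text, local_domain):
    """(index, full_name, email) for every identity in a .pref file not on local_domain."""
    prefs = {}
    for line in pref_text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            prefs[key.strip()] = value.strip()
    out = []
    for i in range(int(prefs.get("identities", "1"))):
        suffix = "" if i == 0 else str(i)          # identity 0 keys carry no number
        email = prefs.get("email_address" + suffix, "")
        if email and not email.lower().endswith("@" + local_domain.lower()):
            out.append((i, prefs.get("full_name" + suffix, ""), email))
    return out


def investigate(headers=RECEIVED_HEADERS, access_log=ACCESS_LOG,
                pref_text=PREF_FILE, local_domain="example.gov"):
    """Tie each webmail hop to confirming access-log evidence and list tampered identities."""
    hops = []
    for hop in parse_squirrelmail_hops(headers):
        posts = compose_posts_near(access_log, hop["ip"], hop["when"])
        hops.append({"user": hop["user"], "ip": hop["ip"], "confirmed_webmail_sends": len(posts)})
    return {"hops": hops, "foreign_identities": foreign_identities(pref_text, local_domain)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(investigate())
```

On a real box, feed RECEIVED_HEADERS from a queued message (mailq / the qf file), ACCESS_LOG from httpd's access_log, and PREF_FILE from each user's data/<user>.pref; running foreign_identities over all ~200 .pref files is the quickest way to find the full set of tampered accounts rather than the ten spotted by hand. A compose.php POST from the same IP at the same moment as the hop is what confirms the webmail path; its absence means the Received header was injected some other way and the maillog needs a closer look.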
