On Jul 17, 2009, at 9:23 AM, Gary Coleman wrote:
> Is there a squirrelmail tool that will help me administer our frequent
> compromised squirrelmail user accounts?
You could use the Squirrelmail_logger plugin to notify you when these
accounts send out a mass mail. The people doing this typically send
out to several hundred recipients at a time.
> I am finding a lot of accounts that get their signature changed so as to
> contain the body of the spam.
These users were likely conned into providing their usernames and
passwords. You can probably find that in their Sent mail sometime in
the last few months. K12 and Higher Ed have been seeing this kind of
behavior for the past couple of years. The phishing e-mails are highly
targeted, often claiming to be your support or helpdesk saying that
due to 'account compromises' or 'system maintenance', the account
holder must confirm their username and password or it will be closed.
The perpetrators seem to target systems using Squirrelmail because
it's something they're familiar with and the ability to change reply-to
and .sig is usually permitted.
> I am also looking for a method to identify the compromised account:
You could do some simple find/greps for --
- .sig's that are unusually large. Most are typically under 300
bytes; anything larger than that should be a red flag; adjust as
necessary for your type of users.
- .sigs with specific keywords that you determine from the spam
being sent out.
- .prefs with a reply-to set that is outside our domain
You could also -
- don't allow changing of reply-to (Don't allow editing of Identity
in conf.pl). Less incentive for them to (ab)use your systems.
- Install better software on the incoming server to catch the
phishing attempts. Julian Hein (of MailScanner fame), provides a
dynamic list and ruleset for Spamassassin for these.
http://www.jules.fm/Logbook/files/anti-spear-phishing.html
Google for 'anti spear phishing' for others.
- Install software on your outgoing mail server to catch the
responses to the phishing attempts. I've heard good things about Kochi
on the spam-l and hied-emailadmin lists -- http://oss.lboro.ac.uk/kochi1.html
- Educate your users that you will never ask for their password by e-mail.
Good Luck!
--
Marc
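One way to script the find/grep checks listed in the reply above, as an added example that is not part of the original thread. It assumes SquirrelMail's file-based prefs layout (<datadir>/<user>.sig for the default signature, <datadir>/<user>.pref with the reply-to stored under the key reply_to); the domain, keyword list and sample users are constructed.

```shell
#!/bin/sh
# Added example: scan a SquirrelMail data directory for the three red flags
# from the reply (oversized .sig, spam keywords in .sig, reply-to outside our
# domain). Assumed layout (not taken from the list post): <datadir>/<user>.sig
# holds the default identity's signature and <datadir>/<user>.pref holds
# key=value preferences with the reply-to address under the key reply_to.

OUR_DOMAIN="example.edu"      # constructed value; use your own domain
SIG_LIMIT=300                 # bytes, per the rule of thumb in the reply
KEYWORDS='verify your account|confirm your password|click here'

# Users whose .sig is larger than SIG_LIMIT bytes.
oversized_sigs() {
    find "$1" -name '*.sig' -size +"${SIG_LIMIT}"c -exec basename {} .sig \;
}

# Users whose .sig contains any of the spam keywords (case-insensitive).
keyword_sigs() {
    grep -liE "$KEYWORDS" "$1"/*.sig 2>/dev/null | sed 's#.*/##; s/\.sig$//'
}

# Users whose reply_to is set to an address outside OUR_DOMAIN.
foreign_replyto() {
    for f in "$1"/*.pref; do
        [ -f "$f" ] || continue
        awk -F= -v dom="$OUR_DOMAIN" -v user="$(basename "$f" .pref)" '
            $1 == "reply_to" && $2 != "" {
                sub(/.*@/, "", $2)
                if (tolower($2) != dom) print user
            }' "$f"
    done
}

# Constructed sample data so the script runs offline: alice is clean, bob
# shows all three signs of a hijacked account.
make_sample_data() {
    printf 'Alice Smith\nIT Dept\n' > "$1/alice.sig"
    printf 'reply_to=alice@%s\n' "$OUR_DOMAIN" > "$1/alice.pref"
    awk 'BEGIN { for (i = 0; i < 20; i++)
                 print "Dear user, click here to verify your account now." }' > "$1/bob.sig"
    printf 'reply_to=helpdesk-verify@free-mail.example\n' > "$1/bob.pref"
}

SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
make_sample_data "$SAMPLE"
echo "oversized .sig:   $(oversized_sigs "$SAMPLE")"
echo "keyword hits:     $(keyword_sigs "$SAMPLE")"
echo "foreign reply-to: $(foreign_replyto "$SAMPLE")"
```

Point the three functions at your real data directory instead of $SAMPLE, and feed the output to whatever you use to lock accounts or reset passwords.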
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [email protected]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options):
https://lists.sourceforge.net/lists/listinfo/squirrelmail-users