Yes, I am certain that the email originated from a compromised user and was sent out
through SquirrelMail.

See below for a sample email.

Received: from 83.229.67.26
        (SquirrelMail authenticated user auser)
        by mail.domain.net with HTTP;
        Fri, 9 Nov 2007 11:30:29 -0600 (CST)
Message-ID: <[EMAIL PROTECTED]>
Date: Fri, 9 Nov 2007 11:30:29 -0600 (CST)
Subject: Cash Grant/Donation For Novenber 2007!!!!!!!!!!!
From: "SIR JERRY WILLIAMS FINANCIAL INVESTMENT" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Bcc: [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED],
***many more***
User-Agent: SquirrelMail/1.4.10a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal


SIR JERRY WILLIAMS FINANCIAL INVESTMENT
26 York Street, London
W1U 6PZ. United Kingdom.
E-mai:[EMAIL PROTECTED]
Tel: +44-701-113-7778

Good day,
I am Sir Jerry Williams, a private investor I give out unsecured guarantee
loans to Business Men and women who are into Business
transaction,automobile purchase, house purchase loan and other personal
loans E.T.C. I give out long term loan for five to fifty years maximum
with 4% interest rate in this you can as well tell me the amount you need
so that i will send to you the terms and condition that is if you are
really interested in getting a loan from me, Loans are given out in Great
British Pounds and United States Dollar the maximum I give is 10,000,000
both in pounds and $USD and the minimum 5,000 pounds and USD$.

I also render Collateral And Non- Collateral Loans For Your Business Start
up, If you are interested in this offer please kindly fill out the
application details below so that i can start the processing of your loan
sum.

APPLICATION DETAILS

Full Name:..........................................
Contact Address:.............................
Phone:...................................................
Purpose of your loan.......................
Amount Needed as Loan:...............
Loan Duration:...................................
Annual Income:.................................
Gross monthly income....................
Occupation:........................................
Sex.............................
Date of Birth............................
Marital Status........................

In acknowledgement to these details, I will send you a well calculated
Terms and Condition which will include the agreement.
Furthermore be informed that you will also need a form of Identification
which can be either a Driver's Licence or your working Identity card.

Regards
Sir Jerry Williams
Financial Controller/ Operation Manager
Tel: +44-701-113-7778.
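The Received line above is the useful artifact: SquirrelMail 1.4 stamps every webmail send with the client IP and the authenticated login, so a Sent folder or spool dump can be triaged mechanically rather than by eye. The script below is an added example for this thread, not SquirrelMail or Postfix code. It assumes a local domain of domain.net, the 83.229.0.0/16 block mentioned later in the thread as a blocked range, and a recipient-count threshold of 20; the two sample messages are constructed with made-up addresses, modelled on the redacted one above.

```python
"""Triage SquirrelMail sends for signs of a compromised account.

Added example for this thread, not SquirrelMail or Postfix code. It reads raw
messages (for instance, dumped from a user's INBOX.Sent or a mail spool) and
flags the combination seen in the thread: a webmail login from an unexpected
network, a very long Bcc list and a From address outside the local domain.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: the site's own domain, the block the poster
# null-routed (83.229.0.0/16 in the thread) and a recipient-count threshold.
LOCAL_DOMAIN = "domain.net"
BLOCKED_NETS = [ipaddress.ip_network("83.229.0.0/16")]
RECIPIENT_THRESHOLD = 20

# SquirrelMail 1.4 stamps every send with
#   Received: from <client ip> (SquirrelMail authenticated user <login>) by <host> with HTTP;
# Folding whitespace may sit between the pieces, so the pattern spans newlines.
SM_RECEIVED = re.compile(
    r"from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*"
    r"\(SquirrelMail authenticated user\s+(?P<user>[^)\s]+)\)",
    re.IGNORECASE,
)
# Plain address matcher; avoids getaddresses() quirks on long folded Bcc lists.
ADDR = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def parse_squirrelmail_received(received):
    """Return (login, client_ip) from a SquirrelMail Received header, else None."""
    m = SM_RECEIVED.search(received)
    return (m.group("user"), m.group("ip")) if m else None


def analyse(raw):
    """Score one raw RFC 2822 message; only webmail-authenticated sends are scored."""
    msg = message_from_string(raw)
    login, client_ip = None, None
    for rcv in msg.get_all("Received", []):
        hit = parse_squirrelmail_received(rcv)
        if hit:
            login, client_ip = hit
            break
    recipients = []
    for name in ("To", "Cc", "Bcc"):
        for value in msg.get_all(name, []):
            recipients.extend(ADDR.findall(value))
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reasons = []
    if login:
        if any(ipaddress.ip_address(client_ip) in net for net in BLOCKED_NETS):
            reasons.append("client %s is in a blocked range" % client_ip)
        if len(recipients) >= RECIPIENT_THRESHOLD:
            reasons.append("%d recipients" % len(recipients))
        if sender and not sender.endswith("@" + LOCAL_DOMAIN):
            reasons.append("From %s is not a %s address" % (sender, LOCAL_DOMAIN))
    return {"login": login, "client_ip": client_ip, "from": sender,
            "recipients": len(recipients), "flagged": bool(reasons), "reasons": reasons}


def rollup(raws):
    """Per-login summary: message count, flagged count and distinct client IPs."""
    summary = {}
    for raw in raws:
        r = analyse(raw)
        if not r["login"]:
            continue
        entry = summary.setdefault(r["login"], {"messages": 0, "flagged": 0, "ips": set()})
        entry["messages"] += 1
        entry["flagged"] += r["flagged"]
        entry["ips"].add(r["client_ip"])
    return summary


# Constructed sample messages modelled on the one quoted in the thread
# (addresses are made up; the real ones were redacted).
SPAM = """Received: from 83.229.67.26
        (SquirrelMail authenticated user auser)
        by mail.domain.net with HTTP;
        Fri, 9 Nov 2007 11:30:29 -0600 (CST)
Subject: Cash Grant/Donation For November 2007!!!!!!!!!!!
From: "SIR JERRY WILLIAMS FINANCIAL INVESTMENT" <sirjerry@example.org>
Reply-To: sirjerry@example.org
Bcc: """ + ",\n ".join("victim%02d@example.com" % i for i in range(40)) + """
User-Agent: SquirrelMail/1.4.10a

Good day,
"""

LEGIT = """Received: from 192.0.2.10
        (SquirrelMail authenticated user auser)
        by mail.domain.net with HTTP;
        Fri, 9 Nov 2007 09:12:01 -0600 (CST)
Subject: lunch
From: auser@domain.net
To: friend@domain.net
User-Agent: SquirrelMail/1.4.10a

Noon?
"""

if __name__ == "__main__":
    for login, info in rollup([SPAM, LEGIT]).items():
        print(login, info)
    for reason in analyse(SPAM)["reasons"]:
        print(" -", reason)
```

Run it over the files in a suspect user's INBOX.Sent (or over messages pulled from the Postfix queue) and the rollup shows, per login, how many sends were flagged and from how many distinct client addresses; a login that suddenly appears from a new network with long Bcc lists is the pattern described in this thread.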






-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philip Brazina
Sent: Wednesday, November 14, 2007 10:49 AM
To: Squirrelmail User Support Mailing List
Cc: Squirrelmail User Support Mailing List
Subject: Re: [SM-USERS] Spamming Through Squirrelmail

Have you looked in the INBOX.Sent to verify that they are logging in and
sending the mail via SquirrelMail?  I ask this since I do occasionally get
rejects from mail I didn't send out but someone is trying to spoof my mail
server.  In fact, the mail shows as being sent from an account I don't
have on my server, and relaying is turned off.  I know it is just a hoax.

Hopefully it will help.

Philip


>>Can you provide more information on how SquirrelMail is being used?
> We use squirrelmail, courier-imap, postfix and apache.  We had a
> squirrelmail implementation with sendmail for years, but never experienced
> this issue.  If you need more/different info, let me know.
>
>>What version of SquirrelMail? PHP?
> SquirrelMail Version: 1.4.10a
> PHP 5
>
>
>> Have you investigated how the accounts were compromised?
> As far as the user accounts, we are reviewing logs to determine if they
> bruteforced the accounts or if they just "knew" the passwds.  My first
> thought was a virus/spyware/keylogger on a certain users host, but it
> spread to a total of three users over the course of several days.  We have
> asked the user to bring their PC into us so that we can take a look at
> them, but no such luck.  I have been
>
> I ended up routing their IP block to null in my gateway router.  Here is
> the IP range in case anyone else experiences this.
>
> 83.229.0.0 - 83.229.255.255
>
> Zack
>
>
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jon
> Angliss
> Sent: Tuesday, November 13, 2007 8:57 PM
> To: Squirrelmail User Support Mailing List
> Subject: Re: [SM-USERS] Spamming Through Squirrelmail
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Zack
>
>> Greetings:
>
>> We have seen quite a bit of user accounts that have been targeted
>> by spammers.  That is to say I think our users passwds have been
>> compromised and the spammers are then sending out 100's of messages
>> through Squirrelmail and Postfix.  Since we can't keep Squirrelmail
>> from sending out messages for our legit email I didn't know if
>> there was a way to only allow "fubar.net" emails to be sent out and deny
>> "uglyasspammers.net".
>
> Can you provide more information on how SquirrelMail is being used?
> What version of SquirrelMail? PHP? Have you investigated how the
> accounts were compromised?
>
> - --
> Jon Angliss
> <[EMAIL PROTECTED]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
>
> iD8DBQFHOmQJK4PoFPj9H3MRAiGAAKDbQ7ayMbpC1b9Pg+4/Zo+tt6V41gCcDIEr
> Sj/jPbuWYAOf3mO2us0zoVk=
> =er19
> -----END PGP SIGNATURE-----
>
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> -----
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: squirrelmail-users@lists.sourceforge.net
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> List info (subscribe/unsubscribe/change options):
> https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>
