my server generates spam


Re: my server generates spam

Ralf Hildebrandt
* Jozsef Kadlecsik <[hidden email]>:

> I dunno. We had the newest squirrelmail (1.4.22) and still two times user
> sessions were hijacked and used for spamming. The users could not recall
> what they exactly did, unfortunately.

The only thing one can do against this is two-factor auth (assuming nobody
can circumvent the authorization)
--
Ralf Hildebrandt
  IT Division | Network Department
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de

Re: my server generates spam

mouss-4
In reply to this post by John Allen
On 10/05/2012 19:09, john wrote:
> Off topic, but related to this thread.
>
> I/we use Squirrelmail and while we have not had any problems with it I
> wonder (and as this list seems to be the home of email gurus) if
> there are any recommendations as to a better solution, particularly one
> that would work in a postfix/dovecot environment.
>

(Please don't top post. Put your replies after the text you reply to.
Google for "top posting" if this isn't clear.)


- enforce ssl (https). don't allow plain http:// urls.
        => don't configure automated redirects.
        your real users must know where it is
(rationale: given the number of sites available via plain http,
miscreants don't seem to have enough incentive to attack ssl-based ones).

- you can use geo controls: in general, posts from Nigeria or the like
are suspicious and can be "quarantined" or passed to a strict filter...
here, you can have a whitelist, a blacklist, a greylist, etc... (for
travelling users, you can setup special procedures...).


- ensure traceability: you should be able to find which account was used
to post which message.


- if using passwords, establish a password policy. (I am not
recommending anything here: just define what you accept and know it! the
idea is that your password policy will indicate what you should check etc).
=> with phishing, password strength isn't enough...


- at MTA level, detect "anomalies" (too much mail from an account, too
much rejected mail, ...) and block webmail if bad things happen (i.e. fail
on the safe side).

- don't use "common" urls such as
        http[s]://vhost/squirrelmail/
        http[s]://vhost/roundcube/
        http[s]://vhost/rc/
        ...
(rationale: avoid noise and get rid of blind robots)

... etc.

Re: my server generates spam

John Allen
Sorry about the top post, but I wanted to give anybody who looked the
earliest opportunity to skip, as I was off topic.
Perhaps I should have started a new thread.

John A


Re: my server generates spam

Kadlecsik József
In reply to this post by Ralf Hildebrandt
On Thu, 10 May 2012, Ralf Hildebrandt wrote:

> * Jozsef Kadlecsik <[hidden email]>:
>
> > I dunno. We had the newest squirrelmail (1.4.22) and still two times user
> > sessions were hijacked and used for spamming. The users could not recall
> > what they exactly did, unfortunately.
>
> Only thing one can do against this is two-factor auth (assuming nobody
> can circumvent the authorization)

The passwords were not stolen but the authenticated https sessions of the
users.

Best regards,
Jozsef
-
E-mail  : [hidden email], [hidden email]
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: my server generates spam

Robert Schetterer
In reply to this post by Kadlecsik József
On 10.05.2012 21:28, Jozsef Kadlecsik wrote:

> On Thu, 10 May 2012, Robert Schetterer wrote:
>
>> On 10.05.2012 19:09, john wrote:
>>>
>>> I/we use Squirrelmail and while we have not had any problems with it I
>>> wonder (and as this list seems to be the home of email gurus) if
>>> there are any recommendations as to a better solution, particularly one
>>> that would work in a postfix/dovecot environment.
>>
>> everything is ok with squirrelmail
>
> I dunno. We had the newest squirrelmail (1.4.22) and still two times user
> sessions were hijacked and used for spamming. The users could not recall
> what they exactly did, unfortunately.
>
> Best regards,
> Jozsef

Hi Jozsef,
no problems here so far. Did you use php-suhosin and ssl?
However, there may be unknown bugs in squirrelmail,
but there will always be bugs in other webmailers too; no code is perfect,
but I think you already know this *g

> -
> E-mail  : [hidden email], [hidden email]
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
>           H-1525 Budapest 114, POB. 49, Hungary


--
Best Regards

Kind regards, Robert Schetterer

Germany/Munich/Bavaria

Re: my server generates spam

Giuseppe Perna
In reply to this post by Reindl Harald-2
Hello, I'm sorry, I did not understand how to check and see where the
logs are of who accesses the webmail.
I have seen in the log the IP that is bothering me; do I stop this IP from sending?

thanks


2012/5/10 Reindl Harald <[hidden email]>:

>
>
> On 10.05.2012 14:10, Giuseppe Perna wrote:
>> thanks for the reply,
>> this is the log for webmail:
>>
>> 176.61.140.133 - - [08/May/2012:08:18:41 +0200] "GET
>> /src/compose.php?mail_sent=yes HTTP/1.1" 200 556825
>> "https://webmail.esempio.it/src/compose.php" "Opera/9.80 (Windows NT
>> 6.1; U; en) Presto/2.10.229 Version/11.61"
>> 176.61.140.133 - - [08/May/2012:08:18:43 +0200] "POST /src/compose.php
>> HTTP/1.1" 302 5 "https://webmail.esempio.it/src/compose.php"
>> "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.61"
>> 176.61.140.133 - - [08/May/2012:08:18:45 +0200] "POST /src/compose.php
>> HTTP/1.1" 302 5 "https://webmail.esempio.it/src/compose.php"
>> "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.61"
>> 176.61.140.133 - - [08/May/2012:08:18:47 +0200] "POST /src/compose.php
>> HTTP/1.1" 302 5 "https://webmail.esempio.it/src/compose.php"
>> "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.61"
>> 176.61.140.133 - - [08/May/2012:08:18:50 +0200] "POST /src/compose.php
>> HTTP/1.1" 302 5 "https://webmail.esempio.it/src/compose.php"
>> "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.61"
>>
>> how can I find the account used to send spam?
>
> only by comparing timestamps, since your webmail has no useful log.
> roundcube logs the postfix queue-id, as you can see below
> _______________
>
> [root@arrakis:~]$ cat /var/log/roundcubemail/sendmail  | grep reindl
> [05-Mar-2012 12:53:24 +0100]: User [hidden email] [**.0.0.99]; Message for [hidden email]; 250:
> 2.0.0 Ok: queued as 3666DA3
>
>
>
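The two questions above, how to find which account sent the spam when the webmail access log carries no username (Reindl's "compare timestamps"), and mouss's earlier point about detecting anomalies at MTA level and failing on the safe side, as an added example that is not code from the thread nor from SquirrelMail, Roundcube or Postfix. It assumes a SquirrelMail-style Apache access log in which a successful send is a POST to /src/compose.php answered with 302, a Postfix qmgr line on the same host (or on hosts with synchronised clocks) that carries the queue id, envelope sender and nrcpt, and a syslog year and time zone supplied by hand because syslog lines carry neither. The log lines, IP addresses, mailboxes, queue ids and thresholds are all constructed for the example.

```python
"""Attribute webmail-submitted mail to an account by time correlation, then
flag accounts that blow a sending budget. Added example, not thread code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions: syslog lines lack year and zone, so both are supplied here.
LOG_TZ = timezone(timedelta(hours=2))
LOG_YEAR = 2012

# Constructed sample logs (not the ones posted in the thread).
ACCESS_LOG = """\
203.0.113.7 - - [08/May/2012:08:18:41 +0200] "GET /src/compose.php?mail_sent=yes HTTP/1.1" 200 556825 "https://webmail.example.test/src/compose.php" "Opera/9.80"
203.0.113.7 - - [08/May/2012:08:18:43 +0200] "POST /src/compose.php HTTP/1.1" 302 5 "https://webmail.example.test/src/compose.php" "Opera/9.80"
203.0.113.7 - - [08/May/2012:08:18:45 +0200] "POST /src/compose.php HTTP/1.1" 302 5 "https://webmail.example.test/src/compose.php" "Opera/9.80"
203.0.113.7 - - [08/May/2012:08:18:47 +0200] "POST /src/compose.php HTTP/1.1" 302 5 "https://webmail.example.test/src/compose.php" "Opera/9.80"
203.0.113.7 - - [08/May/2012:08:18:50 +0200] "POST /src/compose.php HTTP/1.1" 302 5 "https://webmail.example.test/src/compose.php" "Opera/9.80"
192.0.2.10 - - [08/May/2012:08:20:12 +0200] "POST /src/compose.php HTTP/1.1" 302 5 "https://webmail.example.test/src/compose.php" "Mozilla/5.0"
"""
MAILLOG = """\
May  8 08:18:43 webmail postfix/qmgr[1201]: 3A1B2C3D4E: from=<alice@example.test>, size=2104, nrcpt=40 (queue active)
May  8 08:18:45 webmail postfix/qmgr[1201]: 3A1B2C3D4F: from=<alice@example.test>, size=2104, nrcpt=40 (queue active)
May  8 08:18:48 webmail postfix/qmgr[1201]: 3A1B2C3D50: from=<alice@example.test>, size=2104, nrcpt=40 (queue active)
May  8 08:18:50 webmail postfix/qmgr[1201]: 3A1B2C3D51: from=<alice@example.test>, size=2104, nrcpt=40 (queue active)
May  8 08:19:02 webmail postfix/smtpd[1188]: connect from unknown[198.51.100.9]
May  8 08:20:13 webmail postfix/qmgr[1201]: 3A1B2C3D60: from=<bob@example.test>, size=812, nrcpt=1 (queue active)
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
QMGR_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: '
                     r'(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)')


def webmail_sends(lines):
    """Successful composes only: a POST to /src/compose.php answered with 302."""
    sends = []
    for line in lines.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m['method'] != 'POST' or m['status'] != '302':
            continue
        if not m['path'].startswith('/src/compose.php'):
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        sends.append({'ts': ts, 'ip': m['ip']})
    return sends


def postfix_submissions(lines, year=LOG_YEAR, tz=LOG_TZ):
    """Queue id, envelope sender and recipient count from postfix/qmgr lines."""
    subs = []
    for line in lines.splitlines():
        m = QMGR_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=year, tzinfo=tz)
        subs.append({'ts': ts, 'qid': m['qid'], 'sender': m['sender'], 'nrcpt': int(m['nrcpt'])})
    return subs


def attribute(sends, subs, window=timedelta(seconds=3)):
    """Pair each webmail POST with the closest not-yet-claimed queue entry inside
    `window`; `candidates` > 1 means the pairing is a guess, not proof."""
    used, out = set(), []
    for s in sorted(sends, key=lambda x: x['ts']):
        cands = [q for q in subs if q['qid'] not in used and abs(q['ts'] - s['ts']) <= window]
        best = min(cands, key=lambda q: abs(q['ts'] - s['ts'])) if cands else None
        if best:
            used.add(best['qid'])
        out.append({**s, 'qid': best['qid'] if best else None,
                    'sender': best['sender'] if best else None, 'candidates': len(cands)})
    return out


def suspicious_accounts(subs, max_msgs=3, max_rcpts=100, per=timedelta(minutes=5)):
    """MTA-side anomaly check: senders exceeding a message or recipient budget
    within any sliding `per` window. Thresholds are illustrative assumptions."""
    by_sender = defaultdict(list)
    for q in subs:
        by_sender[q['sender']].append(q)
    flagged = {}
    for sender, qs in by_sender.items():
        qs.sort(key=lambda q: q['ts'])
        lo, rcpts = 0, 0
        for hi, q in enumerate(qs):
            rcpts += q['nrcpt']
            while qs[hi]['ts'] - qs[lo]['ts'] > per:   # slide window start forward
                rcpts -= qs[lo]['nrcpt']
                lo += 1
            msgs = hi - lo + 1
            if msgs > max_msgs or rcpts > max_rcpts:
                flagged[sender] = f'{msgs} messages / {rcpts} recipients within {per}'
                break
    return flagged


if __name__ == '__main__':
    sends, subs = webmail_sends(ACCESS_LOG), postfix_submissions(MAILLOG)
    for a in attribute(sends, subs):
        print(a['ts'].isoformat(), a['ip'], a['qid'], a['sender'], f"candidates={a['candidates']}")
    for sender, why in suspicious_accounts(subs).items():
        print('BLOCK webmail for', sender, '-', why)   # fail on the safe side
```

Run as-is it pairs the five POSTs with five distinct queue ids (four to alice, one to bob) and flags alice on the recipient budget. On real logs, feed the same functions the access log and mail log, keep the window small, and treat any pairing with more than one candidate as a lead to confirm against the queue id's cleanup/smtp lines rather than as an answer.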