SquirrelMail exploits?


SquirrelMail exploits?

by bwells

Hi All,

I have recently noticed a steady stream of email leaving my server that appears to be from my Squirrel Mail users.  I upgraded from 1.4.10 to 1.4.15 in an effort to fix the issue.  It went away for a couple of days, but is back now.

I have some wireshark captures if anyone else is interested.  I will have some more (for the v1.4.15 attacks soon as well).

My Server is:

Fedora Core v5
Php v4.3.9
UWIMAP 2004G

I have access to the webmail disabled from the outside right now (we were already in the process of migrating away from SM when this happened).

I’m open to suggestions, comments, flames, etc.  I read in the archives about mailto.php, but it wasn’t made clear to me how to fix it, etc.

I look forward to your responses!

Thanks!
~Brant Wells, Network Administrator
Tocco Falls College

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

Re: SquirrelMail exploits?

by Paul-295

On Tue, June 24, 2008 4:32 pm, Brant Wells wrote:
> Hi All,
>
> I have recently noticed a steady stream of email leaving my server that
> appears to be from my Squirrel Mail users.  I upgraded from 1.4.10 to
> 1.4.15 in an effort to fix the issue.  It went away for a couple of
> days, but is back now.
>
> I have some wireshark captures if anyone else is interested.  I will
> have some more (for the v1.4.15 attacks soon as well).

I doubt it's a SM prob, since it doesn't send mail.  Check into your MTA
setup and make sure it's not acting as an open relay, etc...





Re: SquirrelMail exploits?

by Marc Powell


On Jun 24, 2008, at 3:32 PM, Brant Wells wrote:

> Hi All,
>
> I have recently noticed a steady stream of email leaving my server  
> that appears to be from my Squirrel Mail users.  I upgraded from  
> 1.4.10 to 1.4.15 in an effort to fix the issue.  It went away for a  
> couple of days, but is back now.
>

Are you certain that these are not victims of phishing attempts? We've
seen attacks specifically targeting Squirrelmail users (and remote SM
users, as evidenced in the spam we're blocking from the Internet with
SM message IDs) to compromise their accounts and generate spam from
them.

http://sourceforge.net/mailarchive/message.php?msg_id=A7B0A9F02975A74A845FE85D0B95B8FA0A599A74%40misex01.ena.com


--
Marc



Re: SquirrelMail exploits?

by Michel (M)


>
> On Jun 24, 2008, at 3:32 PM, Brant Wells wrote:
>
>> Hi All,
>>
>> I have recently noticed a steady stream of email leaving my server
>> that appears to be from my Squirrel Mail users.  I upgraded from
>> 1.4.10 to 1.4.15 in an effort to fix the issue.  It went away for a
>> couple of days, but is back now.
>>
>
> Are you certain that these are not victims of phishing attempts? We've
> seen attacks specifically targeting Squirrelmail users (and remote SM
> users as evidenced in the spam we're blocking from the Internet with
> SM message id's) to compromise their accounts and generate spam from
> them.
>
> http://sourceforge.net/mailarchive/message.php?msg_id=A7B0A9F02975A74A845FE85D0B95B8FA0A599A74%40misex01.ena.com
>


hey, and how would that be possible, what they say in this thread:

always via SM (no other SMTP/ASMTP based attempts are logged)

SM is no MTA, so it cannot send email ...



michel




****************************************************
Matik Internet Technology http://info.matik.com.br
Wireless systems for the broadband provider
Hosting and personalized email - and of course, in Brazil.
****************************************************



Re: SquirrelMail exploits?

by Ken A

Michel wrote:

>> On Jun 24, 2008, at 3:32 PM, Brant Wells wrote:
>>
>>> Hi All,
>>>
>>> I have recently noticed a steady stream of email leaving my server
>>> that appears to be from my Squirrel Mail users.  I upgraded from
>>> 1.4.10 to 1.4.15 in an effort to fix the issue.  It went away for a
>>> couple of days, but is back now.
>>>
>> Are you certain that these are not victims of phishing attempts? We've
>> seen attacks specifically targeting Squirrelmail users (and remote SM
>> users as evidenced in the spam we're blocking from the Internet with
>> SM message id's) to compromise their accounts and generate spam from
>> them.
>>
>> http://sourceforge.net/mailarchive/message.php?msg_id=A7B0A9F02975A74A845FE85D0B95B8FA0A599A74%40misex01.ena.com
>>
>
>
> hey, and how will that be possible what they say in this thread:
>
> always via SM (no other SMTP/ASMTP based attempts are logged)
>
> SM is no mta, so it can not send email ...
>
>

SM is an email client 'MUA', and it sends mail only through an MTA, so
you should have logs in your MTA that tell you what's going on.

We are seeing a lot of phishing lately too, and have had a customer
account compromised and used to send spam. Squirrelmail is easy to find
via google I suppose, so it's an easy target. That doesn't mean there is
a vuln in SM.

Ken



> michel

--
Ken Anderson
Pacific.Net
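Ken's point that the MTA logs are where the answer lives can be turned into a quick check. What follows is an added example, not code from this thread or from the SquirrelMail project: a small Python script that joins Postfix-style `smtpd` and `qmgr` log lines by queue ID and tallies messages and recipients per SASL username and per client IP. The log lines are constructed for the example, the recipient threshold is arbitrary, and the format assumes a Postfix MTA that logs `sasl_username`, which only happens when the webmail is configured to authenticate to SMTP. Because every webmail submission reaches the MTA from the webmail host's own address, the per-IP view lumps all users together while the per-user view singles out the one account doing the damage.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix-style maillog lines (not from the thread's server).
# All webmail submissions arrive from the SquirrelMail host itself (127.0.0.1),
# so only the SASL username distinguishes one mailbox from another.
SAMPLE_LOG = """\
Jun 24 15:32:01 mail postfix/smtpd[2101]: 3F1A2B: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=alice
Jun 24 15:32:01 mail postfix/qmgr[1900]: 3F1A2B: from=<alice@example.edu>, size=2048, nrcpt=1 (queue active)
Jun 24 15:32:05 mail postfix/smtpd[2102]: 3F1A2C: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=bob
Jun 24 15:32:05 mail postfix/qmgr[1900]: 3F1A2C: from=<bob@example.edu>, size=900, nrcpt=2 (queue active)
Jun 24 15:32:09 mail postfix/smtpd[2103]: 3F1A2D: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=carol
Jun 24 15:32:09 mail postfix/qmgr[1900]: 3F1A2D: from=<carol@example.edu>, size=51200, nrcpt=40 (queue active)
Jun 24 15:32:11 mail postfix/smtpd[2104]: 3F1A2E: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=carol
Jun 24 15:32:11 mail postfix/qmgr[1900]: 3F1A2E: from=<carol@example.edu>, size=51200, nrcpt=40 (queue active)
Jun 24 15:32:14 mail postfix/smtpd[2105]: 3F1A2F: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=carol
Jun 24 15:32:14 mail postfix/qmgr[1900]: 3F1A2F: from=<carol@example.edu>, size=51200, nrcpt=40 (queue active)
Jun 24 15:32:20 mail postfix/smtpd[2106]: 3F1A30: client=desktop.example.edu[10.0.0.7], sasl_method=LOGIN, sasl_username=dave
Jun 24 15:32:20 mail postfix/qmgr[1900]: 3F1A30: from=<dave@example.edu>, size=1500, nrcpt=1 (queue active)
"""

# smtpd line: who connected and (if SMTP AUTH was used) as which user.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?"
)
# qmgr line: envelope sender and recipient count for the same queue ID.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_submissions(log_text):
    """Join smtpd and qmgr lines by queue ID; return one record per submitted message."""
    clients = {}
    records = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients[m["qid"]] = (m["ip"], m["user"] or "(unauthenticated)")
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in clients:
            ip, user = clients[m["qid"]]
            records.append({"qid": m["qid"], "ip": ip, "user": user,
                            "sender": m["sender"], "nrcpt": int(m["nrcpt"])})
    return records


def tally(records, key):
    """Return {key_value: (message_count, recipient_count)} for key 'ip' or 'user'."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        totals[r[key]][0] += 1
        totals[r[key]][1] += r["nrcpt"]
    return {k: tuple(v) for k, v in totals.items()}


def suspicious_users(records, max_rcpts=50):
    """Accounts whose recipient total exceeds the (arbitrary, constructed) threshold."""
    return sorted(u for u, (_, rcpts) in tally(records, "user").items() if rcpts > max_rcpts)


if __name__ == "__main__":
    recs = parse_submissions(SAMPLE_LOG)
    for key in ("ip", "user"):
        print(f"by {key}:")
        for k, (msgs, rcpts) in sorted(tally(recs, key).items()):
            print(f"  {k:<16} messages={msgs:<3} recipients={rcpts}")
    print("suspicious:", suspicious_users(recs))
```

Run against a real `/var/log/maillog` by reading the file into `parse_submissions`; the useful signal is the per-user tally, and an account sending to dozens of recipients per message from the webmail host is the kind of thing Ken describes seeing.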



Re: SquirrelMail exploits?

by Marc Powell


On Jul 1, 2008, at 12:17 PM, Michel wrote:
> hey, and how will that be possible what they say in this thread:
>
> always via SM (no other SMTP/ASMTP based attempts are logged)
>
> SM is no mta, so it can not send email ...
>


I never said it was.  I have a dedicated MTA for Squirrelmail and all
other SMTP clients use different MTAs, making it easy to distinguish
between mail sent from each.

--
Marc



Re: SquirrelMail exploits?

by Paul Lesniewski

On Tue, Jul 1, 2008 at 7:39 PM, Res <res@...> wrote:
> On Tue, 24 Jun 2008, Brant Wells wrote:
>
>> Hi All,
>>
>> I have recently noticed a steady stream of email leaving my server that appears to be from
>> my Squirrel Mail users.  I upgraded from 1.4.10 to 1.4.15 in an effort to fix the issue.  It
>> went away for a couple of days, but is back now.
>
> I won't go over what others have said about it not being an MTA etc, as it's

<snip>

And, as always, there are plugins that can help you identify when you
have an account on your server that has been compromised and is being
used to send spam.  The best tools for this are your own server logs,
possibly augmented by the "Squirrel Logger" plugin, but you could
also check out the "Restrict Senders" plugin, and if you are trying to
be proactive against password attacks, etc., you can try the "CAPTCHA"
and "Lockout" plugins too.

Sorry to hear that you are moving away from SM.


Re: SquirrelMail exploits?

by Michel (M)


> On Tue, 24 Jun 2008, Brant Wells wrote:
>

>
>> Fedora Core v5
> scary - old, outdated, unsupported. - try Slackware 12.1, or if you MUST
> use a simple RPM pray system, use CentOS 5.2.
>


I think that is not the point; even with an older OS, any MTA abuse is based on
misconfiguration of THE MTA, not the OS, mostly relay-related issues.

>
> It is possible your php has been exploited, this is not SM's fault nor
> its problem.
>

even so, the problem always comes back to MTA configuration issues, with a php exploit
or not, because php on its own cannot send email


>> UWIMAP 2004G
>
> That's ok, not my choice for speed or performance but it won't be the
> problem.
>

same thing


michel







Re: SquirrelMail exploits?

by Michel (M)


> On Tue, Jul 1, 2008 at 7:39 PM, Res <res@...> wrote:
>> On Tue, 24 Jun 2008, Brant Wells wrote:
>>
>>> Hi All,
>>>
>>> I have recently noticed a steady stream of email leaving my server that appears
>>> to be from
>>> my Squirrel Mail users.  I upgraded from 1.4.10 to 1.4.15 in an effort to fix
>>> the issue.  It
>>> went away for a couple of days, but is back now.
>>
>> I won't go over what others have said about it not being an MTA etc, as it's
>
> <snip>
>
> And, as always, there are plugins that can help you identify when you
> have an account on your server that has been compromised and is being
> used to send spam.  The best tools for this are your own server logs,
> possibly augmented by the "Squirrel Logger" plugin, but if you could
> also check out the "Restrict Senders" plugin and if you are trying to
> be proactive against password attacks, etc., you can try the "CAPTCHA"
> and "Lockout" plugins too.
>


even if you are right, it does not help so much, since the MTA should be configured
to mail correctly, so it does not matter if someone else uses the account, because the
spam origin comes back in the first place to the relaying MTA, not to the user

so it does not matter whether you have users trying to send spam or not, so long as your
MTA is "vaccinated" against such attempts - so it doesn't matter if it is a legitimate
user or not. I mean, you are trying to bring the cow down by its tail when trying to
fight password attempts; at the MTA level you get it by its horns


I guess most attempts faking an SM origin are not coming from the SM installation
itself but are faked by relay attempts, so with proper relay protection of your
MTA all this goes away

a good and easy protection is the greeting relay in the first place, rate limiting
second, and then a recipient count limit third, and so most spam/relay attempts are
gone

michel







Re: SquirrelMail exploits?

by Paul Lesniewski

On Wed, Jul 2, 2008 at 3:39 AM, Michel <Michel@...> wrote:

>
>> On Tue, Jul 1, 2008 at 7:39 PM, Res <res@...> wrote:
>>> On Tue, 24 Jun 2008, Brant Wells wrote:
>>>
>>>> Hi All,
>>>>
>>>> I have recently noticed a steady stream of email leaving my server that appears
>>>> to be from
>>>> my Squirrel Mail users.  I upgraded from 1.4.10 to 1.4.15 in an effort to fix
>>>> the issue.  It
>>>> went away for a couple of days, but is back now.
>>>
>>> I won't go over what others have said about it not being an MTA etc, as it's
>>
>> <snip>
>>
>> And, as always, there are plugins that can help you identify when you
>> have an account on your server that has been compromised and is being
>> used to send spam.  The best tools for this are your own server logs,
>> possibly augmented by the "Squirrel Logger" plugin, but if you could
>> also check out the "Restrict Senders" plugin and if you are trying to
>> be proactive against password attacks, etc., you can try the "CAPTCHA"
>> and "Lockout" plugins too.
>
> even if you are right it does not help so much since the MTA should be configured
> to mail correctly so it does not matter if some else use the account because the
> spam origin comes back in first place to the relaying mta not to the user

You already made your point.  I am pointing out other tools that can
be used to identify problems like compromised accounts.

> so it does not matter if you have users trying to send spam or not so long as your
> mta is "vacinated" against such attemps - so doen't matter if it is a legitimate
> user or not. I mean you try bringing the cow down with it's tail when trying to
> fight passwd attempts, on mta level you get it by it's horns

The README files of the necessary plugins already note that better
solutions exist at the MTA level.  It is NOT a bad thing to apply
rules to the SM login page to reduce password guessing attacks, etc.

> I guess most attempts faking sm origin are not coming from the sm instalation
> itself but they are faked by relay attempts so with proper relay protection of your
> MTA all this goes away

Stop already.  There IS in fact such thing as a compromised SM account
being used to send spam.  You make it sound like this can never
happen.  Wrong.

> a good and easy protection is the greeting relay in first place and rate limit in
> second and then recepient limit count as third and so most spam/relay attempts are
> gone then

Sure, of course.


Re: SquirrelMail exploits?

by Michel (M)


> On Wed, 2 Jul 2008, Michel wrote:
>
...
>>
>>
>> even if you are right it does not help so much since the MTA should be configured
>> to mail correctly so it does not matter if some else use the account because the
>
>
> do you actually know what you are saying?
>

oh yes!

> how the hell is the MTA to know what is genuine Email and what is not,

that's the point: it does not, and does not need to, just as SM does not need to
check whether a correct user/password is typed by the client or by any other
individual


> when they both posted from the same machine and its told to realy for

that is the other point: the exploiter will probably NOT post from the same
computer, and that is where the correct MTA config hooks in: NOT allowing mail relay




michel







Re: SquirrelMail exploits?

by Paul Lesniewski

On Thu, Jul 3, 2008 at 5:06 PM, Res <res@...> wrote:

> On Wed, 2 Jul 2008, Michel wrote:
>
>>
>>> how the hell is the MTA to know what is genuine Email and what is not,
>>
>> that's the point, it does not and does not need to as well as SM does not need to
>> check if a correct user/password given is typed by the client or by any other
>> individual
>
> thats correct,  if they guess a user/pass  they have as far as SM is
> concerned a legitimate access and right to send email, so again it is not
> SM's problem, it like the MTA is doing what its been told to do.
>
>>
>>> when they both posted from the same machine and its told to realy for
>>
>> that is the other point, the exploiter will probably NOT post from the same
>> computer and that is where the correct MTA config hooks in: NOT allowing mail relay
>
> HUH? no, you certainly do not understand this at all, it will not relay
> for the end user, it relays for SM users, from the web submission on that
> local server.
>
> I'll put it as plain as I can think of...
>
> SERVER (it has its 'net' IP and also it is internally known as
> localhost/127.0.0.1)
>
> MTA (any, will relay for itself, AKA localhost) (or whatever you config SM
> to use as your outbound MTA.
>
> SM (sits there waiting...)
>
> USER -- logins into to SM
>
> SM: hi, thank you, welcome, here's your mail, and because you have
> authenticated and been granted access I will let you send emails from your
> current Webmail session.
>
> The MTA is relaying for the webmail server, no-one else (if you know how
> to set it up)

Some systems, however, are intentionally built to offer SMTP access
for other clients (Thunderbird, Outlook, etc.), wherein the username
and password are going to be the same and so a compromised account
could be used for nefarious purposes using any unknown email client.
Usually the interface/port number will be different, though, so you
can distinguish the two and treat them differently as needed.

> So you see they just do what they are told to do, and the MTA must relay
> for SM, else WTF is the point of having webmail, you might as well have a
> read only mail system, in which case your users wont be back often if at
> all :)
>
> It is not SM or Sendmail or Qmail or Exim or postfix etc's fault if a user
> has gained access to a webmail account illegally through brute force or
> however and sends 10K emails, because it is again an authorised account to
> login and read/send email.
>
> If you do what you earlier said and rate limit the localhost MTA, you
> are going to be in all sorts of strife with no-one being able to send
> emails, 2 out of 10 might get through, now to do it per user, will not
> work because to the MTA every SM submitted email comes from the same IP,
> the SM server itself, not the end users, it doesn't care less what IP that
> user actually comes from if it is a legal login account.

SM can be configured to send authentication credentials when talking
SMTP, which can be sitewide or per-user, so it is in fact possible to
send the MTA enough information to apply per-user rate limiting.
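Paul's last point, that an MTA which receives the SASL username can rate-limit per user, and Res's objection that every webmail submission reaches the MTA from the SquirrelMail host's own address, can both be seen in the following added example (not code from this thread, from SquirrelMail or from Postfix). It is a minimal sliding-window limiter that reads requests in the Postfix policy-delegation format (the `name=value` lines Postfix sends to a `check_policy_service` handler) and keys the count on `sasl_username` when present, falling back to `client_address` otherwise. The requests are constructed, the limits are arbitrary, and a real deployment would serve this over a socket rather than in-process.

```python
import time
from collections import defaultdict, deque


def parse_policy_request(text):
    """Parse one Postfix policy-delegation request: 'name=value' lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def build_request(user, client_ip, recipient_count=0):
    """Construct a minimal request as Postfix sends it at smtpd_recipient_restrictions."""
    return (
        "request=smtpd_access_policy\n"
        "protocol_state=RCPT\n"
        f"client_address={client_ip}\n"
        f"sasl_username={user}\n"
        f"recipient_count={recipient_count}\n\n"
    )


def format_response(action):
    """Policy-server reply: a single action line followed by an empty line."""
    return f"action={action}\n\n"


class PerUserRateLimiter:
    """Sliding-window message counter keyed on the authenticated user (or the client IP)."""

    def __init__(self, max_messages, window_seconds, key_mode="user"):
        self.max_messages = max_messages
        self.window = window_seconds
        self.key_mode = key_mode          # "user" or "ip" (the latter models Res's scenario)
        self.history = defaultdict(deque)  # key -> timestamps of accepted messages

    def key_for(self, attrs):
        if self.key_mode == "user" and attrs.get("sasl_username"):
            return "user:" + attrs["sasl_username"]
        return "ip:" + attrs.get("client_address", "unknown")

    def check(self, attrs, now=None):
        """Return a Postfix action string for this request."""
        now = time.monotonic() if now is None else now
        # Postfix consults the policy server once per RCPT; count a message only on its
        # first recipient so a 40-recipient message is still one message.
        if attrs.get("protocol_state") == "RCPT" and attrs.get("recipient_count", "0") != "0":
            return "DUNNO"
        stamps = self.history[self.key_for(attrs)]
        while stamps and stamps[0] <= now - self.window:
            stamps.popleft()
        if len(stamps) >= self.max_messages:
            # Temporary failure: a legitimate burst recovers, a spam run is throttled.
            return "DEFER_IF_PERMIT Sending rate limit exceeded, try again later"
        stamps.append(now)
        return "DUNNO"


def simulate(key_mode, max_messages=5, window_seconds=60):
    """Feed constructed submissions (all from 127.0.0.1, as webmail looks to the MTA)
    through the limiter and return {user: [decision, ...]}."""
    limiter = PerUserRateLimiter(max_messages, window_seconds, key_mode=key_mode)
    senders = ["carol"] * 8 + ["alice", "bob"]  # carol is the compromised account
    decisions = defaultdict(list)
    for i, user in enumerate(senders):
        attrs = parse_policy_request(build_request(user, "127.0.0.1"))
        decisions[user].append(limiter.check(attrs, now=float(i)))
    return dict(decisions)


if __name__ == "__main__":
    for mode in ("user", "ip"):
        print(f"keyed by {mode}:")
        for user, outcome in simulate(mode).items():
            print(f"  {user:<6}", [d.split()[0] for d in outcome])
```

Keyed by user, only `carol` is deferred after her fifth message while `alice` and `bob` go through; keyed by IP, the shared `127.0.0.1` bucket fills up on carol's traffic and everyone behind the webmail host is deferred, which is exactly the "2 out of 10 might get through" situation Res warns about and the reason the SASL username has to reach the MTA.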
