Educause Security Discussion mailing list archives
Re: Spammer got into my Webmail
From: Robin Polak <robin.polak () GMAIL COM>
Date: Tue, 9 Sep 2008 11:01:05 -0400
What did you put into your header.txt to set the X-Originating-User header? Would you be at all willing to share those scripts you use to monitor your e-mail? Thank you for your help!!

On Tue, Sep 9, 2008 at 10:49, Mark Montague <markmont () umich edu> wrote:

> Our Horde/IMP installation sets the X-Originating-User header in outgoing messages, which we can use to identify messages in our outbound queue from the compromised account.
>
> We have a script that runs periodically that monitors the size of our outgoing webmail queues and notifies us when one gets unexpectedly large. Our experience has been that many spammers using compromised accounts will attempt to send thousands of messages in a very short period of time, which triggers a notification from our script, and we can log in and see if there is actually a compromised account.
>
> Our experience has also been that spammers using compromised accounts with Horde/IMP change the user's signature to contain the spam that they want to send. Horde/IMP automatically fills in each message with the spam via the signature. These spammers set up an additional identity for the user with a "From" address that is actually the spammer's address. So we have a script that looks for new identities that get set up with non-local addresses and emails us the first 100 characters of the signature for that identity -- this is enough to let us identify accounts that have been compromised, sometimes soon enough that we can disable the account before the spammer actually starts sending their messages.
>
> Finally, we have a php_include file that we set up for Horde/IMP that contains a blacklist of compromised user accounts. We can use this to block a compromised account from using webmail without having to completely disable the account across all services.
>
> Mark Montague
> ITCS Web/Database Production Team
> The University of Michigan
> markmont () umich edu
>
> On Tue, Sep 9, 2008 10:16 AM, Dan Oachs <doachs () GAC EDU> wrote:
>
>> We have configured our Horde/IMP installation to use SMTP authentication. Our Postfix logs then show who authenticated each message. We can then use that information to remove messages from our outbound queue.
>>
>> --
>> Dan Oachs
>> Gustavus Adolphus College
>>
>> Robin Polak wrote:
>>
>>> Hello,
>>>
>>> One of my webmail users was fooled into revealing his credentials to a spammer, and now I am dealing with the backlash of all this spam having left our SMTP servers, as well as much mail still left in the outbound Sendmail queues. Is there any advice that any of you could provide me as far as filtering out the spam from my Sendmail queues, as well as any procedures I could follow to counteract the effects of blacklisting, such as a generally checked whitelist?
>>>
>>> In addition, as a result of this incident I have found a flaw in the tracking of mail between our webmail (Horde/IMP), Cyrus IMAP, and Sendmail. What sort of suggestion could be made as far as effectively being able to correlate my logs? Is there a way to put a header into a message leaving IMP indicating the user-name that was used to log in to Horde? This would have been quite useful, since in some way the spammer was able to spoof the From address in the message to be a yahoo.com <http://yahoo.com> address.
>>>
>>> --
>>> Robin Polak, Network Manager
>>> College of Mount Saint Vincent
>>> E-Mail: robin.polak () gmail com <mailto:robin.polak () gmail com>
>>> V. 718-405-3293
-- Robin Polak E-Mail: robin.polak () gmail com V. 917-494-2080
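The two defensive techniques described in the thread, tying each queued message back to the authenticated webmail user (Dan's SMTP-auth approach) and alerting when one account suddenly pushes an unusually large volume (Mark's queue-monitoring script), can be demonstrated together on a Postfix log. The following is an added example written for this archive page; it is not a script from any of the posters or from Horde, Postfix or Sendmail. It assumes Postfix's standard `smtpd`/`qmgr` log lines with `sasl_username=` present (the format produced when SMTP authentication is enabled), uses constructed sample log lines, and treats the local domain (`example.edu`) and the recipient threshold as assumed site parameters.

```python
import re
from collections import Counter, defaultdict

# Constructed sample maillog lines (not taken from the thread). The layout follows
# Postfix's smtpd and qmgr logging when SASL authentication is enabled: the smtpd
# line carries the authenticated user, the qmgr line carries envelope sender and
# recipient count for the same queue ID.
SAMPLE_LOG = """\
Sep  9 10:12:01 mx postfix/smtpd[2201]: 7A1B2C3D4E: client=webmail.example.edu[10.0.0.5], sasl_method=LOGIN, sasl_username=jdoe
Sep  9 10:12:01 mx postfix/qmgr[1100]: 7A1B2C3D4E: from=<jdoe@example.edu>, size=1820, nrcpt=1 (queue active)
Sep  9 10:12:03 mx postfix/smtpd[2201]: 8B2C3D4E5F: client=webmail.example.edu[10.0.0.5], sasl_method=LOGIN, sasl_username=asmith
Sep  9 10:12:03 mx postfix/qmgr[1100]: 8B2C3D4E5F: from=<lottery-winner@yahoo.com>, size=4096, nrcpt=50 (queue active)
Sep  9 10:12:04 mx postfix/smtpd[2202]: 9C3D4E5F6A: client=webmail.example.edu[10.0.0.5], sasl_method=LOGIN, sasl_username=asmith
Sep  9 10:12:04 mx postfix/qmgr[1100]: 9C3D4E5F6A: from=<lottery-winner@yahoo.com>, size=4096, nrcpt=50 (queue active)
Sep  9 10:12:05 mx postfix/smtpd[2203]: A4E5F6A7B8: client=webmail.example.edu[10.0.0.5], sasl_method=LOGIN, sasl_username=asmith
Sep  9 10:12:05 mx postfix/qmgr[1100]: A4E5F6A7B8: from=<lottery-winner@yahoo.com>, size=4096, nrcpt=50 (queue active)
"""

# smtpd line: queue ID plus the SASL-authenticated login name.
SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): .*sasl_username=(?P<user>\S+)")
# qmgr line: queue ID plus envelope sender and number of recipients.
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def correlate(log_text):
    """Join smtpd and qmgr lines on queue ID.

    Returns {queue_id: {"user": ..., "sender": ..., "nrcpt": ...}}; a record may be
    partial if only one of the two lines was seen.
    """
    records = defaultdict(dict)
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            records[m["qid"]]["user"] = m["user"]
            continue
        m = FROM_RE.search(line)
        if m:
            records[m["qid"]]["sender"] = m["sender"]
            records[m["qid"]]["nrcpt"] = int(m["nrcpt"])
    return dict(records)


def queue_ids_for_user(records, user):
    """Queue IDs submitted by one authenticated account (what to purge once it is known compromised)."""
    return sorted(qid for qid, rec in records.items() if rec.get("user") == user)


def spoofed_sender_queue_ids(records, local_domain):
    """Queue IDs where an authenticated local user submitted mail with a non-local envelope sender.

    This is the pattern from the thread: a legitimate login, but a From address at an
    outside provider.
    """
    suffix = "@" + local_domain.lower()
    return sorted(
        qid for qid, rec in records.items()
        if "user" in rec and "sender" in rec and not rec["sender"].lower().endswith(suffix)
    )


def recipients_per_user(records):
    """Total envelope recipients per authenticated user, the quantity worth alerting on."""
    totals = Counter()
    for rec in records.values():
        if "user" in rec:
            totals[rec["user"]] += rec.get("nrcpt", 0)
    return totals


def users_over_threshold(records, max_recipients):
    """Users whose recipient total exceeds the (assumed, site-specific) threshold."""
    return sorted(u for u, n in recipients_per_user(records).items() if n > max_recipients)


def postsuper_commands(queue_ids):
    """Render the Postfix queue-deletion commands an operator would review before running."""
    return [f"postsuper -d {qid}" for qid in queue_ids]


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    for user in users_over_threshold(recs, max_recipients=100):
        print(f"ALERT: {user} has {recipients_per_user(recs)[user]} queued recipients")
        for cmd in postsuper_commands(queue_ids_for_user(recs, user)):
            print("  ", cmd)
    print("non-local senders from authenticated users:", spoofed_sender_queue_ids(recs, "example.edu"))
```

On the constructed input, `asmith` accounts for 150 recipients across three queue entries, all with a yahoo.com envelope sender, so both checks flag the same account; `jdoe` sends one message from a local address and is not flagged. The commands are only printed, not executed, so the operator confirms the account is actually compromised before deleting anything from the queue, which is the manual step Mark's message describes.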