Re: Spammer got into my Webmail

[Robin Polak <robin.polak () GMAIL COM>]

What did you put into your header.txt to set the X-Originating-User header?
Would you be at all willing to share those scripts you use to monitor your
e-mail?  Thank You for your help!!

On Tue, Sep 9, 2008 at 10:49, Mark Montague <markmont () umich edu> wrote:

> Our Horde/IMP installation sets the X-Originating-User header in outgoing
> messages that we can use to identify messages in our outbound queue from the
> compromised account.
>
> We have a script that runs periodically that monitors the size of our
> outgoing webmail queues and notifies us when one gets unexpectedly large.
>  Our experience has been that many spammers using compromised accounts will
> attempt to send thousands of messages in a very short period of time, which
> triggers a notification from our script and we can log in and see if there
> is actually a compromised account.
>
> Our experience has also been that spammers using compromised accounts with
> Horde/IMP change the user's signature to contain the spam that they want to
> send.   Horde/IMP automatically fills in each message with the spam via the
> signature.  These spammers set up an additional identity for the user with a
> "From" address that is actually the spammer's address.  So we have a script
> that looks for new identities that get set up with non-local identities and
> emails us the first 100 characters of the signature for that identity --
> this is enough to let us identify accounts that have been compromised,
> sometimes soon enough that we can disable the account before the spammer
> actually starts sending their messages.
>
> Finally, we have a php_include file that we set up for Horde/IMP that
> contains a blacklist of compromised user accounts.  We can use this to block
> a compromised account from using webmail without having to completely
> disable the account across all services.
>
>               Mark Montague
>               ITCS Web/Database Production Team
>               The University of Michigan
>               markmont () umich edu
>
>
>
>
>
> On Tue, Sep 9, 2008 10:16 AM, Dan Oachs <doachs () GAC EDU> wrote:
>
> > We have configured our Horde/IMP installation to use smtp authentication.
> >  Our postfix logs then show who authenticated each message.  We can then use
> > that information to remove messages from our outbound queue.
> >
> > --Dan Oachs
> >  Gustavus Adolphus College
> >
> >
> >
> > Robin Polak wrote:
> >
> > > Hello,
> > >
> > >   One of my webmail users was fooled into revealing his credentials to a
> > > spammer and now I am dealing with the backlash of all this spam having left
> > > our smtp servers as well as much mail still left in the outbound sendmail
> > > queues.  Is there any advice that any of you could provide me as far as
> > > filtering out the spam from my sendmail queues as well as any procedures I
> > > could follow to counteract the effects of blacklisting such as a generally
> > > checked whitelist?  In addition, as a result of this incident I have found a
> > > flaw in the tracking of mail between our webmail (Horde/IMP), Cyrus IMAP,
> > > and Sendmail.  What sort of suggestion could be made as far as effectively
> > > being able to correlate my logs?  Is there a way to put a header into a
> > > message leaving IMP indicating the user-name that was used to login to
> > > Horde?  This would have been quite usefull since in some way the spammer was
> > > able to spoof the From address in the message to be a yahoo.com <
> > > http://yahoo.com>  address.
> > >
> > > --
> > > Robin Polak, Network Manager
> > > College of Mount Saint Vincent
> > > E-Mail: robin.polak () gmail com <mailto:robin.polak () gmail com>
> > > V. 718-405-3293


--
Robin Polak
E-Mail: robin.polak () gmail com
V. 917-494-2080