[Dshield] eBay/PayPal Scams & Squirrel Mail
jayjwa at atr2.ath.cx
Sat Aug 6 20:36:35 GMT 2005
This is to make people/sites that run Squirrel Mail aware of something I'm
seeing recently. It looked important to me, but YMMV...
I'm seeing A LOT of hacked sites hosting eBay/PayPal scams, and all of them
I've reported this week seem to be running older, exploitable versions of
Squirrel Mail. From the Squirrel Mail site:
SECURITY: several XSS issues discovered and fixed
Jun 15, 2005 by Thijs Kinkhorst
Several cross site scripting (XSS) vulnerabilities have been discovered
in SquirrelMail versions 1.4.0 - 1.4.4. These have been addressed in a
patch. We advise all our users to apply this patch.
Earlier versions had other troubles.
An example of such a site:
Enterprise Software Logo
SquirrelMail version 1.4.4
By the SquirrelMail Development Team
Enterprise Software Login
[ Login ]
That server is hosting an eBay Scam at (URL wraps):
Given the structure of the directories, this seems to be like the pre-made
kits that I've heard about (but never confirmed the existence of myself).
eBay takes forwarded (not replied to, just forwarded with no extra text in
the email but only the scam spam itself) scams to: spoof at ebay.com if it is
an eBay scam spam. Must include full email w/headers.
PayPal takes replied to (display headers & reply, changing the address to
PayPal's) scams to: spoof at paypal.com if it is a PayPal scam. Make sure to
send full headers.
I have had a lot of luck getting these shut down by sending to the abuse
contact of the spamming site, the scam hosting site, and the appropriate
spoof address above using a pre-made form with boxes to check off,
depending on the scenario, and attaching the original scam spam at the
The above site shown here was reported on the 6th with this method as