[Dshield] eBay/PayPal Scams & Squirrel Mail

jayjwa jayjwa at atr2.ath.cx
Sat Aug 6 20:36:35 GMT 2005

This is to make people/sites that run Squirrel Mail aware of something I'm 
seeing recently. It looked importanted to me, but YMMV...

I'm seeing ALOT of hacked sites hosting eBay/PayPal scams, and all of them 
I've reported this week seem to be running older, exploitable versions of 
Squirrel Mail. From the Squirrel Mail site:

SECURITY: several XSS issues discovered and fixed
Jun 15, 2005 by Thijs Kinkhorst

Several cross site scripting (XSS) vulnerabilties have been discovered
in SquirrelMail versions 1.4.0 - 1.4.4. These have been addressed in a
patch. We advise all our users to apply this patch.

Earlier versions had other troubles.

An example of such a site:

                             Enterprise Software Logo
                            SquirrelMail version 1.4.4
                       By the SquirrelMail Development Team

                            Enterprise Software Login
                                 Name: _____________________
                             Password: _____________________
                                    [ Login ]

That server is hosting an eBay Scam at (URL wraps):

Given the structure of the directories, this seems to be like the pre-made 
kits that I've heard about (but never confirmed the existance of myself).

eBay takes forwarded (not replied to, just forwarded with no extra text in 
the email but only the scam spam itself) scams to: spoof at ebay.com if it is 
an eBay scam spam. Must include full email w/headers.

PayPal takes replied to (display headers & reply, changing the address to 
PayPal's) scams to: spoof at paypal.com if it is a PayPal scam. Make sure to 
send full headers.

I have had alot of luck getting these shutdown by sending to the abuse 
contact of the spamming site, the scam hosting site, and the appropriate 
spoof address above using a pre-made form with boxes to check off, 
depending on the scenerio, and attaching the original scam spam at the 

The above site show here was reported on the 6th with this method as 
described above.


More information about the list mailing list