[unisog] Nigerian scam via squirrelmail

Joseph Brennan brennan at columbia.edu
Mon Oct 26 13:00:15 GMT 2009

--On Friday, October 23, 2009 19:07 -0700 Andrew Daviel <advax at triumf.ca> 

> Has anyone heard of an active squirrelmail exploit?
> We had an incident that I don't quite understand - a spammer (RIPE says
> the IP is in Nigeria - honest!) got into a couple of our accounts and
> sent a bunch of "you have won $$" mail. In one case, they edited the
> Squirrelmail profile so that the signature was the message and the
> sending-address was changed (to a bad address, so I got a lot of
> postmaster DSN mail).

First, you know about the hack in Squirrelmail's distribution,
announced in July, right? http://squirrelmail.org/index.php

But in general, loading the message into the sig and changing the
sender address is totally routine for the Nigerian spam gangs.  That's
been going on with Squirrelmail and IMP systems for a year and a half.
Usually they phish the credentials, although your case does sound
different from that.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
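
Added example, not part of the original message or of SquirrelMail itself: a Python audit for the profile tampering described in this thread (message text loaded into the signature, sender address changed). The key=value preference layout, the key names email_address and reply_to, the separate signature file, the thresholds and the word list are assumptions; all sample data is constructed.

```python
import re

# Assumption: file-backed SquirrelMail preferences are "key=value" lines
# (<user>.pref) and the signature is a separate text file (<user>.sig).
LURE = re.compile(r"\b(won|winner|lottery|claim|prize|beneficiary)\b", re.I)

def parse_prefs(text):
    """Parse key=value preference lines; only the first '=' splits."""
    prefs = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            prefs[key.strip()] = value.strip()
    return prefs

def audit_profile(user, prefs_text, sig_text, local_domains, max_sig_lines=8):
    """Return findings for one account: off-site sender, message-sized sig."""
    findings = []
    prefs = parse_prefs(prefs_text)
    for key in ("email_address", "reply_to"):
        addr = prefs.get(key, "")
        domain = addr.rpartition("@")[2].lower()
        if addr and ("@" not in addr or domain not in local_domains):
            findings.append(f"{user}: {key} is off-site or malformed: {addr!r}")
    sig_lines = [ln for ln in sig_text.splitlines() if ln.strip()]
    if len(sig_lines) > max_sig_lines:
        findings.append(f"{user}: signature has {len(sig_lines)} lines")
    hits = sorted({m.lower() for m in LURE.findall(sig_text)})
    if hits:
        findings.append(f"{user}: signature contains lure words: {', '.join(hits)}")
    return findings

# Constructed sample data (not taken from the incident in this thread).
LOCAL = {"example.edu"}
CLEAN_PREFS = "full_name=Alice Example\nemail_address=alice@example.edu\n"
CLEAN_SIG = "Alice Example\nPhysics Department\n"
BAD_PREFS = "full_name=Claims Office\nemail_address=claims@bad-address.invalid\n"
BAD_SIG = "\n".join(["You have won $1,000,000 in our lottery."]
                    + [f"Claim step {i}: reply with your details" for i in range(1, 10)])

if __name__ == "__main__":
    for name, prefs, sig in (("alice", CLEAN_PREFS, CLEAN_SIG),
                             ("bob", BAD_PREFS, BAD_SIG)):
        for finding in audit_profile(name, prefs, sig, LOCAL):
            print(finding)
```

Run across every account's preference and signature files, a check like this surfaces accounts whose profile was rewritten before the bounce traffic does.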

