[unisog] Nigerian scam via squirrelmail

Steven VanDevender stevev at uoregon.edu
Tue Oct 27 17:16:31 GMT 2009


Mike Patterson writes:
 > -----BEGIN PGP SIGNED MESSAGE-----
 > Hash: SHA1
 > 
 > On 25/10/09 10:42 PM, Mark Montague wrote:
 > > We have a variety of monitoring tools in place to help us detect the  
 > > type of activity the spammers engage in with stolen usernames and  
 > > passwords, and we disable most of those accounts not long after the  
 > > spammer starts abusing them.
 > 
 > Our experience has been the same; this has been an issue for us on both
 > Horde and Squirrelmail (long story) installations since at least April
 > 2008.  At one point I think we had a few hundred compromised accounts,
 > but our tools for automatically shutting such down have improved.  :P
 > 
 > Mike

With this type of spear-phishing it is generally the case that account
credentials are stolen rather than your webmail system directly
compromised.  We don't use Squirrelmail or Horde, and there's no
indication that our webmail system has been compromised, but we
frequently find that the compromised users replied to a spear-phishing
message (and can often find the replies in saved sent mail).

We found this project to be immensely helpful in providing better
detection of phished accounts, often before the phisher starts abusing
them:

http://code.google.com/p/anti-phishing-email-reply/

The maintainers, largely people from .edu sites around the world,
maintain a list of observed phishing reply addresses and form links.
Here we use this to both block incoming and outgoing mail to phishing
addresses, and I also daily use one of the included scripts to scan the
previous few days' worth of mail logs for replies that may have occurred
before an address was listed.

Warning: Accounts from your site may be in the phishing_reply_addresses
list.  The maintainers are quite amenable to removing addresses when
contacted by site admins to confirm that the accounts have been
resecured.

Use of anti-phishing-email-reply combined with our other spam-filtering
measures has made successful phishing only an occasional problem for us
(maybe one account a month or so has to be disabled for giving up
credentials to a phisher, often before the phisher has a chance to
exploit the account).

 > - -- 
 > Never test for an error condition you don't know how to handle.
 > - - Steinbach
 > -----BEGIN PGP SIGNATURE-----
 > Version: GnuPG v1.4.10 (Darwin)
 > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 > 
 > iEYEARECAAYFAkrmAsEACgkQrqw9H9F0mCQD9gCgmLDcLMjq76afBtjlECUy60ds
 > IDMAnjLxMFkQBILyRG0eWsy783wsMdAE
 > =sjym
 > -----END PGP SIGNATURE-----
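The second use Steven describes, scanning recent mail logs for outbound replies to already-listed phishing addresses, can be illustrated with a small scanner. The code below is an added example, not code from this post or from the anti-phishing-email-reply project; the list format (one address per line, `#` comments) is an assumed simplification of the project's real file, and the Postfix-style log lines and the addresses in them are constructed placeholders. It correlates queue IDs so that the local sender on a `from=` line is tied to the `to=` delivery line, then reports which local accounts sent mail to a listed address.

```python
import re

# Constructed phishing reply-address list. Placeholder addresses; the real
# project's file layout is assumed, not copied, here.
PHISHING_REPLY_ADDRESSES = """
# one reply address per line; '#' starts a comment
phish-reply-1@example.net
refund.desk@example.org
"""

# Constructed Postfix-style log excerpt for a campus MTA (not real traffic).
SAMPLE_MAIL_LOG = """
Oct 27 08:01:12 mx1 postfix/qmgr[1234]: 5C2A1B3: from=<alice@campus.example.edu>, size=2311, nrcpt=1 (queue active)
Oct 27 08:01:13 mx1 postfix/smtp[1240]: 5C2A1B3: to=<phish-reply-1@example.net>, relay=mail.example.net[192.0.2.10]:25, status=sent (250 OK)
Oct 27 08:05:44 mx1 postfix/qmgr[1234]: 7D9F0C2: from=<bob@campus.example.edu>, size=1980, nrcpt=1 (queue active)
Oct 27 08:05:45 mx1 postfix/smtp[1241]: 7D9F0C2: to=<colleague@example.com>, relay=mail.example.com[192.0.2.20]:25, status=sent (250 OK)
Oct 27 09:12:03 mx1 postfix/qmgr[1234]: 9AA12E4: from=<carol@campus.example.edu>, size=2502, nrcpt=1 (queue active)
Oct 27 09:12:04 mx1 postfix/smtp[1242]: 9AA12E4: to=<Refund.Desk@example.org>, relay=mail.example.org[192.0.2.30]:25, status=sent (250 OK)
"""

# Timestamp, queue ID and the envelope address on a from= or to= line.
FROM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S+: (?P<qid>[0-9A-F]+): from=<(?P<addr>[^>]*)>"
)
TO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S+: (?P<qid>[0-9A-F]+): to=<(?P<addr>[^>]*)>"
)


def load_phishing_addresses(text):
    """Parse the (assumed) list format into a set of lower-cased addresses."""
    addresses = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addresses.add(line.lower())
    return addresses


def scan_mail_log(log_text, bad_addresses):
    """Return one hit per delivery to a listed address, tied back to the sender.

    Postfix logs the sender on the qmgr 'from=' line and each recipient on a
    later 'to=' line; the queue ID links the two, so we remember senders by
    queue ID as we stream through the log.
    """
    sender_by_qid = {}
    hits = []
    for line in log_text.splitlines():
        m = FROM_RE.match(line)
        if m:
            sender_by_qid[m.group("qid")] = m.group("addr").lower()
            continue
        m = TO_RE.match(line)
        if not m:
            continue
        recipient = m.group("addr").lower()   # case-insensitive match
        if recipient in bad_addresses:
            hits.append({
                "when": m.group("ts"),
                "queue_id": m.group("qid"),
                "sender": sender_by_qid.get(m.group("qid"), "<unknown>"),
                "recipient": recipient,
            })
    return hits


def suspected_accounts(hits):
    """Distinct local accounts that replied to a listed address, sorted."""
    return sorted({h["sender"] for h in hits})


if __name__ == "__main__":
    bad = load_phishing_addresses(PHISHING_REPLY_ADDRESSES)
    for hit in scan_mail_log(SAMPLE_MAIL_LOG, bad):
        print("{when} {queue_id} {sender} -> {recipient}".format(**hit))
    print("accounts to review:", suspected_accounts(scan_mail_log(SAMPLE_MAIL_LOG, bad)))
```

Run daily against the last few days of logs, as the post describes, this catches replies sent before the address was added to the list; the accounts it names are candidates for a password reset and a check of saved sent mail, not automatic disablement, since a hit only shows that a message was sent to a listed address.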

