[unisog] FYI - dictionary attack on Squirrelmail

Andrew Daviel advax at triumf.ca
Mon Mar 1 23:01:12 GMT 2010

OK, not really a dictionary attack in the normal sense - the attackers 
knew the usernames.

We just had an incident where someone tried guessing (I presume) 
username=password against about 150 accounts via Squirrelmail over 

It so happened that someone had set up a couple of multi-user role 
accounts with, yes, username=password, so that the attacker was able to 
send a bunch of spam out on the weekend before we noticed.

In previous Squirrelmail attacks it seemed a user had fallen for a phish 
and sent them a password, which the attackers leveraged to send more 
phish messages. This time it looks like guessing.

A run of John the Ripper found a couple more u=p accounts which we 

Carelessness on my part, I guess, and not thinking users could be so 
daft. (well, OK, some years back we did have a public workstation with 
guest=guest and remote login enabled)

Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
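An added example (not code from Andrew's post) of the audit step described above, finding accounts whose password is the username or a trivial variant of it; it assumes a constructed PBKDF2 record format rather than real crypt(3) shadow hashes, and the set of username variants is an assumption.

```python
import hashlib
import hmac
import os

# Constructed record format (an assumption for this example, not /etc/shadow):
#   user:pbkdf2_sha256$<iterations>$<salt-hex>$<hash-hex>
# Real shadow files use crypt(3) formats; swap verify_hash() for a crypt verifier there.
ITERATIONS = 50_000

def make_hash(password, salt=None):
    """Produce a record in the constructed format (used only to build sample data)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_hash(password, stored):
    """Constant-time check of a candidate password against a stored record."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def username_candidates(user):
    """Passwords trivially derived from the account name (assumed variant set)."""
    return {user, user.lower(), user.capitalize(), user[::-1]}

def audit_user_equals_password(records):
    """Return usernames whose stored hash matches a username-derived password."""
    weak = []
    for line in records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, stored = line.split(":", 1)
        if stored in ("", "*") or stored.startswith("!"):
            continue  # locked account or no password set
        if any(verify_hash(cand, stored) for cand in username_candidates(user)):
            weak.append(user)
    return weak

# Constructed sample records (not real accounts): two role accounts with
# username=password, one locked account, one with a proper password.
SAMPLE_RECORDS = [
    "helpdesk:" + make_hash("helpdesk"),
    "Guest:" + make_hash("guest"),
    "svc-backup:!",
    "adaviel:" + make_hash("correct horse battery staple"),
]

if __name__ == "__main__":
    for u in audit_user_equals_password(SAMPLE_RECORDS):
        print(f"username-derived password: {u}")
```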
