[unisog] FYI - dictionary attack on Squirrelmail

Adam Mooz adam.mooz at gmail.com
Tue Mar 2 20:45:02 GMT 2010


On 2010-03-01, at 10:48 PM, Steve Shipway wrote:

>> It so happened that someone had set up a couple of multi-user role
>> accounts with, yes, username=password, so that the attacker was able to
>> send a bunch of spam out on the weekend before we noticed.
> 
> In order to catch this sort of thing, we have a periodic (every 15mins) script on the webmail host which eats the log and identifies any accounts which have sent an excessive number of messages, or messages to an excessive number of recipients, in the last hour. If any are found, it uses NSCA to send an alert into Nagios (of course, you could send alerts to whatever monitoring package you use, or even just send an email).
> 
> It doesn't stop people having their accounts compromised, but it catches spammers much faster and helps prevent our mail servers from being listed on the various internet mail blacklists.
> 
> Steve
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog

Why not set up something to look at outbound emails as well?  Have Spamassassin or an appliance like Untangle monitoring your outbound emails as well as inbound to catch the outbound spam before it ever hits the tubes?

-----------------------------------------------------------------
Adam Mooz
Adam.Mooz at gmail.com
http://www.AdamMooz.com
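An added example (not Steve's script or any code from this list) of the periodic check Steve describes: it reads a log, counts messages and recipients per account over the trailing hour, and reports accounts over a threshold. The log format, the account names and the thresholds are all constructed for the example; a real deployment would parse its own MTA or webmail log and replace the print with an NSCA submission or an email alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed one-line-per-message format
# ("<ISO timestamp> sender=<account> rcpts=<recipient count>"); not real data.
SAMPLE_LOG = """\
2010-03-01T21:05:12 sender=alice rcpts=1
2010-03-01T21:07:40 sender=helpdesk rcpts=45
2010-03-01T21:09:03 sender=helpdesk rcpts=50
2010-03-01T21:15:55 sender=bob rcpts=2
2010-03-01T21:20:10 sender=helpdesk rcpts=48
2010-03-01T19:00:00 sender=carol rcpts=400
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sender=(?P<acct>\S+) rcpts=(?P<n>\d+)$")


def parse_log(text):
    """Yield (timestamp, account, recipient_count) for each well-formed line;
    malformed lines are skipped rather than aborting the whole run."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["acct"], int(m["n"])


def find_excessive_senders(text, now_iso, window=timedelta(hours=1),
                           max_msgs=50, max_rcpts=100):
    """Return {account: (messages, recipients)} for accounts that exceeded
    either assumed threshold within the window ending at now_iso."""
    now = datetime.fromisoformat(now_iso)
    cutoff = now - window
    msgs, rcpts = defaultdict(int), defaultdict(int)
    for ts, acct, n in parse_log(text):
        if cutoff <= ts <= now:          # ignore anything outside the last hour
            msgs[acct] += 1
            rcpts[acct] += n
    return {a: (msgs[a], rcpts[a]) for a in msgs
            if msgs[a] > max_msgs or rcpts[a] > max_rcpts}


if __name__ == "__main__":
    # Run from cron every 15 minutes with the current time instead of this fixed one
    for acct, (m, r) in find_excessive_senders(SAMPLE_LOG, "2010-03-01T21:30:00").items():
        # Replace with send_nsca / Nagios passive check or an email to the admins
        print(f"ALERT {acct}: {m} messages to {r} recipients in the last hour")
```

Only the role account "helpdesk" trips the recipient threshold; "carol" sent a large batch but outside the trailing hour, which is the kind of miss a sliding window accepts in exchange for catching a burst quickly.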

