[unisog] FYI - dictionary attack on Squirrelmail
pete at shadows.uottawa.ca
Tue Mar 2 20:47:43 GMT 2010
On Tue, Mar 02, 2010 at 04:48:01PM +1300, Steve Shipway wrote:
> > It so happened that someone had set up a couple of multi-user role
> > accounts with, yes, username=password, so that the attacker was able to
> > send a bunch of spam out on the weekend before we noticed.
> In order to catch this sort of thing, we have a periodic (every 15mins) script on the webmail host which eats the log and identifies any accounts which have sent an excessive number of messages, or messages to an excessive number of recipients, in the last hour. If any are found, it uses NSCA to send an alert into Nagios (of course, you could send alerts to whatever monitoring package you use, or even just send an email).
> It doesn't stop people having their accounts compromised, but it catches spammers much faster and helps prevent out mail servers from being listed on the various internet mail blacklists.
In the case of SquirrelMail there is a triplet (I beleive) which can
be set which limits the amount and frequency. It took a bit of tuning,
but has been quite effective.
Pete Hickey I love cats!
The University of Ottawa (but I can't
Ottawa, Ontario eat a whole one)
More information about the unisog