Re: Spammer got into my Webmail

[Robin Polak <robin.polak () GMAIL COM>]

That is really helpful.  We are also using Mimedefang.  How is that you got
it to make that comparison and log the results?

On Tue, Sep 9, 2008 at 11:26, Joel Rosenblatt <joel () columbia edu> wrote:

> As to the IMP question:
>
> To insert the sender in IMP, see imp/config/header.php.  Our code
> is one line:
>
> $_header['X-CubMail-Sender'] = $GLOBALS['imp']['uniquser'];
>
> CubMail is the name of our IMP installation, so change that :-)
>
>
> We use a very flexible sendmail milter called Mimedefang, and we
> instruct it to compare the user in the X-CubMail-Sender line to the
> address in the From line, and log them and the number of recipients
> if they don't match.  No alarm is sent since messages like this are
> usually OK.  But if we have an abuse report, even with incomplete
> headers, we can figure out what account was used.
>
> Thanks,
> Joel Rosenblatt
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel <http://www.columbia.edu/%7Ejoel>
>
>
>
> --On Tuesday, September 09, 2008 11:01 AM -0400 Robin Polak <
> robin.polak () GMAIL COM> wrote:
>
>  What did you put into your header.txt to set the X-Originating-User
> > header?
> > Would you be at all willing to share those scripts you use to monitor your
> > e-mail?  Thank You for your help!!
> >
> > On Tue, Sep 9, 2008 at 10:49, Mark Montague <markmont () umich edu> wrote:
> >
> >  Our Horde/IMP installation sets the X-Originating-User header in outgoing
> > > messages that we can use to identify messages in our outbound queue from
> > > the
> > > compromised account.
> > >
> > > We have a script that runs periodically that monitors the size of our
> > > outgoing webmail queues and notifies us when one gets unexpectedly large.
> > >  Our experience has been that many spammers using compromised accounts
> > > will
> > > attempt to send thousands of messages in a very short period of time,
> > > which
> > > triggers a notification from our script and we can log in and see if
> > > there
> > > is actually a compromised account.
> > >
> > > Our experience has also been that spammers using compromised accounts
> > > with
> > > Horde/IMP change the user's signature to contain the spam that they want
> > > to
> > > send.   Horde/IMP automatically fills in each message with the spam via
> > > the
> > > signature.  These spammers set up an additional identity for the user
> > > with a
> > > "From" address that is actually the spammer's address.  So we have a
> > > script
> > > that looks for new identities that get set up with non-local identities
> > > and
> > > emails us the first 100 characters of the signature for that identity --
> > > this is enough to let us identify accounts that have been compromised,
> > > sometimes soon enough that we can disable the account before the spammer
> > > actually starts sending their messages.
> > >
> > > Finally, we have a php_include file that we set up for Horde/IMP that
> > > contains a blacklist of compromised user accounts.  We can use this to
> > > block
> > > a compromised account from using webmail without having to completely
> > > disable the account across all services.
> > >
> > >              Mark Montague
> > >              ITCS Web/Database Production Team
> > >              The University of Michigan
> > >              markmont () umich edu
> > >
> > >
> > >
> > >
> > >
> > > On Tue, Sep 9, 2008 10:16 AM, Dan Oachs <doachs () GAC EDU> wrote:
> > >
> > >  We have configured our Horde/IMP installation to use smtp
> > > > authentication.
> > > >  Our postfix logs then show who authenticated each message.  We can then
> > > > use
> > > > that information to remove messages from our outbound queue.
> > > >
> > > > --Dan Oachs
> > > >  Gustavus Adolphus College
> > > >
> > > >
> > > >
> > > > Robin Polak wrote:
> > > >
> > > >  Hello,
> > > > >  One of my webmail users was fooled into revealing his credentials to a
> > > > > spammer and now I am dealing with the backlash of all this spam having
> > > > > left
> > > > > our smtp servers as well as much mail still left in the outbound
> > > > > sendmail
> > > > > queues.  Is there any advice that any of you could provide me as far as
> > > > > filtering out the spam from my sendmail queues as well as any
> > > > > procedures I
> > > > > could follow to counteract the effects of blacklisting such as a
> > > > > generally
> > > > > checked whitelist?  In addition, as a result of this incident I have
> > > > > found a
> > > > > flaw in the tracking of mail between our webmail (Horde/IMP), Cyrus
> > > > > IMAP,
> > > > > and Sendmail.  What sort of suggestion could be made as far as
> > > > > effectively
> > > > > being able to correlate my logs?  Is there a way to put a header into a
> > > > > message leaving IMP indicating the user-name that was used to login to
> > > > > Horde?  This would have been quite usefull since in some way the
> > > > > spammer was
> > > > > able to spoof the From address in the message to be a yahoo.com <
> > > > > http://yahoo.com>  address.
> > > > >
> > > > > --
> > > > > Robin Polak, Network Manager
> > > > > College of Mount Saint Vincent
> > > > > E-Mail: robin.polak () gmail com <mailto:robin.polak () gmail com>
> > > > > V. 718-405-3293
> >
> > --
> > Robin Polak
> > E-Mail: robin.polak () gmail com
> > V. 917-494-2080
>
>
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel <http://www.columbia.edu/%7Ejoel>


--
Robin Polak
E-Mail: robin.polak () gmail com
V. 917-494-2080