Mailing List CGatePro@mail.stalker.com Message #92579
From: Pascal Robert <probert@os.ca>
Subject: Re: Speaking of CGP and Spam....
Date: Wed, 12 Sep 2007 08:18:42 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Apple Mail (2.752.3)

On 07-09-11 at 17:25, John Rudd wrote:

> Stefan Seiz wrote:
>> On 11.09.2007 19:28 Uhr, John Rudd <jrudd@ucsc.edu> wrote:
>>> In the last month or two we've had 3 cases of independent sites in
>>> Africa compromising 3 different accounts (3 total, not 9 total ... 1 per
>>> site) and using them to send spam.  All of the reported messages came
>>> through webmail, but I'm sure if I just limited their webmail access
>>> they'd start using SMTP-Auth.
>> I'd guess if you don't require webmail sessions to come from the SAME IP,
>> then it might be not too hard to hijack a webmail session and thus maybe
>> effectively take over an account...
>> That is a general problem with session ids in URLs or even cookies...
>
> Actually, in all 3 cases, it stopped as soon as the password for the account was changed.  So I think it's simple password cracking.  For the first one, it was a French professor who had a simple French word as his password (likely to be in a French dictionary file).  And the African country that cracked it was ... primarily French speaking.

In our case, we had a POP3 attack a couple of months ago.  How did we find out?  We have an IMAP account where we store mail coming from systems (cron results, etc.), and Mail.app was starting to ask people to re-enter the password for this account.

Turns out that in Settings -> Obscure -> Login Security, we were suspending accounts that had 15 failed logins within one minute, so the attacker was trying different passwords for this account and it got locked.  I found his IP and I blocked him in the firewall.

So I strongly suggest that you check your Login Security settings; it helps to block those POP3 attacks.
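The detection Pascal describes (15 failed logins against one account within one minute, then blocking the source IP) can also be run over the server's own logs rather than waiting for a suspended account to surface as a Mail.app password prompt. The following is an added example, not code from the list post or from CommuniGate Pro: it counts failures per account and per client IP in a sliding one-minute window over constructed log lines. The log format (`timestamp protocol account ip result`), the account names and the IP addresses are all assumptions made up for the example; a real deployment would parse whatever the mail server actually writes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lockout policy mirroring the list post: 15 failures within one minute.
THRESHOLD = 15
WINDOW = timedelta(minutes=1)


def build_sample_log():
    """Construct sample log lines (assumed format, not CommuniGate's own).

    Fields: ISO timestamp, protocol, account, client IP, result.
    - 20 failures against cron@example.org from 203.0.113.9, one every 2 s
    - 3 scattered failures against jdoe@example.org, minutes apart (a
      mistyped password, which must NOT trigger an alert)
    - a few successful logins, which are ignored by the detector
    """
    t0 = datetime(2007, 9, 10, 3, 14, 0)
    lines = []
    for i in range(20):
        ts = t0 + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} POP3 cron@example.org 203.0.113.9 FAIL")
    for minutes in (5, 9, 14):
        ts = t0 + timedelta(minutes=minutes)
        lines.append(f"{ts.isoformat()} IMAP jdoe@example.org 198.51.100.7 FAIL")
    lines.append(f"{(t0 + timedelta(minutes=15)).isoformat()} IMAP jdoe@example.org 198.51.100.7 OK")
    lines.append(f"{(t0 + timedelta(minutes=16)).isoformat()} POP3 cron@example.org 192.0.2.10 OK")
    # Sort so the detector sees events in time order, as a live log would deliver them.
    return "\n".join(sorted(lines))


def parse_line(line):
    """Split one log line into (timestamp, protocol, account, ip, result)."""
    ts, proto, account, ip, result = line.split()
    return datetime.fromisoformat(ts), proto, account, ip, result


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as ((kind, value), timestamp) tuples.

    kind is "account" or "ip"; an alert fires the first time that key
    accumulates `threshold` failures inside the sliding `window`.
    Counting per IP as well as per account is what lets you block the
    source at the firewall instead of only suspending the victim account.
    """
    recent = defaultdict(deque)  # key -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, _proto, account, ip, result = parse_line(line)
        if result != "FAIL":
            continue
        for key in (("account", account), ("ip", ip)):
            dq = recent[key]
            dq.append(ts)
            # Drop failures that fell out of the window.
            while dq and ts - dq[0] > window:
                dq.popleft()
            if len(dq) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append((key, ts))
    return alerts


def blocked_ips(alerts):
    """IPs that crossed the threshold, i.e. candidates for a firewall rule."""
    return sorted(value for (kind, value), _ts in alerts if kind == "ip")


if __name__ == "__main__":
    found = detect_bruteforce(build_sample_log().splitlines())
    for (kind, value), ts in found:
        print(f"{ts.isoformat()} {kind} {value} exceeded {THRESHOLD} failures in {WINDOW}")
    print("block:", blocked_ips(found))
```

Run as-is it reports the account and the source IP at 03:14:28, the moment of the 15th failure, and leaves the three slow failures against the second account alone; swapping `build_sample_log()` for a file reader and `parse_line()` for the real log format is all that changes for production use.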