[imp] possible bug? or a determined script kiddie?

Joseph Brennan brennan at columbia.edu
Tue May 22 12:48:28 UTC 2007



--On Monday, May 21, 2007 23:09 -0500 "Joseph W. Breu" <breu at cfu.net> wrote:

> Over the past week, we have noticed that several of the email accounts
> on our system have been compromised via webmail.


We had one account stolen, probably by a keylogger or shoulder surfing
at a public terminal.  A spammer used the user and password about a
week ago to send to 50,000 recipients via IMP in one day, mostly to
100 or 150 at a time.  Evidently there is now software that can
interact with IMP to log in and send compose form data.  The messages
were a lottery scam supposedly from Great Britain.

Working from that, we checked lottery spam our users had reported in
the most recent few days.  We found similar messages, sent not with
IMP but sent with Squirrelmail and with Bellsouth's web mail (check
for an X-Mailer: header containing 'Openwave WebEngine').  So, there
is now a spam software package that works with webmail installations.

But this does not seem in any way to be an IMP bug.  We talked briefly
about adding a CAPTCHA to the login page, but since it was precisely
one account involved, the trouble did not seem worthwhile.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
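
Added example, not part of the original post and not IMP code: one way to spot the pattern described above, an authenticated webmail account sending to far more recipients in a day than normal, plus the X-Mailer check mentioned for reported spam. The log format, the user names, the threshold and the sample message are all constructed assumptions.

```python
import re
from collections import defaultdict
from email import message_from_string

# Constructed send log in a hypothetical format (not a real IMP log format).
SAMPLE_LOG = """\
2007-05-14T09:00:01 user=alice rcpts=3
2007-05-14T09:02:10 user=user17 rcpts=150
2007-05-14T09:02:40 user=user17 rcpts=100
2007-05-14T09:03:05 user=user17 rcpts=150
2007-05-14T11:30:00 user=bob rcpts=12
2007-05-15T08:00:00 user=user17 rcpts=2
not a log line
"""

# Constructed reported message; the header value is a placeholder.
SAMPLE_MSG = ("From: lottery@example.org\n"
              "X-Mailer: Openwave WebEngine (constructed)\n"
              "Subject: You have won\n\nbody\n")

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ user=(\S+) rcpts=(\d+)$")

def daily_recipient_totals(log_text):
    """Sum recipients per (day, authenticated user); skip unparsable lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, user, rcpts = m.groups()
            totals[(day, user)] += int(rcpts)
    return dict(totals)

def flag_accounts(log_text, max_rcpts_per_day=200):
    """Return sorted (day, user, total) for accounts over the daily limit."""
    return sorted((day, user, total)
                  for (day, user), total in daily_recipient_totals(log_text).items()
                  if total > max_rcpts_per_day)

def has_xmailer(raw_message, needle="Openwave WebEngine"):
    """True if the message's X-Mailer header contains the given string."""
    value = str(message_from_string(raw_message).get("X-Mailer", ""))
    return needle.lower() in value.lower()

if __name__ == "__main__":
    for day, user, total in flag_accounts(SAMPLE_LOG):
        print(f"{day} {user}: {total} recipients, review this account")
    print("X-Mailer match:", has_xmailer(SAMPLE_MSG))
```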



