Posted to users@spamassassin.apache.org by ram <ra...@netcore.co.in> on 2008/08/05 12:18:06 UTC
Spammer trying to hijack more accounts
In the past we have had cases where spammers used our customers' weak
password accounts and started sending spam, but now the spammer is
sending mails asking users to give them their username/passwords
https://ecm.netcore.co.in/tmp/spam3.txt
I am sure there are many naive customers who would send their username
passwords back
I need to write a SA rule to score mails asking for username / passwords
inside the mail
Thanks
Ram
Re: Spammer trying to hijack more accounts
Posted by Matt <lm...@gmail.com>.
>> Another angle we used when we saw a similar issue. Use rate-limit to
>> limit the number of recipients an IP can send to per hour. Use a
>> plugin for Squirrel Mail to limit the number of recipients per message
>> and the number of messages per day. Spammers must send out thousands
>> of messages to make it worth their while. At least this worked for us
>> using Exim and Squirrel Mail.
>>
>
> Where is the squirrelmail plugin to ratelimit recipients?
http://www.squirrelmail.org/plugin_view.php?id=213
Matt
Re: Spammer trying to hijack more accounts
Posted by Matt <lm...@gmail.com>.
> In the past we have had cases where spammers used our customers' weak
> password accounts and started sending spam, but now the spammer is
> sending mails asking users to give them their username/passwords
>
>
> https://ecm.netcore.co.in/tmp/spam3.txt
>
>
> I am sure there are many naive customers who would send their username
> passwords back
> I need to write a SA rule to score mails asking for username / passwords
> inside the mail
Another angle we used when we saw a similar issue. Use rate-limit to
limit the number of recipients an IP can send to per hour. Use a
plugin for Squirrel Mail to limit the number of recipients per message
and the number of messages per day. Spammers must send out thousands
of messages to make it worth their while. At least this worked for us
using Exim and Squirrel Mail.
Matt
Re: Spammer trying to hijack more accounts
Posted by Richard Frovarp <ri...@sendit.nodak.edu>.
Sahil Tandon wrote:
> Do all the emails ask users to reply to hlpdesk39@gmail.com? I notice
> you're using Postfix, so it's worth setting up a quick access map that
> intercepts all messages to that address and redirects them to postmaster.
> You'll then have to contact those users and ask them to change their
> passwords immediately.
>
>
They rotate through the reply-to's. It's darn near impossible to stay
ahead of the game. Stronger passwords don't help as the users are giving
them out. ClamAV does help some in catching the messages coming in.
The worst part is my organization tries to make sure everything we send
out to our users is well edited. These messages are all horrible when it
comes to the content and grammar. You would think they should be able to
tell the difference.
Richard
Re: Spammer trying to hijack more accounts
Posted by Sahil Tandon <sa...@tandon.net>.
ram <ra...@netcore.co.in> wrote:
> In the past we have had cases where spammers used our customers' weak
> password accounts and started sending spam, but now the spammer is
> sending mails asking users to give them their username/passwords
Enforce stronger passwords! :) And as impossible/futile as it may seem
with regard to educating users, some tips here:
http://isc.sans.org/presentations/phishthat.pdf
> https://ecm.netcore.co.in/tmp/spam3.txt
Do all the emails ask users to reply to hlpdesk39@gmail.com? I notice
you're using Postfix, so it's worth setting up a quick access map that
intercepts all messages to that address and redirects them to postmaster.
You'll then have to contact those users and ask them to change their
passwords immediately.
--
Sahil Tandon <sa...@tandon.net>
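
Added example, not code from any poster in this thread and not SpamAssassin's own rules: a Python prototype of the check asked for at the top of the thread (score mail that asks for a username and password together), combined with a Reply-To that points at a different domain than From, since the thread notes the reply addresses rotate. The test names, weights and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical test names and weights, chosen for illustration only.
USER_RE = re.compile(r"\buser[\s-]?(?:name|id)\b|\blogin\b", re.I)
PASS_RE = re.compile(r"\bpass[\s-]?word\b", re.I)
ASK_RE = re.compile(r"\b(?:reply|send|provide|confirm|verify)\b", re.I)
# Form-style blank left for the recipient to fill in, e.g. "Password: ____".
BLANK_RE = re.compile(
    r"\b(?:user[\s-]?name|pass[\s-]?word)[ \t]*:[ \t]*(?:_{3,}|\.{3,}|$)", re.I | re.M)

def _domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def _text(msg):
    """Concatenate every text/* part, decoding base64 / quoted-printable."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def score_message(raw_message):
    """Return (score, sorted names of the tests that fired)."""
    msg = message_from_string(raw_message)
    body, hits = _text(msg), {}
    if USER_RE.search(body) and PASS_RE.search(body):
        hits["ASKS_USER_AND_PASS"] = 1.5
        if ASK_RE.search(body):
            hits["REQUEST_VERB"] = 1.0
    if BLANK_RE.search(body):
        hits["CRED_FORM_BLANK"] = 1.5
    # Replies steered to another domain; no per-address list to maintain.
    reply_dom = _domain(msg["Reply-To"])
    if reply_dom and reply_dom != _domain(msg["From"]):
        hits["REPLYTO_OTHER_DOMAIN"] = 1.0
    return sum(hits.values()), sorted(hits)

# Constructed samples (not the message linked in the thread).
PHISH = ("From: Webmail Support <support@example.com>\n"
         "Reply-To: desk@example.net\nSubject: Account upgrade\n\n"
         "To keep your mailbox, reply with:\nUsername: ______\nPassword: ______\n")
NOTICE = ("From: IT <it@example.com>\nSubject: Password policy\n\n"
          "Your password expires in 10 days. Change it on the portal.\n")

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("NOTICE", NOTICE)):
        print(name, score_message(sample))
```

A legitimate notice that only mentions passwords scores nothing here; the weight comes from the combination of both credential words, a request verb, a fill-in blank and the cross-domain Reply-To.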