Spammer trying to hijack more accounts - SpamAssassin


  1. Spammer trying to hijack more accounts

    In the past we have had cases where spammers used our customers'
    weak-password accounts and started sending spam, but now the spammer is
    sending mails asking users to give them their username/passwords


    https://ecm.netcore.co.in/tmp/spam3.txt


    I am sure there are many naive customers who would send their
    username/passwords back.
    I need to write a SA rule to score mails asking for username / passwords
    inside the mail.


    Thanks
    Ram
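
One way to write the SpamAssassin rule requested above, as an added example that is not part of any post in this thread. The rule names, phrases, freemail domain list and score are assumptions to tune against real samples:

```conf
# local.cf -- added example; the phrases below are constructed, not taken
# from the spam sample linked in the post.

# Sub-rules: names starting with "__" carry no score of their own.
body   __LCL_ASK_USER   /\b(?:user\s?name|user\s?id|login\s?(?:id|name)|e-?mail\s?id)\b/i
body   __LCL_ASK_PASS   /\bpass\s?word\b/i

# A request to send or confirm account details.
body   __LCL_ASK_VERB   /\b(?:confirm|verify|provide|send|reply with|fill in|update)\b.{0,60}\b(?:account|details|information|pass\s?word)\b/i

# A threat that the account or mailbox will be closed.
body   __LCL_THREAT     /\b(?:account|mailbox)\b.{0,60}\b(?:deactivat|suspend|clos|delet|terminat)\w*/i

# A blank form field the user is meant to fill in, e.g. "Password: ......"
body   __LCL_FORM_FIELD /\b(?:user\s?name|pass\s?word)\s*:\s*[._-]{3,}/i

# Replies are steered to a freemail mailbox (domain list is an assumption).
header __LCL_REPLYTO_FREEMAIL Reply-To:addr =~ /\@(?:gmail|yahoo|hotmail)\.com$/i

# Legitimate mail (password-reset notices, welcome mails) also mentions
# usernames and passwords, so require both words plus at least two of the
# supporting signals before scoring.
meta     LCL_CRED_REQUEST (__LCL_ASK_USER && __LCL_ASK_PASS && ((__LCL_ASK_VERB + __LCL_THREAT + __LCL_FORM_FIELD + __LCL_REPLYTO_FREEMAIL) >= 2))
describe LCL_CRED_REQUEST Message asks the recipient to send back username and password
score    LCL_CRED_REQUEST 3.5
```

Run `spamassassin --lint` after editing local.cf to catch syntax errors before the rules go live.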


  2. Re: Spammer trying to hijack more accounts

    > In the past we have had cases where spammers used our customers'
    > weak-password accounts and started sending spam, but now the spammer is
    > sending mails asking users to give them their username/passwords
    >
    >
    > https://ecm.netcore.co.in/tmp/spam3.txt
    >
    >
    > I am sure there are many naive customers who would send their
    > username/passwords back.
    > I need to write a SA rule to score mails asking for username / passwords
    > inside the mail.


    Another angle we used when we saw a similar issue: use rate-limit to
    limit the number of recipients an IP can send to per hour. Use a
    plugin for Squirrel Mail to limit the number of recipients per message
    and the number of messages per day. Spammers must send out thousands
    of messages to make it worth their while. At least this worked for us
    using Exim and Squirrel Mail.

    Matt


  3. Re: Spammer trying to hijack more accounts

    ram wrote:

    > In the past we have had cases where spammers used our customers'
    > weak-password accounts and started sending spam, but now the spammer is
    > sending mails asking users to give them their username/passwords


    Enforce stronger passwords! And as impossible/futile as it may seem
    with regard to educating users, some tips here:

    http://isc.sans.org/presentations/phishthat.pdf

    > https://ecm.netcore.co.in/tmp/spam3.txt


    Do all the emails ask users to reply to hlpdesk39@gmail.com? I notice
    you're using Postfix, so it's worth setting up a quick access map that
    intercepts all messages to that address and redirects them to postmaster.
    You'll then have to contact those users and ask them to change their
    passwords immediately.

    --
    Sahil Tandon


  4. Re: Spammer trying to hijack more accounts

    Sahil Tandon wrote:
    > Do all the emails ask users to reply to hlpdesk39@gmail.com? I notice
    > you're using Postfix, so it's worth setting up a quick access map that
    > intercepts all messages to that address and redirects them to postmaster.
    > You'll then have to contact those users and ask them to change their
    > passwords immediately.
    >
    >

    They rotate through the reply-to's. It's darn near impossible to stay
    ahead of the game. Stronger passwords don't help as the users are giving
    them out. ClamAV does help some in catching the messages coming in.

    The worst part is my organization tries to make sure everything we send
    out to our users is well edited. These messages are all horrible when it
    comes to the content and grammar. You would think they should be able to
    tell the difference.

    Richard


  5. Re: Spammer trying to hijack more accounts

    >> Another angle we used when we saw a similar issue: use rate-limit to
    >> limit the number of recipients an IP can send to per hour. Use a
    >> plugin for Squirrel Mail to limit the number of recipients per message
    >> and the number of messages per day. Spammers must send out thousands
    >> of messages to make it worth their while. At least this worked for us
    >> using Exim and Squirrel Mail.
    >>

    >
    > Where is the SquirrelMail plugin to rate-limit recipients?


    http://www.squirrelmail.org/plugin_view.php?id=213

    Matt

