Hi all,
I don't know exactly what to look for in the forum; I hope someone can point me to a known issue for this. I recently had to erase an old installation of Roundcube (sadly, I didn't note the version in the rush) because of massive amounts of spam being sent from my server. After some troubleshooting I found the root cause of the issue to be a compromised or vulnerable Roundcube installation; my server was being hit continuously with POSTs of the form
ecoenergiza.com.mx:80 189.211.118.61 - - [12/Jun/2018:03:10:55 +0000] "POST /roundcube/?_task=mail&_action=refresh HTTP/1.1" 200 795 "http://www.ecoenergiza.com.mx/roundcube/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctif%3D0&_uid=1715&_mbox=Elementos+enviados&_search=3aad067b6e71fc3df4df79455a08e0de&_action=show" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
I really don't know what kind of problem is generating this, but I can confirm that after deleting the Roundcube folder the spam suddenly stopped, and after installing the latest version of the software I'm not experiencing any more trouble.
Any hint as to which kind of vulnerability this was would be really appreciated. I need to prove I mitigated the issue, but I can't provide clear references, for example from this page:
https://www.cvedetails.com/vulnerability-list/vendor_id-8905/Roundcube.html
Thanks
Simone
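Added example, not part of Simone's post and not Roundcube's own code: a small Python script that parses access-log lines in the format quoted above (Apache combined format with a leading vhost:port field), summarizes POST requests to the Roundcube path per client IP and per `_action`, and flags any IP that fires one action more than N times within a single minute. It assumes the webmail lives under `/roundcube/` (the `path_prefix` parameter), that `_action=send` is the request Roundcube's compose form posts a message to, and that `_action=refresh` (the action in the quoted log line) is the periodic poll an open mail session makes, so counting refresh requests alone says nothing about mail being sent. The log lines in `constructed_sample_log()` are constructed for the example and use RFC 5737 documentation addresses, not the IP from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache combined format with a leading "vhost:port" field, matching the line quoted in the post:
# vhost:port client - - [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict; returns None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Roundcube routes everything through the query string: ?_task=...&_action=...
    query = parse_qs(urlsplit(rec["path"]).query)
    rec["task"] = query.get("_task", [None])[0]
    rec["action"] = query.get("_action", [None])[0]
    return rec


def roundcube_post_stats(lines, path_prefix="/roundcube/"):
    """Count POST requests under path_prefix per client IP, broken down by _action.
    Returns {ip: {action: count}}. Assumes the webmail is installed at path_prefix."""
    stats = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(path_prefix):
            stats[rec["ip"]][rec["action"] or "(none)"] += 1
    return {ip: dict(counts) for ip, counts in stats.items()}


def flag_bursty_ips(lines, action="send", max_per_minute=5, path_prefix="/roundcube/"):
    """Return IPs whose POSTs with the given _action exceed max_per_minute in any one-minute bucket.
    'send' is assumed to be the action Roundcube's compose form submits a message to."""
    per_ip_minute = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["path"].startswith(path_prefix)
                and rec["action"] == action):
            per_ip_minute[rec["ip"]][rec["ts"].strftime("%Y-%m-%dT%H:%M")] += 1
    return sorted(ip for ip, buckets in per_ip_minute.items()
                  if max(buckets.values()) > max_per_minute)


def constructed_sample_log():
    """Constructed sample lines (not real traffic): one refresh poll and a burst of six sends
    from 192.0.2.10 within one minute, one send and one GET from 198.51.100.7, one junk line."""
    fmt = ('example.test:80 {ip} - - [12/Jun/2018:03:{mm}:{ss:02d} +0000] '
           '"{method} /roundcube/?_task=mail&_action={action} HTTP/1.1" 200 512 '
           '"http://example.test/roundcube/?_task=mail&_action=show" "Mozilla/5.0"')
    lines = [fmt.format(ip="192.0.2.10", mm="10", ss=55, method="POST", action="refresh")]
    lines += [fmt.format(ip="192.0.2.10", mm="12", ss=s, method="POST", action="send")
              for s in range(6)]
    lines += [fmt.format(ip="198.51.100.7", mm="12", ss=3, method="POST", action="send"),
              fmt.format(ip="198.51.100.7", mm="12", ss=9, method="GET", action="show"),
              "this line is not an access-log entry"]
    return lines


if __name__ == "__main__":
    # Against a real server, replace constructed_sample_log() with open("access.log").
    sample = constructed_sample_log()
    for ip, counts in roundcube_post_stats(sample).items():
        print(ip, counts)
    print("bursty senders:", flag_bursty_ips(sample))
```

Run it against the real vhost access log (and the mail log next to it) for the period in question: an IP that bursts `send` requests against a single account while the same account's `refresh` polls come from a different address is the pattern that separates a stolen or brute-forced webmail login from an exploit of Roundcube itself, which is the distinction the CVE list alone can't make for you.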