Roundcube Community Forum

 

Vulnerability & SPAM

Started by cxjepa, June 14, 2018, 12:36:26 PM


cxjepa

Hi all,

I don't know what exactly to look for in the forum; I hope someone can point me to a known issue for this. I recently had to erase an old installation of Roundcube (sadly, I didn't note the version in the rush) because of massive spam being sent from my server. After some troubleshooting I found the root cause of the issue to be a compromised or vulnerable Roundcube installation; my server was being hit continuously by POSTs of the form

"ecoenergiza.com.mx:80 189.211.118.61 - - [12/Jun/2018:03:10:55 +0000] "POST /roundcube/?_task=mail&_action=refresh HTTP/1.1" 200 795 "http://www.ecoenergiza.com.mx/roundcube/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctif%3D0&_uid=1715&_mbox=Elementos+enviados&_search=3aad067b6e71fc3df4df79455a08e0de&_action=show" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36"
"

I really don't know which kind of problem is generating this, but I can confirm that after the deletion of the Roundcube folder the spam suddenly stopped; after installing the latest version of the software I'm not experiencing any more trouble.
Any hint as to which kind of vulnerability this was would be really appreciated. I need to prove I mitigated the issue, but I can't provide clear references, for example from this page: https://www.cvedetails.com/vulnerability-list/vendor_id-8905/Roundcube.html.

Thanks
Simone

SKaero

There isn't anything in that log line that indicates any type of exploit; they're basically just refreshing the mail list view. To me that just looks like someone who is logged in to Roundcube sitting at the mailing list.
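
An added example, not part of the original thread or of Roundcube's code: a way to check what the reply above describes by tallying each client's requests per `_task`/`_action` from a vhost-combined access log like the one quoted in the first post. The hostname, IP addresses and all sample lines (including the `send` requests) are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "vhost_combined" layout, as in the log line quoted in the thread:
# vhost:port client - user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IPs and hostname, not real traffic).
SAMPLE_LOG = '''\
"mail.example.org:80 203.0.113.10 - - [12/Jun/2018:03:10:55 +0000] "POST /roundcube/?_task=mail&_action=refresh HTTP/1.1" 200 795 "-" "Mozilla/5.0"
mail.example.org:80 203.0.113.10 - - [12/Jun/2018:03:11:55 +0000] "POST /roundcube/?_task=mail&_action=refresh HTTP/1.1" 200 795 "-" "Mozilla/5.0"
mail.example.org:80 203.0.113.10 - - [12/Jun/2018:03:12:01 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
mail.example.org:80 198.51.100.7 - - [12/Jun/2018:03:12:02 +0000] "POST /roundcube/?_task=mail&_action=send HTTP/1.1" 200 310 "-" "Mozilla/5.0"
mail.example.org:80 198.51.100.7 - - [12/Jun/2018:03:12:03 +0000] "POST /roundcube/?_task=mail&_action=send HTTP/1.1" 200 310 "-" "Mozilla/5.0"
this line is truncated garbage
'''

def summarize(log_text):
    """Return (Counter keyed by (ip, method, _task, _action), unparsed line count)."""
    counts, skipped = Counter(), 0
    for raw in log_text.splitlines():
        line = raw.strip().lstrip('"')  # tolerate a pasted leading quote
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # keep count so silent parse failures are visible
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        task = query.get("_task", ["-"])[0]
        action = query.get("_action", ["-"])[0]
        counts[(m["ip"], m["method"], task, action)] += 1
    return counts, skipped

def actions_by_client(counts, method="POST"):
    """Per client IP, how many requests of `method` hit each _action."""
    out = {}
    for (ip, meth, _task, action), n in counts.items():
        if meth == method:
            out.setdefault(ip, Counter())[action] += n
    return out

if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE_LOG)
    for ip, actions in sorted(actions_by_client(counts).items()):
        print(ip, dict(actions))
    print("unparsed lines:", skipped)
```

A client whose POSTs are all `refresh` matches the idle-session pattern the reply describes; the per-client, per-action counts show whether anything else is present in the same log.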