Roundcube Community Forum

 

My Roundcube has been attacked and used to send thousands of spam messages

Started by jfsenechal, October 20, 2011, 03:41:48 AM


jfsenechal

Hi,

I had Roundcube 0.6 on my webserver (PHP 5.3.3-7+squeeze3, Debian),
and my server has been sending spam in recent days.

I have found that it was roundcubemail that sent this spam
(in the sendmail log file).

What information can I provide to find the security hole?


Thanks

rosali

There is no security hole.

Someone was able to log in to the webmail system using existing account credentials and send spam from there.

In my plugins bundle (see footer) there are several plugins to prevent sending spam (dnsbl/blockspamsending). In addition you should restrict the number of allowed recipients in ./config/main.inc.php.
Regards,
Rosali

jdubois

Quote from: rosali;36992
There is no security hole.

Are we sure?  I just had the same thing happen to me, almost immediately after I upgraded to 0.6.  I backed down to 0.5.4 and it stopped.  I went back to 0.6 and it started again.

rosali

Could you check Roundcube's _userlogins_ and _sendmail_ logs?
Regards,
Rosali
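
Added example, not part of the thread and not Roundcube code: one way to cross-check the _userlogins_ and _sendmail_ logs mentioned above, listing accounts that sent to many recipients or appeared from several IP addresses. The line layouts in the two patterns, the thresholds and all sample lines are assumptions constructed for illustration; adjust the patterns to what your logs actually contain.

```python
import re
from collections import defaultdict

# Assumed line layouts (not shown in the thread); adapt to your own logs.
LOGIN_RE = re.compile(r"Successful login for (?P<user>\S+) \(ID: \d+\) from (?P<ip>\S+)")
SEND_RE = re.compile(r"User (?P<user>\S+) \[(?P<ip>[^\]]+)\]; Message for (?P<rcpts>[^;]*);")

# Constructed sample lines using documentation-only domains and addresses.
USERLOGINS = """\
[20-Oct-2011 01:02:03 +0200]: Successful login for alice@example.org (ID: 4) from 192.0.2.10
[20-Oct-2011 01:05:00 +0200]: Successful login for bob@example.org (ID: 7) from 198.51.100.23
[20-Oct-2011 01:09:41 +0200]: Successful login for bob@example.org (ID: 7) from 203.0.113.77
"""
SENDMAIL = """\
[20-Oct-2011 01:03:10 +0200]: User alice@example.org [192.0.2.10]; Message for carol@example.net; 250: 2.0.0 Ok
[20-Oct-2011 01:10:02 +0200]: User bob@example.org [203.0.113.77]; Message for a@example.com, b@example.com, c@example.com; 250: 2.0.0 Ok
[20-Oct-2011 01:10:05 +0200]: User bob@example.org [203.0.113.77]; Message for d@example.com, e@example.com, f@example.com; 250: 2.0.0 Ok
"""

def summarize(userlogins, sendmail):
    """Per account: login IPs, sending IPs, message count, recipient count."""
    stats = defaultdict(lambda: {"login_ips": set(), "send_ips": set(),
                                 "messages": 0, "recipients": 0})
    for line in userlogins.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            stats[m["user"]]["login_ips"].add(m["ip"])
    for line in sendmail.splitlines():
        m = SEND_RE.search(line)
        if m:
            s = stats[m["user"]]
            s["send_ips"].add(m["ip"])
            s["messages"] += 1
            s["recipients"] += len([r for r in m["rcpts"].split(",") if r.strip()])
    return dict(stats)

def suspects(stats, max_recipients=5, max_ips=1):
    """Accounts over either threshold (illustrative values, tune per site)."""
    return sorted(user for user, s in stats.items()
                  if s["recipients"] > max_recipients
                  or len(s["login_ips"] | s["send_ips"]) > max_ips)

if __name__ == "__main__":
    for user in suspects(summarize(USERLOGINS, SENDMAIL)):
        print(user)
```
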

jdubois

Hopefully jfsenechal can.  My provider got grumpy and cancelled my VPS because of the spam, and I've yet to get them to turn it back on.

ABerglund

Quote from: jdubois;37000
Are we sure?  I just had the same thing happen to me, almost immediately after I upgraded to 0.6.  I backed down to 0.5.4 and it stopped.  I went back to 0.6 and it started again.

I've been running 0.6 in production for a week, and in testing since it was released. No out-going spam, no security hole.
Arne Berglund
SysAdmin, Internet Services
Lane Education Service District
Eugene, OR, USA

SKaero

I keep an ear to the ground on the exploit listing websites for anything RoundCube related, but I haven't seen anything that affects RC 0.6.