[CentOS] pop3 attack

Wed Dec 10 17:27:02 UTC 2008
Matt <lm7812 at gmail.com>

> I have seen quite a few cases where spam is sent from webmail
> accounts (mostly squirrelmail) by crackers who get access via
> weak passwords found by imap/pop probes as you described.
> It's been my experience in the 15 years we have been doing
> support for regional ISPs that well over 50% of their users'
> passwords are easily cracked, and that getting the users to use
> good passwords is difficult to say the least.

Seen that too.  Spammers must send out millions of messages to make
any money.  One good solution is rate limiting at the MTA.  Exim allows
you to set up limits on the number of recipients a given IP can send
messages to in a given time period.  Squirrelmail has a plugin that
does the same.  That way if they break into an account but can only
send a few hundred messages a day it's not worth their time.  Less
likely to get the server blacklisted as well.  It's also good to
configure Squirrelmail not to allow them to alter the return email
address on the Squirrelmail account.
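
An Exim ACL fragment for the recipient rate limiting described in the message above, added here as an example and not taken from the post. The limits (200 and 500 recipients per day), the ACL name `acl_check_rcpt` and the `relay_from_hosts` host list (both names from the stock Exim configuration) are assumptions; place the statements before the ACL's existing accept rules.

```exim
# Added example, not from the original post.
# Fragment of the ACL named by acl_smtp_rcpt (acl_check_rcpt in the stock
# configuration). It runs once per RCPT command, so "per_rcpt" counts
# recipients rather than messages.
acl_check_rcpt:

  # Authenticated submitters, keyed by login name. This also covers webmail
  # when it submits over SMTP AUTH as the logged-in user (assumption).
  # "strict" keeps counting rejected attempts, so a compromised account
  # stays over the limit for as long as it keeps trying to send.
  deny    authenticated = *
          ratelimit     = 200 / 1d / per_rcpt / strict / $authenticated_id
          message       = Recipient limit exceeded, try again later
          log_message   = ratelimit: user $authenticated_id at \
                          $sender_rate rcpt per $sender_rate_period \
                          (limit $sender_rate_limit)

  # Unauthenticated clients that are allowed to relay, keyed by client IP.
  # With no explicit key, ratelimit uses $sender_host_address.
  deny    !authenticated = *
          hosts         = +relay_from_hosts
          ratelimit     = 500 / 1d / per_rcpt / strict
          message       = Recipient limit exceeded, try again later
          log_message   = ratelimit: host $sender_host_address at \
                          $sender_rate rcpt per $sender_rate_period \
                          (limit $sender_rate_limit)
```

If webmail submits unauthenticated from 127.0.0.1, the second rule counts all webmail users as one client, so a per-account limit then has to be enforced in the webmail layer.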