SquirrelMail User's Manual: Security

3. Security

3.1 SquirrelMail spam

Help, why am I getting this mail?

Chances are you have been directed here for one of the following reasons.

  • You are receiving mail that has a header that looks like it was from SquirrelMail.
  • You are receiving MAILER-DAEMON errors reporting users don't exist, quoting headers showing SquirrelMail.
  • You are an ISP investigating spam levels.

If any of the above applies, chances are you have been caught in the latest attempt by spammers to fool anti-spam measures. A lot of spam has forged headers: the spammer substitutes made-up values for the real ones, for example replacing the From address with your e-mail address (or an invented one). The same can be done to any other header. This has led to SquirrelMail being accused of sending spam, or of our servers being hacked. Rest assured -- our servers are safe. In fact, we don't run any servers at SquirrelMail.org. We don't even run mail services here; we just supply our own software from a hosted service at SourceForge.

So you may be wondering why all this mail is coming from us. To be honest, it isn't. Some people have developed software that pretends to be our software and is producing a lot of noise on the Internet carrying such headers. This leads people to think our software is unsafe, or is acting as a spam service.

So why am I getting these emails?

The truth of the matter is that somebody guessed your e-mail address. This isn't uncommon if you have an address like bob@example.com. Spammers pick domains at random and generate random addresses at those domains to send mail from. All we can suggest is that you delete the messages, or contact the appropriate authorities (usually your service provider should be able to help).

So what are you doing to stop this?

Unfortunately there isn't much we can do. Because spam is such a problem on the Internet, the best thing we can do is educate people about the real facts. Below are some basic ideas on how to detect where these forged e-mails are coming from. While this isn't easy for most people, it gets easier with practice. There is always your service provider, who should be able to help you.

Okay, so what is the secret? How do I find out who is doing this?

Honestly, you cannot find out the exact person who is sending it, but you can find out the address (IP address) and the service provider the mail was sent via. Below is an example of the headers from a forged e-mail:

Return-path: <bob@example.com>
Received: from [123.123.123.123] (helo=randomdomainname.com)
   by example.com with smtp (Exim 3.36 #5)
   id 1D13zJ-0003mr-00
   for steve@example.net; Tue, 15 Feb 2005 14:47:42 +0000
Received: from 5.6.7.8
   (SquirrelMail authenticated user bob@example.com); by
   randomdomainname.com with HTTP; Tue, 15 Feb 2005 14:47:49 +0000
Message-Id: <6pr9Lv.squirrel@5.6.7.8>
Date: Tue, 15 Feb 2005 14:47:49 +0000
Subject: New software from Adobe available.
From: "Terence" <bob@example.com>
To: steve@example.net
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal

This looks like the headers of an ordinary e-mail, even down to the SquirrelMail version strings. However, there are a couple of mistakes. The first is that it really wasn't sent from SquirrelMail by the user bob@example.com. To trace the source of an e-mail, you start at the bottom Received: line and work upwards. In this case, the bottom line says the e-mail was sent from the IP 5.6.7.8 using the SquirrelMail account bob@example.com on the domain randomdomainname.com. When SquirrelMail really writes this header, randomdomainname.com would be the address of the actual web server. The first thing to do is verify whether this is in fact a real SquirrelMail e-mail. The quickest way is to validate the domain name. Using InterNic it is possible to look up domain name information. In this case, randomdomainname.com doesn't exist, so we already know that this line could be faked.

Assuming that line is faked, we move to the next one up. This shows the IP address 123.123.123.123 connecting to example.com. For the sake of example, example.com is the actual address of the mail server for our domain, so this line shows that 123.123.123.123 connected to our mail server to deliver the mail. This is the most important line, because it was written by our own server rather than by the sender. Using GeekTools, we can find out where the IP address belongs, which service provider owns the IP, and in most cases who to contact in case of abuse. In this example, we'll say the owner is homeagainisp.com and they have an abuse contact e-mail address. At that point you can forward your e-mail as an attachment to the listed abuse address. For clarity, and to save them the confusion you went through, reference this URL too, so they have a clue what is really going on.

For another clue that the message is forged, look at the Message-Id: header. In this case it is <6pr9Lv.squirrel@5.6.7.8>. This is not a valid SquirrelMail Message-Id. A valid Message-Id header looks something like this:

1123.145.23.250.17.squirrel@webserveraddress

This is another easy way to spot a forged message.
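To make the bottom-up tracing concrete, here is an added Python example (not part of the SquirrelMail manual) that walks the Received: lines of the forged message above in transit order, picks out the hop that our own mail server (example.com) wrote, and checks the Message-Id against the format described above. The sample header block is the one from this page, embedded as constructed input.

```python
import re
from email import message_from_string

# Constructed sample: the forged header block from this page, as raw message text.
FORGED = """\
Return-path: <bob@example.com>
Received: from [123.123.123.123] (helo=randomdomainname.com)
   by example.com with smtp (Exim 3.36 #5)
   id 1D13zJ-0003mr-00
   for steve@example.net; Tue, 15 Feb 2005 14:47:42 +0000
Received: from 5.6.7.8
   (SquirrelMail authenticated user bob@example.com); by
   randomdomainname.com with HTTP; Tue, 15 Feb 2005 14:47:49 +0000
Message-Id: <6pr9Lv.squirrel@5.6.7.8>
From: "Terence" <bob@example.com>
To: steve@example.net

"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Genuine SquirrelMail Message-Ids have a dotted numeric local part ending in
# ".squirrel" (e.g. 1123.145.23.250.17.squirrel@webserveraddress), never random letters.
SQUIRREL_MSGID = re.compile(r"^<?(?:\d+\.)+squirrel@[^\s>]+>?$")

def received_hops(raw):
    """Received: hops in transit order, i.e. bottom header line first."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        m_from = re.match(r"from\s+\[?([^\s\]\(]+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        ips = re.findall(IPV4, text)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "by": m_by.group(1) if m_by else None,
                     "ip": ips[0] if ips else None})
    return hops

def connecting_ip(raw, our_mail_server):
    """The one hop we can trust is the one our own server wrote ('by' is ours):
    its 'from' IP really connected to us. Lower lines may be spammer-typed."""
    for hop in received_hops(raw):
        if hop["by"] == our_mail_server:
            return hop["ip"]
    return None

def squirrelmail_msgid_ok(raw):
    """False when the Message-Id does not follow SquirrelMail's own format."""
    mid = (message_from_string(raw).get("Message-Id") or "").strip()
    return bool(SQUIRREL_MSGID.match(mid))
```

The IP returned by connecting_ip is the one to look up with a whois service and report to the owning provider's abuse contact.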

We do hope to stop this barrage of spam; unfortunately it is difficult to do, and misidentification doesn't help. This page was created in the hope of educating everybody about the background of this spam issue, and we hope it helps.

There are mistakes, or I have suggestions, where can I send them?

The SquirrelMail users mailing list is often the best place to submit this kind of information or request.

3.2 Why are pictures in my HTML e-mails replaced with ugly warning signs?

"This image has been removed for security reasons."

There are two kinds of images that can come with an HTML e-mail: those attached to the e-mail itself, and those that link to remote sites. Images linked from remote sites are considered "unsafe" for the following reasons:

  • Spammers can abuse them to validate your e-mail address.
  • The sender can know instantly whether you have read their e-mail (privacy concern).
  • They reveal information about your browser, operating system, and mail server (security concern).

Let's look at these issues in more detail:

Validating your e-mail address

Spammers can (and do) include specially-crafted image tags that include a "web bug" (usually a 1-pixel transparent image) used to validate that your e-mail address is a live one and that you actually read e-mail sent to this address. When such an image is loaded, a request is sent to the spammer's server, which notes in its database of e-mail addresses that you have, in fact, received and read the spam e-mail they sent. Such addresses are re-sold to other spammers and the amount of spam you receive will grow exponentially.

Verifying that you have read your e-mail

This issue is a privacy concern - if there are images in the e-mail that link to the sender's website, they will know instantly when you have opened and read the e-mail they sent. This can be used against you if for some reason you decide to deny ever receiving that e-mail from the sender - they will have proof that you have received, opened, and read that e-mail.

Finding out information about you

Every time an image is loaded from the remote server, it leaves a "log" entry recording what type of system you are using, including the version of your browser, your Internet IP address, and information about your mail server and the software running on it. This information can be used to carry out attacks on your computer or on the server where SquirrelMail runs.

Malicious tags

Images in e-mail can also be used to auto-execute cross-site scripting code in an attempt to trick your browser into revealing your account information to crackers with malicious intent.

Conclusion

For these reasons SquirrelMail does not display these "unsafe" images by default, but instead shows you a warning sign. A link is provided to show the images for that particular mail. If you know that the e-mail came from a trustworthy source, you can use the Unsafe Image Rules plugin to always show images from that source.
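As an added example (not SquirrelMail's own code), here is a small Python filter in the spirit of what this section describes: every image that is not attached to the mail (a cid: reference) is rewritten into a warning placeholder, script handlers are stripped off tags, and a sender on a trusted list gets remote images shown, which is what an Unsafe Image Rules entry would express. The placeholder path, the sample HTML and the trusted-sender list are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Placeholder shown instead of a blocked image (assumed path, not SquirrelMail's own).
WARNING_SRC = "/images/unsafe_image_removed.png"
WARNING_ALT = "This image has been removed for security reasons."

def image_is_safe(src):
    """Only images attached to the mail itself (cid: references) are loaded."""
    return src is not None and src.strip().lower().startswith("cid:")

class UnsafeImageFilter(HTMLParser):
    def __init__(self, show_remote=False):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked, self.show_remote = [], 0, show_remote

    def _emit(self, tag, attrs, selfclose):
        parts = [tag]
        for name, value in attrs:
            if name.startswith("on"):  # drop event handlers: script riding on a tag
                continue
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + (" />" if selfclose else ">"))

    def _img(self, attrs):
        attrs = dict(attrs)
        if not self.show_remote and not image_is_safe(attrs.get("src")):
            self.blocked += 1
            attrs["src"], attrs["alt"] = WARNING_SRC, WARNING_ALT
        return list(attrs.items())

    def handle_starttag(self, tag, attrs):
        self._emit(tag, self._img(attrs) if tag == "img" else attrs, False)
    def handle_startendtag(self, tag, attrs):
        self._emit(tag, self._img(attrs) if tag == "img" else attrs, True)
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def filter_unsafe_images(html_body, sender="", trusted_senders=()):
    """Return (rewritten HTML, images blocked); a trusted sender keeps remote images."""
    p = UnsafeImageFilter(show_remote=sender.lower() in {s.lower() for s in trusted_senders})
    p.feed(html_body)
    p.close()
    return "".join(p.out), p.blocked

# Constructed sample: one attached image, one 1x1 remote "web bug", one remote image with a handler.
SAMPLE = ('<p>Hi</p><img src="cid:logo@part1"><img src="http://spam.example/t.gif?id=42" width="1" height="1">'
          '<img src="https://cdn.example/pic.png" onerror="alert(1)">')
```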


© 1999-2010 by The SquirrelMail Project Team