From: LuKreme on 9 Feb 2010 13:17

On 8-Feb-2010, at 17:34, Jose Ildefonso Camargo Tolosa wrote:
>
> 100% of the servers I have access to, have,
> at least once in the last year, been scanned by a bot (or person, who
> knows) for /roundcoube or similar

And? I have thousands of servers trying to access my machines via sshd every single day. This does not mean sshd is insecure.

How many servers have you had compromised by roundcube installs? (I have had a server get compromised from Squirrelmail, awstats, and phpbb in the past, but none from Roundcube, and all were exploited because I did not update software quickly enough.)
From: Jose Ildefonso Camargo Tolosa on 9 Feb 2010 15:18

Hi!

On Tue, Feb 9, 2010 at 1:47 PM, LuKreme <kremels(a)kreme.com> wrote:
> On 8-Feb-2010, at 17:34, Jose Ildefonso Camargo Tolosa wrote:
>>
>> 100% of the servers I have access to, have,
>> at least once in the last year, been scanned by a bot (or person, who
>> knows) for /roundcoube or similar
>
> And? I have thousands of servers trying to access my machines via sshd every single day. This does not mean sshd is insecure.

SSH bots are "brute force" attempts. It means nothing about the security of ssh itself.

>
> How many servers have you had be compromised by roundcube installs?

I don't use roundcube. So: No.

>
> (I have had a server get compromised from Squirrelmail, awstats, and phpbb in the past, but none from Roundcube and all were exploited because I did not update software quickly enough.

Usual cause: lack of updates. The question is, sometimes, the response time to get the issues solved.

The thing is: I'm currently avoiding roundcube, for the same reason why I used to avoid bind: bad security history. It looks like a really promising project, and if they "keep up the good work", they will become a really, really good webmail system, and not just "nice", but also secure.
From: Stan Hoeppner on 12 Feb 2010 10:48

Thijssen put forth on 2/9/2010 4:19 AM:
> - If they like flashy GUI bullshit like HTML-mail and WYSIWYG
> formatted emails and spam and commerce, then don't use Squirrelmail.
> - If they focus on actual text content and plaintext emails (the way
> it should be), then squirrelmail is your Number One choice, far
> outweighing all others.
>
> It's rock stable and top-secure.

Tell me about this "top-secure" aspect of Squirrelmail again. ;)

Received: from mail.afranet.com (mail.afranet.com [80.75.0.13])
	by greer.hardwarefreak.com (Postfix) with ESMTP id 1F0AC6C2B9
	for <stan(a)hardwarefreak.com>; Thu, 11 Feb 2010 07:02:04 -0600 (CST)
....
Received: from 78.138.3.237 (SquirrelMail authenticated user test)
	by mail.afranet.com with HTTP;
....
User-Agent: SquirrelMail/1.4.15
....
To: undisclosed-recipients:;
....
:::YEAR 2010 E-MAIL AWARDS:::
Dear Winner,
....
CONTACT HIM WITH YOUR DETAILS, FILL Details BELOW;
*** Your Full Name
*** Your Address
*** Your Country
*** Your Phone number
*** Your Age(Date of birth)
*** Your Gender(Male or Female)
*** Your present Occupation
*** Your Micros ID
....

I get phish and 419 from compromised Squirrelmail servers at least once or twice a month. I've yet to receive one from a compromised Roundcube, Horde, or SOGo server. Now, in fairness to SM, this probably has as much to do with widespread implementation and poor administration as it does insecure code. It appears the phish sent from the SM server in the example above utilized a test account with a weak or non-existent password.

Regarding Jose's comments about his web servers constantly being scanned for Roundcube directories, I see no one else reporting this. I run a Roundcube server and see nothing of the sort. Additionally, scans != compromise or high potential for compromise. I see thousands of scans and login attempts on my ssh and ftp ports monthly. Does that mean that Proftpd and sshd are automatically vulnerable? Because people are scanning them? You made a pretty weak argument against Roundcube with that example.

--
Stan
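The header chain Stan quotes is what an abuse desk actually works from: the second Received line names the webmail product and the authenticated account, which is the account to lock rather than a verdict on the software. The following is an added example, not code from anyone in this thread, that parses such a chain; the sample message is constructed with documentation-range addresses and the `triage`/`webmail_hop` function names are assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample modelled on the header chain quoted in the thread above;
# hosts and addresses are documentation-range placeholders, not real servers.
SAMPLE_RAW = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.example.org (Postfix) with ESMTP id 1F0AC6C2B9
\tfor <postmaster@example.org>; Thu, 11 Feb 2010 07:02:04 -0600 (CST)
Received: from 198.51.100.77 (SquirrelMail authenticated user test)
\tby mail.example.net with HTTP; Thu, 11 Feb 2010 16:31:12 +0330 (IRST)
User-Agent: SquirrelMail/1.4.15
From: test@example.net
To: undisclosed-recipients:;
Subject: :::YEAR 2010 E-MAIL AWARDS:::

Dear Winner,
"""

# Hop stamped by a webmail front end for a logged-in user. The phrasing is
# SquirrelMail's, as shown in the thread; the product name is left open.
WEBMAIL_HOP = re.compile(
    r"from\s+\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\s+"
    r"\((?P<product>[\w.-]+)\s+authenticated user\s+(?P<user>\S+)\)",
    re.IGNORECASE,
)


def webmail_hop(msg: Message):
    """Return {ip, product, user} for the first webmail-authenticated hop, else None."""
    for value in msg.get_all("Received", []):
        m = WEBMAIL_HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            return m.groupdict()
    return None


def triage(raw: str) -> dict:
    """Fields an abuse desk needs: which account to lock, not which software to blame."""
    msg = message_from_string(raw)
    hop = webmail_hop(msg)
    undisclosed = (msg.get("To") or "").strip().lower().startswith("undisclosed-recipients")
    return {
        "webmail_hop": hop,
        "user_agent": msg.get("User-Agent"),
        "undisclosed_recipients": undisclosed,
        "account_to_review": hop["user"] if hop else None,
        "suspicious": hop is not None and undisclosed,
    }
```

Run `triage` over a sample's raw headers; a message with no webmail-authenticated hop comes back with `webmail_hop` set to `None` and is not flagged, which keeps plain scan noise out of the result.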
From: LuKreme on 12 Feb 2010 11:08

On 12-Feb-2010, at 08:48, Stan Hoeppner wrote:
>
> Tell me about this "top-secure" aspect of Squirrelmail again. ;)

The fact that some spammers are able to get into email accounts and send spam via squirrelmail has nothing to do with the security of squirrelmail itself. In nearly all, if not all, of these cases the account is being compromised due to having a password like "password1" or "12345678".

--
TAR IS NOT A PLAYTHING
Bart chalkboard Ep. 7F02
From: Ben Winslow on 12 Feb 2010 11:12

On 02/12/2010 10:48 AM, Stan Hoeppner wrote:
> Tell me about this "top-secure" aspect of Squirrelmail again. ;)
> User-Agent: SquirrelMail/1.4.15

Spammers regularly phish for ISP account information and then use those credentials to send spam via webmail and SMTP auth. We see this frequently, and it's not directly related to the webmail software in use.

--
Ben Winslow <winslowb(a)pa.net>