David Severance | 1 Apr 06:58 2008

additional authentication challenge capabilities

Perhaps this is a plugin question, not sure since I want to know if this 
is even possible first. Can SquirrelMail present a challenge page after 
login or in conjunction with the login page. The challenge would be 
something like randomly generated characters or better yet, an image 
that the user would have to identify in an input field. I ask because of 
recent spam scripting attacks against our webmail machines running 
SquirrelMail. It would seem that this capability could at least throw a 
monkey wrench in the works for the scripts. My bank uses the image 
technique for an additional level of 'security'. If there are suitable 
hooks present then it should be possible to code something like this. 
Are there hooks available to accomplish something like this?

thanks,
David

-- 
David Severance
Network and Academic Computing Services
(949) 824-7552
sev <at> uci.edu

-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel <at> lists.sourceforge.net

Fredrik Jervfors | 1 Apr 07:29 2008

Re: additional authentication challenge capabilities

> Perhaps this is a plugin question, not sure since I want to know if this
> is even possible first. Can SquirrelMail present a challenge page after
> login or in conjunction with the login page. The challenge would be
> something like randomly generated characters or better yet, an image that
> the user would have to identify in an input field. I ask because of recent
> spam scripting attacks against our webmail machines running SquirrelMail.
> It would seem that this capability could at least throw a
> monkey wrench in the works for the scripts. My bank uses the image
> technique for an additional level of 'security'. If there are suitable
> hooks present then it should be possible to code something like this. Are
> there hooks available to accomplish something like this?

Sounds like the CAPTCHA plugin
(<http://squirrelmail.org/plugin_view.php?id=263>).

Sincerely,
Fredrik


Paul Lesniewski | 1 Apr 07:37 2008

Re: additional authentication challenge capabilities

On Mon, Mar 31, 2008 at 10:29 PM, Fredrik Jervfors
<jervfors <at> squirrelmail.org> wrote:
> > Perhaps this is a plugin question, not sure since I want to know if this
>  > is even possible first. Can SquirrelMail present a challenge page after
>  > login or in conjunction with the login page. The challenge would be
>  > something like randomly generated characters or better yet, an image that
>  > the user would have to identify in an input field. I ask because of recent
>  > spam scripting attacks against our webmail machines running SquirrelMail.
>  > It would seem that this capability could at least throw a
>  > monkey wrench in the works for the scripts. My bank uses the image
>  > technique for an additional level of 'security'. If there are suitable
>  > hooks present then it should be possible to code something like this. Are
>  > there hooks available to accomplish something like this?
>
>  Sounds like the CAPTCHA plugin
>  (<http://squirrelmail.org/plugin_view.php?id=263>).

Additionally, to better stop the attacks you are experiencing, see the
Lockout plugin.  If attackers actually got in, the Restrict Senders
plugin can help (or appropriate SMTP controls).


David Severance | 1 Apr 07:47 2008

Re: additional authentication challenge capabilities

> >  Sounds like the CAPTCHA plugin
> >  (<http://squirrelmail.org/plugin_view.php?id=263>).

The description sounds appropriate, I'll give it a test.

> Additionally, to better stop the attacks you are experiencing, see the
> Lockout plugin.  If attackers actually got in, the Restrict Senders
> plugin can help (or appropriate SMTP controls).
>
I have found the squirrel_logger plugin very useful too. I had an older 
version but upgraded to get the better logging for sent mail and mass 
mailing notifications. That has been helpful as well since the scripts 
seemed to send to a large number of recipients per sent message.

thanks,
David

Terry Carmen | 1 Apr 14:43 2008

Re: additional authentication challenge capabilities

David Severance wrote:
> Perhaps this is a plugin question, not sure since I want to know if this 
> is even possible first. Can SquirrelMail present a challenge page after 
> login or in conjunction with the login page. The challenge would be 
> something like randomly generated characters or better yet, an image 
> that the user would have to identify in an input field. I ask because of 
> recent spam scripting attacks against our webmail machines running 
> SquirrelMail. It would seem that this capability could at least throw a 
> monkey wrench in the works for the scripts. My bank uses the image 
>
>   

If you're talking about someone using a brute-force attack on the 
logins, you can use fail2ban or denyhosts to watch for failed logins and 
then block via hosts.deny the IP if there are too many.

Terry
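
The approach described in this message (count failed logins per source IP and block an address once there are too many), as an added example that is not part of the original thread and is not fail2ban's or denyhosts' own code. The log line format, the threshold and the window length are assumptions constructed for illustration; adapt the regular expression to whatever your logger actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the format is an assumption, not a real plugin's output.
SAMPLE_LOG = """\
2008-04-01 06:50:01 LOGIN_ERROR user=alice ip=192.0.2.10
2008-04-01 06:50:03 LOGIN_ERROR user=bob ip=192.0.2.10
2008-04-01 06:50:05 LOGIN user=carol ip=198.51.100.7
2008-04-01 06:50:06 LOGIN_ERROR user=dave ip=192.0.2.10
2008-04-01 06:50:40 LOGIN_ERROR user=carol ip=198.51.100.7
2008-04-01 06:51:00 LOGIN_ERROR user=erin ip=192.0.2.10
2008-04-01 07:30:00 LOGIN_ERROR user=carol ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN_ERROR "
    r"user=\S+ ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def find_offenders(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Return IPs with more than max_failures failed logins inside a sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    offenders = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # successful logins and unparseable lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) > max_failures and m["ip"] not in offenders:
            offenders.append(m["ip"])
    return offenders

def hosts_deny_lines(ips):
    """Format offenders as TCP-wrappers entries for hosts.deny."""
    return [f"ALL: {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(find_offenders(SAMPLE_LOG))))
```

hosts.deny is only consulted by services that use TCP wrappers, so for a webmail front end the same list of addresses is usually fed to a firewall rule or web server access control instead.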


Paul Lesniewski | 1 Apr 19:16 2008

Re: additional authentication challenge capabilities

>  > Perhaps this is a plugin question, not sure since I want to know if this
>  > is even possible first. Can SquirrelMail present a challenge page after
>  > login or in conjunction with the login page. The challenge would be
>  > something like randomly generated characters or better yet, an image
>  > that the user would have to identify in an input field. I ask because of
>  > recent spam scripting attacks against our webmail machines running
>  > SquirrelMail. It would seem that this capability could at least throw a
>  > monkey wrench in the works for the scripts. My bank uses the image
>
>  If you're talking about someone using a brute-force attack on the
>  logins, you can use fail2ban or denyhosts to watch for failed logins and
>  then block via hosts.deny the IP if there are too many.

Right.  And if you're not sure how to set that up, check the Squirrel
Logger plugin for tips on how to do so.


Thierry Godefroy | 4 Apr 09:39 2008

Save as .eml patch for SquirrelMail

Greetings,

In its current (SVN devel) version, Squirrelmail saves RFC822 messages as a
"*.msg" file (for example when saving from the message_details plugin).

Yet, when you attach later on such a saved "*.msg" file, it does not recognize
the attachment as an RFC822 message but rather as octet/stream data.

Plus, the format of the saved file is in fact compatible with "*.eml" files and
such files are successfully recognized as RFC822 attachments by SQM.

So, here is a tiny patch which changes the file suffix for saved messages from
'.msg' to '.eml'. It applies cleanly to the SVN devel branch but should work as
well with older SQM versions.

Regards,

Thierry Godefroy.


Jon Angliss | 5 Apr 01:35 2008

Re: Save as .eml patch for SquirrelMail

Thierry Godefroy wrote:
> In its current (SVN devel) version, Squirrelmail saves RFC822 messages as a
> "*.msg" file (for example when saving from the message_details plugin).
> 
> Yet, when you attach later on such a saved "*.msg" file, it does not recognize
> the attachment as an RFC822 message but rather as octet/stream data.

This is most likely caused by your browser.  We depend on PHP to tell us 
the type of the file attachment.  I believe PHP gets the type from the 
browser as part of the post, and as such, if your browser sends it as 
application/octet-stream, then that's what we'll attach it as.  You can 
see details about that on the PHP documentation for file uploads... 
http://php.net/features.file-upload

> Plus, the format of the saved file is in fact compatible with "*.eml" files and
> such files are successfully recognized as RFC822 attachments by SQM.
> 
> So, here is a tiny patch which changes the file suffix for saved messages from
> '.msg' to '.eml'. It applies cleanly to the SVN devel branch but should work as
> well with older SQM versions.

Not sure on the patch, I'm indifferent on deploying it because in some 
cases eml might not be applicable either.  I've several apps that 
understand that .msg is a message/rfc822 format.

-- 
Jon Angliss
<jon <at> squirrelmail.org>


Paul Lesniewski | 5 Apr 10:08 2008

Re: Save as .eml patch for SquirrelMail

On Fri, Apr 4, 2008 at 4:35 PM, Jon Angliss <jon <at> squirrelmail.org> wrote:
> Thierry Godefroy wrote:
>  > In its current (SVN devel) version, Squirrelmail saves RFC822 messages as a
>  > "*.msg" file (for example when saving from the message_details plugin).
>  >
>  > Yet, when you attach later on such a saved "*.msg" file, it does not recognize
>  > the attachment as an RFC822 message but rather as octet/stream data.
>
>  This is most likely caused by your browser.  We depend on PHP to tell us
>  the type of the file attachment.  I believe PHP gets the type from the
>  browser as part of the post, and as such, if your browser sends it as
>  application/octet-stream, then that's what we'll attach it as.  You can
>  see details about that on the PHP documentation for file uploads...
>  http://php.net/features.file-upload
>
>
>  > Plus, the format of the saved file is in fact compatible with "*.eml" files and
>  > such files are successfully recognized as RFC822 attachments by SQM.
>  >
>  > So, here is a tiny patch which changes the file suffix for saved messages from
>  > '.msg' to '.eml'. It applies cleanly to the SVN devel branch but should work as
>  > well with older SQM versions.
>
>  Not sure on the patch, I'm indifferent on deploying it because in some
>  cases eml might not be applicable either.  I've several apps that
>  understand that .msg is a message/rfc822 format.

I'm indifferent too, but browsing around, looks to me like .msg is
more closely aligned with Microsoft, and references to message/rfc822
MIME type references seem to be a touch more common when reading about

Eugene | 5 Apr 10:15 2008

Re: Save as .eml patch for SquirrelMail

Hi People,

From: "Paul Lesniewski" <paul <at> squirrelmail.org>
> I'm indifferent too, but browsing around, looks to me like .msg is
> more closely aligned with Microsoft, and references to message/rfc822
> MIME type references seem to be a touch more common when reading about
> .eml.  Thunderbird also chooses to use .eml.......

Among the clients I have seen, Outlook Express uses .eml and TheBat uses 
.msg.
Maybe .msg is recognized as message when something has registered this 
extension in the system?

Eugene 
