From: LuKreme on
On 8-Feb-2010, at 17:34, Jose Ildefonso Camargo Tolosa wrote:
>
> 100% of the servers I have access to, have,
> at least once in the last year, been scanned by a bot (or person, who
> knows) for /roundcoube or similar

And? I have thousands of servers trying to access my machines via sshd every single day. This does not mean sshd is insecure.

How many servers have you had compromised by roundcube installs?

(I have had a server get compromised from Squirrelmail, awstats, and phpbb in the past, but none from Roundcube, and all were exploited because I did not update software quickly enough.)

From: Jose Ildefonso Camargo Tolosa on
Hi!

On Tue, Feb 9, 2010 at 1:47 PM, LuKreme <kremels(a)kreme.com> wrote:
> On 8-Feb-2010, at 17:34, Jose Ildefonso Camargo Tolosa wrote:
>>
>> 100% of the servers I have access to, have,
>> at least once in the last year, been scanned by a bot (or person, who
>> knows) for /roundcoube or similar
>
> And? I have thousands of servers trying to access my machines via sshd every single day. This does not mean sshd is insecure.

SSH bots are "brute force" attempts. It means nothing about the
security of ssh itself.

>
> How many servers have you had compromised by roundcube installs?

I don't use roundcube. So: No.

>
> (I have had a server get compromised from Squirrelmail, awstats, and phpbb in the past, but none from Roundcube, and all were exploited because I did not update software quickly enough.)

Usual cause: lack of updates. The question is, sometimes, the response
time to get the issues solved. The thing is: I'm currently avoiding
roundcube, for the same reason why I used to avoid bind: bad security
history. It looks like a really promising project, and if they "keep
up the good work", they will become a really, really good webmail
system, and not just "nice", but also secure.

From: Stan Hoeppner on
Thijssen put forth on 2/9/2010 4:19 AM:

> - If they like flashy GUI bullshit like HTML-mail and WYSIWYG
> formatted emails and spam and commerce, then don't use Squirrelmail.
> - If they focus on actual text content and plaintext emails (the way
> it should be), then squirrelmail is your Number One choice, far
> outweighing all others.
>
> It's rock stable and top-secure.

Tell me about this "top-secure" aspect of Squirrelmail again. ;)

Received: from mail.afranet.com (mail.afranet.com [80.75.0.13])
by greer.hardwarefreak.com (Postfix) with ESMTP id 1F0AC6C2B9
for <stan(a)hardwarefreak.com>; Thu, 11 Feb 2010 07:02:04 -0600 (CST)
....
Received: from 78.138.3.237
(SquirrelMail authenticated user test)
by mail.afranet.com with HTTP;
....
User-Agent: SquirrelMail/1.4.15
....
To: undisclosed-recipients:;
....
:::YEAR 2010 E-MAIL AWARDS:::
Dear Winner,
....
CONTACT HIM WITH YOUR DETAILS, FILL Details BELOW;
*** Your Full Name
*** Your Address
*** Your Country
*** Your Phone number
*** Your Age(Date of birth)
*** Your Gender(Male or Female)
*** Your present Occupation
*** Your Micros ID
....

I get phish and 419 from compromised Squirrelmail servers at least once or twice
a month. I've yet to receive one from a compromised Roundcube, Horde, or SOGo
server. Now, in fairness to SM, this probably has as much to do with widespread
implementation and poor administration as it does insecure code. It appears the
phish sent from the SM server in the example above utilized a test account with
a weak or non-existent password.

Regarding Jose's comments about his web servers constantly being scanned for
Roundcube directories, I see no one else reporting this. I run a Roundcube
server and see nothing of the sort. Additionally, scans != compromise or high
potential for compromise. I see thousands of scans and login attempts on my ssh
and ftp ports monthly. Does that mean that Proftpd and sshd are automatically
vulnerable? Because people are scanning them? You made a pretty weak argument
against Roundcube with that example.

--
Stan
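
As an added example (not from any message in this thread), here is a small Python check modelled on the header excerpt Stan quotes above: it walks the Received chain, pulls out any hop that was submitted through SquirrelMail's HTTP interface, and flags the two things the post calls out, a generic account name such as "test" and a hidden recipient list. The sample header block is constructed with placeholder hosts and addresses.

```python
import email
import re

# Constructed sample, modelled on the quoted excerpt; hosts/IPs are placeholders.
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [192.0.2.13])
\tby mx.example.org (Postfix) with ESMTP id 1F0AC6C2B9
\tfor <admin@example.org>; Thu, 11 Feb 2010 07:02:04 -0600 (CST)
Received: from 198.51.100.237
\t(SquirrelMail authenticated user test)
\tby mail.example.net with HTTP;
\tThu, 11 Feb 2010 16:32:01 +0330 (IRST)
User-Agent: SquirrelMail/1.4.15
From: "Awards Office" <awards@example.net>
To: undisclosed-recipients:;
Subject: YEAR 2010 E-MAIL AWARDS
"""

# A SquirrelMail submission hop looks like:
#   from <client ip> (SquirrelMail authenticated user <name>) by <host> with HTTP
WEBMAIL_HOP_RE = re.compile(
    r"from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*"
    r"\((?P<webmail>SquirrelMail) authenticated user (?P<user>[^)\s]+)\)\s*"
    r"by\s+(?P<server>\S+)\s+with\s+HTTP",
    re.IGNORECASE,
)

# Account names that should never be sending mail from a production webmail.
GENERIC_ACCOUNTS = {"test", "guest", "admin", "user", "demo"}


def webmail_hops(msg):
    """Return every Received hop that was submitted via SquirrelMail over HTTP."""
    hops = []
    for received in msg.get_all("Received", []):
        unfolded = " ".join(received.split())  # collapse header folding
        m = WEBMAIL_HOP_RE.search(unfolded)
        if m:
            hops.append(m.groupdict())
    return hops


def assess(raw_headers):
    """Annotate each webmail hop with the reasons it looks like an abused account."""
    msg = email.message_from_string(raw_headers)
    findings = []
    for hop in webmail_hops(msg):
        reasons = []
        if hop["user"].lower() in GENERIC_ACCOUNTS:
            reasons.append("generic/test account submitted mail via webmail")
        if "undisclosed-recipients" in (msg.get("To") or "").lower():
            reasons.append("recipient list hidden (undisclosed-recipients)")
        findings.append({**hop, "reasons": reasons, "suspicious": bool(reasons)})
    return findings
```

Fed a mail server's log or an abuse report, this is the kind of check that separates "the webmail code was exploited" from "a weak or test account was logged into", which is the distinction the rest of the thread argues over.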

From: LuKreme on
On 12-Feb-2010, at 08:48, Stan Hoeppner wrote:
>
> Tell me about this "top-secure" aspect of Squirrelmail again. ;)

The fact that some spammers are able to get into email accounts and send spam via squirrelmail has nothing to do with the security of squirrelmail itself. In nearly all, if not all, of these cases the account is being compromised due to having a password like "password1" or "12345678".

--
TAR IS NOT A PLAYTHING
Bart chalkboard Ep. 7F02

From: Ben Winslow on
On 02/12/2010 10:48 AM, Stan Hoeppner wrote:
> Tell me about this "top-secure" aspect of Squirrelmail again. ;)

> User-Agent: SquirrelMail/1.4.15

Spammers regularly phish for ISP account information and then use those
credentials to send spam via webmail and SMTP auth. We see this
frequently, and it's not directly related to the webmail software in use.

--
Ben Winslow <winslowb(a)pa.net>