
Holes in the security of the mail.ru web interface

You, %username%, surely trust your private mail to Google. But for those of us who are still on mail.ru (as, alas, I am), this post may encourage a move.

Last year I already ran into a security problem with mail.ru: a letter contained a crafty link that executed the attackers' JavaScript through a redirect to the spell-checking service on the mail.ru servers. I have not checked since then whether the hole was closed, but I did write to support.

Yesterday I came across another security problem in the web interface. The mail.ru team is now actively improving usability, honor and praise to them, but very bad flaws are creeping through.
I received another piece of spam from these guys: h.visaconcord.ru, an ordinary colorful letter advertising tours or something of the kind.
There do not seem to be any viruses or trojans at this address.

The spammers got too clever and included in the letter some active code that the mail.ru interface executed. As a result, ALL the links on the mail.ru page were changed to links to this site, and became like h.visaconcord.ru/msglist?204003361&f=2, i.e. only the domain changed.

The letter itself quickly disappeared from the mailbox, and I did not have time to save it. What is also unclear: the mail.ru engine allows itself to delete letters from the mailbox after the user has received and seen them.


In this regard, a question for you, habrovchane: what hardware and software do you need in order to set up proper mail on your own server and say goodbye to the leaky public interface? Preferably with a web interface (ideally SquirrelMail or Roundcube) and with antispam. What kind of hardware do you need? Will it run fast enough on a home connection (30 megabits)?

I hope this post will serve as a warning and encourage you to improve your personal security.

UPD. A possible explanation was suggested in the comments: the head section of the HTML letter contains the tag base href="h.visaconcord.ru", which causes every link without a domain (i.e. a href="/some/path.html") to be prefixed with the domain given in base href="". No JavaScript, and the result is a kind of XSS vulnerability :)
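The explanation in the UPD, as an added example that is not from the original post or its comments: it shows how a `<base href>` carried in a letter changes where domain-less links resolve, and how a webmail renderer can drop the tag before display. The names `effective_link`, `strip_base` and `BaseStripper`, the `webmail.example` page URL and the `http://` scheme on the base href are assumptions, and the stripper handles only `<base>`; it is not a full HTML sanitizer.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample letter; the http:// scheme on the base href is an assumption.
SAMPLE_LETTER = ('<html><head><base href="http://h.visaconcord.ru/"></head>'
                 '<body><p>Tours &amp; visas</p><a href="/promo">offer</a><br/></body></html>')
PAGE_URL = "https://webmail.example/msglist"  # placeholder for the webmail page

def effective_link(page_url, base_href, link):
    """URL a click on `link` goes to; a <base href> replaces the page URL as base."""
    base = urljoin(page_url, base_href) if base_href else page_url
    return urljoin(base, link)

class BaseStripper(HTMLParser):
    """Re-emit tags and text as-is, dropping <base> (comments/doctype are dropped too)."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "base":
            self.dropped.append(dict(attrs).get("href"))  # keep for logging/alerting
        else:
            self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag  # <br/> and <base/> take the same path

    def handle_endtag(self, tag):
        if tag != "base":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def strip_base(letter_html):
    """Return (html_without_base_tags, list_of_dropped_base_hrefs)."""
    p = BaseStripper()
    p.feed(letter_html)
    p.close()
    return "".join(p.out), p.dropped

if __name__ == "__main__":
    clean, dropped = strip_base(SAMPLE_LETTER)
    for base in (dropped[0], None):  # with the letter's <base>, then after stripping
        print(base, "->", effective_link(PAGE_URL, base, "/msglist?204003361&f=2"))
```

Rendering the letter in a sandboxed iframe on a separate origin also keeps any `<base>` it carries from affecting the webmail page's own links.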

Source: https://habr.com/ru/post/95513/

