Looks like our work got more folks looking at RoundCube. SANS Storm Center has a posting that shows the exploit being used by attackers against the helpnetsecurity announced vulnerability in “html2text”.
The RoundCube folks have already released patches and done code cleanup to remove this and other known issues, including the msgimport.sh scripts from previous versions.
If you are a RoundCube user, please upgrade. Scans have slowed for this issue, but are still present and active at low levels.
Thanks to everyone who helped on this and to the RoundCube Webmail project team for their friendly, open approach to solving the problems and their rapid attention. It is refreshing to work with developers who are focused on solutions instead of wanting to fight about the source of the problems. Hats off to them!