[horde] How to find the author?

Gilles Buisson gilles.buisson at namebay.com
Tue Aug 26 09:17:44 UTC 2008


To find out the real mail sender identity (e.g. toto at domain.com), edit the
headers.php file located in ../horde/imp/config and add this line:

$_header['X-AuthUser'] = Auth::getAuth();

It adds a header like 'X-AuthUser: toto at domain.com' to the mail even if the
user uses a different address when sending.

Regards


-----Original Message-----
From: horde-bounces at lists.horde.org [mailto:horde-bounces at lists.horde.org] On
behalf of MailingListe
Sent: Tuesday, 26 August 2008 09:40
To: horde at lists.horde.org
Subject: Re: [horde] How to find the author?

Quoting Luis Zarrabeitia <kyrie at uh.cu>:

>
> <short story>
> I have an email (spam) that I must trace back to its author. The email was
> sent through one of my horde/imp installations, and I'm certain that it was
> not tampered with after it was sent (I grabbed it out of the mailqueue), so
> the headers are intact. The spammer, however, seems to have changed the
> address, so the From: and Return-path: are faked. Is there any log file where
> I can find the original sender? (i.e., SquirrelMail leaves a header on the
> message saying who was the original sender). If there is no log by default,
> is there a way to turn it on?
> </short story>
>
> <long story>
> I act as a provider for a few faculties at my university. I don't have direct
> control over those Horde/IMP installations, but upon request, I can access
> the servers to audit them. I do control the mail gateway they all use (MX and
> smarthost).
>
> It seems that a few days ago, a spammer guessed the password of some of the
> users, changed their identities, and began using their accounts to send spam.
> I can notify the affected users that their password has been compromised (and
> temporarily disable them), if I can learn their identities (usernames). It
> happened with Horde/IMP and SquirrelMail users, there is a header on
> squirrelmail generated emails with the real username, but with horde/imp, I
> haven't managed to find them. So far, my only options are to either block
> access to the webmails from the internet, or to deny access to the mail relay
> to the whole faculty.
> </long story>
>
> Any help you can give me would be very appreciated (even hints about how I can
> configure my postfix to prevent this from happening... perhaps per user/per
> hour quotas?)

Rate-Limiting is *not* a solution to prevent outgoing spam. For
Horde/IMP you should first alter the default setting to prevent your
potentially untrusted users from choosing every mail address they like as
sender. Have a look at horde/config/prefs.php how to do it. We have
altered our configuration so that the users are only able to choose
from addresses which are defined as aliases in the MTA routing DB.
If you really want to do it right you should additionally feed output
e-mail through some content-filter and put it on hold if a certain
threshold of spam-score is reached.

Regards

Andreas



-- 
All your trash belong to us ;-)  www.spamschlucker.org
To: stephan at spamschlucker.org


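One way to use the X-AuthUser header when auditing mail pulled from the queue, as an added example that is not part of the original thread: it compares the authenticated login with the From: and Return-Path: addresses and counts mismatching messages per login. The function names and the sample messages are hypothetical and constructed for illustration; treating a login without a domain as a local part is an assumption.

```python
from collections import Counter
from email import message_from_bytes
from email.utils import parseaddr

AUTH_HEADER = "X-AuthUser"  # header name from the headers.php line in the thread


def audit_message(raw: bytes) -> dict:
    """Compare the authenticated login with the sender addresses of one message."""
    msg = message_from_bytes(raw)
    auth_values = msg.get_all(AUTH_HEADER) or []
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    result = {"auth_user": None, "from": from_addr, "mismatched_headers": []}
    if len(auth_values) != 1:
        # Zero: no login recorded for this message. Several: someone supplied
        # an extra copy of the header, so none of the values can be trusted.
        result["status"] = "duplicate-auth-header" if auth_values else "no-auth-header"
        return result
    auth_user = str(auth_values[0]).strip().lower()

    def same(addr: str) -> bool:
        # Assumption: a login without a domain is compared to the local part.
        return addr == auth_user if "@" in auth_user else addr.split("@")[0] == auth_user

    result["auth_user"] = auth_user
    result["mismatched_headers"] = [
        name for name, addr in (("From", from_addr), ("Return-Path", return_path))
        if addr and not same(addr)
    ]
    result["status"] = "mismatch" if result["mismatched_headers"] else "ok"
    return result


def accounts_to_review(raw_messages) -> Counter:
    """Count mismatching messages per authenticated login."""
    hits = Counter()
    for raw in raw_messages:
        result = audit_message(raw)
        if result["status"] == "mismatch":
            hits[result["auth_user"]] += 1
    return hits


# Constructed sample messages (not taken from the thread).
SAMPLES = [
    b"X-AuthUser: toto@domain.com\r\nFrom: Toto <toto@domain.com>\r\n\r\nhello\r\n",
    b"X-AuthUser: toto@domain.com\r\nReturn-Path: <promo@example.net>\r\n"
    b"From: \"Offers\" <promo@example.net>\r\n\r\nbuy now\r\n",
    b"From: someone@example.org\r\nSubject: no header\r\n\r\nbody\r\n",
]
```

A mismatch alone is not proof of abuse, since users may send from legitimate aliases; the per-login count is what points at accounts worth reviewing.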