[horde] spammers targeting horde/imp as spamming tool

D G Teed donald.teed at gmail.com
Thu May 1 12:05:43 UTC 2008


Hi Robert,

I see why you need to comb through the accounts.  We don't allow users to
register themselves (accounts are set up from the Student system) so this
helps to eliminate that type of account abuse.  This is why I was confused
about the search for keywords.

If you have netblocks which are known as spammers, perhaps they could be
put into a "deny from" list in your apache config?  That would keep them
right out of webmail.  I currently use this against a handful of individual
addresses which have been caught spamming.

Yesterday our outbound email was being delayed because the recent spam had
lowered the reputation of our outbound SMTP server (Senderbase/Ironport
service).  The quickest solution was to set up another SMTP on a fresh IP.
I'm thinking that until Horde Webmail 1.1 is out, I'll set up a special
SMTP (postfix) just for webmail, and then if the reputation is soured by
more spam, it will only impact webmail.  It will also allow me to put
restrictions on the number of recipients at a unique level just for webmail.

--Donald

On Wed, Apr 30, 2008 at 4:54 PM, robert sand <rsand at d.umn.edu> wrote:
>
>  Donald,
>
>  I can only tell you about the script I wrote.  Another admin works on mail
> delivery.  First a little on our setup.
>
>  We are running the Debian Etch distribution of Horde/Imp and others so we
> are at Horde 3.1.x and Imp 4.1.x.  Our preference database is on another
> server as are our email inboxes.  Some of these spammers are setting up the
> default identity or other identities and usually using the signature to
> contain the body of their message.  Some set the from and replyto addresses
> to wherever they want their responses to go back to (an example follows).
> The keywords I look for are words that normally would not show up in an
> identity like "UNITED NATIONS".  I've attached a copy of the php script I
> run on the database server that has our horde preferences database.
>
>  I believe that when the message is delivered to our outgoing email server
> it goes through a number of checks before it is delivered.  These checks
> include:
>
>         envelope sender
>         From header
>         Reply-to header (if exists)
>         Return-Path header (if exists)
>
>         then 14 netblocks (/16 addrs)
>
>         miscellaneous (e.g., 'From' containing 'compensationunit')
>
>  If you would like more information on how the checks above are done I can
> get that to you as well.  We are now checking the X-Originating-IP against
> the netblocks and checking the authorized user id against what the envelope
> says.
>
>
>
>
> s:9:"sig_first";i:1;s:10:"sig_dashes";i:1;s:14:"save_sent_mail";i:1;s:16:"sent_mail_folder";s:9:"sent-mail";s:16:"default_identity";s:1:"0";}i:1;a:14:{s:16:"default_identity";s:1:"0";s:2:"id";s:14:"United
> Nations";s:8:"fullname";s:14:"United
> Nations";s:9:"from_addr";s:26:"koffi.un at unitednations.com";s:12:"replyto_addr";s:22:"mrjimovia2000 at yahoo.it";s:10:"alias_addr";a:0:{}s:10:"tieto_addr";a:0:{}s:8:"bcc_addr";a:0:{}s:8:"mail_hdr";s:0:"";s:9:"signature";s:1539:"Attention:
>
>  How are you today? Hope all is well with you and family?,You may not
>  understand why this mail came to you.
>
>  We have been having a meeting for the passed 7 months which ended 2
>  days ago with the then secretary to the UNITED NATIONS.
>
>  This email is to all the people that have been scammed in any part of
>  the world, the UNITED NATIONS have agreed to compensate them with the
>  sum of US$ 500,000. This includes every foriegn contractors that may
>  have not received their contract sum, and people that have had an
>  unfinished transaction or international businesses that failed due to
>  Government probelms etc.
>
>  We found your name in our list and that is why we are contacting you,
>  this have been agreed upon and have been signed.
>  You are advised to contact Mr. Jim Ovia of ZENITH BANK PLC, as
>  he is our representative in Nigeria, contact him immediately for your
>  Cheque/ International Bank Draft of USD$500,000. This funds are in a
>  Bank Draft for security purpose ok? so he will send it to you and you
>  can clear it in any bank of your choice.
>
>  Therefore, you should send him your full Name and telephone number/your
>  correct mailing address where you want him to send the Draft to you.
>
>  Contact Mr. Jim Ovia immediately for your Cheque:
>  Person to Contact Mr. Jim Ovia
>  Email: mrjimovia2000 at yahoo.it
>
>  Thanks and God bless you and your family.Hoping to hear from you as
>  soon as you cash your Bank Draft.
>  Making the world a better place
>  Regards,
>
>  Mr. Kofi Annan
>  Former Secretary (UNITED NATIONS)
>
>
> ";s:10:"sig_dashes";i:0;s:9:"sig_first";i:0;s:14:"save_sent_mail";i:1;s:16:"sent_mail_folder";s:9:"sent-mail";}}
>
>
>
>
>  D G Teed wrote:
>
> > Hi,
> >
> > Perhaps you could expand on the details a little and we can all
> > learn some strategies?  I don't understand what keywords you
> > would search for which could be indicative of spammer or a compromised
> account.
> >
> > Also, where or how do you set up this rule to control the abuse of
> > envelope and header values?
> >
> > --Donald
> >
> >
>
>
>  --
>
>  Robert Sand.
>  mailto:rsand at d.umn.edu
>  1028 Kirby Drive
>  366 K Plz
>  Duluth, MN 55812-3095
>  218-726-6122        fax 218-726-7674
>
>  "Walk behind me I may not lead, Walk in front of me I may not follow,
>  Walk beside me and we walk together"  UTE Tribal proverb.
>
> pref_uid;
> $query = "select pref_value from horde_prefs where pref_name='identities' and pref_uid='".$uid."'";
> $result1 = mysql_query($query);
> $row1 = mysql_fetch_object($result1);
> $sig = $row1->pref_value;
> echo "User ID $uid is possibly compromised. Signature matches keyword and contains:\n $sig\n\n";
> } ?>
>

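As an added example (not Robert's attached script and not Horde code), here is the same kind of check his attachment performs, done in Python against rows pulled from `horde_prefs`: the PHP-serialized `identities` preference quoted above is parsed, and each identity is flagged when its id, fullname or signature contains a keyword, when its from_addr or replyto_addr points outside the local domain, or when the signature is long enough to be carrying a message body. It goes a little beyond the keyword match in the quoted script by also looking at the addresses, since the thread notes that spammers set those too. The keyword list, the local domain `example.edu` and the sample rows are constructed assumptions; in practice the rows would come from `select pref_uid, pref_value from horde_prefs where pref_name='identities'` through whatever database driver the site uses.

```python
"""Added example: scan Horde 'identities' preferences for spammer-looking
identities. Not Horde code and not the script from the thread."""


def php_unserialize(data: bytes):
    """Minimal parser for PHP serialize() output as stored in horde_prefs.
    Handles N, i, b, d, s (byte-length prefixed) and nested a (-> dict)."""
    pos = 0

    def parse():
        nonlocal pos
        t = chr(data[pos])
        if t == 'N':                          # N;
            pos += 2
            return None
        if t in 'ibd':                        # i:42;  b:1;  d:1.5;
            end = data.index(b';', pos)
            raw = data[pos + 2:end].decode()
            pos = end + 1
            return {'i': int, 'b': lambda v: v == '1', 'd': float}[t](raw)
        if t == 's':                          # s:<byte length>:"...";
            colon = data.index(b':', pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                 # skip :"
            value = data[start:start + length]
            pos = start + length + 2          # skip ";
            return value.decode('utf-8', 'replace')
        if t == 'a':                          # a:<count>:{key;value;...}
            colon = data.index(b':', pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                   # skip :{
            items = {}
            for _ in range(count):
                key = parse()
                items[key] = parse()
            pos += 1                          # skip }
            return items
        raise ValueError(f'unsupported PHP type {t!r} at offset {pos}')

    return parse()


def php_serialize(value) -> bytes:
    """Inverse of php_unserialize; used here only to build the constructed sample rows."""
    if value is None:
        return b'N;'
    if isinstance(value, bool):               # must precede int: bool is an int subclass
        return b'b:%d;' % value
    if isinstance(value, int):
        return b'i:%d;' % value
    if isinstance(value, str):
        raw = value.encode('utf-8')
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b''.join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b'a:%d:{%s}' % (len(value), body)
    raise TypeError(f'cannot serialize {type(value).__name__}')


KEYWORDS = ('UNITED NATIONS', 'BANK DRAFT', 'COMPENSATIONUNIT')  # assumption; taken from the thread's sample
LOCAL_DOMAIN = 'example.edu'                                      # assumption: the site's own mail domain


def _domain(addr: str) -> str:
    return addr.rsplit('@', 1)[-1].lower() if '@' in addr else ''


def suspicious_identities(blob: bytes, local_domain=LOCAL_DOMAIN, keywords=KEYWORDS):
    """Return [(identity index, [reasons])] for identities that deserve a human look."""
    hits = []
    for idx, ident in php_unserialize(blob).items():
        reasons = []
        text = ' '.join(str(ident.get(k, '')) for k in ('id', 'fullname', 'signature')).upper()
        reasons += [f'keyword {kw!r}' for kw in keywords if kw in text]
        frm, rto = ident.get('from_addr', ''), ident.get('replyto_addr', '')
        if frm and _domain(frm) != local_domain:
            reasons.append(f'from_addr domain {_domain(frm)}')
        if rto and _domain(rto) not in (local_domain, _domain(frm)):
            reasons.append(f'replyto_addr domain {_domain(rto)}')
        if len(ident.get('signature', '')) > 1000:   # heuristic: a message body hidden in the signature
            reasons.append('signature longer than 1000 chars')
        if reasons:
            hits.append((idx, reasons))
    return hits


def scan_prefs(rows):
    """rows: (pref_uid, pref_value) pairs for pref_name='identities' -> {uid: hits}."""
    return {uid: hits for uid, blob in rows if (hits := suspicious_identities(blob))}


# Constructed sample rows standing in for the horde_prefs query result.
SAMPLE_ROWS = [
    ('jane', php_serialize({0: {'id': 'Default Identity', 'fullname': 'Jane Student',
                                'from_addr': 'jane@example.edu', 'replyto_addr': '',
                                'signature': 'Jane Student, Example University'}})),
    ('mallory', php_serialize({
        0: {'id': 'Default Identity', 'fullname': 'M. Lory',
            'from_addr': 'mallory@example.edu', 'replyto_addr': '', 'signature': ''},
        1: {'id': 'United Nations', 'fullname': 'United Nations',
            'from_addr': 'koffi.un@unitednations.com', 'replyto_addr': 'mrjimovia2000@yahoo.it',
            'signature': 'Attention: the UNITED NATIONS have agreed to compensate you. '
                         'Contact Mr. Jim Ovia of ZENITH BANK PLC for your Bank Draft.'}})),
]

if __name__ == '__main__':
    for uid, hits in scan_prefs(SAMPLE_ROWS).items():
        for idx, reasons in hits:
            print(f'User ID {uid} identity {idx} is possibly compromised: {"; ".join(reasons)}')
```

The length-prefixed strings are why the parser works on bytes rather than str: PHP counts bytes, so a signature with any non-ASCII characters would be mis-sliced by a character-based parser, and a keyword `LIKE` in SQL alone would not tell you which of a user's identities matched.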

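The outbound checks Robert lists (envelope sender, From, Reply-To and Return-Path headers, the X-Originating-IP against a netblock list, and the authenticated user against the envelope) as an added example in Python. This is not the filter his colleague actually runs on their outgoing server; it is one way to express the same policy as a function that, given a submission's headers, SMTP envelope sender and SASL username, returns the reasons to hold it. The local domain `example.edu`, the blocked netblocks (documentation ranges standing in for the site's fourteen /16s, which the thread does not list), the `unitednations` fragment and the two sample submissions are constructed; `compensationunit` is the fragment named in the thread.

```python
"""Added example: policy checks for webmail submissions on an outbound SMTP
server. Not the filter from the thread; assumptions are marked."""
import ipaddress
from email.utils import parseaddr

LOCAL_DOMAIN = 'example.edu'        # assumption: the site's own mail domain
# Assumption: documentation ranges standing in for the site's real spammer netblocks.
BLOCKED_NETBLOCKS = [ipaddress.ip_network(n) for n in ('198.51.100.0/24', '203.0.113.0/24')]
# 'compensationunit' comes from the thread; 'unitednations' is added for the sample.
BAD_FRAGMENTS = ('compensationunit', 'unitednations')


def _addr(value: str) -> str:
    """Bare address from a header value such as 'Name <user@host>', lower-cased."""
    return parseaddr(value or '')[1].lower()


def _domain(addr: str) -> str:
    return addr.rsplit('@', 1)[-1] if '@' in addr else ''


def check_outbound(headers: dict, envelope_sender: str, sasl_user: str,
                   blocked=BLOCKED_NETBLOCKS, local_domain=LOCAL_DOMAIN) -> list:
    """Return the reasons to hold a webmail submission; an empty list means let it go."""
    reasons = []
    env = envelope_sender.lower()

    # 1. The authenticated webmail user must be the envelope sender.
    if env.split('@', 1)[0] != sasl_user.lower():
        reasons.append(f'envelope sender {env} does not match authenticated user {sasl_user}')

    # 2. Envelope sender and the sender-ish headers must be local and free of known fragments.
    #    Policy choice: an external Reply-To is flagged too; a site may want to relax that.
    candidates = {'envelope sender': env}
    for name in ('From', 'Reply-To', 'Return-Path'):
        if name in headers:
            candidates[name] = _addr(headers[name])
    for label, addr in candidates.items():
        if not addr:
            continue
        if _domain(addr) != local_domain:
            reasons.append(f'{label} {addr} is outside {local_domain}')
        if any(frag in addr for frag in BAD_FRAGMENTS):
            reasons.append(f'{label} {addr} matches a known spam fragment')

    # 3. The browser address recorded in X-Originating-IP against the netblock list.
    raw_ip = headers.get('X-Originating-IP', '').strip('[] ')
    if raw_ip:
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            reasons.append(f'unparseable X-Originating-IP {raw_ip!r}')
        else:
            hit = next((net for net in blocked if ip in net), None)
            if hit is not None:
                reasons.append(f'X-Originating-IP {ip} is in blocked netblock {hit}')
    return reasons


# Constructed sample submissions (not captured traffic).
LEGIT = dict(headers={'From': 'Jane Student <jane@example.edu>', 'X-Originating-IP': '192.0.2.10'},
             envelope_sender='jane@example.edu', sasl_user='jane')
SPAM = dict(headers={'From': 'United Nations <koffi.un@unitednations.com>',
                     'Reply-To': 'mrjimovia2000@yahoo.it',
                     'X-Originating-IP': '[198.51.100.23]'},
            envelope_sender='koffi.un@unitednations.com', sasl_user='mallory')

if __name__ == '__main__':
    for name, msg in (('legit', LEGIT), ('spam', SPAM)):
        print(name, check_outbound(**msg) or 'OK')
```

The check that does the most work against compromised accounts is the first one: a spammer who has a real student password can still be stopped from sending as anyone but that student, which also makes the resulting complaints point straight at the account to disable.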