[horde] spammers targeting horde/imp as spamming tool

[D G Teed]

On Wed, Apr 30, 2008 at 5:16 PM, robert sand <rsand at d.umn.edu> wrote:

> The attached script didn't get attached so here it is (replace
> "USERID","PASSWORD","HORDE_PREF_DATABASE_NAME" for your installation.)
>
> <?php
>
>   @ $db = mysql_pconnect("localhost","USERID","PASSWORD");
>
>   mysql_select_db("HORDE_PREF_DATABASE_NAME");
>
>   $query = "select pref_uid from horde_prefs where pref_name='identities'
> and (pref_value like '%dear%' or pref_value like '%united nation%' or
> pref_value like '%winner %' or pref_value like '%simon%wong%' or pref_value
> like 'bank' or pref_value like 'funds' or pref_value like 'password')";
>
>   $result=mysql_query($query);
>   $first = 0;
>
>   while($row=mysql_fetch_object($result)){
>     if ($first < 1){
>        echo "Keyword list = 'dear','united nation','winner
> ','simon%wong','bank','funds','password'\n\n";
>        $first = 1;
>     }
>      $uid=$row->pref_uid;
>      $query = "select pref_value from horde_prefs where
> pref_name='identities'
> and pref_uid='".$uid."'";
>      $result1=mysql_query($query);
>      $row1=mysql_fetch_object($result1);
>      $sig=$row1->pref_value;
>      echo "User ID $uid is possibly compromised.  Signature matches keyword
> and contains:\n $sig\n\n";
>   }
>
> ?>
>
>
> Thanks for sharing that script.

This script did identify "spammed up" profiles of the 2 user accounts we
know
were compromised.  To run it within a browser, change the echo \n newlines
into <br>
html code, and I suggest surrounding the "User ID $uid is possibly
compromised."
with some highlight to make it easy to see.  I used:
<font color=red>User ID $uid is possibly compromised.</font>

--Donald