[horde] Tracing what user had an SMTP error

D G Teed donald.teed at gmail.com
Sun May 18 02:27:33 UTC 2008


On Sat, May 17, 2008 at 6:28 PM, Jan Schneider <jan at horde.org> wrote:

> Quoting D G Teed <donald.teed at gmail.com>:
>
> > Hi,
> >
> > In light of the phishing and compromised accounts used
> > to send spam from webmail, we have a dedicated smtp
> > server to limit the number of recipients and put restrictions
> > on the sender address/domain.
> >
> > Generally the spammers use a different Sender than
> > our domain.
> >
> > When the SMTP server rejects the message due to one
> > of these rules, there is an Access denied message
> > sent back to the webmail client.  That works well.
> > I don't have outbound spam, just a bunch of NOQUEUE
> > messages in maillog.
> >
> > However, I don't have an easy trace on which accounts are
> > likely being compromised. Before, the "Message sent"
> > trace would include the horde user's account name.
> > But this does not appear in the horde log when
> > there is an SMTP error.  e.g.:
> >
> > May 13 17:20:24 HORDE [error] [imp] Failed to add recipient: macjon190 at yahoo.com [SMTP: Invalid response code received from server (code: 554, response: 5.7.1 <millerdave at hotmail.com.com>: Sender address rejected: Access denied)] [on line 1054 of "/usr/local/www/horde/horde-webmail-1.0.1/imp/compose.php"]
> >
> > Is there a change I can make to the code to flush out the user account
> > (or maybe their logged in source IP) in SMTP errors logged at
> > horde.log?
>
> The log message contains the exact file and line of the place where
> this message is logged. Change the code to log any information you
> like. You get the user name with Auth::getAuth().
>
>
Thanks.  That is the kind of thing I was expecting, but I've
just found it tricky to locate the variables or in this case the call.

The current error which is missing the account name looks like this:

  Horde::logMessage($res->getMessage(), __FILE__, __LINE__, PEAR_LOG_ERR);
  $notification->push(sprintf(_("There was an error sending your message: %s"), $res->getMessage()), 'horde.error');

I see a line of code referenced in a log message which does display the user name around here in the code:

    $entry = sprintf("%s Message sent to %s from %s", $_SERVER['REMOTE_ADDR'], $recipients, $imp['user']);
    Horde::logMessage($entry, __FILE__, __LINE__, PEAR_LOG_INFO);

I'm not really sure how I could munge in the getMessage() result and
something like $entry above, so I've opted for adding an additional
line in the log right after the error, containing the data on account and
remote IP of webmail client.

This is what my error for SMTP section looks like now in compose.php:

        if (is_a($res, 'PEAR_Error')) {
            /* Unsuccessful send. */
            Horde::logMessage($res->getMessage(), __FILE__, __LINE__, PEAR_LOG_ERR);

            /* Second line records the webmail account and client IP behind the failure. */
            $entry2 = sprintf("%s Message not sent (spammer?) to %s from %s", $_SERVER['REMOTE_ADDR'], $recipients, $imp['user']);
            Horde::logMessage($entry2, __FILE__, __LINE__, PEAR_LOG_INFO);
            $notification->push(sprintf(_("There was an error sending your message: %s"), $res->getMessage()), 'horde.error');
            $get_sig = false;
            break 2;
        }

This seems to work OK for me...

This error reporting combined with SMTP restrictions should allow me
to backtrack and find which accounts are being compromised.

--Donald
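Once the extra log line is in place, the remaining work is reading it back out of horde.log. The following is an added example, not code from the thread or from Horde: it pairs each "Sender address rejected" [error] line with the "Message not sent (spammer?)" [info] line logged immediately after it and tallies rejections per webmail account, so repeat offenders surface with the client IPs and forged sender addresses they used. The sample log, account names, IPs and the exact [info] line format are constructed assumptions based on the sprintf above.

```python
import re
from collections import defaultdict

# Constructed sample of horde.log as written by the patched compose.php: the
# [error] line is the one quoted in the thread; the [info] lines follow the
# sprintf format of $entry2. Users, IPs and the second timestamps are made up.
SAMPLE_LOG = """\
May 13 17:20:24 HORDE [error] [imp] Failed to add recipient: macjon190 at yahoo.com [SMTP: Invalid response code received from server (code: 554, response: 5.7.1 <millerdave at hotmail.com.com>: Sender address rejected: Access denied)] [on line 1054 of "/usr/local/www/horde/horde-webmail-1.0.1/imp/compose.php"]
May 13 17:20:24 HORDE [info] [imp] 203.0.113.7 Message not sent (spammer?) to macjon190 at yahoo.com from jsmith [on line 1057 of "/usr/local/www/horde/horde-webmail-1.0.1/imp/compose.php"]
May 13 17:21:02 HORDE [error] [imp] Failed to add recipient: bob at example.org [SMTP: Invalid response code received from server (code: 554, response: 5.7.1 <millerdave at hotmail.com.com>: Sender address rejected: Access denied)] [on line 1054 of "/usr/local/www/horde/horde-webmail-1.0.1/imp/compose.php"]
May 13 17:21:02 HORDE [info] [imp] 203.0.113.7 Message not sent (spammer?) to bob at example.org from jsmith [on line 1057 of "/usr/local/www/horde/horde-webmail-1.0.1/imp/compose.php"]
May 13 18:05:11 HORDE [info] [imp] 192.0.2.10 Message sent to alice at example.org from mwong [on line 1063 of "/usr/local/www/horde/horde-webmail-1.0.1/imp/compose.php"]
"""

# The [info] line produced by $entry2: "<ip> Message not sent (spammer?) to <rcpts> from <user>"
NOT_SENT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) HORDE \[info\] \[imp\] (?P<ip>\S+) "
    r"Message not sent \(spammer\?\) to (?P<rcpt>.+?) from (?P<user>\S+) \[")
# The envelope sender the SMTP server refused, taken from the preceding [error] line.
REJECTED = re.compile(r"response: 5\.7\.1 <(?P<sender>[^>]+)>: Sender address rejected")

def summarize(log_text):
    """Map each webmail account to its rejected sends, client IPs and forged senders."""
    accounts = defaultdict(lambda: {"rejections": 0, "ips": set(), "senders": set()})
    pending_sender = None
    for line in log_text.splitlines():
        m = REJECTED.search(line)
        if m:  # remember it; the matching [info] line is logged right after
            pending_sender = m.group("sender")
            continue
        m = NOT_SENT.match(line)
        if not m:
            pending_sender = None  # unrelated line: never pair a stale error
            continue
        acct = accounts[m.group("user")]
        acct["rejections"] += 1
        acct["ips"].add(m.group("ip"))
        if pending_sender:
            acct["senders"].add(pending_sender)
        pending_sender = None
    return dict(accounts)

def flagged(accounts, threshold=2):
    """Accounts with at least `threshold` rejected sends, most rejections first."""
    return sorted((u for u, a in accounts.items() if a["rejections"] >= threshold),
                  key=lambda u: -accounts[u]["rejections"])

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for user in flagged(stats):
        a = stats[user]
        print(f"{user}: {a['rejections']} rejected from {sorted(a['ips'])}, "
              f"claimed sender(s) {sorted(a['senders'])}")
```

Feed it the real horde.log (for example `summarize(open('/var/log/horde.log').read())`) and raise the threshold to whatever level of legitimate rejections your users generate.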

