[horde] How to find the author?

Andrew Morgan morgan at orst.edu
Wed Aug 20 21:42:53 UTC 2008 

On Wed, 20 Aug 2008, Luis Zarrabeitia wrote:

> <short story>
> I have an email (spam) that I must trace back to it's author. The email was
> sent through one of my horde/imp installations, and I'm certain that it was
> not tampered with after it was sent (I grabbed it out of the mailqueue), so
> the headers are intact. The spammer, however, seems to have changed the
> address, so the From: and Return-path: are faked. Is there any log file where
> I can find the original sender? (i.e, SquirrelMail leaves a header on the
> message saying who was the original sender). If there is no log by default,
> is there a way to turn it on?
> </short story>
>
> <long story>
> I act as a provider for a few faculties at my university. I don't have direct
> control over those Horde/IMP installations, but upon request, I can access
> the servers to audit them. I do control the mail gateway they all use (MX and
> smarthost).
>
> It seems that a few days ago, a spammer guessed the password of some of the
> users, changed their identities, and began using their accounts to send spam.
> I can notify the affected users that their password has been compromised (and
> temporarily disable them), if I can learn their identities (usernames). It
> happened with Horde/IMP and SquirrelMail users, there is a header on
> squirrelmail generated emails with the real username, but with horde/imp, I
> haven't managed to find them. So far, my only options are to either block
> access to the webmails from the internet, or to deny access to the mail rely
> to the whole faculty.
> </long story>
>
> Any help you can give me would be very appreciated (even hints about how can I
> configure my postfix to prevent this from happenning... perhaps per user/per
> hour quotas?)

Look at the oldest Received header.  Here is what mine looks like:

Received: from protagonist.ucs.orst.edu (protagonist.ucs.orst.edu
 	[10.192.128.94]) by webmail.oregonstate.edu (Horde MIME library) with HTTP;
 	Wed, 20 Aug 2008 14:37:43 -0700

Then, go dig in the Horde logs to see who logged in from that IP address.

The latest version of Horde includes settings for message rate limiting, 
which would be very useful to prevent this kind of abuse.

 	Andy

More information about the horde mailing list