[horde] How to find the author?
Luis Zarrabeitia
kyrie at uh.cu
Fri Aug 22 15:20:18 UTC 2008
[This is weird... I saw Andy's reply on the web (nabble), but it never got
to my inbox. Sorry for breaking the thread.]
------ Andrew Morgan wrote: ----------
> Look at the oldest Received header. Here is what mine looks like:
(snip)
> Then, go dig in the Horde logs to see who logged in from that IP address.
I think I may have just hit a bug in horde/imp.
[My setup: the webmails are being accessed from the internet via a reverse
proxy. Most users use forward proxies as well]
It seems that IMP logs the full 'X-Forwarded-For' chain for failed logins
("FAILED LOGIN <my-easy-to-guess-IP> (forwarded for [192.168.1.223,
201.220.192.210, 201.220.215.11])" - this one seems to be from the spammer), but
for successful logins it only stores the previous hop ("Login success for
<my-user> [<my-easy-to-guess-IP>]"), so I cannot distinguish the legit logins
from the faked ones.
The "Received:" header skips the first hop instead, and seems to be logging only
the second ("Received: from 192.168.1.123 (192.168.1.123 [192.168.1.123])"). I'd
say something is not right there...
Before I submit a bug report and/or try to write patches, is this the intended
behavior?
(at the end, I had to grep their sent-mail folders for the addresses being
spammed. I used the log to find who had logged in from the outside during those
days and grep only them)
> The latest version of Horde includes settings for message rate limiting,
> which would be very useful to prevent this kind of abuse.
That would be helpful, indeed.
I think I'll also have to run a SpamAssassin on the outgoing email to prevent
stuff like this in the future.
Cheers, and thanks!
--
Luis Zarrabeitia
Facultad de Matemática y Computación, UH
http://profesores.matcom.uh.cu/~kyrie
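An added example, not part of the original post and not Horde/IMP code, for the log triage described in the message above: it parses the two IMP log shapes quoted there ("FAILED LOGIN <ip> (forwarded for [...])" and "Login success for <user> [<ip>]"), takes as the client address only the rightmost forwarded-for hop that is not one of your own proxies (the hop your reverse proxy appended, which a client cannot spoof), classifies that address as internal or external, and lists the successful logins that came from outside or, as with the "Login success" lines discussed above, whose origin was never recorded. The timestamp prefix, the user names, the 10.0.0.5 proxy address and the TRUSTED_PROXIES set are constructed assumptions, not values from the post.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed sample lines in the two shapes quoted in the message above; the
# timestamp prefix, user names and 10.0.0.5 (standing in for the reverse proxy
# that IMP sees as the previous hop) are placeholders, not real Horde output.
SAMPLE_LOG = """\
Aug 20 03:14:07 FAILED LOGIN 10.0.0.5 (forwarded for [192.168.1.223, 201.220.192.210, 201.220.215.11])
Aug 20 03:20:41 Login success for alice [10.0.0.5]
Aug 20 09:02:13 Login success for bob [192.168.1.50]
Aug 20 11:45:09 FAILED LOGIN 10.0.0.5 (forwarded for [172.16.4.2])
Aug 20 12:00:00 FAILED LOGIN 10.0.0.5
"""

# Addresses of our own proxies (assumed); only hops they appended are trusted.
TRUSTED_PROXIES: Set[str] = {"10.0.0.5"}

FAILED_RE = re.compile(r"FAILED LOGIN (\S+)(?: \(forwarded for \[([^\]]*)\]\))?")
SUCCESS_RE = re.compile(r"Login success for (\S+) \[([^\]]+)\]")


def parse_line(line: str) -> Optional[Dict]:
    """Return a dict for a failed/successful login line, or None for any other line."""
    m = FAILED_RE.search(line)
    if m:
        chain = [h.strip() for h in m.group(2).split(",")] if m.group(2) else []
        return {"outcome": "failed", "user": None, "peer": m.group(1), "chain": chain}
    m = SUCCESS_RE.search(line)
    if m:
        return {"outcome": "success", "user": m.group(1), "peer": m.group(2), "chain": []}
    return None


def trusted_origin(peer: str, chain: List[str], trusted: Set[str]) -> Optional[str]:
    """Pick the client address we can actually vouch for.

    X-Forwarded-For grows left to right as each proxy appends the address it
    saw, so the leftmost entries come from whoever sat upstream (possibly the
    client itself) and only the entries appended by our own proxies are
    trustworthy. Walk the chain from the right, skipping our proxies; the
    first other address is the peer that connected to our edge.
    """
    if peer not in trusted:
        # Direct connection: the peer is the origin and any forwarded-for
        # chain was supplied by the client itself, so it is ignored.
        return peer
    for hop in reversed(chain):
        if hop not in trusted:
            return hop
    # Only the proxy hop was recorded (what the post describes for successful
    # logins), so the real origin cannot be recovered from this line.
    return None


def is_external(addr: str) -> Optional[bool]:
    """True for a globally routable address, False for private/loopback, None if unparsable."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return None


def analyze(log_text: str, trusted: Set[str]) -> List[Dict]:
    """Annotate every login line with its trusted origin and whether that origin is external."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        origin = trusted_origin(ev["peer"], ev["chain"], trusted)
        ev["origin"] = origin
        ev["external"] = is_external(origin) if origin else None
        events.append(ev)
    return events


def logins_to_review(events: List[Dict]) -> List[Dict]:
    """Successful logins from outside, plus those whose origin was not recorded at all."""
    return [e for e in events if e["outcome"] == "success" and e["external"] is not False]


if __name__ == "__main__":
    for e in analyze(SAMPLE_LOG, TRUSTED_PROXIES):
        print(e["outcome"], e["user"], "origin:", e["origin"], "external:", e["external"])
```

Run over the constructed lines, the only login that lands on the review list is alice's, because IMP recorded just the proxy hop for it and the origin is unknown; bob's direct LAN login is classified internal. Feed the function your own log file (and your real proxy addresses) to get the list of users to grep, as the post does, instead of the whole sent-mail tree.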