[horde] How to find the author?

D G Teed donald.teed at gmail.com
Fri Aug 22 15:25:33 UTC 2008


We get compromised accounts from phishing of our users,
so this happens a lot.

I limit the number of recipients SMTP will allow on the Postfix side,
so it will trigger an error when spammers try to send the
usual onslaught.

For webmail 1.1.2 I edited imp/lib/Compose.php to produce an error
in horde.log with the user name who tried to send:

diff Compose.php Compose.php-backup
720,721d719
<                 $usersending = Auth::getAuth();
<                 $entry2 = sprintf("%s Message not sent (spammer?) to
%s from %s", $_SERVER['REMOTE_ADDR'], $recipients, $usersending);
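Review bot: the sprintf() call in this hunk has been wrapped by the mail client, so the format string `"%s Message not sent (spammer?) to` / `%s from %s"` has to be rejoined on a single line before the change can be applied (note also that the diff runs from the edited file to the backup, so these `<` lines are the additions). Confirm that `$recipients` is a plain string at this point in Compose.php: if it is an array, `%s` logs only the word `Array` and the entry loses the recipient list it is meant to record.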
723d720
<                 Horde::logMessage($entry2, __FILE__, __LINE__, PEAR_LOG_INFO);
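Review bot: `PEAR_LOG_INFO` is the lowest priority short of debug, so this entry only reaches horde.log when the configured log level is INFO or DEBUG; a rejected send from a possibly compromised account is exactly the event an operator wants to see, so log it at `PEAR_LOG_WARNING` (or at least `PEAR_LOG_NOTICE`) so it survives a more conservative logging configuration. This line also depends on `$entry2` from the first hunk, so the two hunks must be applied together.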


Then I block that user in Postfix from sending.

Hope this helps.

--Donald


On Wed, Aug 20, 2008 at 6:42 PM, Andrew Morgan <morgan at orst.edu> wrote:
> On Wed, 20 Aug 2008, Luis Zarrabeitia wrote:
>
>> <short story>
>> I have an email (spam) that I must trace back to its author. The email was
>> sent through one of my horde/imp installations, and I'm certain that it was
>> not tampered with after it was sent (I grabbed it out of the mailqueue), so
>> the headers are intact. The spammer, however, seems to have changed the
>> address, so the From: and Return-path: are faked. Is there any log file where
>> I can find the original sender? (i.e., SquirrelMail leaves a header on the
>> message saying who was the original sender). If there is no log by default,
>> is there a way to turn it on?
>> </short story>
>>
>> <long story>
>> I act as a provider for a few faculties at my university. I don't have direct
>> control over those Horde/IMP installations, but upon request, I can access
>> the servers to audit them. I do control the mail gateway they all use (MX and
>> smarthost).
>>
>> It seems that a few days ago, a spammer guessed the password of some of the
>> users, changed their identities, and began using their accounts to send spam.
>> I can notify the affected users that their password has been compromised (and
>> temporarily disable them), if I can learn their identities (usernames). It
>> happened with Horde/IMP and SquirrelMail users; there is a header on
>> squirrelmail generated emails with the real username, but with horde/imp, I
>> haven't managed to find them. So far, my only options are to either block
>> access to the webmails from the internet, or to deny access to the mail relay
>> to the whole faculty.
>> </long story>
>>
>> Any help you can give me would be very appreciated (even hints about how I
>> can configure my postfix to prevent this from happening... perhaps per
>> user/per hour quotas?)
>
> Look at the oldest Received header.  Here is what mine looks like:
>
> Received: from protagonist.ucs.orst.edu (protagonist.ucs.orst.edu
>        [10.192.128.94]) by webmail.oregonstate.edu (Horde MIME library) with HTTP;
>        Wed, 20 Aug 2008 14:37:43 -0700
>
> Then, go dig in the Horde logs to see who logged in from that IP address.
>
> The latest version of Horde includes settings for message rate limiting,
> which would be very useful to prevent this kind of abuse.
>
>        Andy
> --
> Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>
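Andy's Received-header method, worked through as an added example (this is not code from the thread or from Horde): take the oldest Received header of the message, pull out the bracketed client IP, and correlate it with successful logins in horde.log. The message and the log lines are constructed here, and the horde.log line format is an assumption; adjust `LOGIN_SUCCESS` to whatever your own log shows.

```python
import re
from email import message_from_string

# Constructed sample message. Received headers are newest-first, so the last
# one is the oldest: the one the Horde MIME library added when the webmail
# user submitted it (hostname and IP taken from Andy's example above).
SAMPLE_MESSAGE = (
    "Received: from smarthost.example.edu (smarthost.example.edu [192.0.2.10])\n"
    "\tby mx.example.edu (Postfix) with ESMTP; Wed, 20 Aug 2008 14:37:45 -0700\n"
    "Received: from protagonist.ucs.orst.edu (protagonist.ucs.orst.edu\n"
    "\t[10.192.128.94]) by webmail.oregonstate.edu (Horde MIME library) with HTTP;\n"
    "\tWed, 20 Aug 2008 14:37:43 -0700\n"
    "From: forged@example.org\n"
    "\n"
)

# Constructed horde.log lines in the shape of Horde 3 / IMP 4 login messages
# (assumed format; adjust LOGIN_SUCCESS to match what your horde.log shows).
SAMPLE_HORDE_LOG = """\
Aug 20 14:30:02 HORDE [notice] [imp] Login success for alice [198.51.100.7] to {imap.example.edu:143}
Aug 20 14:36:58 HORDE [notice] [imp] Login success for bob [10.192.128.94] to {imap.example.edu:143}
Aug 20 14:37:40 HORDE [notice] [imp] FAILED LOGIN 10.192.128.94 to imap.example.edu:143 as carol
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LOGIN_SUCCESS = re.compile(r"Login success for (\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]")

def origin_ip_from_received(raw_message):
    """Return the client IP recorded in the oldest Received header, or None."""
    received = message_from_string(raw_message).get_all("Received") or []
    # Header folding leaves embedded newlines/tabs; collapse them before matching.
    match = IP_IN_BRACKETS.search(" ".join(received[-1].split())) if received else None
    return match.group(1) if match else None

def logins_from_ip(log_text, ip):
    """Return usernames with a successful Horde login from `ip`, in log order."""
    users = []
    for line in log_text.splitlines():
        m = LOGIN_SUCCESS.search(line)
        if m and m.group(2) == ip:
            users.append(m.group(1))
    return users

def trace_sender(raw_message, log_text):
    """Map a message to the webmail account(s) that logged in from its origin IP."""
    ip = origin_ip_from_received(raw_message)
    # No IP means nothing to correlate; otherwise dedupe while keeping log order.
    return [] if ip is None else list(dict.fromkeys(logins_from_ip(log_text, ip)))
```

Narrow the login window to the Received timestamp when several accounts share an address (NAT, a lab), since the IP alone only tells you which sessions are candidates.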

