[horde] How to find the author?

MailingListe lst_hoe02 at kwsoft.de
Tue Aug 26 07:39:57 UTC 2008


Quoting Luis Zarrabeitia <kyrie at uh.cu>:

>
> <short story>
> I have an email (spam) that I must trace back to its author. The email was
> sent through one of my horde/imp installations, and I'm certain that it was
> not tampered with after it was sent (I grabbed it out of the mailqueue), so
> the headers are intact. The spammer, however, seems to have changed the
> address, so the From: and Return-path: are faked. Is there any log file where
> I can find the original sender? (i.e., SquirrelMail leaves a header on the
> message saying who was the original sender). If there is no log by default,
> is there a way to turn it on?
> </short story>
>
> <long story>
> I act as a provider for a few faculties at my university. I don't have direct
> control over those Horde/IMP installations, but upon request, I can access
> the servers to audit them. I do control the mail gateway they all use (MX and
> smarthost).
>
> It seems that a few days ago, a spammer guessed the password of some of the
> users, changed their identities, and began using their accounts to send spam.
> I can notify the affected users that their password has been compromised (and
> temporarily disable them), if I can learn their identities (usernames). It
> happened with Horde/IMP and SquirrelMail users, there is a header on
> SquirrelMail generated emails with the real username, but with Horde/IMP, I
> haven't managed to find them. So far, my only options are to either block
> access to the webmails from the internet, or to deny access to the mail relay
> to the whole faculty.
> </long story>
>
> Any help you can give me would be very appreciated (even hints about how can I
> configure my postfix to prevent this from happening... perhaps per user/per
> hour quotas?)

Rate-Limiting is *not* a solution to prevent outgoing spam. For
Horde/IMP you should first alter the default setting to prevent your
potentially untrusted users from choosing every mail address they like as
sender. Have a look at horde/config/prefs.php to see how to do it. We have
altered our configuration so that the users are only able to choose
from addresses which are defined as aliases in the MTA routing DB.
If you really want to do it right you should additionally feed output
e-mail through some content-filter and put it on hold if a certain
threshold of spam-score is reached.

Regards

Andreas



-- 
All your trash belong to us ;-)  www.spamschlucker.org
To: stephan at spamschlucker.org
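
One way to express the check described in the reply above (a logged-in user may only send from addresses that are aliases of their own account), as an added example that is not part of the original post and is not Horde or Postfix code. It assumes the MTA routing table can be read as a Postfix virtual(5)-style text map; the map contents and the function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample in the style of a Postfix virtual(5) text map:
# "alias-address   delivery-target[, delivery-target ...]"
SAMPLE_ALIAS_MAP = """\
# alias                      mailbox owner(s)
alice@example.edu            alice
a.smith@example.edu          alice
webmaster@example.edu        alice, bob
bob@example.edu              bob
"""


def load_alias_map(text):
    """Return {login: set of addresses that login may use as sender}."""
    allowed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split(None, 1)      # alias, then the target list
        if len(fields) != 2:
            continue                      # malformed entry: grant nothing
        alias, targets = fields
        for login in targets.split(","):
            login = login.strip().lower()
            if login:
                allowed.setdefault(login, set()).add(alias.lower())
    return allowed


def sender_permitted(allowed, login, from_header):
    """True only if the From: address is an alias of the logged-in user."""
    # parseaddr separates the display name from the address, so an
    # address-looking display name cannot satisfy the check.
    _, addr = parseaddr(from_header)
    if not addr or "@" not in addr:
        return False                      # empty or unparsable From: is refused
    return addr.lower() in allowed.get(login.lower(), set())


if __name__ == "__main__":
    table = load_alias_map(SAMPLE_ALIAS_MAP)
    for login, hdr in [("alice", "Alice Smith <a.smith@example.edu>"),
                       ("bob", "a.smith@example.edu")]:
        print(login, hdr, "->", sender_permitted(table, login, hdr))
```

A message that fails the check can be refused at submission or logged together with the authenticated login, which also answers the original question of who sent it.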



