[horde] Compromised account/Spammer detection hook

Jan Schneider jan at horde.org
Wed Dec 17 23:18:40 UTC 2008


Looks good to me. The only change I personally would make is to attach a  
complete var_dump/print_r of the identities instead of the signatures  
only.
Can you make this a patch against hooks.php.dist?

Quoting Kevin Konowalec <webadmin at ualberta.ca>:

> Hey guys,
>
> Something we're constantly fighting with here is people falling prey  
> to Phishing scams.  We're doing our best to educate our users but  
> invariably someone will send their username and password to Nigeria  
> and before you know it we're getting blocked by ISPs for sending  
> spam.  Horde 3.3 helps a lot in this regard by allowing permissions  
> to be set to limit the number of recipients a message can have and  
> the number of messages that can be sent out during a specified time  
> period.  However, where it was falling short for us was the lack of  
> administrator notification when a user had hit that limit.  We want  
> to be able to detect holed accounts as quickly as possible so we can  
> disable and reset them without further damage being done.  Horde out  
> of the box didn't have this functionality so I grabbed a PHP manual  
> and wrote one myself.
>
> I'm putting this out there to the community so that a) other admins  
> can make use of it if they need something like this but also b)  
> because I'm not a native PHP coder nor am I intimately familiar with  
> the inner workings of the horde codebase so I'm hoping someone might  
> spot something I missed or maybe suggest ways to make the code a  
> little more elegant.
>
> Anyway... this hook detects when a user exceeds the max_timelimit  
> setting and then immediately grabs the contents of their (one or  
> more) signatures (since that's where they usually hide the spam  
> text) and packages it up into an email message to whatever your  
> "problems" email is set up to be.  I also threw in a var dump of the  
> 'confirm_email' field as I found a whole bunch of crap stuffed in  
> there too so I just wanted to cover all the bases.
>
> So here's the code.  Any comments/suggestions would be appreciated.
>
> K
>
>
>
> // Kevin's funky _perms_hook_denied function (/horde/config/hooks.php)
>
> if (!function_exists('_perms_hook_denied')) {
>     function _perms_hook_denied($permission)
>     {
>         // Split "app:perm" into its two parts. $perm stays null when the
>         // permission name carries no application prefix.
>         $perm = null;
>         if (($pos = strpos($permission, ':')) === false) {
>             $app = $permission;
>         } else {
>             $app = substr($permission, 0, $pos);
>             $perm = substr($permission, $pos + 1);
>         }
>
>         // Used in the denial message below; only set for max_timelimit.
>         $timelimit = 0;
>
>         if ($app == 'imp' && $perm == 'max_timelimit') {
>             $user = Auth::getAuth();
>             $old_login = @unserialize($GLOBALS['prefs']->getValue('last_login'));
>             $lastlogin = sprintf("Last login: %s from %s",
>                                  strftime('%c', $old_login['time']),
>                                  $old_login['host']);
>             $timelimit = IMP::hasPermission('max_timelimit');
>
>             // Set up message body here: the signature of every identity,
>             // since that is where the spam text is usually stashed.
>             $ident = @unserialize($GLOBALS['prefs']->getValue('identities'));
>             $ident_dump = '';
>             if (is_array($ident)) {
>                 foreach ($ident as $key => $val) {
>                     $ident_dump .= sprintf("Identity Sig %d -- (%s):\n\n%s\n\n",
>                                            $key, $val['id'], $val['signature']);
>                 }
>             }
>
>             $confirm = @unserialize($GLOBALS['prefs']->getValue('confirm_email'));
>             $confirm_dump = var_export($confirm, true);
>
>             $body = sprintf(
>                 "We have detected a user that has exceeded the threshold for number of messages sent within a 24 hour period.\n"
>                 . "This could be a legitimate user sending a lot of mail, but it could also be a compromised account sending spam.\n"
>                 . "Most of the time the spammers stuff the spam text into user signatures for their own convenience so that's the\n"
>                 . "first place to look.\n\n"
>                 . "The account information follows below:\n\n\n"
>                 . "User ID:  %s\n%s\n\n"
>                 . "Identities Dump:\n================\n\n%s\n\n"
>                 . "Sometimes you get really weird things going on with these guys stuffing spam text into\n"
>                 . "the confirmation email field.  If there's anything there it should appear below.\n\n"
>                 . "Confirm_email dump:\n==================\n\n%s",
>                 $user, $lastlogin, $ident_dump, $confirm_dump);
>
>             require_once 'Horde/MIME/Mail.php';
>
>             $subject = "Message Limit Exceeded for user $user";
>             $email = $GLOBALS['conf']['problems']['email'];
>
>             // The alert goes to, and comes from, the configured "problems" address.
>             $mail = new MIME_Mail(_("[Horde Spammer Alert]") . ' ' . $subject,
>                                   $body, $email, $email, NLS::getCharset());
>             $mail->addHeader('Sender', 'horde-alert@' . $GLOBALS['conf']['problems']['maildomain']);
>
>             $mail_driver = $GLOBALS['conf']['mailer']['type'];
>             $mail_params = $GLOBALS['conf']['mailer']['params'];
>
>             $sent = $mail->send($mail_driver, $mail_params);
>             if (is_a($sent, 'PEAR_Error')) {
>                 Horde::logMessage($sent, __FILE__, __LINE__, PEAR_LOG_ERR);
>             }
>
>             Horde::logMessage(
>                 sprintf("%s Message sent to %s from %s",
>                         $_SERVER['REMOTE_ADDR'],
>                         preg_replace('/^.*<([^>]+)>.*$/', '$1', $email),
>                         preg_replace('/^.*<([^>]+)>.*$/', '$1', $email)),
>                 __FILE__, __LINE__, PEAR_LOG_INFO);
>         }
>
>         // max_timelimit caps the number of messages, not recipients, per period.
>         $message = @htmlspecialchars(
>             sprintf(_("You are not allowed to send more than %d messages within %d hours.  This attempt has been logged and administrators notified."),
>                     $timelimit,
>                     $GLOBALS['conf']['sentmail']['params']['limit_period']),
>             ENT_COMPAT, NLS::getCharset());
>
>         return $message;
>     }
> }
>
> --
> Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>



Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/

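An added example, not code from this thread or from Horde: the report-building part of Kevin's hook pulled out into a plain function that takes the raw preference strings, so it can be run outside Horde against sample data, with Jan's suggestion applied (a var_export of every identity field rather than the signatures alone) and with the case where a preference is empty or not unserializable handled instead of silently producing an empty dump. The function name, its parameter layout and the sample preferences are assumptions; the serialized-array layout of the identities and last_login prefs is taken from the posted hook.

```php
<?php
// Added example (not from the thread or from Horde). Function name,
// parameter layout and the sample data are assumptions; the pref layout
// (serialized arrays for identities and last_login) follows the hook above.
function build_spammer_alert($user, array $prefs, $period_hours = 24)
{
    // Horde stores these prefs serialized; unserialize() returns false on
    // an empty or corrupt value, so every use of the result is guarded.
    $ident   = @unserialize(isset($prefs['identities']) ? $prefs['identities'] : '');
    $login   = @unserialize(isset($prefs['last_login']) ? $prefs['last_login'] : '');
    $confirm = @unserialize(isset($prefs['confirm_email']) ? $prefs['confirm_email'] : '');

    $lastlogin = (is_array($login) && isset($login['time'], $login['host']))
        ? sprintf("Last login: %s from %s", date('r', $login['time']), $login['host'])
        : 'Last login: unknown';

    // Jan's suggestion: dump every field of every identity, not just the
    // signature, so a tampered From or Reply-To address shows up as well.
    $ident_dump = is_array($ident)
        ? var_export($ident, true)
        : '(no identities stored or pref not unserializable)';

    return sprintf(
        "User %s exceeded the sending limit within a %d hour period.\n"
        . "This could be a legitimate user sending a lot of mail, or a compromised account.\n\n"
        . "User ID:  %s\n%s\n\n"
        . "Identities dump:\n================\n%s\n\n"
        . "Confirm_email dump:\n==================\n%s\n",
        $user, $period_hours, $user, $lastlogin, $ident_dump, var_export($confirm, true));
}

// Constructed sample input: one identity whose signature carries a link,
// a last_login record, and an empty confirm_email pref (unserialize -> false).
$sample_prefs = array(
    'identities' => serialize(array(
        array(
            'id'        => 'Default Identity',
            'fullname'  => 'Sample User',
            'from_addr' => 'sampleuser@example.com',
            'signature' => "Sample User\nhttp://example.invalid/special-offer",
        ),
    )),
    'last_login'    => serialize(array('time' => 1229553520, 'host' => '192.0.2.10')),
    'confirm_email' => '',
);

echo build_spammer_alert('sampleuser', $sample_prefs);
```

Because the function only depends on the preference strings, the same report can be generated from a prefs backup when investigating an account after the fact, not only from inside the hook at the moment the limit is hit.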


More information about the horde mailing list