[imp] Unusual outgoing messages
Stephen A. Cochran Lists
stephen.a.cochran.lists at cahir.net
Fri Oct 6 10:21:51 PDT 2006
After some more digging I'm sure now that compose.php is being called
without authenticating:

Seeing the following in the log files:

Oct 06 13:12:23 HORDE [info] [imp] 80.89.179.109 Message sent to
frankandpk at freeuk.com
...
frankbeal at aol.com from Aaron D. Solnit [on line 1063 of "/var/www/html/mail/horde/imp/compose.php"]

But there was no login from Aaron D. Solnit, who is a valid member of
our system. Anyone seen this problem or have any suggestions on how
to close this? Clearly a bad security problem.

Steve Cochran
Dartmouth College

Note: Second strange thing is despite setting the log file location
in the admin setup web page to be /var/log/httpd/horde.log, some info
is still being written to /tmp/horde.log and some is being written
to /var/log/httpd/horde.log. Also changed the log level to info from
debug, but both files still show debug output lines. Very strange.

On Oct 5, 2006, at 4:26 PM, Stephen A. Cochran Lists wrote:
>
> I was looking around our IMP server for the cause of some runaway
> apache processes, and I found some strange messages in the mail
> queue. We don't allow servers or identities to be set by the user.
>
> H??Received: from 80.89.179.109 ([80.89.179.109]) by
> webmail.dartmouth.edu
> (Horde MIME library) with HTTP; Thu, 5 Oct 2006 15:53:12
> -0400
>
> But these messages have a forged from header and are spam. I'm
> wondering how the header might have been forged unless someone is
> posting directly to the compose.php without authenticating first.
> Running Horde 3.1.1 and IMP 4.1.1 (last big security update).
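
The check described in this message, looking for sends in the Horde log that have no matching login, can be scripted. The following is an added example, not part of the original message and not Horde/IMP code: the send-line pattern follows the log entry quoted above, while the login-line pattern, the sample log and the function name `sends_without_login` are assumptions constructed for illustration.

```python
import re

# Send-event shape follows the log line quoted in the post. The login-event
# shape is an ASSUMPTION: adjust LOGIN_RE to what your Horde log really writes.
SEND_RE = re.compile(
    r"\[imp\] (?P<ip>\d+\.\d+\.\d+\.\d+) Message sent to (?P<rcpt>.*?)"
    r" from (?P<sender>.+?) \[on line"
)
LOGIN_RE = re.compile(
    r"\[imp\] Login success for (?P<user>\S+) \[(?P<ip>\d+\.\d+\.\d+\.\d+)\]"
)

# Constructed sample log (documentation addresses, not data from the post).
SAMPLE_LOG = """\
Oct 06 13:01:02 HORDE [notice] [imp] Login success for alice [192.0.2.10] to {localhost:143} [on line 1 of "redirect.php"]
Oct 06 13:02:10 HORDE [info] [imp] 192.0.2.10 Message sent to bob@example.org from alice [on line 1063 of "compose.php"]
Oct 06 13:12:23 HORDE [info] [imp] 198.51.100.7 Message sent to x@example.com, y@example.net from Some User [on line 1063 of "compose.php"]
Oct 06 13:12:40 HORDE [info] [imp] 198.51.100.7 Message sent to z@example.com from Some User [on line 1063 of "compose.php"]
"""


def sends_without_login(log_text):
    """Return (ip, sender, recipient_count) for each send event whose
    source IP has no earlier login event in the same log."""
    logged_in = set()
    suspicious = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logged_in.add(m.group("ip"))
            continue
        m = SEND_RE.search(line)
        if m and m.group("ip") not in logged_in:
            rcpts = [r.strip() for r in m.group("rcpt").split(",")]
            suspicious.append((m.group("ip"), m.group("sender"), len(rcpts)))
    return suspicious


if __name__ == "__main__":
    for ip, sender, n in sends_without_login(SAMPLE_LOG):
        print(f"{ip} sent as {sender!r} to {n} recipient(s) with no prior login")
```

Sessions that began before the start of the log file will also be reported, so run it over a window that covers the full session lifetime.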