[imp] possible bug? or a determined script kiddie?

Michael M Slusarz slusarz at horde.org
Tue May 22 08:59:14 UTC 2007


Quoting "Joseph W. Breu" <breu at cfu.net>:

> We have seen the attacker login to a compromised account and use IMP
> to send a ton of spam.  I haven't been able to track down the attack
> vector and would appreciate any help the community could offer.  If
> this is off-topic, then please delete.
>
> We have seen this in the access_log:
> 81.199.179.7 - - [17/May/2007:07:49:26 -0500] "POST /imp/compose.php?uniq=3gtq9scybhic HTTP/1.0" 200 888 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
> 81.199.179.7 - - [17/May/2007:07:50:01 -0500] "POST /imp/compose.php?uniq=3zsby4nwfug HTTP/1.0" 200 888 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
> 81.199.179.7 - - [17/May/2007:07:50:47 -0500] "GET /imp/compose.php HTTP/1.0" 200 8359 "http://webmail.cfu.net/imp/compose.php?uniq=3zsby4nwfug" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
> 81.199.179.7 - - [17/May/2007:07:50:54 -0500] "GET /imp/compose.php HTTP/1.0" 200 8361 "http://webmail.cfu.net/imp/compose.php?uniq=3gtq9scybhic" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
> 81.199.179.7 - - [17/May/2007:07:51:25 -0500] "GET /imp/expand.php HTTP/1.0" 200 243 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
> 81.199.179.7 - - [17/May/2007:07:51:51 -0500] "POST /imp/compose.php?uniq=wk57zrr0edw HTTP/1.0" 200 8362 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"
> 81.199.179.7 - - [17/May/2007:07:52:13 -0500] "POST /imp/compose.php?uniq=wk57zrr0edw HTTP/1.0" 200 888 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"

Why don't you just disable those accounts that have been compromised
then?  The attack vector is nothing more than 1. login to IMP, 2. send
messages via compose screen.  Nothing too complicated there.  You can
try to rate limit, although it is only available in IMP 4.2.

michael
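As an added example (not part of this thread and not IMP's own code), a small detection script that scans access_log lines like the ones quoted above and flags any source address that submits the compose form repeatedly within a short window, which is the pattern Joseph's excerpt shows. The threshold and window are assumptions, and the 192.0.2.10 line is constructed to show a single ordinary send is not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache "combined" access_log format, as in the excerpt quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return (ip, timestamp, method, path) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # strip the uniq= query string
    return m.group("ip"), ts, m.group("method"), path

def compose_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag source IPs with `threshold` or more POSTs to /imp/compose.php
    inside any `window`; returns {ip: count in that IP's busiest window}."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/imp/compose.php":
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, 0):
                flagged[ip] = count
    return flagged
# The four compose POSTs quoted in the thread plus one constructed
# single-message line from 192.0.2.10 (RFC 5737 documentation range).
SAMPLE_LOG = [
    '81.199.179.7 - - [17/May/2007:07:49:26 -0500] "POST /imp/compose.php?uniq=3gtq9scybhic HTTP/1.0" 200 888 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"',
    '81.199.179.7 - - [17/May/2007:07:50:01 -0500] "POST /imp/compose.php?uniq=3zsby4nwfug HTTP/1.0" 200 888 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"',
    '81.199.179.7 - - [17/May/2007:07:51:51 -0500] "POST /imp/compose.php?uniq=wk57zrr0edw HTTP/1.0" 200 8362 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"',
    '81.199.179.7 - - [17/May/2007:07:52:13 -0500] "POST /imp/compose.php?uniq=wk57zrr0edw HTTP/1.0" 200 888 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 2.0.1)"',
    '192.0.2.10 - - [17/May/2007:08:10:02 -0500] "POST /imp/compose.php?uniq=constructed HTTP/1.0" 200 888 "http://webmail.cfu.net/imp/compose.php" "Mozilla/4.0 (compatible)"',
]

if __name__ == "__main__":
    print(compose_bursts(SAMPLE_LOG))  # {'81.199.179.7': 4}
```

In practice the same check is more useful keyed on the authenticated IMP user (from the application or IMAP logs) rather than the client address, since a compromised account can be driven from many addresses.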
