[imp] IMP Abuse (was Howto remove client IP-Address)

Joseph Brennan brennan at columbia.edu
Tue Dec 18 14:23:09 UTC 2007


Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:

> . . .  Be sure to add some tracking information if you want to be able
> to find out e.g. who spammed through your webmail (we've had some Nigerian
> spammers hacking accounts and spamming last month)

This is an important topic for IMP users.

We've had IMP abuse as well, for what purports to be a British Lotto,
and we've been on the receiving end of the same kind of spam from other
IMP and Squirrelmail installations.

They send a lot of mail very fast.  Clearly it is not hand-typed.  The
spam gang must have software that can submit the necessary form data to
popular webmail software to log in and send mail.  They need an account
and password to do it.  We suspect the source is keyboard loggers
installed in places like Internet cafes.

Since IMP requires a successful login before it will send mail, IMP is
not at fault.  However, it is important to have IMP record what user
sent each message, in order to track down what account has been
compromised and stop further abuse.  We have chosen to insert the user
into an X- header, and to write the user to syslog.  This makes it
simple for our security team to cut off the account that was used.
If you don't do this, your IMP installation will be abused at some
point.  By "a lot of mail" I mean more than 100,000 messages.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
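As an added illustration of the tracking Brennan describes (not code from the post, from IMP, or from Columbia): once the authenticated webmail user is written to syslog, a short script can spot the burst pattern he mentions, many messages sent very fast from one account. The syslog line format below is an assumption constructed for this example, not IMP's real output, and the thresholds are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines. The format is an assumption for this
# example; it is not what IMP actually logs.
SAMPLE_LOG = """\
Dec 18 13:58:10 webmail imp[2314]: login user=alice from=192.0.2.10
Dec 18 13:58:41 webmail imp[2314]: sent user=alice rcpts=1 from=192.0.2.10
Dec 18 14:00:02 webmail imp[2314]: sent user=bob rcpts=5 from=198.51.100.7
Dec 18 14:00:09 webmail imp[2314]: sent user=bob rcpts=5 from=198.51.100.7
Dec 18 14:00:15 webmail imp[2314]: sent user=bob rcpts=5 from=198.51.100.7
Dec 18 14:00:22 webmail imp[2314]: sent user=bob rcpts=5 from=198.51.100.7
Dec 18 14:00:30 webmail imp[2314]: sent user=bob rcpts=5 from=198.51.100.7
Dec 18 14:01:03 webmail imp[2314]: sent user=alice rcpts=2 from=192.0.2.10
"""

SENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ imp\[\d+\]: sent "
    r"user=(?P<user>\S+) rcpts=(?P<rcpts>\d+) from=(?P<ip>\S+)$"
)

def parse_sends(log_text, year=2007):
    """Return (timestamp, user, recipients, ip) for each 'sent' line."""
    events = []
    for line in log_text.splitlines():
        m = SENT_RE.match(line)
        if not m:
            continue  # login lines and anything unrecognised are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], int(m["rcpts"]), m["ip"]))
    return events

def flag_bursts(events, window=timedelta(minutes=5), max_rcpts=20):
    """Sliding-window recipient count per user; flag users over max_rcpts."""
    per_user = defaultdict(list)
    for ts, user, rcpts, _ip in events:
        per_user[user].append((ts, rcpts))
    flagged = {}
    for user, sends in per_user.items():
        sends.sort()
        start, total = 0, 0
        for ts, rcpts in sends:
            total += rcpts
            while sends[start][0] < ts - window:  # drop sends older than window
                total -= sends[start][1]
                start += 1
            if total > max_rcpts:
                flagged[user] = total  # recipients reached within one window
                break
    return flagged
```

The flagged account names are what a security team needs in order to disable the compromised login; the originating IP is kept in each event for the X- header style of tracing the post also mentions.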
