[imp] IMP Abuse (was Howto remove client IP-Address)
Kevin Konowalec
webadmin at ualberta.ca
Tue Dec 18 15:20:58 UTC 2007
This is exactly what we did. Since you can change your "from" and
"reply-to" fields in your identities it became necessary to embed the
user's actual login ID in an X-header so that we can identify the
source of spam. We also took it one step further and added a bit of
code that keeps a running total of the number of recipients a user
has sent to in a given session (stored in the memcache session
variable itself). Then we've set limits so that if a message has
more than 50 recipients per message it will refuse to send it (we
display a message saying that it's much more appropriate to use a
mailman list for messages of that size). Plus if the cumulative
total recipients per session is over 200 it will no longer allow the
user to send mail (until they log in again with a clean session).
We've nailed a whole bunch of spammers with this functionality with
the added bonus of getting people who maintain large mailing lists to
use the list server rather than IMP, which is better for all concerned.
On 18-Dec-07, at 7:23 AM, Joseph Brennan wrote:
>
> Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>
>> . . . Be sure to add some tracking information if you want to be able
>> to find out e.g. who spammed through your webmail (we've had some Nigerian
>> spammers hacking accounts and spamming last month)
>
> This is an important topic for IMP users.
>
> We've had IMP abuse as well, for what purports to be a British Lotto,
> and we've been on the receiving end of the same kind of spam from other
> IMP and Squirrelmail installations.
>
> They send a lot of mail very fast. Clearly it is not hand-typed. The
> spam gang must have software that can submit the necessary form data to
> popular webmail software to log in and send mail. They need an account
> and password to do it. We suspect the source is keyboard loggers
> installed in places like Internet cafes.
>
> Since IMP requires a successful login before it will send mail, IMP is
> not at fault. However it is important to have IMP record what user
> sent each message, in order to track down what account has been
> compromised and stop further abuse. We have chosen to insert the user
> into an X- header, and to write the user to syslog. This makes it
> simple for our security team to cut off the account that was used.
> If you don't do this, your IMP installation will be abused at some
> point. By "a lot of mail" I mean more than 100,000 messages.
>
> Joseph Brennan
> Lead Email Systems Engineer
> Columbia University Information Technology
>
> --
> IMP mailing list - Join the hunt: http://horde.org/bounties/#imp
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
>
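As an added illustration of the controls described in this thread (the authenticated login ID stamped into an X- header, a syslog-style record of each send, and per-message and per-session recipient caps kept in the session), here is a Python sketch of the same logic. It is not IMP/Horde code: the session is assumed to be a plain dict the application persists between requests, and the header name X-Webmail-Login, the session key, the function names and all addresses are hypothetical or constructed.

```python
"""Recipient accounting and sender tagging for a webmail compose step.

Added example modelled on the controls described in the thread; this is not
IMP/Horde code. The session is assumed to be a plain dict the application
persists between requests (the thread keeps it in memcache); the header name,
session key and function names are hypothetical.
"""
import logging
from email.message import EmailMessage
from email.utils import getaddresses

PER_MESSAGE_LIMIT = 50       # refuse a single message with more than 50 recipients
PER_SESSION_LIMIT = 200      # stop sending once the session total would exceed 200
SESSION_COUNTER_KEY = "webmail_recipients_sent"   # hypothetical session key
TRACKING_HEADER = "X-Webmail-Login"                # hypothetical header name

log = logging.getLogger("webmail.compose")


def count_recipients(msg: EmailMessage) -> int:
    """Count distinct addresses across To, Cc and Bcc, case-insensitively."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return len({addr.lower() for _, addr in getaddresses(raw) if addr})


def tag_sender(msg: EmailMessage, login_id: str) -> EmailMessage:
    """Stamp the authenticated login ID into a tracking header.

    From and Reply-To are user-editable identity fields, so they cannot be
    trusted to identify the sender; the login ID can. Any copy of the header
    supplied by the client is dropped first so it cannot be forged.
    """
    del msg[TRACKING_HEADER]        # no-op if the header is absent
    msg[TRACKING_HEADER] = login_id
    return msg


def check_send(session: dict, msg: EmailMessage, login_id: str) -> tuple:
    """Apply the per-message and per-session caps.

    Returns (allowed, reason). When allowed, the session counter is advanced
    and the message is tagged; when refused, neither changes.
    """
    n = count_recipients(msg)
    used = session.get(SESSION_COUNTER_KEY, 0)

    if n > PER_MESSAGE_LIMIT:
        reason = f"{n} recipients exceeds {PER_MESSAGE_LIMIT} per message; use a mailing list"
    elif used + n > PER_SESSION_LIMIT:
        reason = f"session total would reach {used + n}, limit {PER_SESSION_LIMIT}; log in again"
    else:
        reason = "ok"

    # Mirrors the syslog write mentioned in the thread: who, how many, decision.
    log.info("login=%s recipients=%d session_total=%d decision=%s",
             login_id, n, used, "allow" if reason == "ok" else "refuse")

    if reason != "ok":
        return False, reason
    session[SESSION_COUNTER_KEY] = used + n
    tag_sender(msg, login_id)
    return True, reason


def make_message(to, cc=(), sender="someone@example.test") -> EmailMessage:
    """Build a constructed test message (sample addresses, not real users)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg.set_content("hello")
    return msg


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    session = {}
    small = make_message([f"user{i:02d}@example.test" for i in range(3)])
    print(check_send(session, small, "alice"))   # allowed, counter becomes 3
    big = make_message([f"user{i:02d}@example.test" for i in range(51)])
    print(check_send(session, big, "alice"))     # refused: more than 50 in one message
```

The session counter only advances on an accepted send, so a refused message cannot burn the user's quota, and the tracking header is rewritten rather than appended so a client that sends its own X-Webmail-Login cannot shift blame to another account. The log line carries the login ID, not the editable From address, which is what an abuse desk needs to find the compromised account.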