[imp] IMP Abuse (was Howto remove client IP-Address)

Kevin Konowalec webadmin at ualberta.ca
Tue Dec 18 15:28:31 UTC 2007

On 18-Dec-07, at 8:20 AM, Liam Hoekenga wrote:

>> We've had IMP abuse as well, for what purports to be a British Lotto,
>> and we've been on the receiving end of the same kind of spam from other
>> IMP and Squirrelmail installations.
> I'm glad to know we're not the only ones seeing this.
> We've had a dramatic increase of spam coming from compromised accounts
> in our own Horde / IMP installation since this summer.. which has
> resulted in some of our webmail servers being placed on blacklists
> by yahoo, excite, etc.  Very annoying.  Checking the IP addresses of the
> people sending the spam, we're actually being used by Nigerian
> spammers.  It's so cliché.

We had exactly the same problem from the exact same culprits.

>> They send a lot of mail very fast.  Clearly it is not hand-typed.  The
>> spam gang must have software that can submit the necessary form data to
>> popular webmail software to log in and send mail.  They need an account
>> and password to do it.  We suspect the source is keyboard loggers
>> installed in places like Internet cafes.
> What we've noticed in our compromised accounts is that spammers
> generally set up alternate identities, placing the text of the spam in
> the signature for each identity.  We've got a cron job that checks the
> size of our mail queue on each of the webmail servers and it contacts us
> if we've crossed our "acceptable" threshold.  That at least allows us to
> clean it up.. but it would be good to catch it before it gets queued.

That's more or less what we do as well.  In our case we're using
syslog-ng to filter the horde logs and maillogs and compiling graphs
in near-real time which shows us load averages and mail queue sizes
on each machine in our cluster.  If something weird starts going on
we know about it instantly.  Also, further to the last message I just
posted, when a user exceeds their max recipients threshold the admin
is emailed immediately.  We also wrote a small script that will
scrape mail out of the outgoing queue that matches the spammer.

> Is anyone running antispam checks on their outgoing mail?

Not yet but we've been tossing around the idea.

>> Since IMP requires a successful login before it will send mail, IMP is
>> not at fault.  However it is important to have IMP record what user
>> sent each message, in order to track down what account has been
>> compromised and stop further abuse.  We have chosen to insert the user
>> into an X- header, and to write the user to syslog.  This makes it
>> simple for our security team to cut off the account that was used.
>> If you don't do this, your IMP installation will be abused at some
>> point.  By "a lot of mail" I mean more than 100,000 messages
> We insert the user and user agent into our headers.
> What I'd really like is an apache directive that's the opposite of
> "Require user".  We could use "Deny from env=badusers" if SetEnvIf
> actually worked reliably with Remote_User.
> Short of auto_prepending a file that checked a bad user list and denied
> access, does anyone have any suggestions?

We just went the simple route - if we find a spammer, we disable the
ID.  We can look to see the account information and can tell with
pretty much 100% accuracy if the user passes the smell test.  99% of
the time the IP address comes from Nigeria (though we have seen a few
others... Russia... Egypt... etc).  If it turns out to be a legit ID
that has been compromised (we've had that happen as well) the user
simply comes in and sees our abuse team and ID administrator to get
it reinstated.
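The per-user recipient threshold and queue-size alerting described in this thread, as an added illustration that is not code from either poster or from the Horde project. It assumes IMP has been configured to log the authenticated user, recipient count and client IP to syslog (as the thread recommends); the line layout in SAMPLE_LOG is constructed and the field names are assumptions, not the real IMP log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. Field layout is an assumption, not the real
# Horde/IMP syslog format; only user, recipient count and client IP matter.
SAMPLE_LOG = """\
Dec 18 15:20:01 webmail1 imp: user=alice@example.edu recipients=2 client=192.0.2.10
Dec 18 15:20:07 webmail1 imp: user=mallory@example.edu recipients=45 client=203.0.113.7
Dec 18 15:20:09 webmail1 imp: user=mallory@example.edu recipients=48 client=203.0.113.7
Dec 18 15:20:12 webmail1 imp: user=bob@example.edu recipients=1 client=192.0.2.11
Dec 18 15:20:15 webmail1 imp: user=mallory@example.edu recipients=50 client=203.0.113.7
Dec 18 15:31:00 webmail1 imp: user=alice@example.edu recipients=3 client=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ imp: "
    r"user=(?P<user>\S+) recipients=(?P<rcpt>\d+) client=(?P<ip>\S+)$"
)

def parse(log_text, year=2007):
    """Yield (timestamp, user, recipients, client_ip) for each send record.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a send record; other horde/imp lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], int(m["rcpt"]), m["ip"]

def find_abusers(log_text, max_recipients=100, window=timedelta(minutes=10)):
    """Return {user: (peak_recipients_in_window, {client_ips})} for users whose
    recipient total inside any sliding window exceeds max_recipients.
    Assumes the log is in chronological order, as syslog output normally is."""
    recent = defaultdict(deque)   # user -> (ts, rcpt) pairs still in the window
    totals = defaultdict(int)     # user -> recipients summed over that window
    ips = defaultdict(set)        # user -> client IPs seen, for the abuse team
    flagged = {}
    for ts, user, rcpt, ip in parse(log_text):
        q = recent[user]
        q.append((ts, rcpt))
        totals[user] += rcpt
        ips[user].add(ip)
        while q and ts - q[0][0] > window:   # expire sends older than the window
            totals[user] -= q.popleft()[1]
        if totals[user] > max_recipients:
            peak = max(flagged.get(user, (0, None))[0], totals[user])
            flagged[user] = (peak, ips[user])
    return flagged
```

Running this over a tail of the syslog feed from cron, and mailing the admin when `find_abusers` returns anything, gives the "admin is emailed immediately" behaviour before the queue fills.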
