[imp] spammer taking over horde
Marco C. Coelho
maillist1 at argontech.net
Mon Jan 7 14:53:20 UTC 2008
I've got multiple spammers that are relaying through a horde/imp box.
Port 25 is firewalled out, so it has to be the horde scripts. This
is what I see in the horde log: Any help would be appreciated.
*<>SNIP
Jan 03 00:15:22 HORDE [notice] [imp] Login success for justin
[72.251.11.245] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 00:21:07 HORDE [notice] [imp] Login success for justin
[72.251.12.60] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 02:17:45 HORDE [notice] [imp] Login success for tomrosenbeck
[64.202.228.220] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 02:19:50 HORDE [notice] [imp] 64.202.228.229 Your Internet
Address has changed since the beginning of your Mail session. To protect
your security, you must login again. [on line 42 of
"/usr/share/horde/imp/login.php"]
Jan 03 02:23:24 HORDE [notice] [imp] Login success for tomrosenbeck
[64.202.228.229] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 02:28:43 HORDE [notice] [imp] Login success for tomrosenbeck
[64.202.229.129] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 02:30:26 HORDE [notice] [imp] 64.202.228.16 Your Internet Address
has changed since the beginning of your Mail session. To protect your
security, you must login again. [on line 42 of
"/usr/share/horde/imp/login.php"]
Jan 03 02:30:48 HORDE [notice] [imp] Login success for tomrosenbeck
[64.202.227.32] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 03:31:57 HORDE [notice] [imp] Login success for parsons4813
[213.185.118.210] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 03:39:19 HORDE [error] [imp] FAILED LOGIN 213.185.118.210 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as
parsons4813 at argontech.net [on line 258 of
"/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 03:42:00 HORDE [notice] [imp] Login success for parsons4813
[213.185.118.210] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 03:44:14 HORDE [error] [imp] FAILED LOGIN 213.185.118.210 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as
parsons4813 at argontech.net [on line 258 of
"/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 03:45:45 HORDE [error] [imp] FAILED LOGIN 213.185.118.210 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as
parsons4813 at argontech.net [on line 258 of
"/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 03:46:12 HORDE [notice] [imp] Login success for parsons4813
[213.185.118.210] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 03:46:25 HORDE [notice] [imp] Login success for parsons4813
[213.185.118.210] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 03:47:32 HORDE [notice] [imp] Login success for parsons4813
[213.185.118.210] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 03:58:16 HORDE [error] [imp] FAILED LOGIN 81.199.53.20 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as
parsons4813 at argontech.net [on line 258 of
"/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 04:00:32 HORDE [error] [imp] FAILED LOGIN 213.185.118.210 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as ns4813 at argontech.net
[on line 258 of "/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 04:00:50 HORDE [error] [imp] FAILED LOGIN 81.199.53.20 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as
parsons4813 at argontech.net [on line 258 of
"/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 04:03:05 HORDE [error] [imp] FAILED LOGIN 213.185.118.210 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as ns4813 at argontech.net
[on line 258 of "/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 04:08:31 HORDE [error] [imp] FAILED LOGIN 213.185.118.210 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as ns4813 [on line 258
of "/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 04:09:58 HORDE [error] [imp] FAILED LOGIN 213.185.118.210 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as
parsons4813argontech.net [on line 258 of
"/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 04:10:12 HORDE [error] [imp] FAILED LOGIN 81.199.53.20 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as
parsons4813 at argontech.net [on line 258 of
"/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 04:10:32 HORDE [error] [imp] FAILED LOGIN 213.185.118.210 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as
parsons4813 at argontech.net [on line 258 of
"/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 04:12:16 HORDE [error] [imp] FAILED LOGIN 213.185.118.210 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as parsons4813 [on line
258 of "/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 04:12:48 HORDE [notice] [imp] Login success for parsons4813
[213.185.118.210] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 04:13:40 HORDE [notice] [imp] Login success for parsons4813
[81.199.53.20] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 04:13:43 HORDE [error] [imp] FAILED LOGIN 81.199.197.136 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as
parsons4813 at argontech.net [on line 258 of
"/usr/share/horde/imp/lib/Auth/imp.php"]
*<>SNIP
Jan 03 04:50:47 HORDE [emergency] [horde] DB Error: connect failed:
[nativecode=Unable to connect to PostgreSQL server: FATAL: connection
limit exceeded for non-superusers] ** Array [on line 1627 of
"/usr/share/horde/lib/Horde/DataTree/sql.php"]
Jan 03 04:50:47 HORDE [error] [horde] Error writing session data: [on
line 173 of "/usr/share/horde/lib/Horde/SessionHandler/pgsql.php"]
Jan 03 04:50:55 HORDE [emergency] [horde] DB Error: connect failed:
[nativecode=Unable to connect to PostgreSQL server: FATAL: connection
limit exceeded for non-superusers] ** Array [on line 1627 of
"/usr/share/horde/lib/Horde/DataTree/sql.php"]
Jan 03 04:50:55 HORDE [error] [horde] Error writing session data: [on
line 173 of "/usr/share/horde/lib/Horde/SessionHandler/pgsql.php"]
Jan 03 04:50:56 HORDE [emergency] [horde] DB Error: connect failed:
[nativecode=Unable to connect to PostgreSQL server: FATAL: connection
limit exceeded for non-superusers] ** Array [on line 1627 of
"/usr/share/horde/lib/Horde/DataTree/sql.php"]
Jan 03 04:50:56 HORDE [error] [horde] Error writing session data: [on
line 173 of "/usr/share/horde/lib/Horde/SessionHandler/pgsql.php"]
Jan 03 04:51:02 HORDE [emergency] [horde] DB Error: connect failed:
[nativecode=Unable to connect to PostgreSQL server: FATAL: connection
limit exceeded for non-superusers] ** Array [on line 1627 of
"/usr/share/horde/lib/Horde/DataTree/sql.php"]
Jan 03 04:51:02 HORDE [error] [horde] Error writing session data: [on
line 173 of "/usr/share/horde/lib/Horde/SessionHandler/pgsql.php"]
Jan 03 04:51:48 HORDE [error] [imp] FAILED LOGIN 81.199.197.136 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as
parsons4813 at argontech.net [on line 258 of
"/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 04:52:38 HORDE [error] [imp] FAILED LOGIN 81.199.197.136 to
mail.argontech.net:993[imap/ssl/novalidate-cert] as
parsons4813 at argontech.net [on line 258 of
"/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 04:53:25 HORDE [notice] [imp] Login success for parsons4813
[81.199.197.136] to {mail.argontech.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 04:54:04 HORDE [emergency] [horde] DB Error: connect failed:
[nativecode=Unable to connect to PostgreSQL server: FATAL: connection
limit exceeded for non-superusers] ** Array [on line 1627 of
"/usr/share/horde/lib/Horde/DataTree/sql.php"]
Jan 03 04:54:31 HORDE [error] [horde] Error writing session data: [on
line 173 of "/usr/share/horde/lib/Horde/SessionHandler/pgsql.php"]
Jan 03 04:54:31 HORDE [emergency] [horde] DB Error: connect failed:
[nativecode=Unable to connect to PostgreSQL server: FATAL: connection
limit exceeded for non-superusers] ** Array [on line 1627 of
"/usr/share/horde/lib/Horde/DataTree/sql.php"]
Jan 03 04:54:33 HORDE [emergency] [horde] DB Error: connect failed:
[nativecode=Unable to connect to PostgreSQL server: FATAL: connection
limit exceeded for non-superusers] ** Array [on line 1627 of
"/usr/share/horde/lib/Horde/DataTree/sql.php"]
Jan 03 04:54:35 HORDE [emergency] [horde] DB Error: connect failed:
[nativecode=Unable to connect to PostgreSQL server: FATAL: connection
limit exceeded for non-superusers] ** Array [on line 1627 of
"/usr/share/horde/lib/Horde/DataTree/sql.php"]
Jan 03 04:54:35 HORDE [error] [horde] Error writing session data: [on
line 173 of "/usr/share/horde/lib/Horde/SessionHandler/pgsql.php"]
Jan 03 04:56:05 HORDE [emergency] [imp] DB Error: unknown error: UPDATE
horde_prefs SET pref_value = 'a:7:{i:0;a:14:{s:2:"id";s:16:"Default
Identity";s:8:"fullname";s:19:"Mr. Thomas
Williams";s:9:"from_addr";s:24:"thomas_williams at hscb.com";s:12:"replyto_addr";s:31:"thomas_williams_02 at yahoo.com.hk";s:10:"alias_addr";a:0:{}s:10:"tieto_addr";a:0:{}s:8:"bcc_addr";a:0:{}s:8:"mail_hdr";s:0:"";s:9:"signature";s:4287:"Dear
Friend, ^M
^M
Good fortune has blessed you with a name that has planted you into the
center ^M
of relevance in my life. I would respectfully request that you keep the
content ^M
of this mail confidential because of its nature and respect the
integrity of ^M
this information. I also will not want you to read through this mail in a ^M
hurry.Please take your time to read it.First of all I''ll like to
introduce ^M
myself and status, I am Thomas Williams, staff of International Private
Banking ^M
at HSBC Bank London. I am contacting you concerning a deceased customer
and a ^M
financial portfolio of $8.5m United state dollars, which he placed under
HSBC ^M
Bank managements two years ago for turn over on his behalf. ^M
^M
As the Chief Operations Officer of the private banking sector, I
encouraged the ^M
deceased on his arrival to our bank on various growth of fund with prime ^M
ratings.The favoured route in my advice to him was accessing data on 6000 ^M
traditional stocks and bond management.Based on my advise, attractive
margins ^M
accrued profit and interest stood at over $10m United States dollars,this ^M
margin was not the full potential of the fund but he desired low risk ^M
guaranteed returns on investment. Early 2004 my client asked that the
money be ^M
liquidated because of an urgent investment requiring cash payments here
in ^M
United Kingdom, and that the liquidated fund be deposited in CORPORATE ^M
SECURITIES CO, a security consulting firm based in London who are
specialist ^M
private firm that accepts deposits from high net worth individuals and
blue ^M
chip corporations that handle valuable products and undertake
transactions that ^M
need immediate access to cash. This order was given to me in
anticipation of ^M
his a! ^M
rrival from Norway later that week, this was the last communication we
had. ^M
^M
Sometimes this year I got a call from CORPORATE SECURITIES CO. informing
me of ^M
the inactivity of the portfolio, since I was the only one who knew about
the ^M
deposit, I immediately passed the task of locating my client to the
Internal ^M
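In the log above, a single account logs in successfully from several unrelated networks within minutes, interleaved with failed attempts. The following is an added example, not part of the original post and not Horde code: it parses IMP login entries in that format and lists accounts whose successful logins span more than one network. The sample log is constructed (documentation-range IPs, made-up accounts and host), and grouping addresses by their first two octets is an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the Horde log format quoted above: wrapped entries,
# documentation-range IPs, made-up accounts and host.
SAMPLE_LOG = """\
Jan 03 03:31:57 HORDE [notice] [imp] Login success for alice
[192.0.2.10] to {mail.example.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 03:39:19 HORDE [error] [imp] FAILED LOGIN 198.51.100.7 to
mail.example.net:993[imap/ssl/novalidate-cert] as alice@example.net
[on line 258 of "/usr/share/horde/imp/lib/Auth/imp.php"]
Jan 03 03:42:00 HORDE [notice] [imp] Login success for alice
[198.51.100.7] to {mail.example.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
Jan 03 03:50:11 HORDE [notice] [imp] Login success for bob
[192.0.2.44] to {mail.example.net:993} [on line 154 of
"/usr/share/horde/imp/redirect.php"]
"""

ENTRY_START = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} HORDE ", re.M)
SUCCESS = re.compile(r"Login success for (\S+) \[([\d.]+)\]")
FAILED = re.compile(r"FAILED LOGIN ([\d.]+) to \S+ as (\S+)")

def parse_events(text):
    """Yield (timestamp, kind, user, ip) for each IMP login entry."""
    starts = [m.start() for m in ENTRY_START.finditer(text)]
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        entry = " ".join(text[begin:end].split())  # undo line wrapping
        stamp = entry[:15]                         # "Mon DD HH:MM:SS"
        if m := SUCCESS.search(entry):
            yield stamp, "ok", m.group(1), m.group(2)
        elif m := FAILED.search(entry):
            # Failed logins record user@domain; keep the local part only.
            yield stamp, "fail", m.group(2).split("@")[0], m.group(1)

def suspicious_accounts(text, min_networks=2):
    """Accounts with successful logins from >= min_networks address prefixes."""
    nets, fails = defaultdict(set), defaultdict(int)
    for _, kind, user, ip in parse_events(text):
        if kind == "ok":
            nets[user].add(".".join(ip.split(".")[:2]))  # assumed grouping
        else:
            fails[user] += 1
    return {u: {"networks": sorted(n), "failures": fails[u]}
            for u, n in nets.items() if len(n) >= min_networks}
```

Accounts it returns are candidates for a password reset and a review of their stored identities and signatures in `horde_prefs`, the table the log shows being rewritten with spam text.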