[imp] Spamming using imp?

Rajkumar S rajkumars at asianetindia.com
Tue Feb 12 11:03:54 UTC 2008


Hello,

In the past couple of days there has been some spamming via web mail
login. The Horde logs show the following entries.

Feb 12 11:53:05 HORDE [error] [imp] FAILED LOGIN 80.255.59.243
(forwarded for [172.16.1.14]) to xx.xx.xx.xx:153[imap/notls] as
user1 at domain.com [on line 258 of
"/var/www/webmail/imp/lib/Auth/imp.php"]

Feb 12 11:53:39 HORDE [error] [imp] FAILED LOGIN 80.255.59.243
(forwarded for [172.16.1.14]) to xx.xx.xx.xx:153[imap/notls] as
user2 at domain.com [on line 258 of
"/var/www/webmail/imp/lib/Auth/imp.php"]

There have been some brute force successes and the headers of the mail show

Received: (qmail 2818 invoked from network); 4 Feb 2008 11:07:32 -0000
Received: from xx.xx.xx.xx (HELO
webmail.mydomain.com) ([xx.xx.xx.xx])
         (envelope-sender <info at yahoo.com>)
         by my.server.com (qmail-ldap-1.03) with SMTP
         for <rloke74 at aol.com>; 4 Feb 2008 11:07:32 -0000
Received: from 172.16.1.14 (172.16.1.14 [172.16.1.14]) by
       webmail.mydomain.com (Horde MIME library) with HTTP; Mon,
04 Feb 2008 16:37:30 +0530
Message-ID: <20080204163730.hjp0k1hsocs8g48k at webmail.mydomain.com>
Date: Mon, 04 Feb 2008 16:37:30 +0530
From: AUSSIE INTERNATIONAL COMPANY <info at yahoo.com>
Reply-to: aussieclaimes10 at yahoo.com.hk
To: undisclosed-recipients:;
Subject:
MIME-Version: 1.0
Content-Type: text/plain;
       charset=ISO-8859-1;
       DelSp="Yes";
       format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Internet Messaging Program (IMP) H3 (4.1.3)
X-AuthUser: user2 at domain.com

The interesting part is this line:

Received: from 172.16.1.14 (172.16.1.14 [172.16.1.14]) by
       webmail.mydomain.com (Horde MIME library) with HTTP; Mon,

There is no 172.16.1.14 in our network, but the attacker has managed
to make Horde lib put wrong header information.

If I am correct there are some crawlers exploiting Horde webmail to
send out spam. Anyone else seeing this same attack?

raj
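The two signals in this post are a brute-force pattern (one source address trying many accounts) and a "forwarded for" address that does not belong to the local network, which is what you get when the value comes from a client-supplied X-Forwarded-For header rather than from a trusted proxy. The following is an added example, not code from the original post or from the Horde project: it parses IMP FAILED LOGIN lines of the format quoted above, counts failures per real source address, and flags forwarded-for addresses outside an allowlist of known internal proxy networks. The log line regex, the LOCAL_NETS allowlist, the threshold of three failures and the extra sample lines are all assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the IMP "FAILED LOGIN" line format quoted in the post. The
# "(forwarded for [...])" part is optional: assumed to be present only when the
# HTTP request carried an X-Forwarded-For header.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) HORDE \[error\] \[imp\] FAILED LOGIN "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"          # real TCP peer address
    r"(?: \(forwarded for \[(?P<fwd>[^\]]*)\]\))?"  # client-controlled value
    r" to (?P<dst>\S+) as (?P<user>.+?) \[on line"
)

# Assumed allowlist: the networks of the site's own reverse proxies. Note that
# 172.16.1.14 is RFC 1918 space, but the poster says it is not in their network,
# so the allowlist must be the real proxy networks, not "any private address".
LOCAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]

# Constructed sample log: the two lines from the post plus three made-up ones.
SAMPLE_LOG = [
    'Feb 12 11:53:05 HORDE [error] [imp] FAILED LOGIN 80.255.59.243 (forwarded for [172.16.1.14]) to xx.xx.xx.xx:153[imap/notls] as user1 at domain.com [on line 258 of "/var/www/webmail/imp/lib/Auth/imp.php"]',
    'Feb 12 11:53:39 HORDE [error] [imp] FAILED LOGIN 80.255.59.243 (forwarded for [172.16.1.14]) to xx.xx.xx.xx:153[imap/notls] as user2 at domain.com [on line 258 of "/var/www/webmail/imp/lib/Auth/imp.php"]',
    # constructed: third attempt from the same source against yet another account
    'Feb 12 11:54:02 HORDE [error] [imp] FAILED LOGIN 80.255.59.243 (forwarded for [172.16.1.14]) to xx.xx.xx.xx:153[imap/notls] as user3 at domain.com [on line 258 of "/var/www/webmail/imp/lib/Auth/imp.php"]',
    # constructed: one typo by a legitimate user behind the site's own proxy
    'Feb 12 12:10:11 HORDE [error] [imp] FAILED LOGIN 10.0.0.5 (forwarded for [10.0.1.20]) to xx.xx.xx.xx:153[imap/notls] as alice at domain.com [on line 258 of "/var/www/webmail/imp/lib/Auth/imp.php"]',
    # constructed: a non-failure line the parser must ignore
    'Feb 12 12:11:00 HORDE [notice] [imp] Login success for alice at domain.com [10.0.0.5] [on line 249 of "/var/www/webmail/imp/lib/Auth/imp.php"]',
]


def parse_failed_login(line):
    """Return ts/src/fwd/dst/user for a FAILED LOGIN line, or None otherwise."""
    m = FAILED_LOGIN_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The list archive rewrites "@" as " at "; undo that so users compare cleanly.
    rec["user"] = rec["user"].replace(" at ", "@")
    return rec


def analyze(lines, local_nets=LOCAL_NETS, threshold=3):
    """Count failures per real source and flag forwarded-for values outside local_nets."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    failures = defaultdict(int)
    users = defaultdict(set)
    spoofed = set()
    for line in lines:
        rec = parse_failed_login(line)
        if rec is None:
            continue
        failures[rec["src"]] += 1
        users[rec["src"]].add(rec["user"])
        fwd = rec["fwd"]
        if fwd:
            try:
                addr = ipaddress.ip_address(fwd)
            except ValueError:
                # Not even an IP address: clearly client-supplied garbage.
                spoofed.add((rec["src"], fwd))
                continue
            if not any(addr in n for n in nets):
                spoofed.add((rec["src"], fwd))
    brute = sorted(src for src, n in failures.items() if n >= threshold)
    return {
        "failures": dict(failures),
        "users": {src: sorted(u) for src, u in users.items()},
        "brute_force_sources": brute,
        "spoofed_forwarded_for": sorted(spoofed),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src in report["brute_force_sources"]:
        print(f"brute force from {src}: {report['failures'][src]} failures, "
              f"users {report['users'][src]}")
    for src, fwd in report["spoofed_forwarded_for"]:
        print(f"{src} claimed forwarded-for {fwd}, which is not a local proxy")
```

The real peer address (`src`) is the one worth blocking or rate-limiting; the forwarded-for value is only evidence, never a key, because the client can set it to anything. The same allowlist logic applies to the Received header IMP adds to outgoing mail: if the application copies a forwarded-for value into that header, a bogus internal address there says nothing about where the message really came from.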

