[imp] Spamming using imp?
Matus UHLAR - fantomas
uhlar at fantomas.sk
Tue Feb 12 17:10:35 UTC 2008
On 12.02.08 16:33, Rajkumar S wrote:
> In the past couple of days there has been some spamming via web mail
> login. The horde logs show the following entries.
>
> Feb 12 11:53:05 HORDE [error] [imp] FAILED LOGIN 80.255.59.243
> (forwarded for [172.16.1.14]) to xx.xx.xx.xx:153[imap/notls] as
> user1 at domain.com [on line 258 of
> "/var/www/webmail/imp/lib/Auth/imp.php"]
>
> Feb 12 11:53:39 HORDE [error] [imp] FAILED LOGIN 80.255.59.243
> (forwarded for [172.16.1.14]) to xx.xx.xx.xx:153[imap/notls] as
> user2 at domain.com [on line 258 of
> "/var/www/webmail/imp/lib/Auth/imp.php"]
We noticed the same problem; mostly the passwords were weak, if not stupid
(e.g. the same as the login name).
> Received: from 172.16.1.14 (172.16.1.14 [172.16.1.14]) by
> webmail.mydomain.com (Horde MIME library) with HTTP; Mon,
>
> There is no 172.16.1.14 in our network, but the attacker has managed
> to make Horde lib put wrong header information.
Horde just takes X-Forwarded-For without checking its content.
See http://bugs.horde.org/ticket/?id=6133, which I filed.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 your friends - let them see what an idiot you are
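
Added example, not part of the original post and not Horde's code: a log check that attributes each FAILED LOGIN entry to the connecting address and honours the "forwarded for" value only when the connection came from a known reverse proxy. It assumes the first address in the entry is the TCP peer and the bracketed one is the client-supplied X-Forwarded-For; the proxy address, threshold and sample entries are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the log format quoted above (documentation addresses).
_TAIL = ' [on line 258 of "/var/www/webmail/imp/lib/Auth/imp.php"]'
_ROWS = [
    ("203.0.113.7", "172.16.1.14", "user1@example.com"),
    ("203.0.113.7", "172.16.1.14", "user2@example.com"),
    ("203.0.113.7", "10.9.8.7", "user3@example.com"),
    ("192.0.2.1", "198.51.100.20", "alice@example.com"),  # via the real proxy
]
SAMPLE_LOG = "\n".join(
    f"Feb 12 11:5{i}:05 HORDE [error] [imp] FAILED LOGIN {peer} "
    f"(forwarded for [{xff}]) to 192.0.2.10:143[imap/notls] as {user}{_TAIL}"
    for i, (peer, xff, user) in enumerate(_ROWS)
)
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.1")}  # hypothetical reverse proxy

ENTRY = re.compile(
    r"FAILED LOGIN (?P<peer>\S+)(?: \(forwarded for \[(?P<xff>[^\]]*)\]\))?"
    r" to \S+ as (?P<user>.+?)(?: \[on line|$)"
)

def effective_client(peer, xff, trusted):
    """Address to attribute an attempt to: the peer, unless it is a trusted proxy."""
    peer_ip = ipaddress.ip_address(peer)
    if xff and peer_ip in trusted:
        try:  # the rightmost entry is the one the trusted proxy appended
            return ipaddress.ip_address(xff.split(",")[-1].strip())
        except ValueError:
            pass  # malformed header: fall back to the peer
    return peer_ip

def report(log_text, trusted=TRUSTED_PROXIES, threshold=3):
    """Sources that failed logins for >= threshold distinct users, plus the
    X-Forwarded-For values they supplied that were ignored as untrusted."""
    users, ignored = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        src = effective_client(m["peer"], m["xff"], trusted)
        users[src].add(m["user"])
        if m["xff"] and ipaddress.ip_address(m["peer"]) not in trusted:
            ignored[src].add(m["xff"])
    return {str(ip): {"users": sorted(u), "ignored_xff": sorted(ignored[ip])}
            for ip, u in users.items() if len(u) >= threshold}

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```
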