[imp] Spamming using imp?

Rajkumar S rajkumars at asianetindia.com
Wed Feb 13 06:48:21 UTC 2008


On Feb 12, 2008 10:40 PM, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
> On 12.02.08 16:33, Rajkumar S wrote:
> > In the past couple of days there has been some spamming via web mail
> > login. The horde logs show the following entries.
> >
> > Feb 12 11:53:05 HORDE [error] [imp] FAILED LOGIN 80.255.59.243
> > (forwarded for [172.16.1.14]) to xx.xx.xx.xx:153[imap/notls] as
> > user1 at domain.com [on line 258 of
> > "/var/www/webmail/imp/lib/Auth/imp.php"]
> >
> > Feb 12 11:53:39 HORDE [error] [imp] FAILED LOGIN 80.255.59.243
> > (forwarded for [172.16.1.14]) to xx.xx.xx.xx:153[imap/notls] as
> > user2 at domain.com [on line 258 of
> > "/var/www/webmail/imp/lib/Auth/imp.php"]
>
> We noticed the same problem, mostly the passwords were weak, if not stupid
> (e.g. the same as the login name)

Same here, accounts with same username and password. Are they using
some sort of robot targeting Imp to spam? The user agents show Opera.

> > Received: from 172.16.1.14 (172.16.1.14 [172.16.1.14]) by
> >        webmail.mydomain.com (Horde MIME library) with HTTP; Mon,
> >
> > There is no 172.16.1.14 in our network, but the attacker has managed
> > to make Horde lib put wrong header information.
>
> Horde just takes X-Forwarded-For without checking its content.
> See http://bugs.horde.org/ticket/?id=6133 which I filed.

OK. Anyway, it seems the only workaround now is to disable accounts
with the same username and password.

raj
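
A log check for the pattern discussed in this thread, added here as an example and not part of the original messages or of Horde: it groups IMP FAILED LOGIN entries by connecting address, reports addresses that tried several accounts, and flags entries where a public peer supplied a non-public "forwarded for" value, which is client-controlled when taken from X-Forwarded-For unchecked. The function names, the threshold and the third sample line are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the first two entries follow the log lines quoted in the
# thread (wrapped lines joined, server address masked as posted); the third is
# invented, and its form without a forwarded-for part is an assumption.
_TAIL = ' [on line 258 of "/var/www/webmail/imp/lib/Auth/imp.php"]'
_DEST = " to xx.xx.xx.xx:153[imap/notls] as "
SAMPLE_LOG = "\n".join([
    "Feb 12 11:53:05 HORDE [error] [imp] FAILED LOGIN 80.255.59.243"
    " (forwarded for [172.16.1.14])" + _DEST + "user1 at domain.com" + _TAIL,
    "Feb 12 11:53:39 HORDE [error] [imp] FAILED LOGIN 80.255.59.243"
    " (forwarded for [172.16.1.14])" + _DEST + "user2 at domain.com" + _TAIL,
    "Feb 12 12:10:02 HORDE [error] [imp] FAILED LOGIN 192.0.2.10"
    + _DEST + "user3 at domain.com" + _TAIL,
])

LINE_RE = re.compile(
    r"FAILED LOGIN (?P<peer>\S+)"
    r"(?: \(forwarded for \[(?P<fwd>[^\]]*)\]\))?"
    r" to \S+ as (?P<user>.+?) \[on line"
)

def is_public(addr):
    """True only for a parsable, globally routable IP address."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False  # garbage in the header is treated as untrustworthy

def analyse(log_text, min_users=2):
    """Return (peers that failed logins for >= min_users accounts,
    sorted (peer, forwarded-for) pairs whose header value needs review)."""
    users_by_peer = defaultdict(set)
    suspect_headers = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        peer, fwd, user = m["peer"], m["fwd"], m["user"]
        users_by_peer[peer].add(user)  # key on the TCP peer, not the header
        if fwd and is_public(peer) and not is_public(fwd):
            suspect_headers.add((peer, fwd))
    multi = {p: sorted(u) for p, u in users_by_peer.items() if len(u) >= min_users}
    return multi, sorted(suspect_headers)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A flagged header is a reason to look at the connecting address, not proof of forgery, since a real proxy can legitimately forward a private client address.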

