[imp] Spam issues, need help.

Dos Wizard magician at euretirio.gr
Tue Jun 10 16:21:23 UTC 2008


What I can't understand is the following: how on earth did they
successfully spoof their IP address and carry out the following scam?
(Actually this is the message which has doomed the system over the last few
days.) What have I missed that let them create such a mess? (I was never
able to obtain a full original copy of the message, so I had to find it
in a Google cache.)

From info at yahoo.com  Fri Jun  6 00:48:08 2008
Received: from epicurus.vip.gr (epicurus.vip.gr [*88.198.10.6*]) by
  public.com (8.12.11/8.12.10) with ESMTP id m564kk2g054089 for
  poopypants.com>; Fri, 6 Jun 2008 00:48:08 -0400 (EDT)
Received: from epicurus.vip.gr (localhost [127.0.0.1]) by epicurus.vip.gr
  (Postfix) with ESMTP id CD226303CE7; Fri, 6 Jun 2008 03:52:39 +0200 (CEST)
Received: by epicurus.vip.gr (Postfix, from userid 462) id 6082F2EB7B2;
  Fri, 6 Jun 2008 03:52:35 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by epicurus.vip.gr
  (Postfix) with ESMTP id 69AEF303CCD; Fri, 6 Jun 2008 03:52:29 +0200 (CEST)
Received: from 192.168.0.31 (192.168.0.31 [192.168.0.31]) by www.vip.gr
  (Horde MIME library) with HTTP; Fri, 06 Jun 2008 03:52:28 +0200
Message-ID: <20080606035228.jv8c4bx3ac48k0c8 at www.vip.gr>
Date: Fri, 06 Jun 2008 03:52:28 +0200
From: "Mrs. Virgil Storrs" yahoo.com>
Reply-To: fedex_delivery71 at yahoo.com.hk


Michael Menge wrote:
> Quoting Dos Wizard <magician at euretirio.gr>:
>
>   
>> Hello,
>>
> >> I am running a free webmail service based on IMP, and while I have
> >> successfully controlled incoming spam at the mail server level, I have
> >> issues with outgoing spam; that is, someone is attempting to use an
> >> automated bot process to send outgoing spam via Horde.
>>
> >> Now, I would probably need the following measures:
> >> a) To use a captcha on the Horde login box. Is there any mod around for
> >> that, or should I alter the code myself?
> >> b) To call spamc directly from Horde for each mail sent, to block
> >> whatever SpamAssassin can block as spam.
> >> c) To put in a delay routine which would allow only one mail per two
> >> minutes to be sent per account.
> >> d) To adjust a setting to disallow someone replacing the sender e-mail
> >> given by the service, i.e. instead of sending as <user>@<myfreemail>.tld,
> >> changing it to <myspamname>@<myspamdomain>.tld.
>>
> >> The problem is that users sometimes have stupid passwords like 1234 or
> >> 12345, making it very easy for a spammer to break into accounts with a
> >> trivial automated bot process.
>>
> >> Now, what I need:
> >> for (a): someone to point out where in the code the IMAP
> >> authentication routine is (to alter it), or whether there's a mod around for that.
> >> for (b) and (c): where in the code the routine is which connects to IMAP
> >> to send mails.
> >> for (d): which setting it is (obvious).
>>
>>     
> I can't help with (a), but:
>
> (b) IMP sends e-mails by calling sendmail (or any program which
> accepts the same options) or by talking to an SMTP server. You can use
> a wrapper script to pass the e-mail to spamc before sending it to
> sendmail, or you can set up your SMTP server to scan e-mails coming from
> your IMP server.
>
> (c) The new Horde 3.2 and IMP 4.2 have this feature built in.
>
> (d) You can lock your $_prefs['from_addr'] in horde/configs/prefs.php
> or you can
> patch horde/templates/prefs/text.inc
>
> --- text.inc.orig       2007-12-20 16:04:04.000000000 +0100
> +++ text.inc    2008-06-09 15:03:27.000000000 +0200
> @@ -1,2 +1,6 @@
>   <?php echo Horde::label($pref, $_prefs[$pref]['desc']) ?>&nbsp;<?php  
> echo $helplink ?><br />
> -<input id="<?php echo $pref ?>" name="<?php echo $pref ?>" size="30"  
> maxlength="60" value="<?php echo  
> htmlspecialchars($prefs->getValue($pref)) ?>" /><br />
> +<input id="<?php echo $pref ?>" name="<?php echo $pref ?>" size="30"  
> maxlength="60" value="<?php echo  
> htmlspecialchars($prefs->getValue($pref)) ?>"
> +//[begin]Don't allow to edit from_addr
> +<?php if($pref=='from_addr') echo 'readonly'; ?>
> +//[end]
> +/><br />
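Review bot: the `readonly` added to the `<input>` in this hunk is a browser-side hint only; whatever handles the submitted preferences form still accepts a posted `from_addr`, so a bot that POSTs the form directly (or a user who strips the attribute in the browser) can still change the address. The server-side lock of `$_prefs['from_addr']` in horde/configs/prefs.php mentioned under (d) is the enforcing control; treat this template change as a display convenience layered on top of it, not a replacement. Also, the `+//[begin]Don't allow to edit from_addr` and `+//[end]` lines sit outside `<?php ... ?>`, so they are not PHP comments but literal text that ends up in the HTML between the `value="..."` attribute and the closing `/>`; write them as `<?php /* Don't allow editing from_addr */ ?>` or drop them.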
>
> The patch has the advantage that the from_addr is still shown on the
> identity page. Both ways disallow editing of the from_addr
> completely, so you must put it in the prefs for your users.
>
> Regards
>
>         Michael
>
> --------------------------------------------------------------------------------
> M.Menge                                 Tel.: (49) 7071/29-70316
> Universitaet Tuebingen                  Fax.: (49) 7071/29-5912
> Zentrum fuer Datenverarbeitung          mail:  
> michael.menge at zdv.uni-tuebingen.de
> Waechterstrasse 76
> 72074 Tuebingen
>   
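Read from the bottom up, the Received: chain quoted at the top of this message does not show a spoofed IP at all: the first hop is "by www.vip.gr (Horde MIME library) with HTTP" from 192.168.0.31, i.e. the message was submitted through the Horde webmail itself, and the From: header was simply set to a yahoo.com address while Horde minted the Message-ID under www.vip.gr. The abused credential is a webmail login (which fits the weak-password problem described in the original post), not the network path. The following Python walks that chain programmatically; it is an added example, not code from this thread or from Horde. The sample headers are a constructed copy of the quoted ones with the archive's "at" obfuscation undone and the mbox "From " line dropped; the From: local part is taken from that mbox line.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the post above (obfuscation undone,
# mbox "From " line removed so the stdlib parser accepts it).
SAMPLE = """\
Received: from epicurus.vip.gr (epicurus.vip.gr [88.198.10.6]) by
 public.com (8.12.11/8.12.10) with ESMTP id m564kk2g054089;
 Fri, 6 Jun 2008 00:48:08 -0400 (EDT)
Received: from epicurus.vip.gr (localhost [127.0.0.1]) by epicurus.vip.gr
 (Postfix) with ESMTP id CD226303CE7; Fri, 6 Jun 2008 03:52:39 +0200 (CEST)
Received: by epicurus.vip.gr (Postfix, from userid 462) id 6082F2EB7B2;
 Fri, 6 Jun 2008 03:52:35 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by epicurus.vip.gr
 (Postfix) with ESMTP id 69AEF303CCD; Fri, 6 Jun 2008 03:52:29 +0200 (CEST)
Received: from 192.168.0.31 (192.168.0.31 [192.168.0.31]) by www.vip.gr
 (Horde MIME library) with HTTP; Fri, 06 Jun 2008 03:52:28 +0200
Message-ID: <20080606035228.jv8c4bx3ac48k0c8@www.vip.gr>
Date: Fri, 06 Jun 2008 03:52:28 +0200
From: "Mrs. Virgil Storrs" <info@yahoo.com>
Reply-To: fedex_delivery71@yahoo.com.hk

(body omitted)
"""

# "from HOST (HELO [IP]) by HOST ... with PROTO"; the from-clause is absent on
# hops injected by a local program ("by host (Postfix, from userid 462)").
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<from>\S+)\s+(?:\((?P<helo>[^)]*)\)\s+)?)?"
    r"by\s+(?P<by>\S+)(?:.*?\bwith\s+(?P<with>[A-Za-z0-9-]+))?",
    re.I,
)


def parse_received(value):
    """Split one Received: value into from/helo/ip/by/with (None when absent)."""
    flat = " ".join(value.split())  # unfold continuation lines
    hop = {"from": None, "helo": None, "by": None, "with": None, "ip": None, "raw": flat}
    m = RECEIVED_RE.match(flat)
    if m:
        hop.update(m.groupdict())
        ip = re.search(r"\[([0-9.]+)\]", hop["helo"] or "")
        hop["ip"] = ip.group(1) if ip else None
    return hop


def analyze(raw_message):
    """Each relay prepends its Received: line, so the LAST one is the first hop:
    the point where the message entered the mail system."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = hops[-1] if hops else parse_received("")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mid = re.search(r"@([^>\s]+)", msg.get("Message-ID", "") or "")
    msgid_domain = mid.group(1).lower() if mid else ""
    return {
        "hops": hops,
        "origin_ip": origin["ip"],
        "origin_private": bool(origin["ip"]) and ipaddress.ip_address(origin["ip"]).is_private,
        "origin_via_http": (origin["with"] or "").upper() == "HTTP",
        "origin_server": origin["by"],
        "from_domain": from_domain,
        "msgid_domain": msgid_domain,
        # The webmail mints the Message-ID under its own host name; a From:
        # domain unrelated to it means the sender address was replaced.
        "from_domain_is_local": msgid_domain == from_domain
        or msgid_domain.endswith("." + from_domain),
    }


def verdict(result):
    """One-line triage reading of analyze()'s output."""
    kind = "private/LAN" if result["origin_private"] else "public"
    if result["origin_via_http"]:
        line = ("submitted over HTTP through the webmail on %s from the %s address %s;"
                " the abused credential is a webmail login, not a spoofed network path"
                % (result["origin_server"], kind, result["origin_ip"]))
    else:
        line = "handed in by %s at %s" % (result["origin_ip"], result["origin_server"])
    if not result["from_domain_is_local"]:
        line += ("; From: claims %s while the Message-ID was minted at %s, so the"
                 " sender header was replaced" % (result["from_domain"], result["msgid_domain"]))
    if result["origin_private"]:
        line += "; a LAN address here usually means a proxy/NAT sits in front, so the real client IP is in the web server logs"
    return line


if __name__ == "__main__":
    print(verdict(analyze(SAMPLE)))
```

The private 192.168.0.31 in the first hop is the one caveat worth acting on: Horde records the address it saw, and if the webmail sits behind a reverse proxy or NAT that is the proxy's address, so the attacker's real client IP has to be correlated from the web server's access log at 03:52:28 +0200.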

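Michael's suggestion under (b), a wrapper placed where IMP expects the sendmail binary, can also carry the per-account delay asked for under (c) in the original post. The following is an added example, not Horde's code or anything from the thread: a sendmail-compatible program that reads the message from stdin, enforces one message per two minutes per envelope sender (taken from the standard -f option), asks `spamc -c` for a verdict, and only then execs the real sendmail with the original arguments. REAL_SENDMAIL, STATE_FILE and the choice of exit codes are assumptions for this illustration.

```python
#!/usr/bin/env python3
import json
import os
import subprocess
import sys
import time

REAL_SENDMAIL = "/usr/sbin/sendmail"                # assumption: the binary IMP used to call
STATE_FILE = "/var/lib/imp-wrapper/last_sent.json"  # assumption: writable by the web server user
MIN_INTERVAL = 120                                  # one mail per two minutes per sender

# sendmail-style exit codes (sysexits.h) so IMP sees a failed send, not a silent drop
EX_TEMPFAIL, EX_NOPERM = 75, 77


def envelope_sender(argv):
    """Return the envelope sender given with the standard -f option, written
    either as '-f addr' or '-faddr'; None if the caller passed none."""
    for i, arg in enumerate(argv):
        if arg == "-f" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-f") and len(arg) > 2:
            return arg[2:]
    return None


def rate_limited(sender, now, state, interval=MIN_INTERVAL):
    """state maps sender -> epoch seconds of its last accepted message.
    True (state untouched) if the sender must wait; otherwise records now."""
    last = state.get(sender)
    if last is not None and now - last < interval:
        return True
    state[sender] = now
    return False


def parse_spamc_check(returncode, stdout):
    """Interpret 'spamc -c': it prints 'score/threshold' and exits 1 for spam,
    0 for ham; any other exit code means no verdict could be obtained."""
    score, _, threshold = stdout.strip().partition("/")
    try:
        score, threshold = float(score), float(threshold)
    except ValueError:
        score = threshold = None
    label = {0: "ham", 1: "spam"}.get(returncode, "error")
    return label, score, threshold


def load_state():
    try:
        with open(STATE_FILE) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}


def save_state(state):
    os.makedirs(os.path.dirname(STATE_FILE), exist_ok=True)
    with open(STATE_FILE, "w") as fh:
        json.dump(state, fh)


def main(argv):
    message = sys.stdin.buffer.read()
    sender = envelope_sender(argv) or "<no -f given>"

    # Rate limit first, so a rejected spam still consumes the sender's slot.
    state = load_state()
    if rate_limited(sender, time.time(), state):
        sys.stderr.write("wrapper: %s may send one mail per %ds\n" % (sender, MIN_INTERVAL))
        return EX_TEMPFAIL
    save_state(state)

    proc = subprocess.run(["spamc", "-c"], input=message, stdout=subprocess.PIPE)
    label, score, threshold = parse_spamc_check(proc.returncode, proc.stdout.decode("ascii", "replace"))
    if label != "ham":  # policy choice: fail closed when spamd gives no verdict
        sys.stderr.write("wrapper: refusing mail from %s (%s, score %s/%s)\n"
                         % (sender, label, score, threshold))
        return EX_NOPERM if label == "spam" else EX_TEMPFAIL

    # Clean: hand the unchanged message and arguments to the real sendmail.
    return subprocess.run([REAL_SENDMAIL] + argv, input=message).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Two things to keep in mind when deploying something like this: the state file is read and rewritten without locking, so two simultaneous sends from the same account can both pass; wrap load/save in an `fcntl.flock` if that matters. And it only covers the sendmail path; if IMP is configured to talk SMTP directly, the equivalent is the mail-server-side scan Michael mentions.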

