[imp] Possible bug?

michel at casa.co.cu michel at casa.co.cu
Sun Sep 13 03:27:41 UTC 2009


agerhard at usp.br wrote:

> Hi Michel,
>
> mtnngprs.com (and for example, their IP 41.220.75.3) is a well-known
> source of Nigerian/scam spam. Probably one of your users' accounts was
> compromised, maybe by him answering a scam pretending to be from staff
> of your institution and asking for the user's name and password.
> You should implement rate-limit rules in IMP and Postfix at your
> outgoing server; it is also important to make your users aware of the
> problem.
>
> Andre Gerhard
> Universidade de Sao Paulo
>
> Quoting michel at casa.co.cu:
>
>>
>> Hi,
>>
>> I have recently migrated to Horde Groupware Webmail Edition 1.2.3, and I
>> have problems; apparently Horde has a bug.
>>
>> Let me explain more.
>>
>> From abroad, someone is using a potential vulnerability that Horde may have to
>> generate large amounts of mail to multiple servers: AOL, Hotmail, Yahoo,
>> etc.
>>
>> As a result, they got my domains or IP addresses blocked.
>> When they generate this amount of advertising messages, Postfix
>> clearly shows who took delivery of the mail: in this case my
>> webmail. Apparently everything goes through the compose.php page.
>>
>> I am sending you the logs generated by Apache; I tried to configure
>> Horde to generate logs too, but I still could not get it to work.
>>
>> I am also sending the Postfix logs. I do not know how these
>> messages can be generated; they are making me look like an open relay server.
>>
>> Please do not keep quiet on the list this time; help me.
>>
>>
>> mtnngprs.com - - [11/Sep/2009:02:19:01 -0400] "GET  
>> /imp/compose.php?mailbox=INBOX&uniq=1252607369444 HTTP/1.1" 302 -
>> mtnngprs.com - - [11/Sep/2009:02:19:01 -0400] "GET  
>> /index.php?url=http%3A%2F%2Fwebmail.home.com%2Fimp%2Fcompose.php%3Fmailbox%3DINBOX%26uniq%3D1252591436222 HTTP/1.1" 302  
>> 26
>> mtnngprs.com - - [11/Sep/2009:02:19:12 -0400] "GET  
>> /imp/compose.php?mailbox=INBOX&uniq=1252591436222 HTTP/1.1" 302 -
>> mtnngprs.com - - [11/Sep/2009:02:19:15 -0400] "GET  
>> /login.php?url=%2Fimp%2Fcompose.php%3Fmailbox%3DINBOX%26amp%3Buniq%3D1252591436222&nosidebar=1&horde_logout_token=WV8go8aYyg6y_EVyMTVSWErcPFA&app= HTTP/1.1" 302  
>> 26
>> mtnngprs.com - - [11/Sep/2009:02:19:18 -0400] "GET  
>> /imp/login.php?url=%2Fimp%2Fcompose.php%3Fmailbox%3DINBOX%26amp%3Buniq%3D1252591436222 HTTP/1.1" 200  
>> 3622
>> mtnngprs.com - - [11/Sep/2009:02:46:29 -0400] "GET / HTTP/1.1" 302 26
>> mtnngprs.com - - [11/Sep/2009:02:46:35 -0400] "GET /login.php  
>> HTTP/1.1" 302 26
>> mtnngprs.com - - [11/Sep/2009:02:46:37 -0400] "GET /imp/login.php  
>> HTTP/1.1" 200 3551
>> mtnngprs.com - - [11/Sep/2009:02:46:45 -0400] "GET /js/prototype.js  
>> HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:46:48 -0400] "GET  
>> /js/horde-prototype.js HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:46:52 -0400] "GET /imp/js/login.js  
>> HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:46:55 -0400] "GET  
>> /themes/screen.css HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:46:55 -0400] "GET  
>> /imp/themes/screen.css HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:46:55 -0400] "GET  
>> /themes/ideas/screen.css HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:46:57 -0400] "GET  
>> /imp/themes/ideas/screen.css HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:46:58 -0400] "GET  
>> /themes/graphics/horde-power1.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:46:58 -0400] "GET  
>> /themes/ideas/graphics/background.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:46:59 -0400] "GET  
>> /themes/opera.css HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:02 -0400] "GET  
>> /themes/ideas/graphics/menu_top.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:11 -0400] "POST  
>> /imp/redirect.php HTTP/1.1" 302 26
>> mtnngprs.com - - [11/Sep/2009:02:47:16 -0400] "GET  
>> /index.php?url=http%3A%2F%2Fwebmail.home.com%2F HTTP/1.1" 200 333
>> mtnngprs.com - - [11/Sep/2009:02:47:19 -0400] "GET  
>> /services/portal/sidebar.php HTTP/1.1" 200 2273
>> mtnngprs.com - - [11/Sep/2009:02:47:19 -0400] "GET  
>> /?frameset_loaded=1 HTTP/1.1" 302 26
>> mtnngprs.com - - [11/Sep/2009:02:47:23 -0400] "GET /login.php  
>> HTTP/1.1" 200 2551
>> mtnngprs.com - - [11/Sep/2009:02:47:23 -0400] "GET  
>> /services/javascript.php?file=tree.js&app=horde HTTP/1.1" 200 4169
>> mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET  
>> /ingo/themes/screen.css HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET  
>> /nag/themes/screen.css HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET  
>> /kronolith/themes/screen.css HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET  
>> /mnemo/themes/screen.css HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:29 -0400] "GET  
>> /turba/themes/ideas/screen.css HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:30 -0400] "GET /js/popup.js  
>> HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:30 -0400] "GET  
>> /turba/themes/screen.css HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:30 -0400] "GET /js/sidebar.js  
>> HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:33 -0400] "GET  
>> /themes/graphics/prefs.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:33 -0400] "GET  
>> /themes/graphics/horde.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:33 -0400] "GET  
>> /themes/graphics/help_index.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:36 -0400] "GET  
>> /themes/graphics/alerts/message.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:36 -0400] "GET  
>> /themes/graphics/logout.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:36 -0400] "GET  
>> /ingo/themes/graphics/blacklist.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:37 -0400] "GET  
>> /themes/graphics/problem.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:39 -0400] "GET /imp/js/popup.js  
>> HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:39 -0400] "GET  
>> /themes/graphics/edit.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:39 -0400] "GET  
>> /themes/graphics/delete.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:40 -0400] "GET  
>> /ingo/themes/graphics/whitelist.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:42 -0400] "GET  
>> /themes/ideas/graphics/left_menu_top.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:42 -0400] "GET  
>> /themes/graphics/hide_panel.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:42 -0400] "GET  
>> /themes/ideas/graphics/left_menu_bottom.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:43 -0400] "GET  
>> /themes/graphics/show_panel.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:45 -0400] "GET  
>> /themes/graphics/tree/plusonly.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:46 -0400] "GET  
>> /themes/graphics/organizing.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:48 -0400] "GET  
>> /themes/graphics/tree/nullonly.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:47:48 -0400] "GET  
>> /imp/themes/graphics/newmail.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:48:31 -0400] "GET /imp/ HTTP/1.1" 302 26
>> mtnngprs.com - - [11/Sep/2009:02:48:47 -0400] "GET  
>> /imp/mailbox.php?mailbox=INBOX&mailbox_token=wZnvebIzfCa_lW5VDB0LPOfvkzI  
>> HTTP/1.1" 200 5536
>> mtnngprs.com - - [11/Sep/2009:02:48:51 -0400] "GET  
>> /imp/js/effects.js HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:48:54 -0400] "GET  
>> /imp/js/redbox.js HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:48:57 -0400] "GET  
>> /imp/js/mailbox.js HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:49:00 -0400] "GET  
>> /imp/themes/graphics/compose.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:49:00 -0400] "GET  
>> /imp/themes/graphics/folders/inbox.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:49:01 -0400] "GET  
>> /imp/themes/graphics/folders/folder_open.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:49:03 -0400] "GET  
>> /themes/graphics/reload.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:49:03 -0400] "GET  
>> /imp/themes/graphics/fetchmail.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:49:04 -0400] "GET  
>> /imp/themes/graphics/folders/folder.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:49:06 -0400] "GET  
>> /imp/themes/graphics/mail_unseen.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:49:06 -0400] "GET  
>> /themes/graphics/az.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:49:08 -0400] "GET  
>> /imp/themes/graphics/filters.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:49:08 -0400] "GET  
>> /themes/graphics/search.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:49:09 -0400] "GET  
>> /imp/themes/graphics/mail_personal.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:49:15 -0400] "GET  
>> /imp/themes/graphics/empty_spam.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:51:19 -0400] "GET  
>> /imp/login.php?url=%2Fimp%2Fmailbox.php%3Fmailbox%3DINBOX HTTP/1.1"  
>> 200 3610
>> mtnngprs.com - - [11/Sep/2009:02:51:23 -0400] "GET  
>> /imp/themes/graphics/favicon.ico HTTP/1.1" 200 1406
>> mtnngprs.com - - [11/Sep/2009:02:52:08 -0400] "GET  
>> /services/prefs.php?app=imp HTTP/1.1" 200 3247
>> mtnngprs.com - - [11/Sep/2009:02:52:14 -0400] "GET /js/horde.js  
>> HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:52:32 -0400] "GET  
>> /services/prefs.php?app=imp&group=identities HTTP/1.1" 200 7487
>> mtnngprs.com - - [11/Sep/2009:02:52:46 -0400] "GET  
>> /services/prefs.php?app=imp&group=identities&actionID=delete_identity&id=2  
>> HTTP/1.1" 200 6393
>> mtnngprs.com - - [11/Sep/2009:02:52:51 -0400] "GET  
>> /themes/graphics/alerts/success.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:52:51 -0400] "GET  
>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1449
>> mtnngprs.com - - [11/Sep/2009:02:54:54 -0400] "POST  
>> /services/prefs.php HTTP/1.1" 200 3292
>> mtnngprs.com - - [11/Sep/2009:02:57:55 -0400] "GET  
>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1446
>> mtnngprs.com - - [11/Sep/2009:02:58:14 -0400] "GET  
>> /imp/compose.php?mailbox=INBOX&uniq=1252652212573 HTTP/1.1" 200 7299
>> mtnngprs.com - - [11/Sep/2009:02:58:19 -0400] "GET  
>> /imp/js/autocomplete.js HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:58:22 -0400] "GET  
>> /imp/js/KeyNavList.js HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:58:29 -0400] "GET  
>> /imp/js/SpellChecker.js HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:58:32 -0400] "GET  
>> /imp/js/compose.js HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:58:35 -0400] "GET  
>> /themes/graphics/help.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:58:36 -0400] "GET  
>> /imp/themes/graphics/addressbook_browse.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:58:36 -0400] "GET  
>> /themes/graphics/keyboard.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:58:36 -0400] "GET  
>> /imp/themes/graphics/manage_attachments.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:58:39 -0400] "GET  
>> /imp/themes/graphics/popdown.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:02:58:43 -0400] "GET  
>> /imp/themes/graphics/spellcheck.png HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:03:01:36 -0400] "GET  
>> /imp/themes/graphics/loading.gif HTTP/1.1" 304 -
>> mtnngprs.com - - [11/Sep/2009:03:01:36 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:03:01:37 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:03:01:38 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:03:01:40 -0400] "POST  
>> /imp/compose.php?uniq=3qazi9sivvuv HTTP/1.1" 200 92
>> mtnngprs.com - - [11/Sep/2009:03:02:59 -0400] "GET  
>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1447
>> mtnngprs.com - - [11/Sep/2009:03:08:14 -0400] "GET  
>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1448
>> mtnngprs.com - - [11/Sep/2009:03:11:05 -0400] "GET  
>> /imp/compose.php?mailbox=INBOX&uniq=1252652981227 HTTP/1.1" 200 7300
>> mtnngprs.com - - [11/Sep/2009:03:11:10 -0400] "GET  
>> /imp/compose.php?mailbox=INBOX&uniq=1252652988462 HTTP/1.1" 200 7298
>> mtnngprs.com - - [11/Sep/2009:03:11:16 -0400] "GET  
>> /imp/compose.php?mailbox=INBOX&uniq=1252652993718 HTTP/1.1" 200 7301
>> mtnngprs.com - - [11/Sep/2009:03:11:19 -0400] "GET  
>> /imp/compose.php?mailbox=INBOX&uniq=1252652997151 HTTP/1.1" 200 7301
>> mtnngprs.com - - [11/Sep/2009:03:13:21 -0400] "GET  
>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1446
>> mtnngprs.com - - [11/Sep/2009:03:16:04 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:03:16:09 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:03:16:11 -0400] "POST  
>> /imp/compose.php?uniq=2qz5zcka6ec7 HTTP/1.1" 200 92
>> mtnngprs.com - - [11/Sep/2009:03:18:26 -0400] "GET  
>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
>> mtnngprs.com - - [11/Sep/2009:03:23:32 -0400] "GET  
>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1403
>> mtnngprs.com - - [11/Sep/2009:03:24:14 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:03:24:24 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:03:24:27 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:03:24:27 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:03:24:28 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:03:24:29 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:03:24:30 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> 41.220.75.16 - - [11/Sep/2009:03:24:33 -0400] "POST  
>> /imp/compose.php?uniq=1euuxs4pmk2c HTTP/1.1" 200 92
>> mtnngprs.com - - [11/Sep/2009:03:28:38 -0400] "GET  
>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
>> mtnngprs.com - - [11/Sep/2009:03:33:43 -0400] "GET  
>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
>> mtnngprs.com - - [11/Sep/2009:03:43:48 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>> mtnngprs.com - - [11/Sep/2009:03:43:54 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>> mtnngprs.com - - [11/Sep/2009:03:43:52 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>> mtnngprs.com - - [11/Sep/2009:03:43:53 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>> mtnngprs.com - - [11/Sep/2009:03:43:51 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>> mtnngprs.com - - [11/Sep/2009:03:43:57 -0400] "GET  
>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=eglGjEMldNr9UH24zIkdKK1eSV4&app= HTTP/1.1" 302  
>> 26
>> mtnngprs.com - - [11/Sep/2009:03:43:58 -0400] "GET  
>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=WX77PhweZ-KmKF0YTUGhs6guGvs&app= HTTP/1.1" 302  
>> 26
>> mtnngprs.com - - [11/Sep/2009:03:43:58 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>> mtnngprs.com - - [11/Sep/2009:03:43:59 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>> mtnngprs.com - - [11/Sep/2009:03:44:00 -0400] "GET  
>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=jzb53DZTOewdzYI70Vk3lQsrR9Q&app= HTTP/1.1" 302  
>> 26
>> mtnngprs.com - - [11/Sep/2009:03:43:59 -0400] "POST  
>> /imp/compose.php?uniq=4w682dzniadq HTTP/1.1" 200 4965
>> mtnngprs.com - - [11/Sep/2009:03:44:01 -0400] "GET  
>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=B5_o6GqJ75P6gIus19hUSYvlouk&app= HTTP/1.1" 302  
>> 26
>> 41.220.75.16 - - [11/Sep/2009:03:44:03 -0400] "GET  
>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=Cgdmins9lt30Vgar4yWXI12hWjU&app= HTTP/1.1" 302  
>> 26
>> mtnngprs.com - - [11/Sep/2009:03:44:04 -0400] "GET  
>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=FanJ81FZSHtYfBiqnpZwzr5367c&app= HTTP/1.1" 302  
>> 26
>> mtnngprs.com - - [11/Sep/2009:03:44:06 -0400] "GET  
>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=tLLr3miFgVw5-iO3K7hm42IL8K0&app= HTTP/1.1" 302  
>> 26
>> mtnngprs.com - - [11/Sep/2009:03:44:06 -0400] "GET  
>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 302 26
>> mtnngprs.com - - [11/Sep/2009:03:44:09 -0400] "GET  
>> /login.php?url=%2Fservices%2Fportal%2Fsidebar.php%3Fhttpclient%3D1&nosidebar=1&horde_logout_token=ZChMZnm3eFpSkPjeW4G8rnLOJBQ&app=horde HTTP/1.1" 302  
>> 26
>> mtnngprs.com - - [11/Sep/2009:03:44:10 -0400] "GET  
>> /imp/login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc HTTP/1.1" 200  
>> 3603
>> mtnngprs.com - - [11/Sep/2009:03:44:13 -0400] "GET  
>> /imp/login.php?url=%2Fservices%2Fportal%2Fsidebar.php%3Fhttpclient%3D1  
>> HTTP/1.1" 200 3598
>> mtnngprs.com - - [11/Sep/2009:03:44:33 -0400] "POST  
>> /imp/redirect.php HTTP/1.1" 302 26
>> mtnngprs.com - - [11/Sep/2009:03:44:41 -0400] "GET  
>> /imp/compose.php?actionID=recompose HTTP/1.1" 200 7495
>> mtnngprs.com - - [11/Sep/2009:03:44:51 -0400] "POST  
>> /imp/compose.php?uniq=4zyav2hgmp6 HTTP/1.1" 200 92
>> mtnngprs.com - - [11/Sep/2009:04:14:59 -0400] "GET  
>> /imp/compose.php?mailbox=INBOX&uniq=1252656813421 HTTP/1.1" 200 7297
>> 41.220.75.16 - - [11/Sep/2009:04:16:21 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:04:16:25 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:04:16:25 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:04:16:26 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:04:16:28 -0400] "POST  
>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
>> mtnngprs.com - - [11/Sep/2009:04:16:35 -0400] "POST  
>> /imp/compose.php?uniq=3w45vknv29e0 HTTP/1.1" 200 92
>> 114.127.246.36 - - [11/Sep/2009:04:17:19 -0400] "GET  
>> /imp/login.php? HTTP/1.1" 200 3580
>> 114.127.246.36 - - [11/Sep/2009:04:17:50 -0400] "GET  
>> /imp/login.php? HTTP/1.1" 200 3579
>> mtnngprs.com - - [11/Sep/2009:04:18:12 -0400] "GET  
>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
>>
>>
>> Suggestions?
>>



I do not think any of my user accounts has been compromised, but if so,
each time spam messages are sent using the account, the email
address appears on each message, doesn't it?

So far that has not happened; only email addresses that do not exist in
my domain appear on the From line, and sometimes they do not even use
my domain.

For example, pepe at linux.com would be used, when my domain in this case is home.com.


The messages are coming from the webmail, because I see not only the Apache
logs but also the Postfix ones, and each time they send out, the messages clearly show:
   message-id = <20090912181854.208571wgnq9h1w7i @ webmail.home.com>

So I have reason to suspect it is a problem in imp/compose.php.

Until yesterday I had a filter in Postfix to accept only mail from
valid accounts of my domains and reject every message generated by the
hacker using invalid accounts. So today he or she uses a valid
account only to generate the messages. I checked the Dovecot sessions in
my logs and no logins appear for the account that he is using to
generate the emails.


How does he obtain the list of valid accounts? Simple: a search in Google.
Maybe a second solution is to use policyd to rate-limit, but
the problem in Horde persists, so how can I fix this?

Sorry, my English is poor.

Thanks

I am including a part of my Postfix logs.


Sep 12 18:18:54 serverlinux postfix/smtpd[4657]: F1FC98F2AD:  
client=serverlinux.home.com[192.168.25.254]
Sep 12 18:18:55 serverlinux postfix/cleanup[4833]: F1FC98F2AD:  
message-id=<20090912181854.208571wgnq9h1w7i at webmail.home.com>
Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: F1FC98F2AD:  
from=<mr_huang at home.com>, size=2429, nrcpt=24 (queue active)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<02cbb at alumni.williams.edu>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1065401001 at amsa.com>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1010motoring at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1234andy at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1982cj7 at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1amiller at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1caldero at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1harnish at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1pdickinson at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<100234.547 at compuserve.com>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<110536.427 at compuserve.com>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<01doublehelix10 at gmail.com>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1230.bb03 at gmail.com>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1230.bb05 at gmail.com>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1skier1 at home.com>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1bigtuki at hotmial.com>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<196362 at iwon.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16,  
delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok:  
queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<13152024 at msn.com>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1ljd at msn.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16,  
delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok:  
queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<103rle at verizon.net>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1cvi at verizon.net>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<13throw at whidbey.com>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<1lawdivadram at yahoo.com>, relay=mx.home.com[192.168.25.10]:25,  
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
to=<2002 at yahoo.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16,  
delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok:  
queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: F1FC98F2AD: removed


----------------------------------------------
Webmail, servicio de correo electronico
Casa de las Americas - La Habana, Cuba.
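Added example, not code from this thread or from the Horde project: two detections for the pattern described above, namely Horde-generated mail identified by the webmail host in the Postfix message-id (with its recipient count and sender domain), and bursts of compose.php form submissions in the Apache access log. It assumes the local domain is home.com and that Horde puts webmail.home.com into its Message-IDs, as the quoted Postfix line shows; the recipient threshold is arbitrary and the log lines are constructed samples modelled on the excerpts in the thread.

```python
"""Detections for the pattern in this thread: Horde/IMP compose.php driven
remotely to push bulk mail through Postfix. All log lines are constructed
samples modelled on the excerpts quoted above (real logs use '@')."""
import re
from collections import Counter, defaultdict

LOCAL_DOMAINS = {"home.com"}        # envelope-sender domains this site legitimately uses
WEBMAIL_HOST = "webmail.home.com"   # host part Horde puts into generated Message-IDs
MAX_RCPT = 10                       # recipients per webmail message before we flag it (arbitrary)

# Constructed Postfix excerpt: Horde mail with 24 recipients, Horde mail with a
# foreign sender domain, and one normal message from a desktop client.
POSTFIX_LOG = """\
Sep 12 18:18:55 serverlinux postfix/cleanup[4833]: F1FC98F2AD: message-id=<20090912181854.208571wgnq9h1w7i@webmail.home.com>
Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: F1FC98F2AD: from=<mr_huang@home.com>, size=2429, nrcpt=24 (queue active)
Sep 12 18:20:01 serverlinux postfix/cleanup[4833]: 0A1B2C3D4E: message-id=<20090912182001.x1y2z3@webmail.home.com>
Sep 12 18:20:01 serverlinux postfix/qmgr[4991]: 0A1B2C3D4E: from=<pepe@linux.com>, size=1200, nrcpt=1 (queue active)
Sep 12 18:21:10 serverlinux postfix/cleanup[4833]: 5E6F7A8B9C: message-id=<4AABC123.5090@pc12.home.com>
Sep 12 18:21:10 serverlinux postfix/qmgr[4991]: 5E6F7A8B9C: from=<ana@home.com>, size=900, nrcpt=2 (queue active)
"""

QUEUE_RE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-Za-z]+): (.*)$")
MSGID_RE = re.compile(r"message-id=<[^>]*@([^>]+)>")
FROM_RE = re.compile(r"from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

def parse_postfix(log_text):
    """Join cleanup/qmgr lines by queue id -> {qid: {msgid_host, sender, nrcpt}}."""
    messages = defaultdict(dict)
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        if mid := MSGID_RE.search(rest):
            messages[qid]["msgid_host"] = mid.group(1)
        if frm := FROM_RE.search(rest):
            messages[qid]["sender"] = frm.group(1)
            messages[qid]["nrcpt"] = int(frm.group(2))
    return dict(messages)

def suspicious_webmail_messages(log_text):
    """[(qid, reason)] for Horde-generated mail that is bulk or claims a non-local sender."""
    hits = []
    for qid, msg in sorted(parse_postfix(log_text).items()):
        if msg.get("msgid_host") != WEBMAIL_HOST:
            continue  # not generated by the webmail, out of scope here
        if msg.get("nrcpt", 0) > MAX_RCPT:
            hits.append((qid, f"nrcpt={msg['nrcpt']} exceeds {MAX_RCPT}"))
        domain = msg.get("sender", "").rpartition("@")[2]
        if domain and domain not in LOCAL_DOMAINS:
            hits.append((qid, f"sender domain {domain} is not local"))
    return hits

# Constructed Apache access-log excerpt in the combined format quoted above.
APACHE_LOG = """\
mtnngprs.com - - [11/Sep/2009:03:01:40 -0400] "POST /imp/compose.php?uniq=3qazi9sivvuv HTTP/1.1" 200 92
mtnngprs.com - - [11/Sep/2009:03:16:11 -0400] "POST /imp/compose.php?uniq=2qz5zcka6ec7 HTTP/1.1" 200 92
mtnngprs.com - - [11/Sep/2009:03:24:14 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
41.220.75.16 - - [11/Sep/2009:03:24:33 -0400] "POST /imp/compose.php?uniq=1euuxs4pmk2c HTTP/1.1" 200 92
mtnngprs.com - - [11/Sep/2009:03:44:51 -0400] "POST /imp/compose.php?uniq=4zyav2hgmp6 HTTP/1.1" 200 92
mtnngprs.com - - [11/Sep/2009:04:16:35 -0400] "POST /imp/compose.php?uniq=3w45vknv29e0 HTTP/1.1" 200 92
"""

# client host, then the timestamp truncated to the hour; only compose.php form submissions match
COMPOSE_POST_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d)[^\]]*\] "POST /imp/compose\.php')

def compose_posts_per_hour(log_text):
    """Count compose.php POSTs per (client, hour); each POST is one attempted send."""
    counts = Counter()
    for line in log_text.splitlines():
        if m := COMPOSE_POST_RE.match(line):
            counts[(m.group(1), m.group(2))] += 1
    return dict(counts)

if __name__ == "__main__":
    for qid, reason in suspicious_webmail_messages(POSTFIX_LOG):
        print(f"{qid}: {reason}")
    for (client, hour), n in sorted(compose_posts_per_hour(APACHE_LOG).items()):
        print(f"{client} {hour}: {n} compose POSTs")
```

Pointing the two functions at the real /var/log/mail.log and Apache access log gives the per-message and per-client evidence that Andre's rate-limit suggestion would need as a threshold.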


