[imp] Possible bug?

mtecles at biof.ufrj.br mtecles at biof.ufrj.br
Sun Sep 13 14:55:30 UTC 2009


I had a similar problem. One of my users probably gave his/her  
password to one of those spams.

Stop your postfix and use mailq to take a look at your mail queue. You  
will see the spams easily. Take note of your domain accounts that are  
sending spam. I don't have it at hand now, but tomorrow I will send  
a one-line script to delete the spams based on "from" or "to".  
Restart postfix; it will not solve the problem, but it will mitigate it.

If possible, configure SPF (http://www.openspf.org/) in your DNS (it  
is just text); it is easy to set up postfix to use it.

Identify each account that is sending spam (using mailq), have their  
owners (the users) identified somehow (better if in person) and have  
them change their password. Have them access their webmail account,  
if possible with you, and look for spam mail drafts; check their Mail  
Options -> Personal Information -> Identity (probably remove them all;  
the system will recreate an empty standard one).

Mauricio

-- 
Mauricio J. T. Tecles
Instituto de Biofisica C. C. F. - UFRJ
mtecles at biof.ufrj.br
Tel.: (21) 2562-6544
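Mauricio's mailq triage above, as an added example that is not part of the original post: the script parses a `mailq` / `postqueue -p` listing, groups queued mail by envelope sender, flags senders whose queued volume looks like a compromised account, and prints the `postsuper -d` commands for that sender's queue IDs. The sample listing, the thresholds and the sender/recipient addresses are constructed for this example, not taken from a real server.

```python
"""Triage a Postfix queue listing (output of `mailq` / `postqueue -p`):
group queued messages by envelope sender, flag senders whose volume looks
like a compromised account, and list the queue IDs an admin would hand
to `postsuper -d` for that sender.

SAMPLE_MAILQ is constructed for this example in the format `mailq` prints;
it is not real output from the thread's server."""
import re
import sys
from collections import defaultdict

SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
F1FC98F2AD*    2429 Sat Sep 12 18:18:54  mr_huang@home.com
                                         02cbb@example.org
                                         1065401001@example.net
                                         1010motoring@example.com

A1B2C3D4E5     1580 Sat Sep 12 18:20:02  mr_huang@home.com
(connect to mx.example.com[192.0.2.10]:25: Connection timed out)
                                         2002@example.org
                                         1ljd@example.net

0123456789      812 Sat Sep 12 18:21:40  alice@home.com
                                         bob@example.com

-- 5 Kbytes in 3 Requests.
"""

# Queue-ID line: hex id, optional status flag (* active, ! hold), size, arrival, sender.
ENTRY_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$"
)


def parse_mailq(text):
    """Return one dict {qid, sender, size, recipients} per queued message."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"qid": m.group("qid"), "sender": m.group("sender").lower(),
                       "size": int(m.group("size")), "recipients": []}
            entries.append(current)
            continue
        if current is None or line.startswith("-") or not line.strip():
            continue  # header, footer or blank separator line
        if line.lstrip().startswith("("):
            continue  # deferral reason line, not a recipient
        current["recipients"].append(line.strip().lower())
    return entries


def senders_by_volume(entries):
    """Map sender -> {messages, recipients, qids} over the whole queue."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "qids": []})
    for e in entries:
        s = stats[e["sender"]]
        s["messages"] += 1
        s["recipients"] += len(e["recipients"])
        s["qids"].append(e["qid"])
    return dict(stats)


def flag_senders(stats, min_messages=2, min_recipients=5):
    """Senders above either threshold (assumed values), most recipients first."""
    flagged = [s for s, v in stats.items()
               if v["messages"] >= min_messages or v["recipients"] >= min_recipients]
    return sorted(flagged, key=lambda s: -stats[s]["recipients"])


def postsuper_delete_commands(stats, sender):
    """The `postsuper -d <queue id>` lines that remove one sender's queued mail."""
    return ["postsuper -d %s" % q for q in stats[sender]["qids"]]


if __name__ == "__main__":
    # Pipe real `mailq` output in; with no stdin the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MAILQ
    stats = senders_by_volume(parse_mailq(text))
    for s in flag_senders(stats):
        print("%s: %d msgs, %d rcpts" % (s, stats[s]["messages"], stats[s]["recipients"]))
        print("\n".join(postsuper_delete_commands(stats, s)))
```

Review the flagged list by hand before deleting anything: a legitimate mailing-list owner will also show many recipients per message.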



Quoting michel at casa.co.cu:

> agerhard at usp.br wrote:
>
>> Hi Michel,
>>
>> mtnngprs.com (and, for example, their IP 41.220.75.3) is a well known
>> source of Nigerian/scam spam. Probably one of your users' accounts was
>> compromised, maybe by him answering a scam pretending to be from staff
>> of your institution and asking for the user's name and password.
>> You should implement rate-limit rules in IMP and postfix at your
>> outgoing server; it is also important to make your users aware of the
>> problem.
>>
>> Andre Gerhard
>> Universidade de Sao Paulo
>>
>> Quoting michel at casa.co.cu:
>>
>>>
>>> hi
>>>
>>> I have recently migrated to Horde Groupware Webmail Edition 1.2.3, and I
>>> have problems; apparently Horde has a bug.
>>>
>>> Let me explain more.
>>>
>>> From abroad they are using a potential vulnerability that Horde may have to
>>> generate large amounts of mail to multiple servers: aol, hotmail, yahoo
>>> etc.
>>>
>>> As a result my domains or IP addresses got blocked for email. When they
>>> generate this amount of advertising messages, postfix shows clearly who
>>> took delivery of the mail, in this case my webmail. Apparently everything
>>> goes through the compose.php page.
>>>
>>> I am sending you the logs generated by apache. I tried to configure  
>>> horde to generate logs as well, but I still could not get it to  
>>> work.
>>>
>>> I am also sending postfix logs. I do not know how they can generate  
>>> these messages; they are making me look like an open relay server.
>>>
>>> please do not keep quiet on the list this time, help me.
>>>
>>>
>>> suggestions?
>>>
>
>
>
> I do not think any of my user accounts has been compromised, but if  
> so, each time spam messages are sent using the account, the  
> email address would appear on each message, wouldn't it?
>
> Which so far has not happened; only email addresses that do not  
> exist in my domain appear in the From line, and sometimes they are  
> not even using my domain.
>
> For example, pepe at linux.com would be used, when my domain in this case is home.com.
>
>
> The messages are coming from webmail, because I see not only the  
> apache logs but also those of postfix, and each time they send out messages it is clear:
>   message-id = <20090912181854.208571wgnq9h1w7i @ webmail.home.com>
>
> So I have reason to suspect it is a problem in imp/compose.php.
>
> Until yesterday I had a filter in postfix to accept only mail from  
> valid accounts of my domains and reject every message generated by  
> the hacker using invalid accounts. So today he or she uses a  
> valid account only to generate the messages. I checked the dovecot  
> sessions in my logs and no logins appear for the account that he is  
> using to generate the emails.
>
>
> How did they obtain the list of valid accounts? Simple: a search in  
> Google. Maybe a second solution is to use policyd to limit the  
> rate, but the problem in horde persists, so how can I fix this?
>
> Sorry for my English, it is poor.
>
> Thanks
>
> I am passing on a part of my postfix logs.
>
>
> ----------------------------------------------
> Webmail, e-mail service
> Casa de las Americas - La Habana, Cuba.
>

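A detection pass over postfix log lines of the kind Michel describes (smtpd, cleanup and qmgr entries joined by queue ID), as an added example that is not from the thread: it flags envelope senders outside the local domains, which is the forged-sender pattern he saw (a `pepe at linux.com` sender on a `home.com` webmail), and senders that address more recipients than a threshold within a time window, which is the volume a policyd-style rate limit would cap. LOCAL_DOMAINS, WEBMAIL_CLIENT, the thresholds and the log sample are assumptions constructed for this example.

```python
# Correlate Postfix maillog fragments by queue ID and flag webmail-originated
# mail with a forged sender or a compromised, high-volume account.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCAL_DOMAINS = {"home.com"}       # assumption: the site's own mail domains
WEBMAIL_CLIENT = "192.168.25.254"  # assumption: address the webmail host submits from

# Constructed sample in the format of the thread's postfix log excerpt.
SAMPLE_LOG = """\
Sep 12 18:18:54 serverlinux postfix/smtpd[4657]: F1FC98F2AD: client=serverlinux.home.com[192.168.25.254]
Sep 12 18:18:55 serverlinux postfix/cleanup[4833]: F1FC98F2AD: message-id=<20090912181854.208571wgnq9h1w7i@webmail.home.com>
Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: F1FC98F2AD: from=<mr_huang@home.com>, size=2429, nrcpt=24 (queue active)
Sep 12 18:25:10 serverlinux postfix/smtpd[4657]: A0B1C2D3E4: client=serverlinux.home.com[192.168.25.254]
Sep 12 18:25:11 serverlinux postfix/cleanup[4833]: A0B1C2D3E4: message-id=<20090912182510.abc123@webmail.home.com>
Sep 12 18:25:11 serverlinux postfix/qmgr[4991]: A0B1C2D3E4: from=<mr_huang@home.com>, size=2401, nrcpt=30 (queue active)
Sep 12 18:30:00 serverlinux postfix/smtpd[4660]: 1122334455: client=serverlinux.home.com[192.168.25.254]
Sep 12 18:30:01 serverlinux postfix/cleanup[4833]: 1122334455: message-id=<20090912183000.xyz789@webmail.home.com>
Sep 12 18:30:01 serverlinux postfix/qmgr[4991]: 1122334455: from=<pepe@linux.com>, size=2200, nrcpt=3 (queue active)
Sep 12 18:40:12 serverlinux postfix/smtpd[4661]: 99887766AA: client=serverlinux.home.com[192.168.25.254]
Sep 12 18:40:13 serverlinux postfix/cleanup[4833]: 99887766AA: message-id=<20090912184012.def456@webmail.home.com>
Sep 12 18:40:13 serverlinux postfix/qmgr[4991]: 99887766AA: from=<alice@home.com>, size=1800, nrcpt=1 (queue active)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/\w+\[\d+\]: "
                     r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=\S+\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
MSGID_RE = re.compile(r"message-id=<[^>@]*@(?P<host>[^>]+)>")


def parse_maillog(text, year=2009):
    """Join per-queue-ID fragments into {qid: {ts, client, sender, nrcpt, msgid_host}}."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, rest = msgs[m.group("qid")], m.group("rest")
        c = CLIENT_RE.search(rest)
        if c:
            rec["client"] = c.group("ip")
        f = FROM_RE.search(rest)
        if f:  # qmgr line: envelope sender, recipient count, timestamp used for rate math
            rec["sender"] = f.group("sender").lower()
            rec["nrcpt"] = int(f.group("nrcpt"))
            rec["ts"] = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        mi = MSGID_RE.search(rest)
        if mi:
            rec["msgid_host"] = mi.group("host")
    return {q: r for q, r in msgs.items() if "sender" in r}


def webmail_messages(msgs):
    """Keep only mail submitted by the webmail host (by client IP or Message-ID host)."""
    return {q: r for q, r in msgs.items()
            if r.get("client") == WEBMAIL_CLIENT or r.get("msgid_host", "").startswith("webmail.")}


def foreign_senders(msgs):
    """Envelope senders whose domain is not ours: the webmail should never submit these."""
    return sorted({r["sender"] for r in msgs.values()
                   if r["sender"].rpartition("@")[2] not in LOCAL_DOMAINS})


def rate_offenders(msgs, window=timedelta(hours=1), max_rcpt=40):
    """Senders that addressed more than max_rcpt recipients inside any sliding window."""
    by_sender = defaultdict(list)
    for r in msgs.values():
        by_sender[r["sender"]].append((r["ts"], r["nrcpt"]))
    offenders = {}
    for sender, events in by_sender.items():
        events.sort()
        start = total = 0
        for ts, n in events:
            total += n
            while ts - events[start][0] > window:  # drop events that fell out of the window
                total -= events[start][1]
                start += 1
            if total > max_rcpt:
                offenders[sender] = total
                break
    return offenders


if __name__ == "__main__":
    wm = webmail_messages(parse_maillog(SAMPLE_LOG))
    print("foreign senders:", foreign_senders(wm))
    print("rate offenders (recipients in window):", rate_offenders(wm))
```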

