[imp] Possible bug ?

michel at casa.co.cu michel at casa.co.cu
Sun Sep 13 17:19:42 UTC 2009


mtecles at biof.ufrj.br wrote:

> I had a similar problem. One of my users probably gave his/her  
> password to one of those spams.
>
> Stop your Postfix and use mailq to take a look at your mail queue. You  
> will easily see the spam. Take note of your domain accounts that are  
> sending spam. I don't have it at hand now, but tomorrow I will send  
> a one-line script to delete the spam based on "from" or "to".  
> Restart Postfix; it will not solve the problem, but it will mitigate it.
>
> If possible, configure SPF (http://www.openspf.org/) on your DNS (it  
> is just text); it is easy to set up Postfix to use it.
>
> Identify each account that is sending spam (using mailq), have their  
> owners (the users) identified somehow (better if in person) and have  
> them change their password. Have them access their webmail account,  
> if possible with you, look for spam mail drafts, and check their  
> Mail Options -> Personal Information -> Identity (probably remove  
> them all; the system will recreate an empty standard one).
>
> Mauricio
>
> -- 
> Mauricio J. T. Tecles
> Instituto de Biofisica C. C. F. - UFRJ
> mtecles at biof.ufrj.br
> Tel.: (21) 2562-6544
>
>
>
> Quoting michel at casa.co.cu:
>
>> agerhard at usp.br wrote:
>>
>>> Hi Michel,
>>>
>>> mtnngprs.com (and, for example, their IP 41.220.75.3) is a well known
>>> source of Nigerian/scam spam. Probably one of your users' accounts was
>>> compromised, maybe by them answering a scam pretending to be from staff
>>> of your institution and asking for the user's name and password.
>>> You should implement rate-limit rules in IMP and Postfix at your
>>> outgoing server; it is also important to make your users aware of the
>>> problem.
>>>
>>> Andre Gerhard
>>> Universidade de Sao Paulo
>>>
>>> Quoting michel at casa.co.cu:
>>>
>>>>
>>>> Hi,
>>>>
>>>> I have recently migrated to Horde Groupware Webmail Edition 1.2.3 and I
>>>> have problems; apparently Horde has a bug.
>>>>
>>>> Let me explain more.
>>>>
>>>> From abroad, someone is using a potential vulnerability that Horde may
>>>> have to generate large amounts of mail to multiple servers: AOL, Hotmail,
>>>> Yahoo, etc.
>>>>
>>>> As a result, emails from my domains or IP addresses have been blocked.
>>>> When they generate this amount of advertising messages, Postfix clearly
>>>> shows who took delivery of the mail, in this case my webmail. Apparently
>>>> everything goes through the compose.php page.
>>>>
>>>> I am sending you the logs generated by Apache. I also tried to  
>>>> configure Horde to generate logs, but I have not yet got that to  
>>>> work.
>>>>
>>>> I am also sending the Postfix logs. I do not see how they can generate  
>>>> these messages; they are making me look like an open relay server.
>>>>
>>>> Please do not keep quiet on the list this time; help me.
>>>>
>>>>
>>>> mtnngprs.com - - [11/Sep/2009:02:19:01 -0400] "GET  
>>>> /imp/compose.php?mailbox=INBOX&uniq=1252607369444 HTTP/1.1" 302 -
>>>> mtnngprs.com - - [11/Sep/2009:02:19:01 -0400] "GET  
>>>> /index.php?url=http%3A%2F%2Fwebmail.home.com%2Fimp%2Fcompose.php%3Fmailbox%3DINBOX%26uniq%3D1252591436222 HTTP/1.1" 302  
>>>> 26
>>>> mtnngprs.com - - [11/Sep/2009:02:19:12 -0400] "GET  
>>>> /imp/compose.php?mailbox=INBOX&uniq=1252591436222 HTTP/1.1" 302 -
>>>> mtnngprs.com - - [11/Sep/2009:02:19:15 -0400] "GET  
>>>> /login.php?url=%2Fimp%2Fcompose.php%3Fmailbox%3DINBOX%26amp%3Buniq%3D1252591436222&nosidebar=1&horde_logout_token=WV8go8aYyg6y_EVyMTVSWErcPFA&app= HTTP/1.1" 302  
>>>> 26
>>>> mtnngprs.com - - [11/Sep/2009:02:19:18 -0400] "GET  
>>>> /imp/login.php?url=%2Fimp%2Fcompose.php%3Fmailbox%3DINBOX%26amp%3Buniq%3D1252591436222 HTTP/1.1" 200  
>>>> 3622
>>>> mtnngprs.com - - [11/Sep/2009:02:46:29 -0400] "GET / HTTP/1.1" 302 26
>>>> mtnngprs.com - - [11/Sep/2009:02:46:35 -0400] "GET /login.php  
>>>> HTTP/1.1" 302 26
>>>> mtnngprs.com - - [11/Sep/2009:02:46:37 -0400] "GET /imp/login.php  
>>>> HTTP/1.1" 200 3551
>>>> mtnngprs.com - - [11/Sep/2009:02:46:45 -0400] "GET  
>>>> /js/prototype.js HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:46:48 -0400] "GET  
>>>> /js/horde-prototype.js HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:46:52 -0400] "GET  
>>>> /imp/js/login.js HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:46:55 -0400] "GET  
>>>> /themes/screen.css HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:46:55 -0400] "GET  
>>>> /imp/themes/screen.css HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:46:55 -0400] "GET  
>>>> /themes/ideas/screen.css HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:46:57 -0400] "GET  
>>>> /imp/themes/ideas/screen.css HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:46:58 -0400] "GET  
>>>> /themes/graphics/horde-power1.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:46:58 -0400] "GET  
>>>> /themes/ideas/graphics/background.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:46:59 -0400] "GET  
>>>> /themes/opera.css HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:02 -0400] "GET  
>>>> /themes/ideas/graphics/menu_top.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:11 -0400] "POST  
>>>> /imp/redirect.php HTTP/1.1" 302 26
>>>> mtnngprs.com - - [11/Sep/2009:02:47:16 -0400] "GET  
>>>> /index.php?url=http%3A%2F%2Fwebmail.home.com%2F HTTP/1.1" 200 333
>>>> mtnngprs.com - - [11/Sep/2009:02:47:19 -0400] "GET  
>>>> /services/portal/sidebar.php HTTP/1.1" 200 2273
>>>> mtnngprs.com - - [11/Sep/2009:02:47:19 -0400] "GET  
>>>> /?frameset_loaded=1 HTTP/1.1" 302 26
>>>> mtnngprs.com - - [11/Sep/2009:02:47:23 -0400] "GET /login.php  
>>>> HTTP/1.1" 200 2551
>>>> mtnngprs.com - - [11/Sep/2009:02:47:23 -0400] "GET  
>>>> /services/javascript.php?file=tree.js&app=horde HTTP/1.1" 200 4169
>>>> mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET  
>>>> /ingo/themes/screen.css HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET  
>>>> /nag/themes/screen.css HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET  
>>>> /kronolith/themes/screen.css HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET  
>>>> /mnemo/themes/screen.css HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:29 -0400] "GET  
>>>> /turba/themes/ideas/screen.css HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:30 -0400] "GET /js/popup.js  
>>>> HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:30 -0400] "GET  
>>>> /turba/themes/screen.css HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:30 -0400] "GET /js/sidebar.js  
>>>> HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:33 -0400] "GET  
>>>> /themes/graphics/prefs.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:33 -0400] "GET  
>>>> /themes/graphics/horde.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:33 -0400] "GET  
>>>> /themes/graphics/help_index.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:36 -0400] "GET  
>>>> /themes/graphics/alerts/message.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:36 -0400] "GET  
>>>> /themes/graphics/logout.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:36 -0400] "GET  
>>>> /ingo/themes/graphics/blacklist.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:37 -0400] "GET  
>>>> /themes/graphics/problem.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:39 -0400] "GET  
>>>> /imp/js/popup.js HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:39 -0400] "GET  
>>>> /themes/graphics/edit.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:39 -0400] "GET  
>>>> /themes/graphics/delete.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:40 -0400] "GET  
>>>> /ingo/themes/graphics/whitelist.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:42 -0400] "GET  
>>>> /themes/ideas/graphics/left_menu_top.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:42 -0400] "GET  
>>>> /themes/graphics/hide_panel.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:42 -0400] "GET  
>>>> /themes/ideas/graphics/left_menu_bottom.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:43 -0400] "GET  
>>>> /themes/graphics/show_panel.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:45 -0400] "GET  
>>>> /themes/graphics/tree/plusonly.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:46 -0400] "GET  
>>>> /themes/graphics/organizing.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:48 -0400] "GET  
>>>> /themes/graphics/tree/nullonly.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:47:48 -0400] "GET  
>>>> /imp/themes/graphics/newmail.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:48:31 -0400] "GET /imp/ HTTP/1.1" 302 26
>>>> mtnngprs.com - - [11/Sep/2009:02:48:47 -0400] "GET  
>>>> /imp/mailbox.php?mailbox=INBOX&mailbox_token=wZnvebIzfCa_lW5VDB0LPOfvkzI  
>>>> HTTP/1.1" 200 5536
>>>> mtnngprs.com - - [11/Sep/2009:02:48:51 -0400] "GET  
>>>> /imp/js/effects.js HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:48:54 -0400] "GET  
>>>> /imp/js/redbox.js HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:48:57 -0400] "GET  
>>>> /imp/js/mailbox.js HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:49:00 -0400] "GET  
>>>> /imp/themes/graphics/compose.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:49:00 -0400] "GET  
>>>> /imp/themes/graphics/folders/inbox.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:49:01 -0400] "GET  
>>>> /imp/themes/graphics/folders/folder_open.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:49:03 -0400] "GET  
>>>> /themes/graphics/reload.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:49:03 -0400] "GET  
>>>> /imp/themes/graphics/fetchmail.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:49:04 -0400] "GET  
>>>> /imp/themes/graphics/folders/folder.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:49:06 -0400] "GET  
>>>> /imp/themes/graphics/mail_unseen.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:49:06 -0400] "GET  
>>>> /themes/graphics/az.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:49:08 -0400] "GET  
>>>> /imp/themes/graphics/filters.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:49:08 -0400] "GET  
>>>> /themes/graphics/search.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:49:09 -0400] "GET  
>>>> /imp/themes/graphics/mail_personal.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:49:15 -0400] "GET  
>>>> /imp/themes/graphics/empty_spam.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:51:19 -0400] "GET  
>>>> /imp/login.php?url=%2Fimp%2Fmailbox.php%3Fmailbox%3DINBOX  
>>>> HTTP/1.1" 200 3610
>>>> mtnngprs.com - - [11/Sep/2009:02:51:23 -0400] "GET  
>>>> /imp/themes/graphics/favicon.ico HTTP/1.1" 200 1406
>>>> mtnngprs.com - - [11/Sep/2009:02:52:08 -0400] "GET  
>>>> /services/prefs.php?app=imp HTTP/1.1" 200 3247
>>>> mtnngprs.com - - [11/Sep/2009:02:52:14 -0400] "GET /js/horde.js  
>>>> HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:52:32 -0400] "GET  
>>>> /services/prefs.php?app=imp&group=identities HTTP/1.1" 200 7487
>>>> mtnngprs.com - - [11/Sep/2009:02:52:46 -0400] "GET  
>>>> /services/prefs.php?app=imp&group=identities&actionID=delete_identity&id=2 HTTP/1.1" 200  
>>>> 6393
>>>> mtnngprs.com - - [11/Sep/2009:02:52:51 -0400] "GET  
>>>> /themes/graphics/alerts/success.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:52:51 -0400] "GET  
>>>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1449
>>>> mtnngprs.com - - [11/Sep/2009:02:54:54 -0400] "POST  
>>>> /services/prefs.php HTTP/1.1" 200 3292
>>>> mtnngprs.com - - [11/Sep/2009:02:57:55 -0400] "GET  
>>>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1446
>>>> mtnngprs.com - - [11/Sep/2009:02:58:14 -0400] "GET  
>>>> /imp/compose.php?mailbox=INBOX&uniq=1252652212573 HTTP/1.1" 200  
>>>> 7299
>>>> mtnngprs.com - - [11/Sep/2009:02:58:19 -0400] "GET  
>>>> /imp/js/autocomplete.js HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:58:22 -0400] "GET  
>>>> /imp/js/KeyNavList.js HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:58:29 -0400] "GET  
>>>> /imp/js/SpellChecker.js HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:58:32 -0400] "GET  
>>>> /imp/js/compose.js HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:58:35 -0400] "GET  
>>>> /themes/graphics/help.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:58:36 -0400] "GET  
>>>> /imp/themes/graphics/addressbook_browse.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:58:36 -0400] "GET  
>>>> /themes/graphics/keyboard.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:58:36 -0400] "GET  
>>>> /imp/themes/graphics/manage_attachments.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:58:39 -0400] "GET  
>>>> /imp/themes/graphics/popdown.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:02:58:43 -0400] "GET  
>>>> /imp/themes/graphics/spellcheck.png HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:03:01:36 -0400] "GET  
>>>> /imp/themes/graphics/loading.gif HTTP/1.1" 304 -
>>>> mtnngprs.com - - [11/Sep/2009:03:01:36 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:03:01:37 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:03:01:38 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:03:01:40 -0400] "POST  
>>>> /imp/compose.php?uniq=3qazi9sivvuv HTTP/1.1" 200 92
>>>> mtnngprs.com - - [11/Sep/2009:03:02:59 -0400] "GET  
>>>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1447
>>>> mtnngprs.com - - [11/Sep/2009:03:08:14 -0400] "GET  
>>>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1448
>>>> mtnngprs.com - - [11/Sep/2009:03:11:05 -0400] "GET  
>>>> /imp/compose.php?mailbox=INBOX&uniq=1252652981227 HTTP/1.1" 200  
>>>> 7300
>>>> mtnngprs.com - - [11/Sep/2009:03:11:10 -0400] "GET  
>>>> /imp/compose.php?mailbox=INBOX&uniq=1252652988462 HTTP/1.1" 200  
>>>> 7298
>>>> mtnngprs.com - - [11/Sep/2009:03:11:16 -0400] "GET  
>>>> /imp/compose.php?mailbox=INBOX&uniq=1252652993718 HTTP/1.1" 200  
>>>> 7301
>>>> mtnngprs.com - - [11/Sep/2009:03:11:19 -0400] "GET  
>>>> /imp/compose.php?mailbox=INBOX&uniq=1252652997151 HTTP/1.1" 200  
>>>> 7301
>>>> mtnngprs.com - - [11/Sep/2009:03:13:21 -0400] "GET  
>>>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1446
>>>> mtnngprs.com - - [11/Sep/2009:03:16:04 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:03:16:09 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:03:16:11 -0400] "POST  
>>>> /imp/compose.php?uniq=2qz5zcka6ec7 HTTP/1.1" 200 92
>>>> mtnngprs.com - - [11/Sep/2009:03:18:26 -0400] "GET  
>>>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
>>>> mtnngprs.com - - [11/Sep/2009:03:23:32 -0400] "GET  
>>>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1403
>>>> mtnngprs.com - - [11/Sep/2009:03:24:14 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:03:24:24 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:03:24:27 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:03:24:27 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:03:24:28 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:03:24:29 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:03:24:30 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> 41.220.75.16 - - [11/Sep/2009:03:24:33 -0400] "POST  
>>>> /imp/compose.php?uniq=1euuxs4pmk2c HTTP/1.1" 200 92
>>>> mtnngprs.com - - [11/Sep/2009:03:28:38 -0400] "GET  
>>>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
>>>> mtnngprs.com - - [11/Sep/2009:03:33:43 -0400] "GET  
>>>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
>>>> mtnngprs.com - - [11/Sep/2009:03:43:48 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>>>> mtnngprs.com - - [11/Sep/2009:03:43:54 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>>>> mtnngprs.com - - [11/Sep/2009:03:43:52 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>>>> mtnngprs.com - - [11/Sep/2009:03:43:53 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>>>> mtnngprs.com - - [11/Sep/2009:03:43:51 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>>>> mtnngprs.com - - [11/Sep/2009:03:43:57 -0400] "GET  
>>>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=eglGjEMldNr9UH24zIkdKK1eSV4&app= HTTP/1.1" 302  
>>>> 26
>>>> mtnngprs.com - - [11/Sep/2009:03:43:58 -0400] "GET  
>>>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=WX77PhweZ-KmKF0YTUGhs6guGvs&app= HTTP/1.1" 302  
>>>> 26
>>>> mtnngprs.com - - [11/Sep/2009:03:43:58 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>>>> mtnngprs.com - - [11/Sep/2009:03:43:59 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
>>>> mtnngprs.com - - [11/Sep/2009:03:44:00 -0400] "GET  
>>>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=jzb53DZTOewdzYI70Vk3lQsrR9Q&app= HTTP/1.1" 302  
>>>> 26
>>>> mtnngprs.com - - [11/Sep/2009:03:43:59 -0400] "POST  
>>>> /imp/compose.php?uniq=4w682dzniadq HTTP/1.1" 200 4965
>>>> mtnngprs.com - - [11/Sep/2009:03:44:01 -0400] "GET  
>>>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=B5_o6GqJ75P6gIus19hUSYvlouk&app= HTTP/1.1" 302  
>>>> 26
>>>> 41.220.75.16 - - [11/Sep/2009:03:44:03 -0400] "GET  
>>>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=Cgdmins9lt30Vgar4yWXI12hWjU&app= HTTP/1.1" 302  
>>>> 26
>>>> mtnngprs.com - - [11/Sep/2009:03:44:04 -0400] "GET  
>>>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=FanJ81FZSHtYfBiqnpZwzr5367c&app= HTTP/1.1" 302  
>>>> 26
>>>> mtnngprs.com - - [11/Sep/2009:03:44:06 -0400] "GET  
>>>> /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=tLLr3miFgVw5-iO3K7hm42IL8K0&app= HTTP/1.1" 302  
>>>> 26
>>>> mtnngprs.com - - [11/Sep/2009:03:44:06 -0400] "GET  
>>>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 302 26
>>>> mtnngprs.com - - [11/Sep/2009:03:44:09 -0400] "GET  
>>>> /login.php?url=%2Fservices%2Fportal%2Fsidebar.php%3Fhttpclient%3D1&nosidebar=1&horde_logout_token=ZChMZnm3eFpSkPjeW4G8rnLOJBQ&app=horde HTTP/1.1" 302  
>>>> 26
>>>> mtnngprs.com - - [11/Sep/2009:03:44:10 -0400] "GET  
>>>> /imp/login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc HTTP/1.1" 200  
>>>> 3603
>>>> mtnngprs.com - - [11/Sep/2009:03:44:13 -0400] "GET  
>>>> /imp/login.php?url=%2Fservices%2Fportal%2Fsidebar.php%3Fhttpclient%3D1  
>>>> HTTP/1.1" 200 3598
>>>> mtnngprs.com - - [11/Sep/2009:03:44:33 -0400] "POST  
>>>> /imp/redirect.php HTTP/1.1" 302 26
>>>> mtnngprs.com - - [11/Sep/2009:03:44:41 -0400] "GET  
>>>> /imp/compose.php?actionID=recompose HTTP/1.1" 200 7495
>>>> mtnngprs.com - - [11/Sep/2009:03:44:51 -0400] "POST  
>>>> /imp/compose.php?uniq=4zyav2hgmp6 HTTP/1.1" 200 92
>>>> mtnngprs.com - - [11/Sep/2009:04:14:59 -0400] "GET  
>>>> /imp/compose.php?mailbox=INBOX&uniq=1252656813421 HTTP/1.1" 200  
>>>> 7297
>>>> 41.220.75.16 - - [11/Sep/2009:04:16:21 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:04:16:25 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:04:16:25 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:04:16:26 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:04:16:28 -0400] "POST  
>>>> /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200  
>>>> 34
>>>> mtnngprs.com - - [11/Sep/2009:04:16:35 -0400] "POST  
>>>> /imp/compose.php?uniq=3w45vknv29e0 HTTP/1.1" 200 92
>>>> 114.127.246.36 - - [11/Sep/2009:04:17:19 -0400] "GET  
>>>> /imp/login.php? HTTP/1.1" 200 3580
>>>> 114.127.246.36 - - [11/Sep/2009:04:17:50 -0400] "GET  
>>>> /imp/login.php? HTTP/1.1" 200 3579
>>>> mtnngprs.com - - [11/Sep/2009:04:18:12 -0400] "GET  
>>>> /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
>>>>
>>>>
>>>> suggestions?
>>>>
>>
>>
>>
>> I do not think any of my user accounts has been compromised, but if  
>> one had been, then each time spam messages were sent using the account  
>> the email address would appear on each message, would it not?
>>
>> So far that has not happened; in the From line only email addresses  
>> that do not exist in my domain appear, and sometimes they do not even  
>> use my domain after the @.
>>
>> They would use, e.g., pepe at linux.com, when my domain in this case is home.com.
>>
>>
>> The messages are coming from webmail, because I see it not only in the  
>> Apache logs but also in Postfix's, and each time they send, the  
>> messages clearly show:
>>  message-id = <20090912181854.208571wgnq9h1w7i @ webmail.home.com>
>>
>> So I have reason to suspect it is a problem in imp/compose.php.
>>
>> As of yesterday I have a filter in Postfix to accept only mail from  
>> valid accounts of my domains and reject every message generated by the  
>> hacker using invalid accounts. So, today he or she uses a valid account  
>> only to generate the messages. I checked the Dovecot sessions in my  
>> logs and no logins appear for the account that he is using to generate  
>> the emails.
>>
>>
>> How did they obtain the list of valid accounts? Simple: a search in  
>> Google. Maybe a second solution is to use policyd to rate-limit, but  
>> the problem in Horde persists, so how can I fix this?
>>
>> Sorry for my English; it is poor.
>>
>> Thanks
>>
>> I am passing along a part of my Postfix logs.
>>
>>
>> Sep 12 18:18:54 serverlinux postfix/smtpd[4657]: F1FC98F2AD:  
>> client=serverlinux.home.com[192.168.25.254]
>> Sep 12 18:18:55 serverlinux postfix/cleanup[4833]: F1FC98F2AD:  
>> message-id=<20090912181854.208571wgnq9h1w7i at webmail.home.com>
>> Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: F1FC98F2AD:  
>> from=<mr_huang at home.com>, size=2429, nrcpt=24 (queue active)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<02cbb at alumni.williams.edu>,  
>> relay=mx.home.com[192.168.25.10]:25, delay=0.16,  
>> delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok:  
>> queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1065401001 at amsa.com>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1010motoring at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1234andy at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1982cj7 at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1amiller at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1caldero at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1harnish at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1pdickinson at comcast.net>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<100234.547 at compuserve.com>,  
>> relay=mx.home.com[192.168.25.10]:25, delay=0.16,  
>> delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok:  
>> queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<110536.427 at compuserve.com>,  
>> relay=mx.home.com[192.168.25.10]:25, delay=0.16,  
>> delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok:  
>> queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<01doublehelix10 at gmail.com>,  
>> relay=mx.home.com[192.168.25.10]:25, delay=0.16,  
>> delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok:  
>> queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1230.bb03 at gmail.com>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1230.bb05 at gmail.com>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1skier1 at home.com>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1bigtuki at hotmial.com>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<196362 at iwon.com>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<13152024 at msn.com>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1ljd at msn.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16,  
>> delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok:  
>> queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<103rle at verizon.net>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1cvi at verizon.net>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<13throw at whidbey.com>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<1lawdivadram at yahoo.com>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:  
>> to=<2002 at yahoo.com>, relay=mx.home.com[192.168.25.10]:25,  
>> delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250  
>> 2.0.0 Ok: queued as 0FFE8164859)
>> Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: F1FC98F2AD: removed
>>

Hi Mauricio,

Thanks for responding to my email. Tomorrow I will send an email to all my  
users in the system to change their passwords as a precaution, but  
until yesterday the hacker used, in the "From" line, email addresses that  
never existed in my Active Directory.

I have SPF in my DNS.

So how can email be sent through Horde webmail when the email address  
does not exist?
How is this done, if it is not possible that Horde has a security  
breach, a bug?


----------------------------------------------
Webmail, e-mail service
Casa de las Americas - Havana, Cuba.
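A defender-side triage script for the kind of Postfix log excerpt quoted in this thread (an added example, not code from the thread, from Horde, or from Postfix): it joins the postfix/cleanup and postfix/qmgr records per queue ID, totals recipients per envelope sender, and flags senders whose messages carry a Message-ID minted by the webmail host and many recipients, which is how one would carry out Mauricio's advice to identify the accounts sending spam from the queue. The sample log lines are constructed after the ones quoted above; host names, addresses and the thresholds are placeholders.

```python
"""Triage Postfix logs for bulk mail injected through a webmail front end."""
import re
from collections import defaultdict

# postfix/cleanup logs the Message-ID the submitting client (here Horde/IMP) minted.
CLEANUP_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): message-id=<(?P<msgid>[^>]+)>")
# postfix/qmgr logs the envelope sender and the recipient count on one line.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)")

# Constructed sample, modelled on the excerpt quoted in the thread. Real logs
# use "@" where the list archive prints " at "; hosts and addresses are placeholders.
SAMPLE_LOG = """\
Sep 12 18:18:54 serverlinux postfix/smtpd[4657]: F1FC98F2AD: client=serverlinux.home.com[192.168.25.254]
Sep 12 18:18:55 serverlinux postfix/cleanup[4833]: F1FC98F2AD: message-id=<20090912181854.208571wgnq9h1w7i@webmail.home.com>
Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: F1FC98F2AD: from=<mr_huang@home.com>, size=2429, nrcpt=24 (queue active)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<02cbb@alumni.williams.edu>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: F1FC98F2AD: removed
Sep 12 18:20:01 serverlinux postfix/cleanup[4833]: A1B2C3D4E5: message-id=<20090912182001.1q2w3e4r5t6y@webmail.home.com>
Sep 12 18:20:01 serverlinux postfix/qmgr[4991]: A1B2C3D4E5: from=<mr_huang@home.com>, size=2431, nrcpt=24 (queue active)
Sep 12 18:21:10 serverlinux postfix/cleanup[4833]: 0F0F0F0F0F: message-id=<4AAC1234.5060300@desktop.home.com>
Sep 12 18:21:10 serverlinux postfix/qmgr[4991]: 0F0F0F0F0F: from=<alice@home.com>, size=1800, nrcpt=1 (queue active)
"""


def parse_postfix(lines):
    """Join cleanup and qmgr records by queue ID.

    Returns {qid: {"sender": str, "nrcpt": int, "msgid": str}}. The per-recipient
    smtp lines are ignored: the qmgr line already carries the recipient count.
    """
    queue = defaultdict(dict)
    for line in lines:
        m = CLEANUP_RE.search(line)
        if m:
            queue[m["qid"]]["msgid"] = m["msgid"]
            continue
        m = QMGR_RE.search(line)
        if m:
            queue[m["qid"]]["sender"] = m["sender"]
            queue[m["qid"]]["nrcpt"] = int(m["nrcpt"])
    # keep only queue IDs for which the qmgr "from=" record was seen
    return {qid: rec for qid, rec in queue.items() if "sender" in rec}


def msgid_from_webmail(msgid, webmail_host):
    """True when the Message-ID's right-hand side is the webmail host."""
    return msgid.rsplit("@", 1)[-1].lower() == webmail_host.lower()


def summarize_senders(queue, webmail_host):
    """Per envelope sender: message count, recipient total, webmail-minted count."""
    summary = defaultdict(lambda: {"messages": 0, "recipients": 0, "webmail": 0,
                                   "max_nrcpt": 0, "qids": []})
    for qid, rec in queue.items():
        s = summary[rec["sender"]]
        s["messages"] += 1
        s["recipients"] += rec["nrcpt"]
        s["max_nrcpt"] = max(s["max_nrcpt"], rec["nrcpt"])
        s["qids"].append(qid)
        if msgid_from_webmail(rec.get("msgid", ""), webmail_host):
            s["webmail"] += 1
    return dict(summary)


def flag_bulk_senders(summary, per_message_limit=20, total_limit=100):
    """Senders whose largest single message or running total exceeds the limits."""
    return sorted(sender for sender, s in summary.items()
                  if s["max_nrcpt"] >= per_message_limit
                  or s["recipients"] >= total_limit)


def triage(log_text, webmail_host="webmail.home.com"):
    """Parse a log excerpt and return (per-sender summary, flagged senders)."""
    queue = parse_postfix(log_text.splitlines())
    summary = summarize_senders(queue, webmail_host)
    return summary, flag_bulk_senders(summary)


if __name__ == "__main__":
    summary, flagged = triage(SAMPLE_LOG)
    for sender in flagged:
        s = summary[sender]
        # The queue IDs are what `postsuper -d <qid>` removes while the
        # account owner is contacted and the password changed.
        print(f"{sender}: {s['messages']} msgs, {s['recipients']} rcpts, "
              f"{s['webmail']} minted by webmail; queue IDs {' '.join(s['qids'])}")
```

A sender whose every flagged message was minted by the webmail host (webmail count equal to message count) is the pattern the thread describes: a valid account submitting through IMP, not an open relay.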



More information about the imp mailing list