[imp] May be our horde installation was used for spam

Götz Reinicke - IT-Koordinator goetz.reinicke at filmakademie.de
Mon May 23 07:51:10 UTC 2011


Hi,

since saturday we got about 40 reports from spamcom.net and other
mailserver providers, that 'we' are sending or are used for sending spam.

The MX is 193.196.129.3

So far I received about 7.000 returned mail bounces from our system and
all reported messages do have User-Agent: Internet Messaging Program
(IMP) H3 (4.3.9) in the mailheader.

Or something like

Received: from switchde.switchvpn.com (switchde.switchvpn.com
 [178.162.182.142]) by mail.filmakademie.de (Horde Framework) with HTTP;


Our mailserver is a Red Hat EL 5.x server with sendmail 8.13.8, apache
httpd 2.2.3, php 5.2.11, mysql 5.0.77 and latest horde webmailedition.


My questions:

What is the best way to find the leak? What may I configure in
horde/imp/apache/php ... to make it harder to be compromised?

This is the first time in 10 years ... so far our setup was not that bad.


Thanks a lot and best regards hor any hint!

	Götz Reinicke

-- 
Götz Reinicke
IT-Koordinator

Tel. +49 7141 969 420
Fax  +49 7141 969 55 420
E-Mail goetz.reinicke at filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzende des Aufsichtsrats:
Prof. Dr. Claudia Hübner

Geschäftsführer:
Prof. Thomas Schadt


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6656 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.horde.org/archives/imp/attachments/20110523/d8328259/attachment.bin>


More information about the imp mailing list