[imp] May be our horde installation was used for spam

[Andi Liste]

Am 20:59, schrieb Götz Reinicke - IT-Koordinator:
> Hi,
>
> since saturday we got about 40 reports from spamcom.net and other
> mailserver providers, that 'we' are sending or are used for sending spam.
>
> The MX is 193.196.129.3

It's not widely listed at
http://multirbl.valli.org/dnsbl-lookup/193.196.129.3.html so you should
check in the MTA logfile if indeed this machine is sending out spam.

> So far I received about 7.000 returned mail bounces from our system and
> all reported messages do have User-Agent: Internet Messaging Program
> (IMP) H3 (4.3.9) in the mailheader.
>
> Or something like
>
> Received: from switchde.switchvpn.com (switchde.switchvpn.com
>  [178.162.182.142]) by mail.filmakademie.de (Horde Framework) with HTTP;
>

As said, first check if you are really the origin. Headers are easily
spoofed.

> Our mailserver is a Red Hat EL 5.x server with sendmail 8.13.8, apache
> httpd 2.2.3, php 5.2.11, mysql 5.0.77 and latest horde webmailedition.
>
>
> My questions:
>
> What is the best way to find the leak? What may I configure in
> horde/imp/apache/php ... to make it harder to be compromised?
>
> This is the first time in 10 years ... so far our setup was not that bad.

Horde/IMP per se is beside some long ago fixed bugs not usable to send
Spam by default. You have to find out if some user-account is hacked or
if some other web accessible scripts are abused. Beside this there is
some "hardening" which can be done to lower the impact if a user account
is phished:
- Disable the user preference for setting the sender address
- Use maillog and the rate-limits built into Horde
- Use secure access to the Webmail server with https at least for mobile
users

Regards

Andreas