[imp] May be our horde installation was used for spam
Andi Liste
lst_hoe02 at kwsoft.de
Mon May 23 09:22:15 UTC 2011
Am 20:59, schrieb Götz Reinicke - IT-Koordinator:
> Hi,
>
> since saturday we got about 40 reports from spamcom.net and other
> mailserver providers, that 'we' are sending or are used for sending spam.
>
> The MX is 193.196.129.3
It's not widely listed at
http://multirbl.valli.org/dnsbl-lookup/193.196.129.3.html so you should
check in the MTA logfile if indeed this machine is sending out spam.
> So far I received about 7.000 returned mail bounces from our system and
> all reported messages do have User-Agent: Internet Messaging Program
> (IMP) H3 (4.3.9) in the mailheader.
>
> Or something like
>
> Received: from switchde.switchvpn.com (switchde.switchvpn.com
> [178.162.182.142]) by mail.filmakademie.de (Horde Framework) with HTTP;
>
As said, first check if you are really the origin. Headers are easily
spoofed.
> Our mailserver is a Red Hat EL 5.x server with sendmail 8.13.8, apache
> httpd 2.2.3, php 5.2.11, mysql 5.0.77 and latest horde webmailedition.
>
>
> My questions:
>
> What is the best way to find the leak? What may I configure in
> horde/imp/apache/php ... to make it harder to be compromised?
>
> This is the first time in 10 years ... so far our setup was not that bad.
Horde/IMP per se is beside some long ago fixed bugs not usable to send
Spam by default. You have to find out if some user-account is hacked or
if some other web accessible scripts are abused. Beside this there is
some "hardening" which can be done to lower the impact if a user account
is phished:
- Disable the user preference for setting the sender address
- Use maillog and the rate-limits built into Horde
- Use secure access to the Webmail server with https at least for mobile
users
Regards
Andreas
More information about the imp
mailing list