[imp] May be our horde installation was used for spam
Michael Menge
michael.menge at zdv.uni-tuebingen.de
Mon May 23 15:00:52 UTC 2011
> My questions:
>
> What is the best way to find the leak? What may I configure in
> horde/imp/apache/php ... to make it harder to be compromised?
>
There are many phishing mails which target webmail accounts.
IMHO this is the most common case for abuse of IMP and other webmail
software.
IMP has some options to limit the impact and show the used
account. Have a look at Imp Configuration -> Other settings
-> Outgoing Email Logging
Permissions -> Imp -> max_recipients and max_timelimit
You can use the following SQL statement to show the suspicious accounts:
SELECT * FROM (
    SELECT sentmail_who, COUNT(sentmail_recipient) AS nrcpt
    FROM imp_sentmail
    WHERE sentmail_ts > '@BEGIN_TS@' AND sentmail_ts < '@END_TS@'
    GROUP BY sentmail_who
    ORDER BY nrcpt DESC
) AS foo WHERE nrcpt > @NRCPT@;
Replace
@BEGIN_TS@ and @END_TS@ with the beginning and end timestamps of
the timeframe, and
@NRCPT@ with the number of recipients to ignore.
To find the user you can also try to search the horde_prefs table for the spam
content in the user's signature (pref_scope='horde' and
pref_name='identities' and pref_value like '%SPAMTEXT%').
Regards
Michael Menge
--------------------------------------------------------------------------------
M.Menge Tel.: (49) 7071/29-70316
Universität Tübingen Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung mail:
michael.menge at zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen
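The two checks from the post above (the per-sender recipient count over a time window, and the signature search in horde_prefs), run end to end as an added example that is not part of the original mail and not Horde's own code. It uses an in-memory SQLite database with constructed rows; the table layouts are simplified to just the columns the queries touch, the timestamps and account names are made up, and the serialized identities preference is replaced by a plain string. The `@...@` placeholders of the original statement become bound parameters, and the signature search escapes LIKE wildcards in the search text so that a `%` in the spam text cannot widen the match.

```python
import sqlite3

# Constructed time window for the investigation (unix timestamps, made up).
BEGIN_TS = 1306100000
END_TS = 1306200000


def _demo_sentmail_rows():
    """Constructed imp_sentmail rows: (sender, recipient, unix timestamp)."""
    rows = [
        ("alice", "friend1@example.org", BEGIN_TS + 500),
        ("alice", "friend2@example.org", BEGIN_TS + 600),
    ]
    # A compromised account fanning out to 40 recipients inside the window.
    rows += [("mallory", f"victim{i:03d}@example.net", BEGIN_TS + 50000 + i)
             for i in range(40)]
    # A bulk sender outside the window, which must not show up in the result.
    rows += [("bob", f"colleague{i}@example.org", END_TS + 100000 + i)
             for i in range(12)]
    return rows


def _demo_prefs_rows():
    """Constructed horde_prefs rows; pref_value stands in for the serialized identities."""
    return [
        ("alice", "horde", "identities", "signature: Best regards, Alice"),
        ("mallory", "horde", "identities", "signature: Cheap meds at http://spam.example/"),
        ("bob", "horde", "identities", "signature: Bob, Accounting"),
    ]


def build_demo_db():
    """Create an in-memory database with the simplified tables and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE imp_sentmail "
                 "(sentmail_who TEXT, sentmail_recipient TEXT, sentmail_ts INTEGER)")
    conn.execute("CREATE TABLE horde_prefs "
                 "(pref_uid TEXT, pref_scope TEXT, pref_name TEXT, pref_value TEXT)")
    conn.executemany("INSERT INTO imp_sentmail VALUES (?, ?, ?)", _demo_sentmail_rows())
    conn.executemany("INSERT INTO horde_prefs VALUES (?, ?, ?, ?)", _demo_prefs_rows())
    return conn


# The statement from the post, with @BEGIN_TS@, @END_TS@ and @NRCPT@ as parameters.
SUSPICIOUS_SENDERS_SQL = """
SELECT * FROM (
    SELECT sentmail_who, COUNT(sentmail_recipient) AS nrcpt
    FROM imp_sentmail
    WHERE sentmail_ts > ? AND sentmail_ts < ?
    GROUP BY sentmail_who
    ORDER BY nrcpt DESC
) AS foo WHERE nrcpt > ?
"""


def suspicious_senders(conn, begin_ts, end_ts, max_rcpt):
    """Return [(sender, recipient_count), ...] for senders above max_rcpt in the window."""
    return conn.execute(SUSPICIOUS_SENDERS_SQL, (begin_ts, end_ts, max_rcpt)).fetchall()


def _escape_like(text):
    """Escape LIKE metacharacters so the spam text is matched literally."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def users_with_signature_text(conn, spam_text):
    """Return the pref_uid of every user whose identities preference contains spam_text."""
    pattern = "%" + _escape_like(spam_text) + "%"
    rows = conn.execute(
        "SELECT pref_uid FROM horde_prefs "
        "WHERE pref_scope = 'horde' AND pref_name = 'identities' "
        "AND pref_value LIKE ? ESCAPE '\\' ORDER BY pref_uid",
        (pattern,),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_demo_db()
    for who, nrcpt in suspicious_senders(db, BEGIN_TS, END_TS, 10):
        print(f"{who}: {nrcpt} recipients in window")
    print("accounts with spam text in signature:",
          users_with_signature_text(db, "Cheap meds"))
```

Against the constructed data only mallory exceeds the threshold of 10 recipients; alice stays under it and bob's mail lies outside the window. The threshold is the same value the post calls "the number of recipients to ignore", so pick it from what your normal users send in the chosen timeframe.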