[imp] May be our horde installation was used for spam

Michael Menge michael.menge at zdv.uni-tuebingen.de
Mon May 23 15:00:52 UTC 2011


> My questions:
>
> What is the best way to find the leak? What may I configure in
> horde/imp/apache/php ... to make it harder to be compromised?
>

There are many phishing mails which target webmail accounts.
IMHO this is the most common case for abuse of IMP and other webmail
software.

IMP has some options to limit the impact and to show the account that
was used. Have a look at IMP Configuration -> Other settings
-> Outgoing Email Logging

Permissions -> Imp -> max_recipients and max_timelimit

You can use the following SQL statement to show the suspicious accounts:

SELECT * FROM (
     SELECT sentmail_who, COUNT(sentmail_recipient) AS  nrcpt FROM imp_sentmail
     WHERE sentmail_ts > '@BEGIN_TS@' and sentmail_ts < '@END_TS@'
     GROUP BY sentmail_who ORDER BY nrcpt DESC
) AS foo WHERE nrcpt > @NRCPT@;

Replace
@BEGIN_TS@ and @END_TS@ with the timestamps of the beginning and end of
the timeframe,
@NRCPT@ with the number of recipients to ignore.


To find the user you can also try to search the horde_prefs table for the
spam content in the users' signatures (pref_scope='horde' and
pref_name='identities' and pref_value like '%SPAMTEXT%').

Regards

   Michael Menge
--------------------------------------------------------------------------------
M.Menge                                Tel.: (49) 7071/29-70316
Universität Tübingen                   Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung          mail: michael.menge at zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen
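The two checks suggested in the reply above (counting recipients per sender in the IMP outgoing-mail log, and grepping identity signatures in horde_prefs), as an added, runnable example. This is not code from the original post or from the Horde/IMP project: it runs against an in-memory SQLite database seeded with constructed rows. The column names of imp_sentmail and horde_prefs, and sentmail_ts being a Unix timestamp, are assumed to follow the IMP 4 / Horde 3 SQL schema; the sample pref_value strings only stand in for the PHP-serialized identity array Horde really stores.

```python
"""Hunt for abused IMP webmail accounts (added example, not Horde code).

Two signals, both from the mailing-list reply:
  1. imp_sentmail: senders with an unusual number of recipients in a window
  2. horde_prefs : accounts whose identity signature contains the spam text
"""
import sqlite3
from typing import List, Tuple

# Assumed table layout (IMP 4 / Horde 3 style; constructed for this example).
SCHEMA = """
CREATE TABLE imp_sentmail (
    sentmail_id        INTEGER PRIMARY KEY,
    sentmail_who       TEXT    NOT NULL,   -- authenticated IMP user
    sentmail_ts        INTEGER NOT NULL,   -- Unix timestamp (assumed)
    sentmail_messageid TEXT    NOT NULL,
    sentmail_action    TEXT    NOT NULL,
    sentmail_recipient TEXT    NOT NULL,   -- one row per recipient
    sentmail_success   INTEGER NOT NULL
);
CREATE TABLE horde_prefs (
    pref_uid   TEXT NOT NULL,
    pref_scope TEXT NOT NULL,
    pref_name  TEXT NOT NULL,
    pref_value TEXT
);
"""

BASE_TS = 1306000000  # constructed: roughly May 2011


def build_db() -> sqlite3.Connection:
    """Create the tables and seed constructed rows: 'alice' is a normal
    user, 'mallory' is a phished account blasting six recipients."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = []
    for i, rcpt in enumerate(["bob@example.org", "carol@example.org"]):
        rows.append((None, "alice", BASE_TS + i, "<a%d@example>" % i,
                     "new", rcpt, 1))
    for i in range(6):
        rows.append((None, "mallory", BASE_TS + 100 + i, "<m%d@example>" % i,
                     "new", "victim%d@example.net" % i, 1))
    # an old mallory mail outside the investigated window: must be ignored
    rows.append((None, "mallory", BASE_TS - 100000, "<old@example>",
                 "new", "x@example.net", 1))
    conn.executemany("INSERT INTO imp_sentmail VALUES (?,?,?,?,?,?,?)", rows)
    conn.executemany("INSERT INTO horde_prefs VALUES (?,?,?,?)", [
        ("alice", "horde", "identities", "a:1:{signature: Regards, Alice}"),
        ("mallory", "horde", "identities",
         "a:1:{signature: Buy cheap pills at http://spam.example}"),
    ])
    return conn


def suspicious_senders(conn: sqlite3.Connection, begin_ts: int, end_ts: int,
                       min_rcpt: int) -> List[Tuple[str, int, int]]:
    """The reply's query, restated with HAVING instead of a derived table,
    plus a DISTINCT count: many rows to few distinct recipients is a
    mailing list or a retry, many distinct ones looks like a spam run.
    Returns (who, nrcpt, ndistinct) sorted by nrcpt descending."""
    sql = """
    SELECT sentmail_who,
           COUNT(sentmail_recipient)          AS nrcpt,
           COUNT(DISTINCT sentmail_recipient) AS ndistinct
    FROM imp_sentmail
    WHERE sentmail_ts > ? AND sentmail_ts < ?
    GROUP BY sentmail_who
    HAVING nrcpt > ?
    ORDER BY nrcpt DESC
    """
    return conn.execute(sql, (begin_ts, end_ts, min_rcpt)).fetchall()


def signature_matches(conn: sqlite3.Connection, spamtext: str) -> List[str]:
    """Accounts whose identity prefs contain the spam text. The pattern is
    bound as a parameter (never string-formatted into the SQL), even for
    an admin-only query; LIKE is case-insensitive for ASCII in SQLite."""
    sql = """
    SELECT pref_uid FROM horde_prefs
    WHERE pref_scope = 'horde' AND pref_name = 'identities'
      AND pref_value LIKE '%' || ? || '%'
    """
    return [row[0] for row in conn.execute(sql, (spamtext,))]


if __name__ == "__main__":
    db = build_db()
    for who, n, nd in suspicious_senders(db, BASE_TS - 10000, BASE_TS + 100000, 3):
        print("%-10s %3d recipients (%d distinct)" % (who, n, nd))
    print("signature hits:", signature_matches(db, "spam.example"))
```

Run against a real Horde database, swap the sqlite3 connection for the site's DB driver and feed the window boundaries from the abuse report; the HAVING threshold plays the role of @NRCPT@ in the reply's query.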