[imp] May be our horde installation was used for spam

Andrew Morgan morgan at orst.edu
Mon May 23 17:31:01 UTC 2011


On Mon, 23 May 2011, Götz Reinicke - IT-Koordinator wrote:

> Hi,
>
> since Saturday we got about 40 reports from spamcom.net and other
> mailserver providers that 'we' are sending or are used for sending spam.
>
> The MX is 193.196.129.3
>
> So far I received about 7.000 returned mail bounces from our system and
> all reported messages do have User-Agent: Internet Messaging Program
> (IMP) H3 (4.3.9) in the mail header.
>
> Or something like
>
> Received: from switchde.switchvpn.com (switchde.switchvpn.com
> [178.162.182.142]) by mail.filmakademie.de (Horde Framework) with HTTP;
>
>
> Our mailserver is a Red Hat EL 5.x server with sendmail 8.13.8, apache
> httpd 2.2.3, php 5.2.11, mysql 5.0.77 and latest horde webmailedition.
>
>
> My questions:
>
> What is the best way to find the leak? What may I configure in
> horde/imp/apache/php ... to make it harder to be compromised?

As others have said, most likely one of your users is compromised.  You 
can easily place limits on the number of messages that can be sent in a 
specified time period to limit the damage.  For example, we limit our 
users to 500 messages per day from IMP.

To turn this feature on, login to Horde as an administrator and go to the 
Administration > Setup > Mail (imp) > Other Settings tab.  Configure the 
"Outgoing Email Logging" settings.  Here is what we use:

$conf['sentmail']['params']['threshold'] = 30;
$conf['sentmail']['params']['limit_period'] = 24;
$conf['sentmail']['params']['table'] = 'imp_sentmail';
$conf['sentmail']['params']['driverconfig'] = 'horde';
$conf['sentmail']['driver'] = 'sql';

Then, go to Administration > Permissions and add a child permission for 
Mail (imp) called "Maximum Number of Recipients per Time Period 
(max_timelimit)".  Set it to 500 or the value you want for "Authenticated 
Users".

We keep track of the use/abuse by running a nightly cronjob.  It is 
attached to this message and named report_senders.pl.  All it really does 
is run the following SQL query:

SELECT sentmail_who, COUNT(sentmail_who) cc
  FROM imp_sentmail
  WHERE (sentmail_ts > UNIX_TIMESTAMP() - 86400)
  GROUP BY sentmail_who
  HAVING cc > 100
  ORDER BY cc DESC

We have a second perl script which will report all the messages that a 
particular user sent in the last 24 hours (attached as query-sentmail.pl). 
It is pretty obvious when a spammer has control of the account when you 
look at the list of recipients.  They like to send to the same domain with 
a list of alphabetical usernames.  If I have any doubt, I open up the 
user's mailbox and look at their sent-mail and any bounce messages they 
have received.  There are usually lots of bounce messages for spam.

Lots of people on this list are recommending dumping sendmail in favor of 
postfix.  Personally, that sounds like postfix bigotry to me.  Postfix is 
a nice SMTP server, but sendmail will work fine too.  Fix your immediate 
problem in IMP first by deploying these sender limits.  If you want to mess 
with your SMTP server, do it later when you can spend the time to research 
and test a solution.

 	Andy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: query-sentmail.pl
Type: text/x-perl
Size: 1036 bytes
Desc: 
URL: <http://lists.horde.org/archives/imp/attachments/20110523/697956fb/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: report_senders.pl
Type: text/x-perl
Size: 840 bytes
Desc: 
URL: <http://lists.horde.org/archives/imp/attachments/20110523/697956fb/attachment-0001.bin>
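As an added example (not Andy's message and not the contents of the scrubbed report_senders.pl / query-sentmail.pl attachments, which are unavailable), here is a Python sketch of the two-step check he describes: the nightly "who sent more than 100 recipients in 24 hours" query, followed by a look at one user's recipient list for the same-domain, alphabetical-usernames pattern. It runs against an in-memory SQLite copy of imp_sentmail filled with constructed rows. The column names sentmail_who and sentmail_ts come from the query in the posting; the sentmail_recipient column and the one-row-per-recipient layout are assumptions, and UNIX_TIMESTAMP() is replaced by a bound "now" value because SQLite does not have it.

```python
import sqlite3
from collections import Counter

# Fixed "now" (constructed) so the example is reproducible offline.
NOW = 1306170000
DAY = 86400


def sample_rows():
    """Constructed imp_sentmail rows: one row per recipient (assumed layout).

    - alice: a handful of ordinary messages within the last 24 hours
    - bob:   150 recipients at one domain with alphabetical local parts,
             the shape Andy describes for a hijacked account
    - carol: a large mailing, but 30 hours ago, so outside the query window
    """
    rows = []
    for i, rcpt in enumerate(["pat@example.org", "sam@example.com",
                              "lee@example.net", "kim@example.org",
                              "joe@example.com"]):
        rows.append(("alice", NOW - 7200 + i, rcpt))
    for i in range(150):
        rows.append(("bob", NOW - 3600 + i, f"user{i:03d}@example.net"))
    for i in range(120):
        rows.append(("carol", NOW - 30 * 3600 + i, f"member{i:03d}@example.edu"))
    return rows


def build_db(rows=None):
    """Create an in-memory imp_sentmail table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE imp_sentmail ("
        " sentmail_who TEXT, sentmail_ts INTEGER, sentmail_recipient TEXT)"
    )
    conn.executemany("INSERT INTO imp_sentmail VALUES (?, ?, ?)",
                     sample_rows() if rows is None else rows)
    return conn


def heavy_senders(conn, now=NOW, period=DAY, min_count=100):
    """The posting's report_senders query; UNIX_TIMESTAMP() becomes a bound value."""
    sql = """
        SELECT sentmail_who, COUNT(sentmail_who) AS cc
          FROM imp_sentmail
         WHERE sentmail_ts > ? - ?
         GROUP BY sentmail_who
        HAVING cc > ?
         ORDER BY cc DESC
    """
    return conn.execute(sql, (now, period, min_count)).fetchall()


def recipients_for(conn, who, now=NOW, period=DAY):
    """What query-sentmail.pl reports: everything one user sent in the window."""
    sql = """
        SELECT sentmail_recipient FROM imp_sentmail
         WHERE sentmail_who = ? AND sentmail_ts > ? - ?
         ORDER BY sentmail_ts
    """
    return [r[0] for r in conn.execute(sql, (who, now, period))]


def looks_like_dictionary_run(recipients, min_n=20, domain_share=0.8,
                              sorted_share=0.9):
    """Heuristic for the pattern in the posting: most recipients share one
    domain and their local parts arrive in alphabetical order.  The thresholds
    are assumptions chosen for this example."""
    if len(recipients) < min_n:
        return False
    domains = Counter(addr.rsplit("@", 1)[-1].lower() for addr in recipients)
    top_domain, top_n = domains.most_common(1)[0]
    if top_n / len(recipients) < domain_share:
        return False
    local_parts = [addr.rsplit("@", 1)[0].lower() for addr in recipients
                   if addr.lower().endswith("@" + top_domain)]
    pairs = list(zip(local_parts, local_parts[1:]))
    ascending = sum(1 for a, b in pairs if a <= b)
    return bool(pairs) and ascending / len(pairs) >= sorted_share


def nightly_report(conn, now=NOW):
    """Both steps together: who exceeded the threshold, and whether their
    recipient list has the spam-run shape."""
    return [
        {"who": who, "count": cc,
         "dictionary_run": looks_like_dictionary_run(recipients_for(conn, who, now))}
        for who, cc in heavy_senders(conn, now)
    ]


if __name__ == "__main__":
    for entry in nightly_report(build_db()):
        print(entry)
```

With the constructed rows, only bob crosses the 100-recipient line within 24 hours and his recipient list trips the pattern check; carol's mailing is just as large but falls outside the window, which is the same reason the original query keys on the last 86400 seconds. The heuristic is deliberately a hint rather than a verdict, matching Andy's practice of opening the mailbox and looking at bounces when in doubt.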