[imp] Spam Problem ... close to a solution ... may be you could help?

Andy Dorman adorman at ironicdesign.com
Tue May 24 14:05:36 UTC 2011


On 05/24/2011 07:53 AM, � wrote:
> Hi,
>
> I did not find the compromised account yet, but I see a lot of messages
> like the following one in our logs:
>
> /var/log/httpd/ssl_request_log.1:[21/May/2011:01:10:54 +0200]
> 74.82.171.30 TLSv1 RC4-MD5 "POST
> /horde/imp/compose.php?uniq=721hskg326yc HTTP/1.1" 92
>
> /var/log/httpd/ssl_request_log.1:[21/May/2011:01:14:38 +0200]
> 74.82.171.30 TLSv1 RC4-MD5 "POST
> /horde/imp/compose.php?uniq=6khanz8ousab HTTP/1.1" 92
>
> /var/log/httpd/ssl_request_log.1:[21/May/2011:01:24:41 +0200]
> 74.82.171.30 TLSv1 RC4-MD5 "POST
> /horde/imp/compose.php?uniq=2bcbqsb503hi HTTP/1.1" 92
>
>
> Maybe anyone has an idea how to protect against such direct postings...
> if it is possible anyway?
>
> Any suggestion is welcome!!!!
>

OK, you said any suggestion...

We use two techniques to stop outgoing spam.  The first is pretty complex and 
not for everyone.  You must use version control like Git or Bazaar to keep your 
local code changes safe when you do upstream updates (and using PEAR is out). 
The second technique is simple but not free.

1. We run memcache on the horde servers.  We then added local code to 
horde/imp/lib/Compose.php to save and update a 24 hour count of recipients in 
memcache for a sender.

Then when a sender hits the 24 hr limit or a limit for the number of addresses 
in a single email (spammers love to send to 40 or 50 BCC addresses), we 
deactivate the sender (so they can not send any more until an admin has taken 
action) and send a note to an admin so someone can follow up and decide if this 
is a spammer OR a valid user whose account was stolen.

I am sure someone like Chuck or Jan could write a patch for you on a consulting 
basis.  I have been trying to get our code organized and clean enough that we 
could submit it as something just about anyone could use.  But right now it is 
tied pretty closely to our LDAP user store which is pretty complicated.

2. This is not free... For the horde mailer config item we use smtp and point it 
to antespam.com.  AnteSpam checks the outgoing email for spam and viruses.  When 
it finds either, it quarantines the email and sends a note to the user and the 
domain admin.  The user can manually free the email from quarantine.  But since 
a spammer needs to send a large quantity of spam, needing to release emails from 
quarantine quickly kills his/her profits.  Also, the domain admin can look 
at the email and if it is really spam, they can quickly shut down the spammer.

I wish I had a better idea to suggest.  But we have found that spammers are 
clever and persistent and hard to stop.

Good luck,

-- 
Andy Dorman
FanMail.com
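An added illustration of the first technique described in the reply above (a 24 hour recipient count per sender plus a cap on addresses in one message, with the sender deactivated and an admin notified when either is exceeded). This is not Horde/IMP code and not the FanMail.com patch: the CounterStore class is a constructed stand-in for memcache's get/incr-with-TTL, and the limit values are assumed.

```python
import time

DAILY_RECIPIENT_LIMIT = 500   # assumed threshold; the post gives no number
PER_MESSAGE_LIMIT = 30        # assumed; the post notes spammers BCC 40 or 50 at once
WINDOW_SECONDS = 24 * 3600    # the 24 hour window from the post


class CounterStore:
    """Constructed stand-in for memcache: get and incr with a TTL.
    A clock is injectable so the 24 hour expiry can be exercised offline."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._data = {}  # key -> (value, expires_at)

    def get(self, key):
        item = self._data.get(key)
        if item and item[1] > self.clock():
            return item[0]
        self._data.pop(key, None)  # expired or absent
        return None

    def incr(self, key, delta, ttl):
        # Like memcache incr, keep the original expiry when the key exists,
        # so the window is measured from the sender's first message.
        now = self.clock()
        item = self._data.get(key)
        if item and item[1] > now:
            self._data[key] = (item[0] + delta, item[1])
        else:
            self._data[key] = (delta, now + ttl)
        return self._data[key][0]


def check_send(store, sender, recipients, deactivate, notify_admin):
    """Gate one outgoing message. Returns True if it may be sent; otherwise
    calls deactivate(sender) and notify_admin(text) and returns False."""
    n = len(recipients)
    key = f"imp:recipients:{sender}"
    if n > PER_MESSAGE_LIMIT:
        reason = f"{n} recipients in a single message"
    elif (store.get(key) or 0) + n > DAILY_RECIPIENT_LIMIT:
        reason = f"over {DAILY_RECIPIENT_LIMIT} recipients in 24 hours"
    else:
        store.incr(key, n, WINDOW_SECONDS)
        return True
    deactivate(sender)  # sender stays blocked until an admin reviews the account
    notify_admin(f"{sender} blocked: {reason}; spammer or stolen account?")
    return False
```

The count is only incremented for messages that pass, so a blocked burst does not inflate the sender's window; in production the deactivate callback would flip the account flag in the user store, as the post describes.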


More information about the imp mailing list