[imp] Spam Problem ... close to a solution ... may be you could help?

Götz Reinicke - IT-Koordinator goetz.reinicke at filmakademie.de
Wed May 25 07:42:05 UTC 2011


On 24.05.11 21:40, Andrew Morgan wrote:
> On Tue, 24 May 2011, Götz Reinicke - IT-Koordinator wrote:
> 
>> Hi,
>>
>> I did not find the compromised account yet, but I see a lot of messages
>> like the following one in our logs:
>>
>> /var/log/httpd/ssl_request_log.1:[21/May/2011:01:10:54 +0200]
>> 74.82.171.30 TLSv1 RC4-MD5 "POST
>> /horde/imp/compose.php?uniq=721hskg326yc HTTP/1.1" 92
>>
>> /var/log/httpd/ssl_request_log.1:[21/May/2011:01:14:38 +0200]
>> 74.82.171.30 TLSv1 RC4-MD5 "POST
>> /horde/imp/compose.php?uniq=6khanz8ousab HTTP/1.1" 92
>>
>> /var/log/httpd/ssl_request_log.1:[21/May/2011:01:24:41 +0200]
>> 74.82.171.30 TLSv1 RC4-MD5 "POST
>> /horde/imp/compose.php?uniq=2bcbqsb503hi HTTP/1.1" 92
>>
>>
>> Maybe anyone has an idea how to protect against such direct postings...
>> if it is possible anyway?
> 
> I'm not sure what you mean by "direct postings".  There is nothing
> inherently evil about calling compose.php multiple times.

By 'direct posting' I meant that the spammer is not logged on to the
HORDE web page using a web browser.

I was thinking that he uses some tool which calls
/horde/imp/compose.php....

In the web server log I do have about 1.600 POST messages from that IP
... and checking some message IDs in the mail server log shows that there
are 100 or 200 recipients.

And I don't think that a spammer is sitting in front of his web browser
entering such an amount of e-mail addresses.

> 
> One thing I forgot to mention about identifying compromised accounts -
> the spammers like to put the content of their message (the spam) into
> the user's signature block.  That simplifies the creation and sending of
> the spam because IMP will automatically include the signature block in
> any message.  You could search your preferences backend (MySQL or
> whatever) for the signature preference, possibly qualifying your search
> by looking for strings longer/larger than a certain amount.
> 
> You'll also see the reply-to and identity preferences are frequently
> changed by spammers.
> 
> Once you see the preferences of a compromised account, you'll know what
> to look for in the future.  It's very obvious.


That's a good point, I'll try to look that up.

Thanks a lot for your suggestions. Best Regards, Götz

-- 
Götz Reinicke
IT-Koordinator

Tel. +49 7141 969 420
Fax  +49 7141 969 55 420
E-Mail goetz.reinicke at filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart HRB 205016
Chair of the Supervisory Board:
Prof. Dr. Claudia Hübner

Managing Director:
Prof. Thomas Schadt
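As an added example (not code from the thread or from Horde), the check Götz describes, counting POSTs to /horde/imp/compose.php per client IP in ssl_request_log, written in Python over constructed log lines in the format quoted above; the 10.0.0.7 lines are made-up normal user traffic, and the grep-style filename prefix is tolerated:

```python
import re
from collections import Counter

# Constructed sample lines in the ssl_request_log format quoted in the thread.
# The first line carries the "file:" prefix that grep adds; the rest do not.
SAMPLE_LOG = """\
/var/log/httpd/ssl_request_log.1:[21/May/2011:01:10:54 +0200] 74.82.171.30 TLSv1 RC4-MD5 "POST /horde/imp/compose.php?uniq=721hskg326yc HTTP/1.1" 92
[21/May/2011:01:11:02 +0200] 10.0.0.7 TLSv1 RC4-MD5 "GET /horde/imp/mailbox.php HTTP/1.1" 18342
[21/May/2011:01:14:38 +0200] 74.82.171.30 TLSv1 RC4-MD5 "POST /horde/imp/compose.php?uniq=6khanz8ousab HTTP/1.1" 92
[21/May/2011:01:20:10 +0200] 10.0.0.7 TLSv1 RC4-MD5 "POST /horde/imp/compose.php?uniq=abc123 HTTP/1.1" 92
[21/May/2011:01:24:41 +0200] 74.82.171.30 TLSv1 RC4-MD5 "POST /horde/imp/compose.php?uniq=2bcbqsb503hi HTTP/1.1" 92
"""

# [timestamp] client_ip protocol cipher "METHOD path HTTP/x.y" size
LINE_RE = re.compile(
    r'^(?:\S+?:)?\[(?P<ts>[^\]]+)\] (?P<ip>\S+) \S+ \S+ '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<size>\d+)$'
)

COMPOSE_PATH = '/horde/imp/compose.php'


def count_compose_posts(log_text):
    """Return a Counter {client_ip: number of POSTs to compose.php}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m.group('method') == 'POST' and m.group('path').startswith(COMPOSE_PATH):
            counts[m.group('ip')] += 1
    return counts


def flag_ips(log_text, threshold):
    """IPs whose compose.php POST count reaches the threshold, busiest first.

    A single browser user sends a handful of messages; a client that POSTs
    hundreds or thousands of times is the pattern described in the thread.
    """
    counts = count_compose_posts(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == '__main__':
    for ip, n in flag_ips(SAMPLE_LOG, threshold=3):
        print(f'{ip}: {n} POSTs to {COMPOSE_PATH}')
```

Run it against the real file with `flag_ips(open('/var/log/httpd/ssl_request_log.1').read(), 100)`; the flagged IP then points at the sessions (and hence the account) to inspect in the preferences backend as Andrew suggests.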
