[imp] Spam Problem ... close to a solution ... may be you could help?

Michael Menge michael.menge at zdv.uni-tuebingen.de
Wed May 25 09:51:26 UTC 2011


Quoting Götz Reinicke - IT-Koordinator <goetz.reinicke at filmakademie.de>:

> On 24.05.11 21:40, Andrew Morgan wrote:
>> On Tue, 24 May 2011, Götz Reinicke - IT-Koordinator wrote:
>>
>>> Hi,
>>>
>>> I did not find the compromised account yet, but I see a lot of messages
>>> like the following one in our logs:
>>>
>>> /var/log/httpd/ssl_request_log.1:[21/May/2011:01:10:54 +0200]
>>> 74.82.171.30 TLSv1 RC4-MD5 "POST
>>> /horde/imp/compose.php?uniq=721hskg326yc HTTP/1.1" 92
>>>
>>> /var/log/httpd/ssl_request_log.1:[21/May/2011:01:14:38 +0200]
>>> 74.82.171.30 TLSv1 RC4-MD5 "POST
>>> /horde/imp/compose.php?uniq=6khanz8ousab HTTP/1.1" 92
>>>
>>> /var/log/httpd/ssl_request_log.1:[21/May/2011:01:24:41 +0200]
>>> 74.82.171.30 TLSv1 RC4-MD5 "POST
>>> /horde/imp/compose.php?uniq=2bcbqsb503hi HTTP/1.1" 92
>>>
>>>
>>> Maybe anyone has an idea how to protect against such direct postings...
>>> if it is possible anyway?
>>
>> I'm not sure what you mean by "direct postings".  There is nothing
>> inherently evil about calling compose.php multiple times.
>
> By 'direct posting' I meant that the spammer is not logged on
> to the HORDE webpage using a web browser.
>

If the spammer is not logged in, they should not be able to send
mails at all.

> I was thinking that he uses some tool which calls
> /horde/imp/compose.php....

Yes, but there is no way to distinguish this tool from a normal web browser.
Both connect to the web server and send a POST request.

>
> In the web server log I do have about 1,600 POST messages from that IP
> ... and checking some message IDs in the mail server log shows that there
> are 100 or 200 recipients.
>
> And I don't think that a spammer is sitting in front of his web browser
> entering such an amount of e-mail addresses.

No, this is done by a script, but as Horde only sees the result
there is no way to distinguish a normal browser from a script.

Therefore, limit the number of recipients per message in Horde,
and limit the number of recipients per timeframe.




--------------------------------------------------------------------------------
M.Menge                                Tel.: (49) 7071/29-70316
Universität Tübingen                   Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung          mail:  michael.menge at zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen
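The limits Michael recommends are enforced inside Horde; the other half of the problem in this thread is finding the abusing IP in the web server log in the first place. The script below is an added example, not part of the original thread and not Horde or Apache code: it parses lines in the default Apache ssl_request_log format shown in the quoted log excerpts (`[%t] %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b`), keeps only POSTs to /horde/imp/compose.php, and reports every client IP that made at least `threshold` such POSTs inside any sliding `window`. The sample log lines are constructed (three reuse the uniq values quoted above, the rest are made up), and the window of 30 minutes and threshold of 5 POSTs are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default Apache ssl_request_log format:
#   [%t] %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<ip>\S+)\s+(?P<proto>\S+)\s+(?P<cipher>\S+)\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+(?P<bytes>\S+)$'
)

# Constructed sample input: one noisy client (74.82.171.30, the IP from the
# thread) and one normal user (192.0.2.10). The uniq= values on the first,
# third and sixth lines are the ones quoted in the thread; the rest are made up.
SAMPLE_LOG = """\
[21/May/2011:01:10:54 +0200] 74.82.171.30 TLSv1 RC4-MD5 "POST /horde/imp/compose.php?uniq=721hskg326yc HTTP/1.1" 92
[21/May/2011:01:12:03 +0200] 192.0.2.10 TLSv1 RC4-MD5 "GET /horde/imp/compose.php?uniq=aaaaaaaaaaaa HTTP/1.1" 14213
[21/May/2011:01:14:38 +0200] 74.82.171.30 TLSv1 RC4-MD5 "POST /horde/imp/compose.php?uniq=6khanz8ousab HTTP/1.1" 92
[21/May/2011:01:18:02 +0200] 74.82.171.30 TLSv1 RC4-MD5 "POST /horde/imp/compose.php?uniq=q3b6d0lkd5mi HTTP/1.1" 92
[21/May/2011:01:20:17 +0200] 192.0.2.10 TLSv1 RC4-MD5 "POST /horde/imp/compose.php?uniq=aaaaaaaaaaaa HTTP/1.1" 92
[21/May/2011:01:24:41 +0200] 74.82.171.30 TLSv1 RC4-MD5 "POST /horde/imp/compose.php?uniq=2bcbqsb503hi HTTP/1.1" 92
[21/May/2011:01:31:09 +0200] 74.82.171.30 TLSv1 RC4-MD5 "POST /horde/imp/compose.php?uniq=xk2p8r7s0a1b HTTP/1.1" 92
[21/May/2011:01:38:55 +0200] 74.82.171.30 TLSv1 RC4-MD5 "POST /horde/imp/compose.php?uniq=m9c4v1n7e2z5 HTTP/1.1" 92
[21/May/2011:02:30:00 +0200] 192.0.2.10 TLSv1 RC4-MD5 "POST /horde/imp/compose.php?uniq=bbbbbbbbbbbb HTTP/1.1" 92
"""


def parse_line(line):
    """Parse one ssl_request_log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    # Drop the query string (the per-compose-window uniq= token) so all
    # compose requests collapse onto the same path.
    path = m.group('path').split('?', 1)[0]
    return {'ts': ts, 'ip': m.group('ip'), 'method': m.group('method'), 'path': path}


def find_compose_bursts(lines, window=timedelta(minutes=30), threshold=5,
                        path='/horde/imp/compose.php'):
    """Return {ip: peak} for every IP whose peak number of POSTs to `path`
    inside any `window`-long interval reaches `threshold`.
    Window and threshold are assumed values, not Horde or Apache defaults."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and rec['path'] == path:
            posts[rec['ip']].append(rec['ts'])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        peak = 0
        start = 0
        # Sliding window over the sorted timestamps of this IP's POSTs.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == '__main__':
    # With a real log: find_compose_bursts(open('/var/log/httpd/ssl_request_log'))
    for ip, peak in sorted(find_compose_bursts(SAMPLE_LOG.splitlines()).items()):
        print(f'{ip}: {peak} compose POSTs within 30 minutes')
```

Run against a rotated log (`ssl_request_log.1` in the thread) it lists the IP to block at the firewall and gives a starting point for the mail server log: the matching timestamps there identify the authenticated sender, which is the compromised account the original poster was still looking for. The same sliding-window count could equally be keyed on the authenticated user once that is known.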