[imp] Strange logs in apache
Michael M Slusarz
slusarz at horde.org
Tue Oct 16 18:03:14 UTC 2012
Quoting Rodrigo Abrantes Antunes <rodrigoantunes at pelotas.ifsul.edu.br>:
> Quoting Rodrigo Abrantes Antunes <rodrigoantunes at pelotas.ifsul.edu.br>:
>>
>> Quoting Vilius Šumskas <vilius at lnk.lt>:
>>>>
>>>> Quoting Vilius Šumskas <vilius at lnk.lt>:
>>>> Rodrigo Abrantes Antunes <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
>>>> More logs in my mail server, not the one where horde is:
>>>>
>>> Here you say that it is your mail server.
>>>>
>>>> But the strange thing is how the message id is .. at myhordeserver.xxx.xxx if
>>>> it's not my mail server?
>>>>
>>> Here you say that it is NOT your mail server.
>>>
>>> So which is it?
>>>
>>> --
>>> Vilius
>>>
>>> --
>>> imp mailing list
>>> Frequently Asked Questions: http://wiki.horde.org/FAQ
>>> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
>>
>> Those logs were in my mail server like I said. But the message id
>> was of the horde server, this is exactly what I found strange, how
>> the message id is .. at myhordeserver.xxx.xxx if it was sent by my
>> mail server and should be ... at mymailserver.xxx.xxx?
>>
>>
> I thought it was strange because of this (a message id being interpreted
> as an e-mail):
>
> ...GET /static/b169ed96a0dc55b4a76d1a29a1848ae3.css HTTP/1.1" 200 115911
> "https://myhordeserver.xxx.xxx/imp/compose-dimp.php?to=20120917130155.Horde.Rgb1fEv4Cn9QV0lzuz0nzRA@myhordeserver.xxx.xxx&popup=1"
> "Mozilla/5.0....
>
> As if someone was trying to send an email to a message id. But Michael
> Slusarz said this: "It looks like a Message-ID header from a message sent
> by Horde/IMP is being interpreted as an e-mail address somewhere in
> Horde/IMP. Looks like we are running the e-mail text search filter on the
> Message-ID header when we don't need to (maybe in View All Headers in the
> standard IMP view?) and a user is clicking on that.

Possible explanations:

1. The bot (or spamming) service is broken/dumb, and is trying to send
messages to a non-existent e-mail address.
2. Your compose script has been compromised and this particular To
string is used to activate the bad code in the compromised script.

michael
___________________________________
Michael Slusarz [slusarz at horde.org]
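
For triage of the log pattern discussed in this thread, the following is an added example (not part of the original message and not Horde code) that scans Apache combined-format lines for compose URLs whose `to=` value looks like a Horde Message-ID and counts hits per client. The Message-ID shape, the `/imp/compose*.php` path pattern, the host names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')
# Assumption: shape inferred from the one Message-ID quoted in the thread
# (14-digit timestamp, ".Horde.", token, "@host").
HORDE_MSGID_RE = re.compile(r'^\d{14}\.Horde\.[A-Za-z0-9_-]+@[A-Za-z0-9.-]+$')
# Assumption: compose scripts live under /imp/ and are named compose*.php.
COMPOSE_PATH_RE = re.compile(r'/imp/compose[^/]*\.php$')

def compose_recipients(url):
    """Return decoded to= values if url points at an IMP compose script."""
    parts = urlsplit(url)
    if not COMPOSE_PATH_RE.search(parts.path):
        return []
    return parse_qs(parts.query).get("to", [])

def find_msgid_recipients(lines):
    """Yield (client_ip, to_value) for compose URLs whose To is a Message-ID."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        # The compose URL may be the request itself or, as in the thread, the Referer.
        request = m.group("request").split()
        target = request[1] if len(request) >= 2 else ""
        for url in (target, m.group("referer")):
            for to in compose_recipients(url):
                if HORDE_MSGID_RE.match(to):
                    yield m.group("ip"), to

def summarize(lines):
    """Count hits per client IP, to see whether they cluster on one client."""
    return Counter(ip for ip, _ in find_msgid_recipients(lines))

# Constructed sample lines (documentation IPs and host names, not from the thread).
MSGID = "20120917130155.Horde.AbCdEf0123456789abcdEQ"
SAMPLE = [
    f'192.0.2.10 - - [17/Sep/2012:13:05:01 -0300] "GET /static/site.css HTTP/1.1" 200 115911 '
    f'"https://horde.example.org/imp/compose-dimp.php?to={MSGID}@horde.example.org&popup=1" "Mozilla/5.0"',
    f'192.0.2.10 - - [17/Sep/2012:13:05:00 -0300] "GET /imp/compose-dimp.php?to={MSGID}%40horde.example.org'
    f'&popup=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Sep/2012:13:06:00 -0300] "GET /imp/compose-dimp.php?to=alice%40example.org '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in summarize(SAMPLE).items():
        print(ip, count)
```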