[imp] Spamming through Horde

Mauricio Jose T. Tecles mtecles at biof.ufrj.br
Fri Apr 26 12:55:35 UTC 2013


----- Message from arjen+horde at de-korte.org ---------
     Date: Thu, 25 Apr 2013 21:13:18 +0200
     From: Arjen de Korte <arjen+horde at de-korte.org>
  Subject: Re: [imp] Spamming through Horde
       To: imp at lists.horde.org


> Citeren Joseph Mays <mays at win.net>:
>
>> I'm working with an older version of horde-imp on a server running   
>> FreeBSD 5-4 Stable. They have a problem with people occasionally   
>> hacking into accounts in the webmail system and spamming through   
>> them. When this happens it can be very hard to identify what hacked  
>>  webmail account got exploited because there is nothing in the mail  
>>  log or message headers to indicate which account the spam message   
>> came from, and there is nothing in the horde or imp logs to record   
>> what messages were sent out, and by whom. So I am looking for a way  
>>  to either log what account messages came from in the mail log,   
>> record that information in the mail headers of the messages   
>> themselves, or have horde log what messages were sent out through   
>> the mail log system and by whom. Any information that could help   
>> with any of the above would be greatly appreciated.
>
> Not knowing exactly how old your version of IMP is, is there an  
> option  to enable the mail logging? Chances are that enabling this  
> will also  allow you to set limits on the number of messages and  
> recipients sent.
> -- 
> This message was sent from a mailinglist subscription address.
> For off-list replies, you must remove the address extension.
>

Unfortunately I have this experience: users just answer mails that  
threaten them and ask for their passwords. If your mail server is  
sending spam, it is likely being blocked and its mail queue has  
thousands of mails.

Save your mail logs, Horde logs, web server logs and the list of mails  
in the queue. From the mail logs, looking backward, it will be very clear when  
the spam started (one sender sending to hundreds), so you have the date and time.  
Go to the Horde logs and find that date and time, go backward in time,  
and collect the logins of users that are posting and logged in. Search backwards  
and probably you will find one that is logged in from a different IP  
(a different place in the world) at the same time. This is the one.  
Correlate with the web server logs. Again in the mail log, before the time the  
spam started, you will find that this one authenticated via IMAP.

Be careful, sometimes it is not easy to find the user if the mail is  
busy with genuine users and a spammer.

After finding the compromised account, I just change its password to  
block it. Remove the spam from the mail queue, keep an eye on the mail log  
and wait to get off from being blocked (it may take some days).


Mauricio

----- End of message from arjen+horde at de-korte.org -----



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
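The log correlation described in the reply above (find when the burst of mail to hundreds of recipients started, then look backwards for the account that logged in from more than one IP address in the window before it) can be scripted. The following is an added example and not code from the thread or from the Horde project; the mail log and Horde log line formats, the `nrcpt` threshold of 100 recipients and the one-hour look-back window are all assumptions chosen for illustration, and the log lines are constructed.

```python
"""Correlate a mail log with Horde login log lines to shortlist the account
that started a spam burst.  Added example: the line formats below are
constructed for illustration and are NOT the exact formats of any particular
Postfix, Dovecot or Horde release; adjust the regexes to your own logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail log: Postfix-like queue manager lines with the
# recipient count (nrcpt) of each message entering the active queue.
MAIL_LOG = """\
2013-04-25T20:05:11 postfix/qmgr[1]: A1: from=<bob@example.org>, size=1200, nrcpt=1 (queue active)
2013-04-25T20:09:40 postfix/qmgr[1]: A2: from=<alice@example.org>, size=900, nrcpt=2 (queue active)
2013-04-25T20:14:02 postfix/qmgr[1]: A3: from=<alice@example.org>, size=3100, nrcpt=250 (queue active)
2013-04-25T20:14:30 postfix/qmgr[1]: A4: from=<alice@example.org>, size=3100, nrcpt=300 (queue active)
"""

# Constructed Horde-style login log: one line per successful webmail login,
# with the user name and the client IP address (format assumed).
HORDE_LOG = """\
2013-04-25T19:30:05 INFO: HORDE [imp] Login success for bob [198.51.100.20]
2013-04-25T19:55:12 INFO: HORDE [imp] Login success for alice [198.51.100.21]
2013-04-25T20:01:44 INFO: HORDE [imp] Login success for alice [203.0.113.77]
2013-04-25T20:03:10 INFO: HORDE [imp] Login success for carol [198.51.100.22]
"""

QMGR_RE = re.compile(r"^(\S+) .*from=<([^>]*)>.*nrcpt=(\d+)")
LOGIN_RE = re.compile(r"^(\S+) .*Login success for (\S+) \[([\d.]+)\]")


def parse_ts(text):
    """Timestamps in the constructed logs are ISO-like without a zone."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def find_spam_start(mail_log, threshold=100):
    """Return (timestamp, envelope sender) of the first message queued to at
    least `threshold` recipients, i.e. the 'one sending to hundreds' moment.
    Returns None when no such message exists."""
    for line in mail_log.splitlines():
        m = QMGR_RE.match(line)
        if m and int(m.group(3)) >= threshold:
            return parse_ts(m.group(1)), m.group(2)
    return None


def logins_before(horde_log, spam_start, window=timedelta(hours=1)):
    """Map user -> set of client IPs for Horde logins inside the look-back
    window that ends when the spam burst started."""
    ips = defaultdict(set)
    for line in horde_log.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group(1))
        if spam_start - window <= ts <= spam_start:
            ips[m.group(2)].add(m.group(3))
    return ips


def suspect_accounts(mail_log, horde_log, threshold=100, window=timedelta(hours=1)):
    """Users seen logging in from more than one IP shortly before the burst.
    On a busy server this is a shortlist to confirm against the web server
    log, not a verdict: a travelling user can also appear from two IPs."""
    found = find_spam_start(mail_log, threshold)
    if found is None:
        return []
    spam_start, _sender = found
    by_user = logins_before(horde_log, spam_start, window)
    return sorted(user for user, seen in by_user.items() if len(seen) > 1)


if __name__ == "__main__":
    start = find_spam_start(MAIL_LOG)
    print("spam burst started at", start[0], "envelope sender", start[1])
    print("accounts with logins from several IPs just before it:",
          suspect_accounts(MAIL_LOG, HORDE_LOG))
```

The envelope sender in the mail log is reported alongside the login correlation rather than trusted on its own, because a sender that a compromised account submits can be anything; the login-from-two-places signal is what the reply relies on, and the web server log is the final confirmation.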