[imp] Spamming through Horde

francis picabia fpicabia at gmail.com
Thu May 2 16:55:35 UTC 2013


On Thu, Apr 25, 2013 at 3:38 PM, Joseph Mays <mays at win.net> wrote:

> I’m working with an older version of horde-imp on a server running FreeBSD
> 5-4 Stable. They have a problem with people occasionally hacking into
> accounts in the webmail system and spamming through them. When this happens
> it can be very hard to identify what hacked webmail account got exploited
> because there is nothing in the mail log or message headers to indicate
> which account the spam message came from, and there is nothing in the horde
> or imp logs to record what messages were sent out, and by whom. So I am
> looking for a way to either log what account messages came from in the mail
> log, record that information in the mail headers of the messages
> themselves, or have horde log what messages were sent out through the mail
> log system and by whom. Any information that could help with any of the
> above would be greatly appreciated.


My solution is to restrict what email accounts they can send from.  The
first thing the spammer does in horde is to set up a new user profile and
a signature which will contain the spam message.  If you prevent them from
sending from an arbitrary address, you'll be able to easily trace the spam
outbreak to a compromised account.

In my case, I use postfix as the SMTP solution.  I have a config line like:

smtpd_sender_restrictions = reject_unknown_sender_domain,
    reject_unlisted_sender,
    check_sender_access hash:/etc/postfix-internal/localdomain,
    reject

Inside localdomain I have

example.com               OK

This allows them to send email from only the domain.
In addition, any hacked accounts are quickly added in here
to block them:

phishedaccount@example.com 550 This account has been compromised
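
With the envelope sender restricted as described above, the mail log itself can point to the account behind an outbreak. The following is an added example, not part of the original post: it totals recipients per sender from Postfix qmgr lines and counts senders turned away by the final reject. The sample log lines and the 20-recipient threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in Postfix's syslog format (not from the post).
SAMPLE_LOG = """\
May  2 16:40:01 mail postfix/qmgr[812]: 4A1B2C3D4E: from=<alice@example.com>, size=2310, nrcpt=1 (queue active)
May  2 16:41:07 mail postfix/qmgr[812]: 5B2C3D4E5F: from=<phishedaccount@example.com>, size=4120, nrcpt=50 (queue active)
May  2 16:41:09 mail postfix/qmgr[812]: 6C3D4E5F60: from=<phishedaccount@example.com>, size=4120, nrcpt=50 (queue active)
May  2 16:41:12 mail postfix/smtpd[901]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <promo@elsewhere.test>: Sender address rejected: Access denied; from=<promo@elsewhere.test> to=<x@target.test> proto=ESMTP helo=<localhost>
May  2 16:42:30 mail postfix/qmgr[812]: 7D4E5F6071: from=<bob@example.com>, size=1800, nrcpt=2 (queue active)
May  2 16:43:00 mail postfix/qmgr[812]: 8E5F607182: from=<phishedaccount@example.com>, size=4120, nrcpt=50 (queue active)
"""

# qmgr logs the envelope sender and recipient count for each queued message.
QUEUED = re.compile(r"postfix/qmgr\[\d+\]: [0-9A-F]+: from=<([^>]*)>, size=\d+, nrcpt=(\d+)")
# smtpd logs the envelope sender of mail refused by a restriction.
REJECTED = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: .* from=<([^>]*)>")


def summarize(log_text):
    """Return (per-sender totals for queued mail, per-sender reject counts)."""
    accepted = defaultdict(lambda: {"messages": 0, "recipients": 0})
    rejected = Counter()
    for line in log_text.splitlines():
        m = QUEUED.search(line)
        if m:
            accepted[m.group(1)]["messages"] += 1
            accepted[m.group(1)]["recipients"] += int(m.group(2))
            continue
        m = REJECTED.search(line)
        if m:
            rejected[m.group(1)] += 1
    return dict(accepted), dict(rejected)


def suspects(log_text, max_recipients=20):
    """Senders whose total recipient count exceeds the assumed threshold."""
    accepted, _ = summarize(log_text)
    return sorted(s for s, t in accepted.items() if t["recipients"] > max_recipients)


if __name__ == "__main__":
    accepted, rejected = summarize(SAMPLE_LOG)
    for sender in suspects(SAMPLE_LOG):
        print(sender, accepted[sender])
    print("rejected senders:", rejected)
```

qmgr writes a line each time a message becomes active, so deferred mail that is retried is counted more than once; deduplicate on the queue ID if exact totals matter.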

