On Feb 12, 2008 10:40 PM, Matus UHLAR - fantomas <[EMAIL PROTECTED]> wrote: > On 12.02.08 16:33, Rajkumar S wrote: > > In past couple of days there has been some spamming via web mail > > login. The horde logs show the following entries. > > > > Feb 12 11:53:05 HORDE [error] [imp] FAILED LOGIN 80.255.59.243 > > (forwarded for [172.16.1.14]) to xx.xx.xx.xx:153[imap/notls] as > > [EMAIL PROTECTED] [on line 258 of > > "/var/www/webmail/imp/lib/Auth/imp.php"] > > > > Feb 12 11:53:39 HORDE [error] [imp] FAILED LOGIN 80.255.59.243 > > (forwarded for [172.16.1.14]) to xx.xx.xx.xx:153[imap/notls] as > > [EMAIL PROTECTED] [on line 258 of > > "/var/www/webmail/imp/lib/Auth/imp.php"] > > We noticed the same problem, mostly the passwords were weak, if not stupid > (e.g. the same like login name)
Same here, accounts with same username and password. Are they using some sort of robot targeting Imp to spam? The user agents show Opera. > > Received: from 172.16.1.14 (172.16.1.14 [172.16.1.14]) by > > webmail.mydomain.com (Horde MIME library) with HTTP; Mon, > > > > There is no 172.16.1.14 in our network, but the attacker has managed > > to make Horde lib put wrong header information. > > horde just takes X-Forwarded-For without checking of its content. > see http://bugs.horde.org/ticket/?id=6133 I filled up. Ok. Any way it seems the only work around now is to disable accounts with same username and password. raj -- IMP mailing list - Join the hunt: http://horde.org/bounties/#imp Frequently Asked Questions: http://horde.org/faq/ To unsubscribe, mail: [EMAIL PROTECTED]
