Hello,

In the past couple of days there has been some spamming via webmail login. The Horde logs show the following entries:

Feb 12 11:53:05 HORDE [error] [imp] FAILED LOGIN 80.255.59.243 (forwarded for [172.16.1.14]) to xx.xx.xx.xx:153[imap/notls] as [EMAIL PROTECTED] [on line 258 of "/var/www/webmail/imp/lib/Auth/imp.php"]
Feb 12 11:53:39 HORDE [error] [imp] FAILED LOGIN 80.255.59.243 (forwarded for [172.16.1.14]) to xx.xx.xx.xx:153[imap/notls] as [EMAIL PROTECTED] [on line 258 of "/var/www/webmail/imp/lib/Auth/imp.php"]

There have been some brute-force successes, and the headers of the mail show:

Received: (qmail 2818 invoked from network); 4 Feb 2008 11:07:32 -0000
Received: from xx.xx.xx.xx (HELO webmail.mydomain.com) ([xx.xx.xx.xx]) (envelope-sender <[EMAIL PROTECTED]>) by my.server.com (qmail-ldap-1.03) with SMTP for <[EMAIL PROTECTED]>; 4 Feb 2008 11:07:32 -0000
Received: from 172.16.1.14 (172.16.1.14 [172.16.1.14]) by webmail.mydomain.com (Horde MIME library) with HTTP; Mon, 04 Feb 2008 16:37:30 +0530
Message-ID: <[EMAIL PROTECTED]>
Date: Mon, 04 Feb 2008 16:37:30 +0530
From: AUSSIE INTERNATIONAL COMPANY <[EMAIL PROTECTED]>
Reply-to: [EMAIL PROTECTED]
To: undisclosed-recipients:;
Subject:
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Internet Messaging Program (IMP) H3 (4.1.3)
X-AuthUser: [EMAIL PROTECTED]

The interesting part is this line:

Received: from 172.16.1.14 (172.16.1.14 [172.16.1.14]) by webmail.mydomain.com (Horde MIME library) with HTTP; Mon,

There is no 172.16.1.14 in our network, but the attacker has managed to make the Horde lib put wrong header information. If I am correct, there are some crawlers exploiting Horde webmail to send out spam.

Anyone else seeing this same attack?

raj

--
IMP mailing list - Join the hunt: http://horde.org/bounties/#imp
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: [EMAIL PROTECTED]
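As an added example (not from the post above or from the Horde project), a small Python check over log lines in the format raj quoted: it counts failed logins by the real TCP peer address and flags the "forwarded for" value, which Horde takes from the client-supplied X-Forwarded-For header (assumption), when it is a private address that cannot be a legitimate proxy on the network. The sample log lines and IP addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Horde/IMP "FAILED LOGIN" entry. The first address is the TCP peer; the
# optional "forwarded for" value is echoed from the client's request
# headers (assumption), so it is attacker-controlled and must not be
# used for blocking or trusted in mail headers.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) HORDE \[error\] \[imp\] FAILED LOGIN "
    r"(?P<peer>[\d.]+)(?: \(forwarded for \[(?P<xff>[^\]]*)\]\))? "
    r"to (?P<server>\S+) as (?P<user>\S+)"
)

def parse_failed_login(line):
    """Return the fields of a FAILED LOGIN line, or None for other lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines, threshold=2):
    """Per-peer failure counts, peers at/over threshold, and peers that
    supplied a private or malformed X-Forwarded-For value."""
    per_peer = Counter()
    spoofed = defaultdict(set)
    for line in lines:
        rec = parse_failed_login(line)
        if rec is None:
            continue
        per_peer[rec["peer"]] += 1
        xff = rec["xff"]
        if xff:
            try:
                if ip_address(xff).is_private:
                    spoofed[rec["peer"]].add(xff)
            except ValueError:
                spoofed[rec["peer"]].add(xff)  # not an IP at all
    offenders = sorted(ip for ip, n in per_peer.items() if n >= threshold)
    return {"per_peer": dict(per_peer), "offenders": offenders,
            "spoofed": {k: sorted(v) for k, v in spoofed.items()}}

# Constructed sample log, modelled on the entries in the post.
TAIL = ' [on line 258 of "/var/www/webmail/imp/lib/Auth/imp.php"]'
SAMPLE_LOG = [
    "Feb 12 11:53:05 HORDE [error] [imp] FAILED LOGIN 198.51.100.7 (forwarded for [172.16.1.14]) to 203.0.113.10:143[imap/notls] as alice@example.com" + TAIL,
    "Feb 12 11:53:39 HORDE [error] [imp] FAILED LOGIN 198.51.100.7 (forwarded for [172.16.1.14]) to 203.0.113.10:143[imap/notls] as bob@example.com" + TAIL,
    "Feb 12 11:54:02 HORDE [error] [imp] FAILED LOGIN 192.0.2.33 to 203.0.113.10:143[imap/notls] as carol@example.com" + TAIL,
    "Feb 12 11:54:10 HORDE [notice] [imp] Login success for carol@example.com",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The address to count and rate-limit is the peer (198.51.100.7 in the sample), not the forwarded-for value that the attacker chose.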