agerh...@usp.br wrote:
Hi Michel,
mtnngprs.com (and, for example, their IP 41.220.75.3) is a well-known
source of Nigerian/scam spam. Probably one of your users' accounts was
compromised, maybe by them answering a scam pretending to be from staff
of your institution and asking for the user's name and password.
You should implement rate-limit rules in IMP and Postfix at your
outgoing server; it is also important to make your users aware of the
problem.
Andre Gerhard
Universidade de Sao Paulo
Quoting mic...@casa.co.cu:
Hi,
I have recently migrated to Horde Groupware Webmail Edition 1.2.3, and I
have problems; apparently Horde has a bug.
Let me explain more.
From abroad, they are using a potential vulnerability that Horde may have to
generate large amounts of mail to multiple servers: AOL, Hotmail, Yahoo,
etc.
As a result, they got emails from my domains or IP addresses blocked.
When they generate this amount of advertising messages, in Postfix it is
clear who took delivery of the mail, in this case my
webmail. Apparently everything goes through the compose.php page.
I am sending you the logs generated by Apache; I tried to configure
Horde to generate logs as well, but I still haven't got it to work.
I am also sending Postfix logs. I don't know how they can generate
these messages; they are making me look like an open relay server.
Please do not keep quiet on the list this time, help me.
mtnngprs.com - - [11/Sep/2009:02:19:01 -0400] "GET
/imp/compose.php?mailbox=INBOX&uniq=1252607369444 HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:02:19:01 -0400] "GET
/index.php?url=http%3A%2F%2Fwebmail.home.com%2Fimp%2Fcompose.php%3Fmailbox%3DINBOX%26uniq%3D1252591436222 HTTP/1.1" 302
26
mtnngprs.com - - [11/Sep/2009:02:19:12 -0400] "GET
/imp/compose.php?mailbox=INBOX&uniq=1252591436222 HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:02:19:15 -0400] "GET
/login.php?url=%2Fimp%2Fcompose.php%3Fmailbox%3DINBOX%26amp%3Buniq%3D1252591436222&nosidebar=1&horde_logout_token=WV8go8aYyg6y_EVyMTVSWErcPFA&app= HTTP/1.1" 302
26
mtnngprs.com - - [11/Sep/2009:02:19:18 -0400] "GET
/imp/login.php?url=%2Fimp%2Fcompose.php%3Fmailbox%3DINBOX%26amp%3Buniq%3D1252591436222 HTTP/1.1" 200
3622
mtnngprs.com - - [11/Sep/2009:02:46:29 -0400] "GET / HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:02:46:35 -0400] "GET /login.php
HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:02:46:37 -0400] "GET /imp/login.php
HTTP/1.1" 200 3551
mtnngprs.com - - [11/Sep/2009:02:46:45 -0400] "GET /js/prototype.js
HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:48 -0400] "GET
/js/horde-prototype.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:52 -0400] "GET /imp/js/login.js
HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:55 -0400] "GET
/themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:55 -0400] "GET
/imp/themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:55 -0400] "GET
/themes/ideas/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:57 -0400] "GET
/imp/themes/ideas/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:58 -0400] "GET
/themes/graphics/horde-power1.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:58 -0400] "GET
/themes/ideas/graphics/background.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:59 -0400] "GET
/themes/opera.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:02 -0400] "GET
/themes/ideas/graphics/menu_top.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:11 -0400] "POST
/imp/redirect.php HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:02:47:16 -0400] "GET
/index.php?url=http%3A%2F%2Fwebmail.home.com%2F HTTP/1.1" 200 333
mtnngprs.com - - [11/Sep/2009:02:47:19 -0400] "GET
/services/portal/sidebar.php HTTP/1.1" 200 2273
mtnngprs.com - - [11/Sep/2009:02:47:19 -0400] "GET
/?frameset_loaded=1 HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:02:47:23 -0400] "GET /login.php
HTTP/1.1" 200 2551
mtnngprs.com - - [11/Sep/2009:02:47:23 -0400] "GET
/services/javascript.php?file=tree.js&app=horde HTTP/1.1" 200 4169
mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET
/ingo/themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET
/nag/themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET
/kronolith/themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET
/mnemo/themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:29 -0400] "GET
/turba/themes/ideas/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:30 -0400] "GET /js/popup.js
HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:30 -0400] "GET
/turba/themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:30 -0400] "GET /js/sidebar.js
HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:33 -0400] "GET
/themes/graphics/prefs.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:33 -0400] "GET
/themes/graphics/horde.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:33 -0400] "GET
/themes/graphics/help_index.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:36 -0400] "GET
/themes/graphics/alerts/message.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:36 -0400] "GET
/themes/graphics/logout.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:36 -0400] "GET
/ingo/themes/graphics/blacklist.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:37 -0400] "GET
/themes/graphics/problem.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:39 -0400] "GET /imp/js/popup.js
HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:39 -0400] "GET
/themes/graphics/edit.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:39 -0400] "GET
/themes/graphics/delete.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:40 -0400] "GET
/ingo/themes/graphics/whitelist.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:42 -0400] "GET
/themes/ideas/graphics/left_menu_top.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:42 -0400] "GET
/themes/graphics/hide_panel.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:42 -0400] "GET
/themes/ideas/graphics/left_menu_bottom.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:43 -0400] "GET
/themes/graphics/show_panel.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:45 -0400] "GET
/themes/graphics/tree/plusonly.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:46 -0400] "GET
/themes/graphics/organizing.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:48 -0400] "GET
/themes/graphics/tree/nullonly.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:48 -0400] "GET
/imp/themes/graphics/newmail.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:48:31 -0400] "GET /imp/ HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:02:48:47 -0400] "GET
/imp/mailbox.php?mailbox=INBOX&mailbox_token=wZnvebIzfCa_lW5VDB0LPOfvkzI
HTTP/1.1" 200 5536
mtnngprs.com - - [11/Sep/2009:02:48:51 -0400] "GET
/imp/js/effects.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:48:54 -0400] "GET
/imp/js/redbox.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:48:57 -0400] "GET
/imp/js/mailbox.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:00 -0400] "GET
/imp/themes/graphics/compose.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:00 -0400] "GET
/imp/themes/graphics/folders/inbox.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:01 -0400] "GET
/imp/themes/graphics/folders/folder_open.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:03 -0400] "GET
/themes/graphics/reload.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:03 -0400] "GET
/imp/themes/graphics/fetchmail.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:04 -0400] "GET
/imp/themes/graphics/folders/folder.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:06 -0400] "GET
/imp/themes/graphics/mail_unseen.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:06 -0400] "GET
/themes/graphics/az.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:08 -0400] "GET
/imp/themes/graphics/filters.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:08 -0400] "GET
/themes/graphics/search.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:09 -0400] "GET
/imp/themes/graphics/mail_personal.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:15 -0400] "GET
/imp/themes/graphics/empty_spam.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:51:19 -0400] "GET
/imp/login.php?url=%2Fimp%2Fmailbox.php%3Fmailbox%3DINBOX HTTP/1.1"
200 3610
mtnngprs.com - - [11/Sep/2009:02:51:23 -0400] "GET
/imp/themes/graphics/favicon.ico HTTP/1.1" 200 1406
mtnngprs.com - - [11/Sep/2009:02:52:08 -0400] "GET
/services/prefs.php?app=imp HTTP/1.1" 200 3247
mtnngprs.com - - [11/Sep/2009:02:52:14 -0400] "GET /js/horde.js
HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:52:32 -0400] "GET
/services/prefs.php?app=imp&group=identities HTTP/1.1" 200 7487
mtnngprs.com - - [11/Sep/2009:02:52:46 -0400] "GET
/services/prefs.php?app=imp&group=identities&actionID=delete_identity&id=2
HTTP/1.1" 200 6393
mtnngprs.com - - [11/Sep/2009:02:52:51 -0400] "GET
/themes/graphics/alerts/success.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:52:51 -0400] "GET
/services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1449
mtnngprs.com - - [11/Sep/2009:02:54:54 -0400] "POST
/services/prefs.php HTTP/1.1" 200 3292
mtnngprs.com - - [11/Sep/2009:02:57:55 -0400] "GET
/services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1446
mtnngprs.com - - [11/Sep/2009:02:58:14 -0400] "GET
/imp/compose.php?mailbox=INBOX&uniq=1252652212573 HTTP/1.1" 200 7299
mtnngprs.com - - [11/Sep/2009:02:58:19 -0400] "GET
/imp/js/autocomplete.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:22 -0400] "GET
/imp/js/KeyNavList.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:29 -0400] "GET
/imp/js/SpellChecker.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:32 -0400] "GET
/imp/js/compose.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:35 -0400] "GET
/themes/graphics/help.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:36 -0400] "GET
/imp/themes/graphics/addressbook_browse.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:36 -0400] "GET
/themes/graphics/keyboard.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:36 -0400] "GET
/imp/themes/graphics/manage_attachments.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:39 -0400] "GET
/imp/themes/graphics/popdown.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:43 -0400] "GET
/imp/themes/graphics/spellcheck.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:03:01:36 -0400] "GET
/imp/themes/graphics/loading.gif HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:03:01:36 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:01:37 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:01:38 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:01:40 -0400] "POST
/imp/compose.php?uniq=3qazi9sivvuv HTTP/1.1" 200 92
mtnngprs.com - - [11/Sep/2009:03:02:59 -0400] "GET
/services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1447
mtnngprs.com - - [11/Sep/2009:03:08:14 -0400] "GET
/services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1448
mtnngprs.com - - [11/Sep/2009:03:11:05 -0400] "GET
/imp/compose.php?mailbox=INBOX&uniq=1252652981227 HTTP/1.1" 200 7300
mtnngprs.com - - [11/Sep/2009:03:11:10 -0400] "GET
/imp/compose.php?mailbox=INBOX&uniq=1252652988462 HTTP/1.1" 200 7298
mtnngprs.com - - [11/Sep/2009:03:11:16 -0400] "GET
/imp/compose.php?mailbox=INBOX&uniq=1252652993718 HTTP/1.1" 200 7301
mtnngprs.com - - [11/Sep/2009:03:11:19 -0400] "GET
/imp/compose.php?mailbox=INBOX&uniq=1252652997151 HTTP/1.1" 200 7301
mtnngprs.com - - [11/Sep/2009:03:13:21 -0400] "GET
/services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1446
mtnngprs.com - - [11/Sep/2009:03:16:04 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:16:09 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:16:11 -0400] "POST
/imp/compose.php?uniq=2qz5zcka6ec7 HTTP/1.1" 200 92
mtnngprs.com - - [11/Sep/2009:03:18:26 -0400] "GET
/services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
mtnngprs.com - - [11/Sep/2009:03:23:32 -0400] "GET
/services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1403
mtnngprs.com - - [11/Sep/2009:03:24:14 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:24:24 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:24:27 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:24:27 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:24:28 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:24:29 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:24:30 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
41.220.75.16 - - [11/Sep/2009:03:24:33 -0400] "POST
/imp/compose.php?uniq=1euuxs4pmk2c HTTP/1.1" 200 92
mtnngprs.com - - [11/Sep/2009:03:28:38 -0400] "GET
/services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
mtnngprs.com - - [11/Sep/2009:03:33:43 -0400] "GET
/services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
mtnngprs.com - - [11/Sep/2009:03:43:48 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:43:54 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:43:52 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:43:53 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:43:51 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:43:57 -0400] "GET
/login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=eglGjEMldNr9UH24zIkdKK1eSV4&app= HTTP/1.1" 302
26
mtnngprs.com - - [11/Sep/2009:03:43:58 -0400] "GET
/login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=WX77PhweZ-KmKF0YTUGhs6guGvs&app= HTTP/1.1" 302
26
mtnngprs.com - - [11/Sep/2009:03:43:58 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:43:59 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:44:00 -0400] "GET
/login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=jzb53DZTOewdzYI70Vk3lQsrR9Q&app= HTTP/1.1" 302
26
mtnngprs.com - - [11/Sep/2009:03:43:59 -0400] "POST
/imp/compose.php?uniq=4w682dzniadq HTTP/1.1" 200 4965
mtnngprs.com - - [11/Sep/2009:03:44:01 -0400] "GET
/login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=B5_o6GqJ75P6gIus19hUSYvlouk&app= HTTP/1.1" 302
26
41.220.75.16 - - [11/Sep/2009:03:44:03 -0400] "GET
/login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=Cgdmins9lt30Vgar4yWXI12hWjU&app= HTTP/1.1" 302
26
mtnngprs.com - - [11/Sep/2009:03:44:04 -0400] "GET
/login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=FanJ81FZSHtYfBiqnpZwzr5367c&app= HTTP/1.1" 302
26
mtnngprs.com - - [11/Sep/2009:03:44:06 -0400] "GET
/login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=tLLr3miFgVw5-iO3K7hm42IL8K0&app= HTTP/1.1" 302
26
mtnngprs.com - - [11/Sep/2009:03:44:06 -0400] "GET
/services/portal/sidebar.php?httpclient=1 HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:03:44:09 -0400] "GET
/login.php?url=%2Fservices%2Fportal%2Fsidebar.php%3Fhttpclient%3D1&nosidebar=1&horde_logout_token=ZChMZnm3eFpSkPjeW4G8rnLOJBQ&app=horde HTTP/1.1" 302
26
mtnngprs.com - - [11/Sep/2009:03:44:10 -0400] "GET
/imp/login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc HTTP/1.1" 200
3603
mtnngprs.com - - [11/Sep/2009:03:44:13 -0400] "GET
/imp/login.php?url=%2Fservices%2Fportal%2Fsidebar.php%3Fhttpclient%3D1
HTTP/1.1" 200 3598
mtnngprs.com - - [11/Sep/2009:03:44:33 -0400] "POST
/imp/redirect.php HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:03:44:41 -0400] "GET
/imp/compose.php?actionID=recompose HTTP/1.1" 200 7495
mtnngprs.com - - [11/Sep/2009:03:44:51 -0400] "POST
/imp/compose.php?uniq=4zyav2hgmp6 HTTP/1.1" 200 92
mtnngprs.com - - [11/Sep/2009:04:14:59 -0400] "GET
/imp/compose.php?mailbox=INBOX&uniq=1252656813421 HTTP/1.1" 200 7297
41.220.75.16 - - [11/Sep/2009:04:16:21 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:04:16:25 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:04:16:25 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:04:16:26 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:04:16:28 -0400] "POST
/imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:04:16:35 -0400] "POST
/imp/compose.php?uniq=3w45vknv29e0 HTTP/1.1" 200 92
114.127.246.36 - - [11/Sep/2009:04:17:19 -0400] "GET
/imp/login.php? HTTP/1.1" 200 3580
114.127.246.36 - - [11/Sep/2009:04:17:50 -0400] "GET
/imp/login.php? HTTP/1.1" 200 3579
mtnngprs.com - - [11/Sep/2009:04:18:12 -0400] "GET
/services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
Suggestions?
I do not think any of my user accounts has been compromised, but if so,
each time they send spam messages using the account, the email
address would appear on each message, wouldn't it?
Which so far has not happened; only email addresses that do not exist
in my domain appear in the From line, and sometimes they are not even
using my @ domain.
For example, they would use p...@linux.com, when my domain for this case is home.com.
That the messages are coming from webmail I see not only in the Apache
logs but also in Postfix, and each time they send them out the messages clearly show:
message-id = <20090912181854.208571wgnq9h1w7i @ webmail.home.com>
So I have reason to suspect it is a problem in imp/compose.php.
Yesterday I made a filter in Postfix to accept only mail from
valid accounts of my domains and reject every message generated by the
hacker using invalid accounts. So today he or she uses a valid
account only to generate the messages. I checked Dovecot sessions in
my logs and no logins appear for the account that he is using to
generate the emails.
How did they obtain the list of valid accounts? Simple: a search in Google.
Maybe a second solution is to use policyd to limit the rate, but
the problem in Horde persists, so how can I fix this?
Sorry, my English
is poor.
Thanks
I pass on a part of my Postfix logs.
Sep 12 18:18:54 serverlinux postfix/smtpd[4657]: F1FC98F2AD:
client=serverlinux.home.com[192.168.25.254]
Sep 12 18:18:55 serverlinux postfix/cleanup[4833]: F1FC98F2AD:
message-id=<20090912181854.208571wgnq9h1...@webmail.home.com>
Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: F1FC98F2AD:
from=<mr_hu...@home.com>, size=2429, nrcpt=24 (queue active)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<02...@alumni.williams.edu>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1065401...@amsa.com>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1010motor...@comcast.net>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1234a...@comcast.net>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1982...@comcast.net>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1amil...@comcast.net>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1cald...@comcast.net>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1harn...@comcast.net>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1pdickin...@comcast.net>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<100234....@compuserve.com>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<110536....@compuserve.com>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<01doubleheli...@gmail.com>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1230.b...@gmail.com>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1230.b...@gmail.com>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1ski...@home.com>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1bigt...@hotmial.com>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<196...@iwon.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16,
delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok:
queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<13152...@msn.com>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1...@msn.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16,
delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok:
queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<103...@verizon.net>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1...@verizon.net>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<13th...@whidbey.com>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<1lawdivad...@yahoo.com>, relay=mx.home.com[192.168.25.10]:25,
delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD:
to=<2...@yahoo.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16,
delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok:
queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: F1FC98F2AD: removed
----------------------------------------------
Webmail, e-mail service
Casa de las Americas - La Habana, Cuba.
--
IMP mailing list - Join the hunt: http://horde.org/bounties/#imp
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscr...@lists.horde.org
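As an added example (not code from the thread, nor from Horde/IMP or Postfix), a small Python detector for the two signals the posts above point at: bursts of POSTs to /imp/compose.php from one client in the Apache access log (each POST is one message submission), and Postfix qmgr entries whose nrcpt is far above what a person typing one mail produces. The sample log lines are constructed to match the shapes quoted in the thread, using documentation-range addresses; the thresholds and window are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache access-log line as quoted in the thread: host - - [ts] "METHOD path HTTP/x" status bytes
APACHE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
# Postfix qmgr line: "<queue id>: from=<...>, size=N, nrcpt=N (queue active)"
QMGR_RE = re.compile(
    r'postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<from>[^>]*)>, '
    r'size=\d+, nrcpt=(?P<nrcpt>\d+)')


def parse_apache(line):
    """Return (host, timestamp, method, path) or None if the line does not parse."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("method"), m.group("path")


def compose_bursts(lines, max_posts=3, window_s=3600):
    """Hosts that POST to /imp/compose.php more than max_posts times inside any
    window_s-second sliding window, mapped to the largest burst seen.
    GETs to compose.php only open the form, so they are ignored."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_apache(line)
        if rec is None:
            continue
        host, ts, method, path = rec
        if method != "POST" or not path.startswith("/imp/compose.php"):
            continue
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop submissions outside the window
            q.popleft()
        if len(q) > max_posts:
            flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged


def bulk_submissions(lines, max_rcpt=10):
    """Postfix queue entries with more than max_rcpt recipients, as
    (queue_id, envelope_sender, nrcpt) tuples."""
    hits = []
    for line in lines:
        m = QMGR_RE.search(line)
        if m and int(m.group("nrcpt")) > max_rcpt:
            hits.append((m.group("qid"), m.group("from"), int(m.group("nrcpt"))))
    return hits


# Constructed sample input (documentation-range addresses, not real clients).
SAMPLE_APACHE = """\
198.51.100.7 - - [11/Sep/2009:03:01:40 -0400] "POST /imp/compose.php?uniq=a1 HTTP/1.1" 200 92
198.51.100.7 - - [11/Sep/2009:03:16:11 -0400] "POST /imp/compose.php?uniq=a2 HTTP/1.1" 200 92
198.51.100.7 - - [11/Sep/2009:03:24:33 -0400] "POST /imp/compose.php?uniq=a3 HTTP/1.1" 200 92
198.51.100.7 - - [11/Sep/2009:03:44:51 -0400] "POST /imp/compose.php?uniq=a4 HTTP/1.1" 200 92
198.51.100.7 - - [11/Sep/2009:03:47:10 -0400] "POST /imp/compose.php?uniq=a5 HTTP/1.1" 200 92
203.0.113.9 - - [11/Sep/2009:03:05:00 -0400] "GET /imp/compose.php?mailbox=INBOX&uniq=1 HTTP/1.1" 200 7299
203.0.113.9 - - [11/Sep/2009:03:06:00 -0400] "POST /imp/compose.php?uniq=b1 HTTP/1.1" 200 92
""".splitlines()

SAMPLE_POSTFIX = """\
Sep 12 18:18:54 serverlinux postfix/smtpd[4657]: AAAA00000001: client=webmail.example.com[192.0.2.254]
Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: AAAA00000001: from=<user1@example.com>, size=2429, nrcpt=24 (queue active)
Sep 12 18:20:01 serverlinux postfix/qmgr[4991]: AAAA00000002: from=<user2@example.com>, size=1200, nrcpt=1 (queue active)
""".splitlines()

if __name__ == "__main__":
    print("compose bursts:", compose_bursts(SAMPLE_APACHE))      # {'198.51.100.7': 5}
    print("bulk submissions:", bulk_submissions(SAMPLE_POSTFIX))  # [('AAAA00000001', 'user1@example.com', 24)]
```

Run it against the real access_log and mail.log with the thresholds set to what your users normally produce; a host tripping both checks is the one to block at the web server while the account's password is reset.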