mtec...@biof.ufrj.br wrote:
I had a similar problem. One of my users probably gave his or her
password to one of those spam messages.
Stop your Postfix and use mailq to take a look at your mail queue. You
will easily see the spam. Take note of the accounts in your domain that are
sending spam. I don't have it at hand now, but tomorrow I will send
a one-line script to delete the spam based on "from" or "to".
Restart Postfix; it will not solve the problem, but it will mitigate it.
If possible, configure SPF (http://www.openspf.org/) in your DNS (it
is just a text record); it is easy to set up Postfix to use it.
Identify each account that is sending spam (using mailq), identify its
owner somehow (better if in person) and have them change their password.
Have them access their webmail account, if possible with you present, and
look for spam drafts; check their
Mail Options -> Personal Information -> Identity (probably remove
them all; the system will recreate an empty default one).
Mauricio
--
Mauricio J. T. Tecles
Instituto de Biofisica C. C. F. - UFRJ
mtec...@biof.ufrj.br
Tel.: (21) 2562-6544
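The queue clean-up Mauricio describes above (stop Postfix, read mailq, delete by "from" or "to"), as an added example that is not part of this thread and is not the script Mauricio promised: a POSIX shell function that reads the output of postqueue -p (what mailq prints on a Postfix host) and prints the queue IDs whose sender or any recipient matches a regular expression, so they can be piped into postsuper -d - (delete) or postsuper -h - (hold, which keeps the evidence). The function name is my own, and the sample queue listing, its addresses and the patterns are constructed for the offline demo.

```shell
#!/bin/sh
# Added example, not from the thread: select Postfix queue IDs whose envelope
# sender or any recipient matches a pattern, for feeding to postsuper.
#
# On a live host (run as root):
#   postqueue -p | queue_ids_matching 'mr_hu.*@home[.]com' | postsuper -d -   # delete
#   postqueue -p | queue_ids_matching '@yahoo[.]com$'      | postsuper -h -   # hold as evidence
#
# postqueue -p emits one blank-line-separated record per queued message:
#   <queue id>[*!]  <size> <arrival time>  <sender>
#   (optional deferral reason in parentheses)
#                                           <recipient>   (one per line)
# A trailing '*' marks an active message and '!' a held one; postsuper
# wants the bare ID.

queue_ids_matching() {
    pattern="$1"
    awk -v pat="$pattern" '
        BEGIN { RS = ""; FS = "\n" }          # paragraph mode: one record per message
        {
            id = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                line = $i
                if (line ~ /^-/) continue              # column header / "-- N Kbytes" trailer
                if (line ~ /^[ \t]*\(/) continue       # deferral reason text
                n = split(line, f, /[ \t]+/)
                if (id == "") { id = f[1]; sub(/[*!]$/, "", id) }
                if (f[n] ~ pat) hit = 1                # last field: sender on line 1, recipient after
            }
            if (hit && id != "") print id
        }'
}

# Constructed sample listing modelled on the thread (addresses and IDs are
# not real), so the function can be exercised offline.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
F1FC98F2AD*    2429 Sat Sep 12 18:18:54  mr_hu...@home.com
                                         02...@alumni.williams.edu
                                         1065401...@amsa.com

0A1B2C3D4E     1130 Sat Sep 12 18:25:10  alice@home.com
(connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                         bob@example.org

-- 4 Kbytes in 2 Requests.'

# Stand-alone demo: prints F1FC98F2AD
printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_matching 'mr_hu'
```

Holding (postsuper -h) rather than deleting is worth considering while the incident is still being worked: the messages stay in the hold queue, where postcat -q QUEUEID shows the full headers and body of each one, which is the quickest way to see what the compromised account was actually sending. Inside scripts, call postqueue -p rather than mailq; the output format is the same.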
Quoting mic...@casa.co.cu:
agerh...@usp.br wrote:
Hi Michel,
mtnngprs.com (for example, their IP 41.220.75.3) is a well-known
source of Nigerian scam spam. Probably one of your users' accounts was
compromised, maybe by the user answering a scam message pretending to be from staff
of your institution and asking for the user's name and password.
You should implement rate-limit rules in IMP and Postfix on your
outgoing server; it is also important to make your users aware of the
problem.
Andre Gerhard
Universidade de Sao Paulo
Quoting mic...@casa.co.cu:
Hi,
I have recently migrated to Horde Groupware Webmail Edition 1.2.3, and I
have problems; apparently Horde has a bug.
Let me explain more.
From abroad, someone is using a potential vulnerability that Horde may have to
generate large amounts of mail to multiple servers: AOL, Hotmail, Yahoo,
etc.
As a result, they have got email from my domains or IP addresses blocked.
When they generate this amount of advertising messages, Postfix
clearly shows who delivered the mail, in this case my
webmail. Apparently everything goes through the compose.php page.
I am sending you the logs generated by Apache; I tried to
configure Horde to generate logs as well, but I still have not got it to
work.
I am also sending the Postfix logs. I don't know how they can generate
these messages; they are making me look like an open relay server.
Please do not keep quiet on the list this time; help me.
mtnngprs.com - - [11/Sep/2009:02:19:01 -0400] "GET /imp/compose.php?mailbox=INBOX&uniq=1252607369444 HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:02:19:01 -0400] "GET /index.php?url=http%3A%2F%2Fwebmail.home.com%2Fimp%2Fcompose.php%3Fmailbox%3DINBOX%26uniq%3D1252591436222 HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:02:19:12 -0400] "GET /imp/compose.php?mailbox=INBOX&uniq=1252591436222 HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:02:19:15 -0400] "GET /login.php?url=%2Fimp%2Fcompose.php%3Fmailbox%3DINBOX%26amp%3Buniq%3D1252591436222&nosidebar=1&horde_logout_token=WV8go8aYyg6y_EVyMTVSWErcPFA&app= HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:02:19:18 -0400] "GET /imp/login.php?url=%2Fimp%2Fcompose.php%3Fmailbox%3DINBOX%26amp%3Buniq%3D1252591436222 HTTP/1.1" 200 3622
mtnngprs.com - - [11/Sep/2009:02:46:29 -0400] "GET / HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:02:46:35 -0400] "GET /login.php HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:02:46:37 -0400] "GET /imp/login.php HTTP/1.1" 200 3551
mtnngprs.com - - [11/Sep/2009:02:46:45 -0400] "GET /js/prototype.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:48 -0400] "GET /js/horde-prototype.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:52 -0400] "GET /imp/js/login.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:55 -0400] "GET /themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:55 -0400] "GET /imp/themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:55 -0400] "GET /themes/ideas/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:57 -0400] "GET /imp/themes/ideas/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:58 -0400] "GET /themes/graphics/horde-power1.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:58 -0400] "GET /themes/ideas/graphics/background.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:46:59 -0400] "GET /themes/opera.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:02 -0400] "GET /themes/ideas/graphics/menu_top.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:11 -0400] "POST /imp/redirect.php HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:02:47:16 -0400] "GET /index.php?url=http%3A%2F%2Fwebmail.home.com%2F HTTP/1.1" 200 333
mtnngprs.com - - [11/Sep/2009:02:47:19 -0400] "GET /services/portal/sidebar.php HTTP/1.1" 200 2273
mtnngprs.com - - [11/Sep/2009:02:47:19 -0400] "GET /?frameset_loaded=1 HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:02:47:23 -0400] "GET /login.php HTTP/1.1" 200 2551
mtnngprs.com - - [11/Sep/2009:02:47:23 -0400] "GET /services/javascript.php?file=tree.js&app=horde HTTP/1.1" 200 4169
mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET /ingo/themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET /nag/themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET /kronolith/themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:27 -0400] "GET /mnemo/themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:29 -0400] "GET /turba/themes/ideas/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:30 -0400] "GET /js/popup.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:30 -0400] "GET /turba/themes/screen.css HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:30 -0400] "GET /js/sidebar.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:33 -0400] "GET /themes/graphics/prefs.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:33 -0400] "GET /themes/graphics/horde.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:33 -0400] "GET /themes/graphics/help_index.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:36 -0400] "GET /themes/graphics/alerts/message.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:36 -0400] "GET /themes/graphics/logout.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:36 -0400] "GET /ingo/themes/graphics/blacklist.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:37 -0400] "GET /themes/graphics/problem.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:39 -0400] "GET /imp/js/popup.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:39 -0400] "GET /themes/graphics/edit.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:39 -0400] "GET /themes/graphics/delete.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:40 -0400] "GET /ingo/themes/graphics/whitelist.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:42 -0400] "GET /themes/ideas/graphics/left_menu_top.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:42 -0400] "GET /themes/graphics/hide_panel.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:42 -0400] "GET /themes/ideas/graphics/left_menu_bottom.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:43 -0400] "GET /themes/graphics/show_panel.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:45 -0400] "GET /themes/graphics/tree/plusonly.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:46 -0400] "GET /themes/graphics/organizing.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:48 -0400] "GET /themes/graphics/tree/nullonly.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:47:48 -0400] "GET /imp/themes/graphics/newmail.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:48:31 -0400] "GET /imp/ HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:02:48:47 -0400] "GET /imp/mailbox.php?mailbox=INBOX&mailbox_token=wZnvebIzfCa_lW5VDB0LPOfvkzI HTTP/1.1" 200 5536
mtnngprs.com - - [11/Sep/2009:02:48:51 -0400] "GET /imp/js/effects.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:48:54 -0400] "GET /imp/js/redbox.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:48:57 -0400] "GET /imp/js/mailbox.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:00 -0400] "GET /imp/themes/graphics/compose.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:00 -0400] "GET /imp/themes/graphics/folders/inbox.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:01 -0400] "GET /imp/themes/graphics/folders/folder_open.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:03 -0400] "GET /themes/graphics/reload.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:03 -0400] "GET /imp/themes/graphics/fetchmail.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:04 -0400] "GET /imp/themes/graphics/folders/folder.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:06 -0400] "GET /imp/themes/graphics/mail_unseen.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:06 -0400] "GET /themes/graphics/az.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:08 -0400] "GET /imp/themes/graphics/filters.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:08 -0400] "GET /themes/graphics/search.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:09 -0400] "GET /imp/themes/graphics/mail_personal.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:49:15 -0400] "GET /imp/themes/graphics/empty_spam.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:51:19 -0400] "GET /imp/login.php?url=%2Fimp%2Fmailbox.php%3Fmailbox%3DINBOX HTTP/1.1" 200 3610
mtnngprs.com - - [11/Sep/2009:02:51:23 -0400] "GET /imp/themes/graphics/favicon.ico HTTP/1.1" 200 1406
mtnngprs.com - - [11/Sep/2009:02:52:08 -0400] "GET /services/prefs.php?app=imp HTTP/1.1" 200 3247
mtnngprs.com - - [11/Sep/2009:02:52:14 -0400] "GET /js/horde.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:52:32 -0400] "GET /services/prefs.php?app=imp&group=identities HTTP/1.1" 200 7487
mtnngprs.com - - [11/Sep/2009:02:52:46 -0400] "GET /services/prefs.php?app=imp&group=identities&actionID=delete_identity&id=2 HTTP/1.1" 200 6393
mtnngprs.com - - [11/Sep/2009:02:52:51 -0400] "GET /themes/graphics/alerts/success.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:52:51 -0400] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1449
mtnngprs.com - - [11/Sep/2009:02:54:54 -0400] "POST /services/prefs.php HTTP/1.1" 200 3292
mtnngprs.com - - [11/Sep/2009:02:57:55 -0400] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1446
mtnngprs.com - - [11/Sep/2009:02:58:14 -0400] "GET /imp/compose.php?mailbox=INBOX&uniq=1252652212573 HTTP/1.1" 200 7299
mtnngprs.com - - [11/Sep/2009:02:58:19 -0400] "GET /imp/js/autocomplete.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:22 -0400] "GET /imp/js/KeyNavList.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:29 -0400] "GET /imp/js/SpellChecker.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:32 -0400] "GET /imp/js/compose.js HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:35 -0400] "GET /themes/graphics/help.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:36 -0400] "GET /imp/themes/graphics/addressbook_browse.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:36 -0400] "GET /themes/graphics/keyboard.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:36 -0400] "GET /imp/themes/graphics/manage_attachments.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:39 -0400] "GET /imp/themes/graphics/popdown.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:02:58:43 -0400] "GET /imp/themes/graphics/spellcheck.png HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:03:01:36 -0400] "GET /imp/themes/graphics/loading.gif HTTP/1.1" 304 -
mtnngprs.com - - [11/Sep/2009:03:01:36 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:01:37 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:01:38 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:01:40 -0400] "POST /imp/compose.php?uniq=3qazi9sivvuv HTTP/1.1" 200 92
mtnngprs.com - - [11/Sep/2009:03:02:59 -0400] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1447
mtnngprs.com - - [11/Sep/2009:03:08:14 -0400] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1448
mtnngprs.com - - [11/Sep/2009:03:11:05 -0400] "GET /imp/compose.php?mailbox=INBOX&uniq=1252652981227 HTTP/1.1" 200 7300
mtnngprs.com - - [11/Sep/2009:03:11:10 -0400] "GET /imp/compose.php?mailbox=INBOX&uniq=1252652988462 HTTP/1.1" 200 7298
mtnngprs.com - - [11/Sep/2009:03:11:16 -0400] "GET /imp/compose.php?mailbox=INBOX&uniq=1252652993718 HTTP/1.1" 200 7301
mtnngprs.com - - [11/Sep/2009:03:11:19 -0400] "GET /imp/compose.php?mailbox=INBOX&uniq=1252652997151 HTTP/1.1" 200 7301
mtnngprs.com - - [11/Sep/2009:03:13:21 -0400] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1446
mtnngprs.com - - [11/Sep/2009:03:16:04 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:16:09 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:16:11 -0400] "POST /imp/compose.php?uniq=2qz5zcka6ec7 HTTP/1.1" 200 92
mtnngprs.com - - [11/Sep/2009:03:18:26 -0400] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
mtnngprs.com - - [11/Sep/2009:03:23:32 -0400] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1403
mtnngprs.com - - [11/Sep/2009:03:24:14 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:24:24 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:24:27 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:24:27 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:24:28 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:24:29 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:03:24:30 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
41.220.75.16 - - [11/Sep/2009:03:24:33 -0400] "POST /imp/compose.php?uniq=1euuxs4pmk2c HTTP/1.1" 200 92
mtnngprs.com - - [11/Sep/2009:03:28:38 -0400] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
mtnngprs.com - - [11/Sep/2009:03:33:43 -0400] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
mtnngprs.com - - [11/Sep/2009:03:43:48 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:43:54 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:43:52 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:43:53 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:43:51 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:43:57 -0400] "GET /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=eglGjEMldNr9UH24zIkdKK1eSV4&app= HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:03:43:58 -0400] "GET /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=WX77PhweZ-KmKF0YTUGhs6guGvs&app= HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:03:43:58 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:43:59 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 302 -
mtnngprs.com - - [11/Sep/2009:03:44:00 -0400] "GET /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=jzb53DZTOewdzYI70Vk3lQsrR9Q&app= HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:03:43:59 -0400] "POST /imp/compose.php?uniq=4w682dzniadq HTTP/1.1" 200 4965
mtnngprs.com - - [11/Sep/2009:03:44:01 -0400] "GET /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=B5_o6GqJ75P6gIus19hUSYvlouk&app= HTTP/1.1" 302 26
41.220.75.16 - - [11/Sep/2009:03:44:03 -0400] "GET /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=Cgdmins9lt30Vgar4yWXI12hWjU&app= HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:03:44:04 -0400] "GET /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=FanJ81FZSHtYfBiqnpZwzr5367c&app= HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:03:44:06 -0400] "GET /login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc&nosidebar=1&horde_logout_token=tLLr3miFgVw5-iO3K7hm42IL8K0&app= HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:03:44:06 -0400] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:03:44:09 -0400] "GET /login.php?url=%2Fservices%2Fportal%2Fsidebar.php%3Fhttpclient%3D1&nosidebar=1&horde_logout_token=ZChMZnm3eFpSkPjeW4G8rnLOJBQ&app=horde HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:03:44:10 -0400] "GET /imp/login.php?url=%2Fimp%2Fimple.php%3Fimple%3DContactAutoCompleter%2Finput%3Dbcc HTTP/1.1" 200 3603
mtnngprs.com - - [11/Sep/2009:03:44:13 -0400] "GET /imp/login.php?url=%2Fservices%2Fportal%2Fsidebar.php%3Fhttpclient%3D1 HTTP/1.1" 200 3598
mtnngprs.com - - [11/Sep/2009:03:44:33 -0400] "POST /imp/redirect.php HTTP/1.1" 302 26
mtnngprs.com - - [11/Sep/2009:03:44:41 -0400] "GET /imp/compose.php?actionID=recompose HTTP/1.1" 200 7495
mtnngprs.com - - [11/Sep/2009:03:44:51 -0400] "POST /imp/compose.php?uniq=4zyav2hgmp6 HTTP/1.1" 200 92
mtnngprs.com - - [11/Sep/2009:04:14:59 -0400] "GET /imp/compose.php?mailbox=INBOX&uniq=1252656813421 HTTP/1.1" 200 7297
41.220.75.16 - - [11/Sep/2009:04:16:21 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:04:16:25 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:04:16:25 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:04:16:26 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:04:16:28 -0400] "POST /imp/imple.php?imple=ContactAutoCompleter/input=bcc HTTP/1.1" 200 34
mtnngprs.com - - [11/Sep/2009:04:16:35 -0400] "POST /imp/compose.php?uniq=3w45vknv29e0 HTTP/1.1" 200 92
114.127.246.36 - - [11/Sep/2009:04:17:19 -0400] "GET /imp/login.php? HTTP/1.1" 200 3580
114.127.246.36 - - [11/Sep/2009:04:17:50 -0400] "GET /imp/login.php? HTTP/1.1" 200 3579
mtnngprs.com - - [11/Sep/2009:04:18:12 -0400] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 200 1401
Suggestions?
I do not think any of my user accounts has been compromised, but if
one had been, each time spam messages were sent using the account, that
email address would appear on each message, wouldn't it?
So far that has not happened; the "From" line only shows email
addresses that do not exist in my domain, and sometimes they do not
even use my domain after the @: for example they would use
p...@linux.com, when my domain in this case is home.com.
The messages are coming from the webmail, because I see it not only in the
Apache logs but also in Postfix's, and each time they send messages out it
is clear:
message-id = <20090912181854.208571wgnq9h1w7i @ webmail.home.com>
So I have reason to suspect it is a problem in imp/compose.php.
Until yesterday I had a filter in Postfix to accept only mail
from valid accounts of my domains and reject every message
generated by the hacker using invalid accounts. So today he or
she is using a valid account only to generate the messages. I checked the
Dovecot sessions in my logs and no logins appear for the account
that he is using to generate the emails.
How did they obtain the list of valid accounts? Simply by searching
Google. Maybe a second solution is to use policyd to rate-limit,
but the problem in Horde persists, so how can I fix this?
Sorry, my English is poor.
Thanks.
I am passing on a part of my Postfix logs.
Sep 12 18:18:54 serverlinux postfix/smtpd[4657]: F1FC98F2AD: client=serverlinux.home.com[192.168.25.254]
Sep 12 18:18:55 serverlinux postfix/cleanup[4833]: F1FC98F2AD: message-id=<20090912181854.208571wgnq9h1...@webmail.home.com>
Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: F1FC98F2AD: from=<mr_hu...@home.com>, size=2429, nrcpt=24 (queue active)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<02...@alumni.williams.edu>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1065401...@amsa.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1010motor...@comcast.net>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1234a...@comcast.net>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1982...@comcast.net>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1amil...@comcast.net>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1cald...@comcast.net>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1harn...@comcast.net>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1pdickin...@comcast.net>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<100234....@compuserve.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<110536....@compuserve.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<01doubleheli...@gmail.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1230.b...@gmail.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1230.b...@gmail.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1ski...@home.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1bigt...@hotmial.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<196...@iwon.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<13152...@msn.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1...@msn.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<103...@verizon.net>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1...@verizon.net>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<13th...@whidbey.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<1lawdivad...@yahoo.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/smtp[4834]: F1FC98F2AD: to=<2...@yahoo.com>, relay=mx.home.com[192.168.25.10]:25, delay=0.16, delays=0.06/0.01/0.03/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FFE8164859)
Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: F1FC98F2AD: removed
Hi Mauricio,
Thanks for responding to my email. Tomorrow I will send an email to all my
users in the system to change their passwords as a precaution, but
until yesterday the hacker was using in the "From" line email addresses
that never existed in my Active Directory.
I have SPF in my DNS.
So how can I send email through the Horde webmail when the email address
doesn't exist?
How is this done, if it is not possible that Horde has a security
breach, a bug?
----------------------------------------------
Webmail, e-mail service
Casa de las Americas - Havana, Cuba.
--
IMP mailing list - Join the hunt: http://horde.org/bounties/#imp
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscr...@lists.horde.org
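Both Mauricio's advice (identify each account that is sending spam) and Andre's (rate-limit the outgoing server) start from the same question: which envelope senders are pushing the most recipients through the queue. As an added example that is not part of this thread, the shell function below answers it from the qmgr lines of the Postfix log (the "from=<...>, size=..., nrcpt=N" lines visible in Michel's excerpt), summing recipients per sender and listing those at or above a threshold, busiest first. The function name is my own, the log sample is constructed in the same format as the thread's excerpt with made-up queue IDs and addresses, and the threshold of 20 recipients is an assumption to be tuned per site.

```shell
#!/bin/sh
# Added example, not from the thread: rank envelope senders by how many
# recipients they pushed through the Postfix queue, using the qmgr
# "from=<...>, size=..., nrcpt=N" lines that appear in the mail log.
#
# On a live host:
#   postfix_top_senders 20 < /var/log/mail.log
# prints "sender messages recipients" for every sender at or above the
# threshold, busiest first. 20 is an assumed threshold; tune it per site.

postfix_top_senders() {
    threshold="${1:-20}"
    awk -v thr="$threshold" '
        / postfix\/qmgr\[[0-9]+\]: [0-9A-Za-z]+: from=</ {
            match($0, /from=<[^>]*>/)                  # envelope sender
            sender = substr($0, RSTART + 6, RLENGTH - 7)
            if (sender == "") sender = "<>"            # null sender (bounces)
            match($0, /nrcpt=[0-9]+/)                  # recipient count of this message
            n = substr($0, RSTART + 6, RLENGTH - 6)
            msgs[sender]++
            rcpts[sender] += n
        }
        END {
            for (s in rcpts)
                if (rcpts[s] >= thr)
                    printf "%s %d %d\n", s, msgs[s], rcpts[s]
        }' | sort -k3,3nr
}

# Constructed sample in the format of the thread's Postfix log; the queue
# IDs and addresses are made up, only the line layout is copied.
SAMPLE_MAILLOG='Sep 12 18:18:55 serverlinux postfix/qmgr[4991]: F1FC98F2AD: from=<mr_hu...@home.com>, size=2429, nrcpt=24 (queue active)
Sep 12 18:19:40 serverlinux postfix/qmgr[4991]: 0A1B2C3D4E: from=<mr_hu...@home.com>, size=2431, nrcpt=24 (queue active)
Sep 12 18:20:02 serverlinux postfix/qmgr[4991]: 1B2C3D4E5F: from=<alice@home.com>, size=812, nrcpt=1 (queue active)
Sep 12 18:20:10 serverlinux postfix/smtpd[4657]: 1B2C3D4E5F: client=serverlinux.home.com[192.168.25.254]
Sep 12 18:21:33 serverlinux postfix/qmgr[4991]: 2C3D4E5F60: from=<>, size=1300, nrcpt=1 (queue active)'

# Stand-alone demo: prints "mr_hu...@home.com 2 48"
printf '%s\n' "$SAMPLE_MAILLOG" | postfix_top_senders 20
```

Run it from cron or by hand during an incident and the first line of its output is the account to take through Mauricio's password-reset and identity-check steps. In Michel's excerpt the webmail host hands every message to Postfix as client=serverlinux.home.com, so the qmgr sender line is the one place in the mail log where the account behind each submission shows up; counting recipients rather than messages is what makes a burst like nrcpt=24 stand out against normal users.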