At 20:59, Götz Reinicke - IT-Koordinator wrote:
> Hi,
>
> since Saturday we got about 40 reports from spamcom.net and other
> mailserver providers, that 'we' are sending or are used for sending spam.
>
> The MX is 193.196.129.3

It's not widely listed at http://multirbl.valli.org/dnsbl-lookup/193.196.129.3.html so you should check in the MTA logfile whether this machine is indeed sending out spam.

> So far I received about 7.000 returned mail bounces from our system and
> all reported messages do have User-Agent: Internet Messaging Program
> (IMP) H3 (4.3.9) in the mailheader.
>
> Or something like
>
> Received: from switchde.switchvpn.com (switchde.switchvpn.com
> [178.162.182.142]) by mail.filmakademie.de (Horde Framework) with HTTP;
>

As said, first check if you are really the origin. Headers are easily spoofed.

> Our mailserver is a Red Hat EL 5.x server with sendmail 8.13.8, apache
> httpd 2.2.3, php 5.2.11, mysql 5.0.77 and latest horde webmailedition.
>
>
> My questions:
>
> What is the best way to find the leak? What may I configure in
> horde/imp/apache/php ... to make it harder to be compromised?
>
> This is the first time in 10 years ... so far our setup was not that bad.

Horde/IMP per se is, apart from some bugs fixed long ago, not usable to send spam by default. You have to find out whether some user account is hacked or whether some other web-accessible scripts are abused.

Besides this, there is some "hardening" which can be done to lower the impact if a user account is phished:

- Disable the user preference for setting the sender address
- Use maillog and the rate limits built into Horde
- Use secure access to the webmail server with https, at least for mobile users

Regards

Andreas
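
The advice above to check the MTA log before trusting headers can be scripted. This is an added example, not part of the original thread: it tallies locally submitted mail per envelope sender from sendmail `from=` log lines. The sample lines are constructed, and both the rule "a localhost relay means the mail was submitted on the webmail host" and the 100-recipient threshold are assumptions to adapt to the real setup.

```python
import re
from collections import defaultdict

# Constructed sample lines in sendmail's maillog format (not real data).
SAMPLE_LOG = """\
Jun  2 03:11:07 mail sendmail[4101]: q521B7aa004101: from=<alice@example.org>, size=2101, class=0, nrcpts=1, msgid=<a1@example.org>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jun  2 03:11:08 mail sendmail[4102]: q521B7aa004101: to=<x@example.com>, delay=00:00:01, mailer=esmtp, relay=mx.example.com. [192.0.2.25], dsn=2.0.0, stat=Sent
Jun  2 03:12:10 mail sendmail[4110]: q521CAbb004110: from=<bob@example.org>, size=900, class=0, nrcpts=50, msgid=<b1@example.org>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jun  2 03:12:11 mail sendmail[4111]: q521CBcc004111: from=<bob@example.org>, size=900, class=0, nrcpts=50, msgid=<b2@example.org>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jun  2 03:12:12 mail sendmail[4112]: q521CCdd004112: from=<bob@example.org>, size=900, class=0, nrcpts=50, msgid=<b3@example.org>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jun  2 03:13:00 mail sendmail[4120]: q521D0ee004120: from=<someone@example.net>, size=3000, class=0, nrcpts=1, msgid=<c1@example.net>, proto=ESMTP, daemon=MTA, relay=mx.example.net [192.0.2.10]
"""

# Only "from=" lines carry the envelope sender, recipient count and source relay.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=(?P<sender>[^,]*), .*?"
    r"nrcpts=(?P<nrcpts>\d+),.*?relay=(?P<relay>.*)$")


def local_submissions(log_text):
    """Count messages and recipients per envelope sender for mail that
    entered the MTA from this host itself (assumed: the webmail path)."""
    stats = defaultdict(lambda: {"msgs": 0, "rcpts": 0})
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue  # "to=" delivery lines and unrelated entries
        relay = m.group("relay")
        if "127.0.0.1" not in relay and "localhost" not in relay:
            continue  # handed over by another host, not generated here
        entry = stats[m.group("sender").strip("<>")]
        entry["msgs"] += 1
        entry["rcpts"] += int(m.group("nrcpts"))
    return dict(stats)


def suspects(stats, max_rcpts=100):
    """Senders whose total recipient count exceeds the assumed threshold."""
    return sorted(s for s, v in stats.items() if v["rcpts"] > max_rcpts)


if __name__ == "__main__":
    totals = local_submissions(SAMPLE_LOG)
    for sender in suspects(totals):
        print(sender, totals[sender])
```

If no local sender stands out while bounces keep arriving, that supports the spoofed-header case; a sender that does stand out is a candidate for a compromised account.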