My questions: What is the best way to find the leak? What may I configure in horde/imp/apache/php ... to make it harder to be compromised?
There are many phishing mails which target webmail accounts.
IMHO this is the most common case for abuse of imp and other webmail
software.
IMP has some options to limit the impact and show the used
account. Have a look at:
Imp Configuration -> Other settings -> Outgoing Email Logging
Permissions -> Imp -> max_recipients and max_timelimit
You can use the following SQL statement to show the suspicious accounts:
-- ORDER BY sits on the outer query: ordering inside a derived table is not guaranteed to be kept
SELECT * FROM (
SELECT sentmail_who, COUNT(sentmail_recipient) AS nrcpt FROM imp_sentmail
WHERE sentmail_ts > '@BEGIN_TS@' AND sentmail_ts < '@END_TS@'
GROUP BY sentmail_who
) AS foo WHERE nrcpt > @NRCPT@
ORDER BY nrcpt DESC;
Replace
@BEGIN_TS@ and @END_TS@ with the beginning and end point timestamp of
the timeframe
@NRCPT@ with the number of recipients to ignore

To find the user you can try to search the horde_prefs table for the spam content in the user's signature (pref_scope='horde' and pref_name='identities' and pref_value like '%SPAMTEXT%')
Regards

Michael Menge
--------------------------------------------------------------------------------
M.Menge                                Tel.: (49) 7071/29-70316
Universität Tübingen                   Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung          mail: [email protected]
Wächterstraße 76
72074 Tübingen
--
IMP mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: [email protected]
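
Added example, not part of the original message and not Horde's own code: the two lookups described above (recipient counts per sender from imp_sentmail, and the signature search in horde_prefs), run with bound parameters against an in-memory SQLite stand-in. Assumptions: sentmail_ts holds integer Unix timestamps, the user column in horde_prefs is called pref_uid, and every row is constructed sample data.

```python
import sqlite3

def build_sample_db():
    """In-memory stand-in for the Horde DB; all rows are constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE imp_sentmail (sentmail_who TEXT, sentmail_ts INTEGER, sentmail_recipient TEXT)")
    # pref_uid is an assumed column name for the owning user.
    db.execute("CREATE TABLE horde_prefs (pref_uid TEXT, pref_scope TEXT, pref_name TEXT, pref_value TEXT)")
    rows = [("alice", 1000 + i, f"colleague{i}@example.org") for i in range(3)]
    rows += [("mallory", 1100 + i, f"rcpt{i}@example.net") for i in range(40)]
    rows += [("bob", 5000 + i, f"list{i}@example.org") for i in range(25)]  # later burst
    db.executemany("INSERT INTO imp_sentmail VALUES (?, ?, ?)", rows)
    db.executemany("INSERT INTO horde_prefs VALUES (?, ?, ?, ?)", [
        ("alice", "horde", "identities", "signature: Regards, Alice"),
        ("carol", "horde", "identities", "signature: 100 percent FREE range eggs"),
        ("mallory", "horde", "identities", "signature: 100% FREE prize, click here"),
    ])
    return db

def heavy_senders(db, begin_ts, end_ts, nrcpt):
    """Accounts with more than nrcpt logged recipients inside (begin_ts, end_ts)."""
    return db.execute(
        "SELECT sentmail_who, COUNT(sentmail_recipient) AS nrcpt FROM imp_sentmail"
        " WHERE sentmail_ts > ? AND sentmail_ts < ?"
        " GROUP BY sentmail_who HAVING COUNT(sentmail_recipient) > ?"
        " ORDER BY nrcpt DESC", (begin_ts, end_ts, nrcpt)).fetchall()

def users_with_signature_text(db, spamtext):
    """Users whose stored identities contain spamtext, matched literally."""
    # Escape LIKE wildcards so '%' or '_' inside the spam text are not patterns.
    esc = spamtext.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return [r[0] for r in db.execute(
        "SELECT pref_uid FROM horde_prefs WHERE pref_scope = 'horde'"
        " AND pref_name = 'identities' AND pref_value LIKE ? ESCAPE '\\'"
        " ORDER BY pref_uid", (f"%{esc}%",))]

if __name__ == "__main__":
    db = build_sample_db()
    print(heavy_senders(db, 900, 2000, 20))            # narrow window
    print(heavy_senders(db, 900, 6000, 20))            # wider window
    print(users_with_signature_text(db, "100% FREE"))  # literal '%' in the search text
```

Without the ESCAPE handling, a spam text containing '%' would also match unrelated signatures such as carol's.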
