On Mon, 23 May 2011, Götz Reinicke - IT-Koordinator wrote:
> Hi,
> since Saturday we got about 40 reports from spamcom.net and other
> mailserver providers, that 'we' are sending or are used for sending spam.
> The MX is 193.196.129.3
> So far I received about 7.000 returned mail bounces from our system and
> all reported messages do have User-Agent: Internet Messaging Program
> (IMP) H3 (4.3.9) in the mail header.
> Or something like
> Received: from switchde.switchvpn.com (switchde.switchvpn.com
> [178.162.182.142]) by mail.filmakademie.de (Horde Framework) with HTTP;
> Our mailserver is a Red Hat EL 5.x server with sendmail 8.13.8, apache
> httpd 2.2.3, php 5.2.11, mysql 5.0.77 and latest horde webmail edition.
> My questions:
> What is the best way to find the leak? What may I configure in
> horde/imp/apache/php ... to make it harder to be compromised?
As others have said, most likely one of your users is compromised. You
can easily place limits on the number of messages that can be sent in a
specified time period to limit the damage. For example, we limit our
users to 500 messages per day from IMP.
To turn this feature on, login to Horde as an administrator and go to the
Administration > Setup > Mail (imp) > Other Settings tab. Configure the
"Outgoing Email Logging" settings. Here is what we use:
$conf['sentmail']['params']['threshold'] = 30;
$conf['sentmail']['params']['limit_period'] = 24;
$conf['sentmail']['params']['table'] = 'imp_sentmail';
$conf['sentmail']['params']['driverconfig'] = 'horde';
$conf['sentmail']['driver'] = 'sql';
Then, go to Administration > Permissions and add a child permission for
Mail (imp) called "Maximum Number of Recipients per Time Period
(max_timelimit)". Set it to 500 or the value you want for "Authenticated
Users".
We keep track of the use/abuse by running a nightly cronjob. It is
attached to this message and named report_senders.pl. All it really does
is run the following SQL query:
SELECT sentmail_who, COUNT(sentmail_who) cc
FROM imp_sentmail
WHERE (sentmail_ts > UNIX_TIMESTAMP() - 86400)
GROUP BY sentmail_who
HAVING cc > 100
ORDER BY cc DESC
We have a second perl script which will report all the messages that a
particular user sent in the last 24 hours (attached as query-sentmail.pl).
It is pretty obvious when a spammer has control of the account when you
look at the list of recipients. They like to send to the same domain with
a list of alphabetical usernames. If I have any doubt, I open up the
user's mailbox and look at their sent-mail and any bounce messages they
have received. There are usually lots of bounce messages for spam.
Lots of people on this list are recommending dumping sendmail in favor of
postfix. Personally, that sounds like postfix bigotry to me. Postfix is
a nice SMTP server, but sendmail will work fine too. Fix your immediate
problem in IMP first by deploying these sender limits. If you want to mess
with your SMTP server, do it later when you can spend the time to research
and test a solution.
Andy
#!/usr/bin/perl -w
# query-sentmail.pl: list every message one user sent via IMP in the last 24 hours
use strict;
use DBI;

unless (@ARGV) {
    print "Usage: $0 <username\@domain>\n";
    print "  Reports all messages sent via Webmail for\n";
    print "  username\@domain in the last 24 hours.\n";
    exit 1;
}
my $who = $ARGV[0];

# %prefs (DB connect string and credentials) is filled in by the site prefs file
our %prefs;
require "/private/admin/acct/requires/prefs.pl";

# Connect to the Horde/IMP database
my $dbh = DBI->connect($prefs{'webmail_connect_string'},
                       $prefs{'migrate_sql_user'},
                       $prefs{'migrate_sql_pass'},
                       { RaiseError => 1, AutoCommit => 1 })
    or die("$DBI::errstr\n");

# Every sentmail log row for this user from the last 24 hours, oldest first
my $sth = $dbh->prepare("SELECT sentmail_ts, sentmail_action, sentmail_recipient
                         FROM imp_sentmail
                         WHERE (sentmail_ts > UNIX_TIMESTAMP() - 86400)
                         AND sentmail_who = ?
                         ORDER BY sentmail_ts ASC");
$sth->execute($who);

printf("%-24s %-8s %s\n", "Time sent", "Action", "Recipient");
while (my ($ts, $action, $recip) = $sth->fetchrow_array) {
    my $time = localtime($ts);    # epoch seconds -> human-readable local time
    printf("%-24s %-8s %s\n", $time, $action, $recip);
}

# Cleanup
$sth->finish;
$dbh->disconnect;
#!/usr/bin/perl -w
# report_senders.pl: nightly report of users who sent more than 100 messages in 24 hours
use strict;
use DBI;

# %prefs (DB connect string and credentials) is filled in by the site prefs file
our %prefs;
require "/private/admin/acct/requires/prefs.pl";

# Connect to the Horde/IMP database
my $dbh = DBI->connect($prefs{'webmail_connect_string'},
                       $prefs{'migrate_sql_user'},
                       $prefs{'migrate_sql_pass'},
                       { RaiseError => 1, AutoCommit => 1 })
    or die("$DBI::errstr\n");

# Per-sender message counts over the last 24 hours, heaviest senders first
my $sth = $dbh->prepare("SELECT sentmail_who, COUNT(sentmail_who) cc
                         FROM imp_sentmail
                         WHERE (sentmail_ts > UNIX_TIMESTAMP() - 86400)
                         GROUP BY sentmail_who
                         HAVING cc > 100
                         ORDER BY cc DESC");
$sth->execute();

print "Users with more than 100 messages sent in the last 24 hours:\n\n";
printf("%-30s %s\n", "Username", "Messages");
while (my ($user, $count) = $sth->fetchrow_array) {
    printf("%-30s %d\n", $user, $count);
}

# Cleanup
$sth->finish;
$dbh->disconnect;
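Added example, not part of Andy's attachments or of Horde: a Python version of the nightly report that also scores each heavy sender on the two traits described above (one recipient domain dominating, recipients sent in alphabetical order), run against a constructed in-memory SQLite copy of imp_sentmail. The column types, the sample rows and the 0.8/0.9 cut-offs are assumptions.

```python
import sqlite3
from collections import Counter

# imp_sentmail columns as used by the list's scripts; column types are assumed.
SCHEMA = """CREATE TABLE imp_sentmail (sentmail_who TEXT, sentmail_ts INTEGER,
                                       sentmail_action TEXT, sentmail_recipient TEXT)"""
DAY = 86400

def heavy_senders(conn, now, threshold=100):
    # The report_senders.pl query, with 'now' passed in instead of UNIX_TIMESTAMP()
    sql = """SELECT sentmail_who, COUNT(sentmail_who) AS cc FROM imp_sentmail
             WHERE sentmail_ts > ? GROUP BY sentmail_who HAVING cc > ? ORDER BY cc DESC"""
    return conn.execute(sql, (now - DAY, threshold)).fetchall()

def recipient_profile(conn, who, now):
    # One sender's last-24h recipients: how much a single domain dominates and how
    # alphabetically ordered the sequence of addresses is (both hallmarks of a spam run)
    sql = """SELECT sentmail_recipient FROM imp_sentmail
             WHERE sentmail_ts > ? AND sentmail_who = ? ORDER BY sentmail_ts"""
    rcpts = [r[0] for r in conn.execute(sql, (now - DAY, who))]
    if not rcpts:
        return None
    top_domain, top_n = Counter(r.rsplit("@", 1)[-1].lower() for r in rcpts).most_common(1)[0]
    in_order = sum(a <= b for a, b in zip(rcpts, rcpts[1:]))
    return {"messages": len(rcpts), "top_domain": top_domain,
            "domain_share": top_n / len(rcpts),
            "sorted_fraction": in_order / max(len(rcpts) - 1, 1)}

def suspicious_senders(conn, now, threshold=100):
    # Heavy senders whose recipient list looks like an alphabetical run at one domain
    flagged = []
    for who, _cc in heavy_senders(conn, now, threshold):
        p = recipient_profile(conn, who, now)
        if p["domain_share"] >= 0.8 and p["sorted_fraction"] >= 0.9:
            flagged.append((who, p))
    return flagged

def sample_db(now):
    # Constructed data: one normal user, one account blasting 150 sorted addresses
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [("goetz@filmakademie.de", now - 3600 * i, "new", r) for i, r in
            enumerate(["a@example.org", "b@example.net", "c@example.com"])]
    names = sorted(f"user{i:03d}" for i in range(150))
    rows += [("victim@filmakademie.de", now - 9000 + 60 * i, "new", f"{n}@example.com")
             for i, n in enumerate(names)]
    rows.append(("victim@filmakademie.de", now - 2 * DAY, "new", "old@example.org"))  # outside window
    conn.executemany("INSERT INTO imp_sentmail VALUES (?, ?, ?, ?)", rows)
    return conn
```

Against a live MySQL instance the same three functions work with a DB-API connection and `now = int(time.time())`; only the `?` placeholders change to that driver's style.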
--
IMP mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscr...@lists.horde.org