----- Message from arjen+ho...@de-korte.org ---------
Date: Thu, 25 Apr 2013 21:13:18 +0200
From: Arjen de Korte <arjen+ho...@de-korte.org>
Subject: Re: [imp] Spamming through Horde
To: imp@lists.horde.org
Quoting Joseph Mays <m...@win.net>:
I'm working with an older version of horde-imp on a server running
FreeBSD 5-4 Stable. They have a problem with people occasionally
hacking into accounts in the webmail system and spamming through
them. When this happens it can be very hard to identify what hacked
webmail account got exploited because there is nothing in the mail
log or message headers to indicate which account the spam message
came from, and there is nothing in the horde or imp logs to record
what messages were sent out, and by whom. So I am looking for a way
to either log what account messages came from in the mail log,
record that information in the mail headers of the messages
themselves, or have horde log what messages were sent out through
the mail log system and by whom. Any information that could help
with any of the above would be greatly appreciated.
Not knowing exactly how old your version of IMP is, is there an
option to enable the mail logging? Chances are that enabling this
will also allow you to set limits on the number of messages and
recipients sent.
--
This message was sent from a mailinglist subscription address.
For off-list replies, you must remove the address extension.
Unfortunately I have this experience: users just answer mails that
threaten them and ask for their passwords. If your mail server is
sending spam, it is likely it is being blocked and its mail queue has
thousands of mails.
Save your mail logs, Horde logs, web server logs and the list of mails
in queue. From mail logs, looking backward, it will be very clear when
spam started (one sending to hundreds), so you have the date and time.
Go to Horde logs and find that date and time, go backward in time,
collect the logins of users that are posting and logged in. Search backwards
and probably you will find one that is logged in from a different IP
(a different place in the world) at the same time. This is the one.
Correlate with web server logs. Again in the mail log, before the time
spam started, you will find that one authenticated via IMAP.
Be careful, sometimes it is not easy to find the user if the mail is
busy with genuine users and a spammer.
After finding the compromised account, I just change its password to
block it. Remove the spam from the mail queue, keep an eye on the mail log
and wait to get off from being blocked (it may take some days).
Mauricio
----- End of message from arjen+ho...@de-korte.org -----
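Added example, not part of the original thread and not Horde code: a sketch of the correlation step described in the reply above, listing accounts that logged in from two different IPs close together in the period before the spam run started. The log line layout ("Login success for USER [IP]" after an ISO timestamp), the sample lines and the function names are assumptions; adapt the regex to what your Horde log actually contains.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp ... Login success for USER [IP]" layout.
SAMPLE_LOG = """\
2013-04-25 08:02:11 HORDE [notice] [imp] Login success for alice [192.0.2.10]
2013-04-25 08:15:40 HORDE [notice] [imp] Login success for bob [192.0.2.22]
2013-04-25 08:47:03 HORDE [notice] [imp] Login success for bob [203.0.113.77]
2013-04-25 08:50:19 HORDE [notice] [imp] Login success for carol [198.51.100.5]
2013-04-25 09:30:00 HORDE [notice] [imp] Login success for alice [192.0.2.10]
2013-04-25 13:05:00 HORDE [notice] [imp] Login success for carol [198.51.100.99]
""".splitlines()

LOGIN_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*Login success for (\S+) \[([0-9a-fA-F.:]+)\]")

def parse_logins(lines):
    """Yield (time, user, ip) for each successful-login line; skip everything else."""
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def suspicious_accounts(lines, spam_start, lookback=timedelta(hours=24),
                        window=timedelta(hours=1)):
    """Return {user: sorted IPs} for accounts that logged in from two different
    IPs within `window` of each other, during `lookback` before `spam_start`."""
    per_user = defaultdict(list)
    for when, user, ip in parse_logins(lines):
        if spam_start - lookback <= when <= spam_start:
            per_user[user].append((when, ip))
    hits = {}
    for user, events in per_user.items():
        events.sort()
        ips = set()
        for i, (t1, ip1) in enumerate(events):
            for t2, ip2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # events are sorted, later ones are even further apart
                if ip1 != ip2:
                    ips.update((ip1, ip2))
        if ips:
            hits[user] = sorted(ips)
    return hits

if __name__ == "__main__":
    start = datetime(2013, 4, 25, 9, 0, 0)  # constructed: spam start read from the mail log
    print(suspicious_accounts(SAMPLE_LOG, start))
```

The candidates it returns still need the cross-check against web server and mail logs that the reply describes, since a genuine user can also change IP within the window.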