Re: [imp] Spam Problem ... close to a solution ... may be you could help? - Kowtow Strike! :-)

2011-05-25 Thread Götz Reinicke - IT-Koordinator
On 24.05.11 21:40, Andrew Morgan wrote:
 On Tue, 24 May 2011, Götz Reinicke - IT-Koordinator wrote:
...

 One thing I forgot to mention about identifying compromised accounts -
 the spammers like to put the content of their message (the spam) into
 the user's signature block.  That simplifies the creation and sending of
 the spam because IMP will automatically include the signature block in
 any message.  You could search your preferences backend (MySQL or
 whatever) for the signature preference, possibly qualifying your search
 by looking for strings longer/larger than a certain amount.
 
 You'll also see the reply-to and identity preferences are frequently
 changed by spammers.
 
 Once you see the preferences of a compromised account, you'll know what
 to look for in the future.  It's very obvious.
 
 Andy



100*100 Kowtow !

Searching the Horde DB for some message strings revealed one account :-)

THANKS A LOT TO ALL SUGGESTIONS! :-D


Best regards . back to normal . Götz

-- 
Götz Reinicke
IT-Koordinator

Tel. +49 7141 969 420
Fax  +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart, HRB 205016
Chairwoman of the Supervisory Board:
Prof. Dr. Claudia Hübner

Managing Director:
Prof. Thomas Schadt



-- 
IMP mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscr...@lists.horde.org


Re: [imp] Spam Problem ... close to a solution ... may be you could help?

2011-05-25 Thread Michael Menge

Quoting Götz Reinicke - IT-Koordinator goetz.reini...@filmakademie.de:


On 24.05.11 21:40, Andrew Morgan wrote:

On Tue, 24 May 2011, Götz Reinicke - IT-Koordinator wrote:


Hi,

I did not find the compromised account yet, but I see a lot of messages
like the following one in our logs:

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:10:54 +0200]
74.82.171.30 TLSv1 RC4-MD5 POST
/horde/imp/compose.php?uniq=721hskg326yc HTTP/1.1 92

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:14:38 +0200]
74.82.171.30 TLSv1 RC4-MD5 POST
/horde/imp/compose.php?uniq=6khanz8ousab HTTP/1.1 92

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:24:41 +0200]
74.82.171.30 TLSv1 RC4-MD5 POST
/horde/imp/compose.php?uniq=2bcbqsb503hi HTTP/1.1 92


Maybe someone has an idea how to protect against such direct postings...
if it is possible at all?


I'm not sure what you mean by direct postings.  There is nothing
inherently evil about calling compose.php multiple times.


By 'direct posting' I meant that the spammer is not logged on
to the HORDE web page using a web browser.



If the spammer is not logged in, they should not be able to send
mails at all.


I was thinking that he uses some tool which calls
/horde/imp/compose.php


Yes, but there is no way to distinguish this tool from a normal web browser.
Both connect to the web server and send a POST request.



In the web server log I do have about 1,600 POST messages from that IP
... and checking some message IDs in the mail server log shows that there
are 100 or 200 recipients.

And I don't think that a spammer is sitting in front of his web browser
entering such an amount of e-mail addresses.


No, this is done by script, but as Horde only sees the result
there is no way to distinguish a normal browser from a script.

Therefore, limit the number of recipients per message in Horde,
and limit the number of recipients per timeframe.





M.Menge                         Tel.: (49) 7071/29-70316
Universität Tübingen            Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung   mail: michael.me...@zdv.uni-tuebingen.de

Wächterstraße 76
72074 Tübingen



Re: [imp] Spam Problem ... close to a solution ... may be you could help?

2011-05-25 Thread Andy Dorman

On 05/24/2011 01:05 PM, Arjen de Korte wrote:


Something very similar is already available in Horde through the Permission
system where you can add IMP, specify the number of recipients per message
(max_recipients) and total recipients per time unit (max_timelimit). You need to
have the Outgoing Email Logging enabled for this to work though.

Best regards, Arjen



Arjen, thank you.  I had forgotten about that feature.  We did not use it 
because we do not use MySQL and I believe it requires the SQL db, no?


--
Andy Dorman
Ironic Design, Inc.
AnteSpam.com, HomeFreeMail.com, ComeHome.net


[imp] Spam Problem ... close to a solution ... may be you could help?

2011-05-24 Thread Götz Reinicke - IT-Koordinator
Hi,

I did not find the compromised account yet, but I see a lot of messages
like the following one in our logs:

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:10:54 +0200]
74.82.171.30 TLSv1 RC4-MD5 POST
/horde/imp/compose.php?uniq=721hskg326yc HTTP/1.1 92

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:14:38 +0200]
74.82.171.30 TLSv1 RC4-MD5 POST
/horde/imp/compose.php?uniq=6khanz8ousab HTTP/1.1 92

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:24:41 +0200]
74.82.171.30 TLSv1 RC4-MD5 POST
/horde/imp/compose.php?uniq=2bcbqsb503hi HTTP/1.1 92


Maybe someone has an idea how to protect against such direct postings...
if it is possible at all?



Any suggestion is welcome

-- 
Götz Reinicke
IT-Koordinator

Tel. +49 7141 969 420
Fax  +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart, HRB 205016
Chairwoman of the Supervisory Board:
Prof. Dr. Claudia Hübner

Managing Director:
Prof. Thomas Schadt



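The pattern in the log excerpt above, repeated compose.php POSTs from one client address, can be surfaced automatically. This added example (not code from the thread or from Horde) parses the grep-prefixed ssl_request_log format shown in the post and flags source IPs that exceed a threshold of compose.php POSTs within a sliding window; the extra log lines, the window length and the threshold are constructed assumptions, and a hit is only a lead for review, since, as the replies note, a script and a browser look the same to the web server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the grep-prefixed ssl_request_log format from the post
# (three lines are the poster's, the rest are made up for the demonstration).
SAMPLE_LOG = """\
/var/log/httpd/ssl_request_log.1:[21/May/2011:01:10:54 +0200] 74.82.171.30 TLSv1 RC4-MD5 POST /horde/imp/compose.php?uniq=721hskg326yc HTTP/1.1 92
/var/log/httpd/ssl_request_log.1:[21/May/2011:01:12:10 +0200] 10.0.0.5 TLSv1 RC4-MD5 POST /horde/imp/compose.php?uniq=aaaaaaaaaaaa HTTP/1.1 92
/var/log/httpd/ssl_request_log.1:[21/May/2011:01:14:38 +0200] 74.82.171.30 TLSv1 RC4-MD5 POST /horde/imp/compose.php?uniq=6khanz8ousab HTTP/1.1 92
/var/log/httpd/ssl_request_log.1:[21/May/2011:01:20:00 +0200] 74.82.171.30 TLSv1 RC4-MD5 GET /horde/imp/mailbox.php HTTP/1.1 1200
/var/log/httpd/ssl_request_log.1:[21/May/2011:01:24:41 +0200] 74.82.171.30 TLSv1 RC4-MD5 POST /horde/imp/compose.php?uniq=2bcbqsb503hi HTTP/1.1 92
/var/log/httpd/ssl_request_log.1:[21/May/2011:03:30:00 +0200] 74.82.171.30 TLSv1 RC4-MD5 POST /horde/imp/compose.php?uniq=zzzzzzzzzzzz HTTP/1.1 92
"""

# optional "file:" grep prefix, [timestamp], client ip, protocol, cipher,
# method, request URI, HTTP version, response size
LINE_RE = re.compile(
    r'^(?:[^:\[]+:)?\[(?P<ts>[^\]]+)\]\s+(?P<ip>\S+)\s+\S+\s+\S+\s+'
    r'(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\S+\s+(?P<size>\S+)$'
)

def parse(line):
    """Return (timestamp, ip, method, uri) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return ts, m.group('ip'), m.group('method'), m.group('uri')

def compose_bursts(lines, window=timedelta(hours=1), threshold=3):
    """Return {ip: peak_count} for IPs whose compose.php POSTs reach `threshold`
    inside any sliding window of length `window`. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, method, uri = rec
        if method != 'POST' or not uri.startswith('/horde/imp/compose.php'):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire entries older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

The threshold and window are assumptions; calibrate them against a quiet day's log before acting on any hit.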


Re: [imp] Spam Problem ... close to a solution ... may be you could help?

2011-05-24 Thread Andy Dorman

On 05/24/2011 07:53 AM, Götz Reinicke - IT-Koordinator wrote:

Hi,

I did not find the compromised account yet, but I see a lot of messages
like the following one in our logs:

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:10:54 +0200]
74.82.171.30 TLSv1 RC4-MD5 POST
/horde/imp/compose.php?uniq=721hskg326yc HTTP/1.1 92

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:14:38 +0200]
74.82.171.30 TLSv1 RC4-MD5 POST
/horde/imp/compose.php?uniq=6khanz8ousab HTTP/1.1 92

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:24:41 +0200]
74.82.171.30 TLSv1 RC4-MD5 POST
/horde/imp/compose.php?uniq=2bcbqsb503hi HTTP/1.1 92


Maybe someone has an idea how to protect against such direct postings...
if it is possible at all?

Any suggestion is welcome



OK, you said any suggestion...

We use two techniques to stop outgoing spam.  The first is pretty complex and 
not for everyone.  You must use version control like Git or Bazaar to keep your 
local code changes safe when you do upstream updates (and using PEAR is out). 
The second technique is simple but not free.


1. We run memcache on the horde servers.  We then added local code to 
horde/imp/lib/Compose.php to save and update a 24 hour count of recipients in 
memcache for a sender.


Then when a sender hits the 24 hr limit or a limit for the number of addresses 
in a single email (spammers love to send to 40 or 50 BCC addresses), we 
deactivate the sender (so they can not send any more until an admin has taken 
action) and send a note to an admin so someone can follow up and decide if this 
is a spammer OR a valid user whose account was stolen.


I am sure someone like Chuck or Jan could write a patch for you on a consulting 
basis.  I have been trying to get our code organized and clean enough that we 
could submit it as something just about anyone could use.  But right now it is 
tied pretty closely to our LDAP user store which is pretty complicated.


2. This is not free... For the horde mailer config item we use smtp and point it 
to antespam.com.  AnteSpam checks the outgoing email for spam and viruses.  When 
it finds either, it quarantines the email and sends a note to the user and the 
domain admin.  The user can manually free the email from quarantine.  But since 
a spammer needs to send a large quantity of spam, needing to release emails from 
quarantine quickly kills his/her profits.  Also, the domain admin can look 
at the email and if it is really spam, they can quickly shut down the spammer.


I wish I had a better idea to suggest.  But we have found that spammers are 
clever and persistent and hard to stop.


Good luck,

--
Andy Dorman
FanMail.com
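The first technique Andy describes (a per-sender 24-hour recipient count plus a per-message cap, with deactivation and an admin note on breach) is shown here as an added example in Python, not Andy's PHP code or anything from IMP. A plain dict stands in for memcache, the limits are assumed values, and `reactivate` models the admin deciding the account belongs to a legitimate user.

```python
from collections import deque
from datetime import datetime, timedelta

MAX_PER_MESSAGE = 40    # assumed cap; the thread notes spammers favour 40-50 BCCs
MAX_PER_DAY = 500       # assumed 24-hour recipient budget per sender
WINDOW = timedelta(hours=24)

class RecipientLimiter:
    """Sliding 24-hour recipient counter; a dict stands in for memcache here."""

    def __init__(self, per_message=MAX_PER_MESSAGE, per_day=MAX_PER_DAY):
        self.per_message = per_message
        self.per_day = per_day
        self.sends = {}          # sender -> deque of (timestamp, recipient_count)
        self.deactivated = set() # senders blocked until an admin acts
        self.alerts = []         # (sender, reason) an admin would be mailed

    def _daily_total(self, sender, now):
        q = self.sends.setdefault(sender, deque())
        while q and now - q[0][0] > WINDOW:   # drop sends older than 24 h
            q.popleft()
        return sum(n for _, n in q)

    def check(self, sender, n_recipients, now):
        """Return True if the send may proceed; otherwise deactivate and alert."""
        if sender in self.deactivated:
            return False
        if n_recipients > self.per_message:
            return self._deactivate(sender, f'{n_recipients} recipients in one message')
        total = self._daily_total(sender, now) + n_recipients
        if total > self.per_day:
            return self._deactivate(sender, f'{total} recipients in 24 hours')
        self.sends[sender].append((now, n_recipients))
        return True

    def _deactivate(self, sender, reason):
        self.deactivated.add(sender)
        self.alerts.append((sender, reason))
        return False

    def reactivate(self, sender):
        """Admin found a legitimate user: lift the block and reset the count."""
        self.deactivated.discard(sender)
        self.sends.pop(sender, None)
```

In a real deployment the read-modify-write on the counter must be atomic across web nodes (memcache's increment operation rather than get-then-set), otherwise parallel compose requests can slip past the limit.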


Re: [imp] Spam Problem ... close to a solution ... may be you could help?

2011-05-24 Thread Rick Romero


Quoting Andy Dorman ador...@ironicdesign.com:

Also, the domain admin can also look at the email and if it is  
really spam, they can quickly shut down the spammer.



Off-topic - I like to know how much spam they would have sent, so when  
I verify it's spam I redirect their outgoing mail to /dev/null but  
continue to count the recipients.  It blows your mind sometimes...


I also apply the same 'counting' to my entire outgoing queue.  I've  
found that while the per-user limits are helpful, those smarter  
spammers will just create more accounts.   By monitoring the entire  
mail flow for traffic spikes, I can shut down the entire outgoing  
queue and remove the abuser(s).


I use qmail, but any SMTP server should work.  Essentially:
1. Route all 'non-verified' users' mail from the incoming SMTP server  
to 192.168.1.1.
2. Route all mail from 192.168.1.1 to 192.168.1.2.
3. 192.168.1.2 runs smtp-delay to 'pause' traffic on 192.168.1.1.
4. Run a cronjob that counts the number of emails in queue on  
192.168.1.1 every minute.  You will need to tweak both the counts and  
delay times for your environment (and as your environment scales up).
So for example, if you consistently have 20 emails in queue, and spike  
to 60 under normal operations, set your program to shut the queue down  
at 70 and alert the admin.  You will obviously need staff to manage  
the alert (if you're swamped with spammers) and/or understanding from  
your users that this will occur.


Rick

--
IMP mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscr...@lists.horde.org


Re: [imp] Spam Problem ... close to a solution ... may be you could help?

2011-05-24 Thread Andrew Morgan

On Tue, 24 May 2011, Götz Reinicke - IT-Koordinator wrote:


Hi,

I did not find the compromised account yet, but I see a lot of messages
like the following one in our logs:

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:10:54 +0200]
74.82.171.30 TLSv1 RC4-MD5 POST
/horde/imp/compose.php?uniq=721hskg326yc HTTP/1.1 92

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:14:38 +0200]
74.82.171.30 TLSv1 RC4-MD5 POST
/horde/imp/compose.php?uniq=6khanz8ousab HTTP/1.1 92

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:24:41 +0200]
74.82.171.30 TLSv1 RC4-MD5 POST
/horde/imp/compose.php?uniq=2bcbqsb503hi HTTP/1.1 92


Maybe someone has an idea how to protect against such direct postings...
if it is possible at all?


I'm not sure what you mean by direct postings.  There is nothing 
inherently evil about calling compose.php multiple times.


One thing I forgot to mention about identifying compromised accounts - the 
spammers like to put the content of their message (the spam) into the 
user's signature block.  That simplifies the creation and sending of the 
spam because IMP will automatically include the signature block in any 
message.  You could search your preferences backend (MySQL or whatever) 
for the signature preference, possibly qualifying your search by looking 
for strings longer/larger than a certain amount.


You'll also see the reply-to and identity preferences are frequently 
changed by spammers.


Once you see the preferences of a compromised account, you'll know what to 
look for in the future.  It's very obvious.


Andy
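Andrew's hint (search the preferences backend for oversized signature values and for changed reply-to settings) as an added example, not code from the thread or from Horde: it assumes the SQL prefs layout `horde_prefs(pref_uid, pref_scope, pref_name, pref_value)`, the pref names `signature` and `replyto_addr`, a local mail domain and a length threshold, all of which are assumptions, and the rows are constructed. An off-site reply-to alone is a weak signal (people do set personal addresses); the combination with a stuffed signature is what makes the account worth a look.

```python
import sqlite3

LOCAL_DOMAIN = 'example.org'     # assumed: the site's own mail domain
MAX_SIGNATURE_LEN = 500          # assumed threshold; tune to your real users

# Assumed Horde SQL prefs layout; rows are constructed, not real data.
SAMPLE_PREFS = [
    ('alice', 'imp', 'signature', 'Alice Example\nIT department'),
    ('alice', 'imp', 'replyto_addr', 'alice@example.org'),
    ('bob',   'imp', 'signature', 'Cheap watches! ' * 60),   # 900 chars of spam text
    ('bob',   'imp', 'replyto_addr', 'drop-box@mail.invalid'),
    ('carol', 'imp', 'replyto_addr', 'carol.personal@mail.invalid'),
]

def load_sample_db():
    """Build an in-memory table in the assumed horde_prefs shape."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE horde_prefs (pref_uid TEXT, pref_scope TEXT, '
               'pref_name TEXT, pref_value TEXT)')
    db.executemany('INSERT INTO horde_prefs VALUES (?,?,?,?)', SAMPLE_PREFS)
    return db

def suspicious_prefs(db, max_sig_len=MAX_SIGNATURE_LEN, local_domain=LOCAL_DOMAIN):
    """Return {uid: [reasons]} for accounts matching the patterns Andrew
    describes: a signature long enough to hold a spam body, and a reply-to
    pointing away from the local domain."""
    findings = {}
    for uid, n in db.execute(
            "SELECT pref_uid, LENGTH(pref_value) FROM horde_prefs "
            "WHERE pref_scope='imp' AND pref_name='signature' "
            "AND LENGTH(pref_value) > ?", (max_sig_len,)):
        findings.setdefault(uid, []).append(f'signature is {n} chars')
    for uid, addr in db.execute(
            "SELECT pref_uid, pref_value FROM horde_prefs "
            "WHERE pref_scope='imp' AND pref_name='replyto_addr'"):
        if addr and not addr.lower().endswith('@' + local_domain):
            findings.setdefault(uid, []).append(f'reply-to set to {addr}')
    return findings
```

Run the same two queries directly against the production prefs database once you have confirmed its actual table and pref names.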