On Tue, 24 May 2011, Götz Reinicke - IT-Koordinator wrote:

Hi,

I did not find the compromised account yet, but I see a lot of messages
like the following one in our logs:

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:10:54 +0200]
74.82.171.30 TLSv1 RC4-MD5 "POST
/horde/imp/compose.php?uniq=721hskg326yc HTTP/1.1" 92

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:14:38 +0200]
74.82.171.30 TLSv1 RC4-MD5 "POST
/horde/imp/compose.php?uniq=6khanz8ousab HTTP/1.1" 92

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:24:41 +0200]
74.82.171.30 TLSv1 RC4-MD5 "POST
/horde/imp/compose.php?uniq=2bcbqsb503hi HTTP/1.1" 92


Maybe someone has an idea how to protect against such direct postings...
if it is possible at all?

I'm not sure what you mean by "direct postings". There is nothing inherently evil about calling compose.php multiple times.

One thing I forgot to mention about identifying compromised accounts - the spammers like to put the content of their message (the spam) into the user's signature block. That simplifies the creation and sending of the spam because IMP will automatically include the signature block in any message. You could search your preferences backend (MySQL or whatever) for the signature preference, possibly qualifying your search by looking for strings longer/larger than a certain amount.

You'll also see the reply-to and identity preferences are frequently changed by spammers.

Once you see the preferences of a compromised account, you'll know what to look for in the future. It's very obvious.

        Andy
-- 
IMP mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscr...@lists.horde.org
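Andy's suggestion above, searching the preferences backend for oversized signature blocks and changed reply-to settings, as an added example that is not part of the thread or of Horde itself. It runs over a constructed set of rows in the shape of Horde's SQL prefs table (the column layout and the pref names "signature" and "replyto_addr" are assumptions) and goes one step beyond the post by also counting URLs in the signature.

```python
import re

# Constructed sample rows shaped like Horde's SQL preference backend
# (assumed layout: pref_uid, pref_scope, pref_name, pref_value; the pref
# names are assumptions, check them against your own horde_prefs table).
SAMPLE_PREFS = [
    ("alice", "horde", "signature", "-- \nAlice Example\nIT department"),
    ("alice", "horde", "replyto_addr", ""),
    ("bob", "horde", "signature",
     "Congratulations! You have been selected. Claim your prize now at "
     "http://example.invalid/claim and reply to win-notify@mailer.invalid "
     "within 24 hours or your reward will be forfeited. " * 3),
    ("bob", "horde", "replyto_addr", "win-notify@mailer.invalid"),
    ("carol", "horde", "signature", "Carol\nhttp://intranet.example.invalid/carol"),
]

LOCAL_DOMAIN = "example.invalid"   # constructed: the site's own mail domain
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def suspicious_accounts(rows, max_len=300, max_urls=1, local_domain=LOCAL_DOMAIN):
    """Return {uid: [reasons]} for accounts whose prefs look spammer-edited.

    Heuristics: a signature longer than max_len characters (Andy's
    "longer than a certain amount"), more than max_urls links in the
    signature, or a reply-to address that points outside the local domain.
    """
    by_uid = {}
    for uid, _scope, name, value in rows:
        by_uid.setdefault(uid, {})[name] = value or ""

    flagged = {}
    for uid, prefs in by_uid.items():
        reasons = []
        sig = prefs.get("signature", "")
        if len(sig) > max_len:
            reasons.append("signature length %d > %d" % (len(sig), max_len))
        urls = len(URL_RE.findall(sig))
        if urls > max_urls:
            reasons.append("signature contains %d URLs" % urls)
        replyto = prefs.get("replyto_addr", "")
        if replyto and not replyto.lower().endswith("@" + local_domain):
            reasons.append("reply-to points off-site: " + replyto)
        if reasons:
            flagged[uid] = reasons
    return flagged


if __name__ == "__main__":
    for uid, reasons in sorted(suspicious_accounts(SAMPLE_PREFS).items()):
        print(uid, "->", "; ".join(reasons))
```

On a live system, replace SAMPLE_PREFS with the rows returned by a query against the prefs table, and tune max_len to the longest legitimate signature you expect.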
