Re: [imp] Spam Problem ... close to a solution ... may be you could help?

Wed, 25 May 2011 02:51:39 -0700 

Quoting Götz Reinicke - IT-Koordinator <goetz.reini...@filmakademie.de>:


Am 24.05.11 21:40, schrieb Andrew Morgan:

On Tue, 24 May 2011, Götz Reinicke - IT-Koordinator wrote:


Hi,

I did not find the compromised account yet, but I see a lot off messages
like the following one in our logs:

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:10:54 +0200]
74.82.171.30 TLSv1 RC4-MD5 "POST
/horde/imp/compose.php?uniq=721hskg326yc HTTP/1.1" 92

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:14:38 +0200]
74.82.171.30 TLSv1 RC4-MD5 "POST
/horde/imp/compose.php?uniq=6khanz8ousab HTTP/1.1" 92

/var/log/httpd/ssl_request_log.1:[21/May/2011:01:24:41 +0200]
74.82.171.30 TLSv1 RC4-MD5 "POST
/horde/imp/compose.php?uniq=2bcbqsb503hi HTTP/1.1" 92


May be anyone has an idea how to protect against such direct postings...
if it is possible anyway?


I'm not sure what you mean by "direct postings".  There is nothing
inherently evil about calling compose.php multiple times.


By 'direct posting' I thought about, that the spammer is not logged on
to the HORDE webpage using a webbrowser.



If the spammer is not logged in, they should not be able to send
mails at all.


I was thinking, that he uses some tool, which call
/horde/imp/compose.php....


yes, but there is no way to distinguish this tool from a normal webbrowser.
Both connect to the Webserver, and send a POST-Request



In the webserver log I do have about 1.600 POST messages from that IP
... and checking some message IDs in the mailserverlog shows that there
are 100 or 200 recepiens.

And I don't think, that a spammer is sitting in Front of his webbrowser
entering such an amount of e-mail addresses.


No, this is done by script, but as Horde only sees the result
there is no way to distinguish a normal browser from a script.

Therefor limit the number of recipients per message in Horde,
and limit the number of recipients per timeframe.




--------------------------------------------------------------------------------
M.Menge                                Tel.: (49) 7071/29-70316
Universität Tübingen                   Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung mail: michael.me...@zdv.uni-tuebingen.de 
Wächterstraße 76
72074 Tübingen

Attachment: smime.p7s
Description: S/MIME Signatur

-- 
IMP mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscr...@lists.horde.org

Reply via email to