[imp] May be our horde installation was used for spam
Hi,

since Saturday we got about 40 reports from spamcom.net and other mailserver providers, that 'we' are sending or are used for sending spam. The MX is 193.196.129.3

So far I received about 7.000 returned mail bounces from our system and all reported messages do have

    User-Agent: Internet Messaging Program (IMP) H3 (4.3.9)

in the mailheader. Or something like

    Received: from switchde.switchvpn.com (switchde.switchvpn.com [178.162.182.142]) by mail.filmakademie.de (Horde Framework) with HTTP;

Our mailserver is a Red Hat EL 5.x server with sendmail 8.13.8, apache httpd 2.2.3, php 5.2.11, mysql 5.0.77 and latest horde webmailedition.

My questions: What is the best way to find the leak? What may I configure in horde/imp/apache/php ... to make it harder to be compromised?

This is the first time in 10 years ... so far our setup was not that bad.

Thanks a lot and best regards for any hint!

	Götz Reinicke

-- 
Götz Reinicke
IT-Koordinator

Tel. +49 7141 969 420
Fax  +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzende des Aufsichtsrats:
Prof. Dr. Claudia Hübner

Geschäftsführer:
Prof. Thomas Schadt

-- 
IMP mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscr...@lists.horde.org
Re: [imp] May be our horde installation was used for spam
Quoting Götz Reinicke - IT-Koordinator goetz.reini...@filmakademie.de:

> My questions: What is the best way to find the leak? What may I configure in horde/imp/apache/php ... to make it harder to be compromised?

If you're using SMTP AUTH for sending mail, the mailserver might have logged the userid that has been used to send these messages.

> This is the first time in 10 years ... so far our setup was not that bad.

Consider the possibility that this isn't a bug in Horde, but that one of your user accounts has been compromised. There is virtually nothing you as an administrator can do to prevent users from being careless with their credentials. The only thing you can do to limit the impact is to set up quotas on the number of messages a user can send per hour/day/week. Since you have received over 7000 bounces, chances are that you don't use this right now (which is highly recommended).

Best regards,
Arjen
Re: [imp] May be our horde installation was used for spam
> How may I limit the number of messages a user may send? :-)

for example google 'policyd'
Re: [imp] May be our horde installation was used for spam
On 23.05.11 10:30, azurIt wrote:
>
>> How may I limit the number of messages a user may send? :-)
>
> for example google 'policyd'

not for sendmail as far as I know.

	/Götz
Re: [imp] May be our horde installation was used for spam
uuhm, sendmail users still exist ? ;)

__
From: Götz Reinicke - IT-Koordinator
To: imp@lists.horde.org
Date: 23.05.2011 10:36
Subject: Re: [imp] May be our horde installation was used for spam

> On 23.05.11 10:30, azurIt wrote:
>>
>>> How may I limit the number of messages a user may send? :-)
>>
>> for example google 'policyd'
>
> not for sendmail as far as I know.
>
> 	/Götz
Re: [imp] May be our horde installation was used for spam
On 20:59, Götz Reinicke - IT-Koordinator wrote:

> Hi, since Saturday we got about 40 reports from spamcom.net and other mailserver providers, that 'we' are sending or are used for sending spam. The MX is 193.196.129.3

It's not widely listed at http://multirbl.valli.org/dnsbl-lookup/193.196.129.3.html so you should check in the MTA logfile if indeed this machine is sending out spam.

> So far I received about 7.000 returned mail bounces from our system and all reported messages do have User-Agent: Internet Messaging Program (IMP) H3 (4.3.9) in the mailheader. Or something like Received: from switchde.switchvpn.com (switchde.switchvpn.com [178.162.182.142]) by mail.filmakademie.de (Horde Framework) with HTTP;

As said, first check if you are really the origin. Headers are easily spoofed.

> Our mailserver is a Red Hat EL 5.x server with sendmail 8.13.8, apache httpd 2.2.3, php 5.2.11, mysql 5.0.77 and latest horde webmailedition.
>
> My questions: What is the best way to find the leak? What may I configure in horde/imp/apache/php ... to make it harder to be compromised?
>
> This is the first time in 10 years ... so far our setup was not that bad.

Horde/IMP per se, aside from some long-ago fixed bugs, is not usable to send spam by default. You have to find out if some user account is hacked or if some other web-accessible scripts are abused.

Besides this there is some hardening which can be done to lower the impact if a user account is phished:

- Disable the user preference for setting the sender address
- Use maillog and the rate-limits built into Horde
- Use secure access to the Webmail server with https at least for mobile users

Regards
Andreas
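A worked illustration of the MTA log check that Arjen and Andreas suggest (added here; not code from the thread, from Horde or from sendmail): it pairs sendmail's "AUTH=server" lines with the matching "from=" lines by queue id, totals recipients per authenticated account, and flags accounts whose recipients-per-message ratio is out of line. The log lines are a constructed sample, and the sendmail line layout, the thresholds and the account names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample maillog excerpt (not from the thread). Layout follows sendmail's
# default logging as assumed here: an "AUTH=server" line carrying the authid, then the
# "from=" line carrying nrcpts, both tied together by the queue id.
SAMPLE_LOG = """\
May 22 03:14:07 mail sendmail[4711]: p4M1E7xx004711: AUTH=server, relay=[178.162.182.142], authid=jdoe, mech=LOGIN, bits=0
May 22 03:14:07 mail sendmail[4711]: p4M1E7xx004711: from=<jdoe@example.org>, size=1834, class=0, nrcpts=48, msgid=<a1@example.org>, proto=ESMTP, daemon=MTA, relay=[178.162.182.142]
May 22 03:14:09 mail sendmail[4713]: p4M1E9xx004713: AUTH=server, relay=[178.162.182.142], authid=jdoe, mech=LOGIN, bits=0
May 22 03:14:09 mail sendmail[4713]: p4M1E9xx004713: from=<jdoe@example.org>, size=1840, class=0, nrcpts=50, msgid=<a2@example.org>, proto=ESMTP, daemon=MTA, relay=[178.162.182.142]
May 22 08:02:11 mail sendmail[5120]: p4M62Bxx005120: AUTH=server, relay=[10.0.0.5], authid=alice, mech=PLAIN, bits=0
May 22 08:02:11 mail sendmail[5120]: p4M62Bxx005120: from=<alice@example.org>, size=912, class=0, nrcpts=1, msgid=<b1@example.org>, proto=ESMTP, daemon=MTA, relay=[10.0.0.5]
May 22 08:05:30 mail sendmail[5131]: p4M65Uxx005131: from=<www@localhost>, size=700, class=0, nrcpts=2, msgid=<c1@localhost>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
"""

AUTH_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): AUTH=server, .*?authid=(?P<authid>[^,\s]+)")
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, .*?nrcpts=(?P<nrcpts>\d+)")


def aggregate_senders(lines):
    """Map each account to (messages, total_recipients). The account is the SMTP AUTH
    id when one was logged for that queue id, else the envelope sender (e.g. mail the
    webserver injected locally without AUTH)."""
    authid_by_qid = {}
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            authid_by_qid[m.group("qid")] = m.group("authid")
            continue
        m = FROM_RE.search(line)
        if m:
            key = authid_by_qid.get(m.group("qid"), m.group("sender"))
            stats[key][0] += 1
            stats[key][1] += int(m.group("nrcpts"))
    return {k: tuple(v) for k, v in stats.items()}


def flag_senders(stats, max_avg_rcpts=20, max_total_rcpts=500):
    """Return {account: reason} for accounts whose pattern looks like a phished account:
    many recipients per message (the sign Paul Sand describes) or a large total."""
    flagged = {}
    for account, (msgs, rcpts) in stats.items():
        if rcpts / msgs > max_avg_rcpts:
            flagged[account] = "avg %.0f recipients per message" % (rcpts / msgs)
        elif rcpts > max_total_rcpts:
            flagged[account] = "%d recipients in the period" % rcpts
    return flagged
```

On a real box you would feed `open('/var/log/maillog')` to `aggregate_senders` instead of the sample and tune the two thresholds to your users' normal behaviour.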
Re: [imp] May be our horde installation was used for spam
Apologies for top posting..

No wonder you have an issue. Install postfix asap and replace sendmail. This is more secure and less complex (and it sounds like you don't need complex).

In the meantime take that box offline until you establish if it's the server or a compromised user account.

Does your setup even use smtp auth?

Simon

Götz Reinicke - IT-Koordinator goetz.reini...@filmakademie.de wrote:

> On 23.05.11 10:30, azurIt wrote:
>>
>>> How may I limit the number of messages a user may send? :-)
>>
>> for example google 'policyd'
>
> not for sendmail as far as I know.
>
> 	/Götz
Re: [imp] May be our horde installation was used for spam
Quoting Simon Brereton simon.brere...@dada.net:

> Apologies for top posting..
>
> No wonder you have an issue. Install postfix asap and replace sendmail. This is more secure and less complex (and it sounds like you don't need complex).

actually, if one goes to make a secure server, it is not at all so simple. Fortunately, postfix configuration seems much more user-friendly than sendmail's

Janis

This message was sent using IMP, the Internet Messaging Program.
Re: [imp] May be our horde installation was used for spam
* Götz Reinicke - IT-Koordinator goetz.reini...@filmakademie.de [2011-05-23 04:30]:

> hmmm... do you have any hint for me how to find the userid?

We use the method described here: http://www.mail-archive.com/imp@lists.horde.org/msg04736.html

> How may I limit the number of messages a user may send? :-)

I wish we had a better solution, but this is what we have now:

Our experience is that the bad guys have an unusually large number of recipients per message. We added a check_data rule to sendmail.cf to quarantine such messages. (Quarantining is a relatively recent sendmail feature.)

Unfortunately, this quarantines a lot of valid messages too (in our case); some innocent people like to send mail to lots of recipients. So we *also* have mechanisms to auto-dequarantine innocuous messages, saving more suspicious ones for sysadmin inspection.

All this took some tuning and scripting. But we were desperate, because way too many of our users aren't very good at detecting phishing.

-- 
-- Paul A. Sand                 | Three things are certain:
-- University of New Hampshire  | Death, taxes, and lost data.
-- p...@unh.edu                 | Guess which has occurred.
-- http://pubpages.unh.edu/~pas | (David Dixon)
Re: [imp] May be our horde installation was used for spam
> My questions: What is the best way to find the leak? What may I configure in horde/imp/apache/php ... to make it harder to be compromised?

There are many phishing mails which target webmail accounts. IMHO this is the most common case for abuse of imp and other webmail software.

IMP has some options to limit the impact and show the used account. Have a look at

    Imp Configuration -> Other settings -> Outgoing Email Logging
    Permissions -> Imp -> max_recipients and max_timelimit

You can use the following sql-statement to show the suspicious accounts:

    SELECT * FROM (
        SELECT sentmail_who, COUNT(sentmail_recipient) AS nrcpt
        FROM imp_sentmail
        WHERE sentmail_ts > '@BEGIN_TS@' AND sentmail_ts < '@END_TS@'
        GROUP BY sentmail_who
        ORDER BY nrcpt DESC
    ) AS foo
    WHERE nrcpt > @NRCPT@;

Replace @BEGIN_TS@ and @END_TS@ with the beginning and end point timestamp of the timeframe, and @NRCPT@ with the number of recipients to ignore.

To find the user you can try to search the horde_prefs table for the spam content in the users' signature (pref_scope='horde' and pref_name='identities' and pref_value like '%SPAMTEXT%')

Regards

    Michael Menge

M.Menge                          Tel.: (49) 7071/29-70316
Universität Tübingen             Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung    mail: michael.me...@zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen
Re: [imp] May be our horde installation was used for spam
On Mon, 23 May 2011, Götz Reinicke - IT-Koordinator wrote:

> Hi, since Saturday we got about 40 reports from spamcom.net and other mailserver providers, that 'we' are sending or are used for sending spam. The MX is 193.196.129.3
>
> So far I received about 7.000 returned mail bounces from our system and all reported messages do have User-Agent: Internet Messaging Program (IMP) H3 (4.3.9) in the mailheader. Or something like Received: from switchde.switchvpn.com (switchde.switchvpn.com [178.162.182.142]) by mail.filmakademie.de (Horde Framework) with HTTP;
>
> Our mailserver is a Red Hat EL 5.x server with sendmail 8.13.8, apache httpd 2.2.3, php 5.2.11, mysql 5.0.77 and latest horde webmailedition.
>
> My questions: What is the best way to find the leak? What may I configure in horde/imp/apache/php ... to make it harder to be compromised?

As others have said, most likely one of your users is compromised. You can easily place limits on the number of messages that can be sent in a specified time period to limit the damage. For example, we limit our users to 500 messages per day from IMP.

To turn this feature on, login to Horde as an administrator and go to the Administration -> Setup -> Mail (imp) -> Other Settings tab. Configure the Outgoing Email Logging settings. Here is what we use:

    $conf['sentmail']['params']['threshold'] = 30;
    $conf['sentmail']['params']['limit_period'] = 24;
    $conf['sentmail']['params']['table'] = 'imp_sentmail';
    $conf['sentmail']['params']['driverconfig'] = 'horde';
    $conf['sentmail']['driver'] = 'sql';

Then, go to Administration -> Permissions and add a child permission for Mail (imp) called Maximum Number of Recipients per Time Period (max_timelimit). Set it to 500 or the value you want for Authenticated Users.

We keep track of the use/abuse by running a nightly cronjob. It is attached to this message and named report_senders.pl. All it really does is run the following SQL query:

    SELECT sentmail_who, COUNT(sentmail_who) cc
    FROM imp_sentmail
    WHERE (sentmail_ts > UNIX_TIMESTAMP() - 86400)
    GROUP BY sentmail_who
    HAVING cc > 100
    ORDER BY cc DESC

We have a second perl script which will report all the messages that a particular user sent in the last 24 hours (attached as query-sentmail.pl). It is pretty obvious when a spammer has control of the account when you look at the list of recipients. They like to send to the same domain with a list of alphabetical usernames. If I have any doubt, I open up the user's mailbox and look at their sent-mail and any bounce messages they have received. There are usually lots of bounce messages for spam.

Lots of people on this list are recommending dumping sendmail in favor of postfix. Personally, that sounds like postfix bigotry to me. Postfix is a nice SMTP server, but sendmail will work fine too. Fix your immediate problem in IMP first by deploying these sender limits. If you want to mess with your SMTP server, do it later when you can spend the time to research and test a solution.

	Andy

query-sentmail.pl:

    #!/usr/bin/perl -w
    use DBI;

    if ($#ARGV < 0) {
        print "Usage: $0 username\@domain\n";
        print "Reports all messages sent via Webmail for\n";
        print "username\@domain in the last 24 hours.\n";
        exit;
    }
    $who = $ARGV[0];

    # Setup some variables (site-local file defining %prefs)
    require "/private/admin/acct/requires/prefs.pl";

    # Connect to db
    $dbh = DBI->connect($prefs{'webmail_connect_string'},
                        $prefs{'migrate_sql_user'},
                        $prefs{'migrate_sql_pass'},
                        { RaiseError => 1, AutoCommit => 1 })
        or die("$DBI::errstr\n");

    # Every message this user sent through IMP in the last 24 hours
    $sth = $dbh->prepare("SELECT sentmail_ts, sentmail_action, sentmail_recipient
                          FROM imp_sentmail
                          WHERE (sentmail_ts > UNIX_TIMESTAMP() - 86400)
                            AND sentmail_who = ?
                          ORDER BY sentmail_ts ASC");
    $sth->execute($who);

    printf("%-24s %-8s %s\n", "Time sent", "Action", "Recipient");
    while (($ts, $action, $recip) = $sth->fetchrow_array) {
        $time = localtime($ts);
        printf("%-24s %-8s %s\n", $time, $action, $recip);
    }

    # Cleanup
    $sth->finish;
    $dbh->disconnect;

report_senders.pl:

    #!/usr/bin/perl -w
    use DBI;

    # Setup some variables (site-local file defining %prefs)
    require "/private/admin/acct/requires/prefs.pl";

    # Connect to db
    $dbh = DBI->connect($prefs{'webmail_connect_string'},
                        $prefs{'migrate_sql_user'},
                        $prefs{'migrate_sql_pass'},
                        { RaiseError => 1, AutoCommit => 1 })
        or die("$DBI::errstr\n");

    # Senders with more than 100 messages logged in the last 24 hours
    $sth = $dbh->prepare("SELECT sentmail_who, COUNT(sentmail_who) cc
                          FROM imp_sentmail
                          WHERE (sentmail_ts > UNIX_TIMESTAMP() - 86400)
                          GROUP BY sentmail_who
                          HAVING cc > 100
                          ORDER BY cc DESC");
    $sth->execute();

    print "Users with more than 100 messages sent in the last 24 hours:\n\n";
    printf("%-30s %s\n", "Username", "Messages");
    while (($user, $count) = $sth->fetchrow_array) {
        printf("%-30s %d\n", $user, $count);
    }

    # Cleanup
    $sth->finish;
    $dbh->disconnect;
Re: [imp] May be our horde installation was used for spam
Quoting Andrew Morgan mor...@orst.edu:

> On Mon, 23 May 2011, Götz Reinicke - IT-Koordinator wrote:
>
>> Hi, since Saturday we got about 40 reports from spamcom.net and other mailserver providers, that 'we' are sending or are used for sending spam