At 20:59, Götz Reinicke - IT-Koordinator wrote:
> Hi,
> since Saturday we got about 40 reports from and other
> mailserver providers, that 'we' are sending or are used for sending spam.
> The MX is

It's not widely listed at so you should
check in the MTA logfile if indeed this machine is sending out spam.

> So far I received about 7.000 returned mail bounces from our system and
> all reported messages do have User-Agent: Internet Messaging Program
> (IMP) H3 (4.3.9) in the mailheader.
> Or something like
> Received: from (
>  []) by (Horde Framework) with HTTP;

As said, first check if you are really the origin. Headers are easily

> Our mailserver is a Red Hat EL 5.x server with sendmail 8.13.8, apache
> httpd 2.2.3, php 5.2.11, mysql 5.0.77 and latest horde webmail edition.
> My questions:
> What is the best way to find the leak? What may I configure in
> horde/imp/apache/php ... to make it harder to be compromised?
> This is the first time in 10 years ... so far our setup was not that bad.

Horde/IMP per se is, besides some bugs fixed long ago, not usable to send
spam by default. You have to find out if some user account is hacked or
if some other web-accessible scripts are abused. Besides this, there is
some "hardening" which can be done to lower the impact if a user account
is phished:
- Disable the user preference for setting the sender address
- Use maillog and the rate-limits built into Horde
- Use secure access to the Webmail server with https at least for mobile
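
One way to run the MTA logfile check suggested in the reply above, as an added example that is not part of the original thread. It assumes the webmail hands mail to the local sendmail, so its messages are logged with relay=localhost [127.0.0.1] or relay=<user>@localhost; the log lines, addresses and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in sendmail 8.13 syslog format (not from the thread).
SAMPLE_LOG = """\
Mar  6 09:00:01 mail sendmail[2101]: o2680001002101: from=<alice@example.org>, size=1840, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar  6 09:00:05 mail sendmail[2107]: o2680005002107: from=<bob@example.org>, size=2210, class=0, nrcpts=50, msgid=<2@example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar  6 09:00:09 mail sendmail[2110]: o2680009002110: from=<bob@example.org>, size=2212, class=0, nrcpts=50, msgid=<3@example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar  6 09:00:12 mail sendmail[2113]: o2680012002113: from=<peer@example.net>, size=900, class=0, nrcpts=1, msgid=<4@example.net>, proto=ESMTP, daemon=MTA, relay=mx.example.net [192.0.2.10]
Mar  6 09:00:15 mail sendmail[2107]: o2680005002107: to=<x@example.com>, delay=00:00:10, mailer=esmtp, pri=122210, relay=mx.example.com. [198.51.100.7], dsn=2.0.0, stat=Sent
"""

# Matches only the per-message "from=" record; "to=" delivery records are skipped.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,]*)>?, "
    r".*?nrcpts=(?P<n>\d+),.*relay=(?P<relay>.+)$"
)


def is_local(relay):
    """True if the message was submitted on this host (assumed webmail path)."""
    relay = relay.strip()
    return "[127.0.0.1]" in relay or relay.endswith("@localhost")


def local_submitters(log_text, max_rcpts=20):
    """Return {envelope sender: (messages, recipients)} for locally submitted
    mail whose total recipient count exceeds max_rcpts (hypothetical threshold)."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m or not is_local(m.group("relay")):
            continue  # inbound mail from other hosts is not our own output
        entry = totals[m.group("sender")]
        entry[0] += 1
        entry[1] += int(m.group("n"))
    return {s: tuple(v) for s, v in totals.items() if v[1] > max_rcpts}


if __name__ == "__main__":
    for sender, (msgs, rcpts) in sorted(local_submitters(SAMPLE_LOG).items()):
        print(f"{sender}: {msgs} messages, {rcpts} recipients")
```

If users may set their own sender address, the envelope sender printed here need not match the account that logged in, so the queue IDs should be correlated with the webmail's own log before an account is blamed.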

