On Thu, Apr 25, 2013 at 3:38 PM, Joseph Mays <m...@win.net> wrote:
> I’m working with an older version of horde-imp on a server running FreeBSD
> 5-4 Stable. They have a problem with people occasionally hacking into
> accounts in the webmail system and spamming through them. When this happens
> it can be very hard to identify what hacked webmail account got exploited
> because there is nothing in the mail log or message headers to indicate
> which account the spam message came from, and there is nothing in the horde
> or imp logs to record what messages were sent out, and by whom. So I am
> looking for a way to either log what account messages came from in the mail
> log, record that information in the mail headers of the messages
> themselves, or have horde log what messages were sent out through the mail
> log system and by whom. Any information that could help with any of the
> above would be greatly appreciated.
> --
> imp mailing list

My solution is to restrict what email accounts they can send from. The first
thing the spammer does in horde is to set up a new user profile and a
signature which will contain the spam message. If you prevent them from
sending from an arbitrary address, you'll be able to easily trace the spam
outbreak to a compromised account.

In my case, I use postfix as the SMTP solution. I have a config line like:

    smtpd_sender_restrictions = reject_unknown_sender_domain,
        reject_unlisted_sender,
        check_sender_access hash:/etc/postfix-internal/localdomain,
        reject

Inside localdomain I have

    example.com OK

This allows them to send email from only the domain. In addition, any hacked
accounts are quickly added in here to block them:

    phishedacco...@example.com 550 This account has been compromised

--
imp mailing list
Frequently Asked Questions: http://wiki.horde.org/FAQ
To unsubscribe, mail: imp-unsubscr...@lists.horde.org
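
Added example, not part of the original thread: with senders restricted as the reply describes, one way to find the account behind an outbreak is to total recipients per envelope sender from the Postfix qmgr log lines and print access-table entries in the reply's format. The sample log lines, the function names and the threshold of 20 recipients are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix qmgr log format (not taken from the thread).
SAMPLE_LOG = """\
Apr 25 15:40:01 mail postfix/qmgr[811]: 3F2A11C0B2: from=<alice@example.com>, size=2101, nrcpt=1 (queue active)
Apr 25 15:41:10 mail postfix/qmgr[811]: 7B9C01C0B3: from=<bob@example.com>, size=4822, nrcpt=50 (queue active)
Apr 25 15:41:12 mail postfix/qmgr[811]: 7B9C01C0B4: from=<bob@example.com>, size=4822, nrcpt=50 (queue active)
Apr 25 15:46:12 mail postfix/qmgr[811]: 7B9C01C0B4: from=<bob@example.com>, size=4822, nrcpt=50 (queue active)
Apr 25 15:47:30 mail postfix/qmgr[811]: 9D0E21C0B5: from=<>, size=990, nrcpt=1 (queue active)
"""

# qmgr logs "<queue id>: from=<sender>, size=N, nrcpt=N" when a message becomes active.
QMGR = re.compile(
    r"postfix/qmgr\[\d+\]: ([0-9A-Za-z]+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)"
)

def recipients_per_sender(log_text):
    """Sum recipient counts per envelope sender, counting each queue ID once."""
    seen = set()
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = QMGR.search(line)
        if not m or not m.group(2):      # skip other lines and bounces (from=<>)
            continue
        queue_id, sender, nrcpt = m.group(1), m.group(2).lower(), int(m.group(3))
        if queue_id in seen:             # deferred mail is logged again on each retry
            continue
        seen.add(queue_id)
        totals[sender] += nrcpt
    return dict(totals)

def suspects(log_text, max_rcpts=20):
    """Senders whose total recipients exceed max_rcpts (hypothetical threshold)."""
    totals = recipients_per_sender(log_text)
    return sorted(s for s, n in totals.items() if n > max_rcpts)

def access_entries(senders, action="550 This account has been compromised"):
    """Render lines for the check_sender_access table, in the reply's format."""
    return [f"{s} {action}" for s in senders]

if __name__ == "__main__":
    for entry in access_entries(suspects(SAMPLE_LOG)):
        print(entry)
```

Because the table is a hash: map, run postmap on the file after adding entries so Postfix sees the change.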