Horde Spam - difficult to track?

Discussion in 'E-mail Discussion' started by ElrondBCN, Oct 29, 2010.

  1. ElrondBCN

    ElrondBCN Active Member

    May 19, 2003
    Boston, MA USA
    We had an issue today where someone was sending spam through our server using the Horde webmail client. This isn't uncommon; however, what is uncommon is that we weren't able to easily track how these messages were sent, or by what user.

    The way we were able to find out which account was sending the emails is because the message ID header contained one of our legitimate hosting domains. We then went through each email account within this domain and found out which one was sending the spam. Ultimately we only figured it out because one of the email addresses here had the spam messages in its Sent folder. Why was there no other information in these headers, like the sending party's email address; can this be enabled in some way? Is this because Horde sends the mail via PHP rather than through Exim? Most mails that are sent from our servers can easily be tracked, but not these. What can we do to make tracking the origins of emails like this possible?

    Here's an excerpt of the header of one of these emails:

    Headers spool file

    mailnull 47 12
    <global@sender's fake domain>
    1288362895 0
    -helo_name localhost
    -host_name localhost.localdomain
    -received_protocol esmtp
    -body_linecount 12
    -max_received_linelength 73
    NN (insert dozens of email addresses here)

    210P Received: from localhost.localdomain ([] helo=localhost)
    by (our server's FQDN) with esmtp (Exim 4.69)
    (envelope-from <global@sender's fake domain>)
    id 1PBq2h-0002m3-R5; Fri, 29 Oct 2010 10:34:55 -0400
    136P Received: from ([]) by mail.(legitimate customer email domain)
    (Horde Framework) with HTTP; Fri, 29 Oct 2010 10:34:54 -0400
    070I Message-ID: <20101029103454.87936jbkrwayhqq6@mail.legitimate customer email domain>
    038 Date: Fri, 29 Oct 2010 10:34:54 -0400
    035F From: Global Firm <global@sender's fake domain>
    030R Reply-to: glbfirm@sender's fake domain
    029T To: undisclosed-recipients:;
    010 Subject:
    018 MIME-Version: 1.0
    078 Content-Type: text/plain;
    028 Content-Disposition: inline
    032 Content-Transfer-Encoding: 7bit
    056 User-Agent: Internet Messaging Program (IMP) H3 (4.3.7)
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst Staff Member

    Oct 2, 2010
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Do you have "MailHeaders" selected in EasyApache for PHP's Exhaustive Options list? Here's information on that option:

    CHOON.NET : Resources : Scripts & Patches : PHP Mail Header Patch

    This might help out for tracking these down. Also, you can always view /var/log/maillog or /usr/local/cpanel/logs/access_log for logins to either IMAP or POP3 or Webmail during the times the messages are sent to track down the user.
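
An added example, not part of either post above: one way to do the log correlation suggested in this reply. It reads the Horde `Received:` hop and the `Message-ID` host from an Exim spool header file like the excerpt in the first post, then lists mailbox logins under that domain close to the send time. It assumes `/var/log/maillog` holds Dovecot `imap-login` lines written in the same local time zone as the header date; the domains and log lines are constructed placeholders.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample in the style of the spool excerpt above (placeholder domains).
SPOOL = """\
136P Received: from unknown by mail.customer.example
\t(Horde Framework) with HTTP; Fri, 29 Oct 2010 10:34:54 -0400
070I Message-ID: <20101029103454.87936jbkrwayhqq6@mail.customer.example>
"""
# Constructed maillog lines; the Dovecot login line format is an assumption about the server.
MAILLOG = """\
Oct 29 10:12:03 host dovecot: imap-login: Login: user=<alice@customer.example>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1
Oct 29 10:34:52 host dovecot: imap-login: Login: user=<bob@customer.example>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Oct 29 10:34:53 host dovecot: imap-login: Login: user=<carol@other.example>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
"""
LOGIN = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ dovecot: imap-login: Login: "
                   r"user=<([^>]+)>.*?rip=([0-9a-fA-F.:]+)")

def unfold(spool_text):
    """Join folded header lines and strip Exim's 'NNNx ' length/flag prefix."""
    text = re.sub(r"\n[ \t]+", " ", spool_text)
    return [re.sub(r"^\d{3}\S? +", "", line) for line in text.splitlines()]

def horde_hop(spool_text):
    """Return (wall-clock time of the Horde HTTP hop, Message-ID host)."""
    when = host = None
    for h in unfold(spool_text):
        if h.lower().startswith("received:") and "(Horde Framework) with HTTP" in h:
            stamp = h.rsplit(";", 1)[1].strip()
            when = parsedate_to_datetime(stamp).replace(tzinfo=None)
        elif h.lower().startswith("message-id:"):
            host = h.rsplit("@", 1)[1].rstrip("> ").lower()
    return when, host

def candidate_logins(spool_text, maillog_text, window=timedelta(minutes=5)):
    """Logins for mailboxes under the Message-ID host within `window` of the hop."""
    when, host = horde_hop(spool_text)
    if when is None or host is None:
        return []  # no Horde hop or Message-ID in this spool file
    hits = []
    for m in filter(None, map(LOGIN.match, maillog_text.splitlines())):
        # syslog stamps carry no year, so borrow it from the header date
        seen = datetime.strptime(f"{when.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        domain = m.group(2).rsplit("@", 1)[-1].lower()
        if abs(seen - when) <= window and (host == domain or host.endswith("." + domain)):
            hits.append((m.group(2), seen, m.group(3)))
    return hits
```

On the constructed data, `candidate_logins(SPOOL, MAILLOG)` returns only the `bob@customer.example` login; the third field is the client address Dovecot recorded for that login.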
  3. Melvin Kum

    Melvin Kum Registered

    Nov 8, 2010
    My Horde email client has recently been getting bombarded with spam and I cannot find a suitable way to stop these evils. Unlike Gmail or Yahoo, I found Horde to be totally incapable of fighting spam.