The Community Forums


Horde Spam - difficult to track?

Discussion in 'E-mail Discussions' started by ElrondBCN, Oct 29, 2010.

  1. ElrondBCN

    ElrondBCN Active Member

    Joined:
    May 19, 2003
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Boston, MA USA
    We had an issue today where someone was sending spam through our server using the Horde webmail client. This isn't uncommon, however, what is uncommon is that we weren't able to easily track how these messages were sent, or by what user.

    The way we were able to find out which account was sending the emails is because the message ID header contained one of our legitimate hosting domains. We then went through each email account within this domain and found out which one was sending the spam. Ultimately we only figured it out because one of the email addresses here had the spam messages in its Sent folder. Why was there no other information in these headers, like the sending party's email address; can this be enabled in some way? Is this because Horde sends the mail via PHP rather than through Exim? Most mails that are sent from our servers can easily be tracked, but not these. What can we do to make tracking the origins of emails like this possible?

    Here's an excerpt of the header of one of these emails:

    Headers spool file

    1PBq2h-0002m3-R5-H
    mailnull 47 12
    <global@sender's fake domain>
    1288362895 0
    -helo_name localhost
    -host_address 127.0.0.1.39057
    -host_name localhost.localdomain
    -interface_address 127.0.0.1.25
    -received_protocol esmtp
    -body_linecount 12
    -max_received_linelength 73
    NN (insert dozens of email addresses here)

    210P Received: from localhost.localdomain ([127.0.0.1] helo=localhost)
    by (our server's FQDN) with esmtp (Exim 4.69)
    (envelope-from <global@sender's fake domain>)
    id 1PBq2h-0002m3-R5; Fri, 29 Oct 2010 10:34:55 -0400
    136P Received: from 41.184.133.78 ([41.184.133.78]) by mail.(legitimate customer email domain)
    (Horde Framework) with HTTP; Fri, 29 Oct 2010 10:34:54 -0400
    070I Message-ID: <20101029103454.87936jbkrwayhqq6@mail.legitimate customer email domain>
    038 Date: Fri, 29 Oct 2010 10:34:54 -0400
    035F From: Global Firm <global@sender's fake domain>
    030R Reply-to: glbfirm@sender's fake domain
    029T To: undisclosed-recipients:;
    010 Subject:
    018 MIME-Version: 1.0
    078 Content-Type: text/plain;
    charset=ISO-8859-1;
    DelSp="Yes";
    format="flowed"
    028 Content-Disposition: inline
    032 Content-Transfer-Encoding: 7bit
    056 User-Agent: Internet Messaging Program (IMP) H3 (4.3.7)
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Do you have "MailHeaders" selected in EasyApache for PHP's Exhaustive Options list? Here's information on that option:

    CHOON.NET : Resources : Scripts & Patches : PHP Mail Header Patch

    This might help out for tracking these down. Also, you can always view /var/log/maillog or /usr/local/cpanel/logs/access_log for logins to either IMAP or POP3 or Webmail during the times the messages are sent to track down the user.
     
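As an added example (not code from the thread, cPanel or Horde): a small Python parser for an Exim spool -H file like the one quoted above. It unfolds the headers and pulls the webmail client IP, the Horde host and the submission time out of the "(Horde Framework) with HTTP" hop, which is the only trace of the submitting session such a message carries and is what you would then look for in /var/log/maillog or the cpanel access_log. The sample spool text, hostnames and IP are constructed placeholders.

```python
import re
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample in the Exim spool -H layout quoted in the thread;
# hosts and the IP are documentation placeholders, not real ones.
SAMPLE_SPOOL = """1PBq2h-0002m3-R5-H
mailnull 47 12
<global@fake.example>
1288362895 0
-helo_name localhost
1
victim@somewhere.example

210P Received: from localhost.localdomain ([127.0.0.1] helo=localhost)
by server.example with esmtp (Exim 4.69)
(envelope-from <global@fake.example>)
id 1PBq2h-0002m3-R5; Fri, 29 Oct 2010 10:34:55 -0400
136P Received: from 203.0.113.5 ([203.0.113.5]) by mail.customer.example
(Horde Framework) with HTTP; Fri, 29 Oct 2010 10:34:54 -0400
070I Message-ID: <20101029103454.87936jbkrwayhqq6@mail.customer.example>
035F From: Global Firm <global@fake.example>
"""

# Each header in the -H file starts with a 3-digit length, an optional
# one-letter flag (P, I, F, R, T, ...) and a space; any other line in the
# header region is a folded continuation (the forum paste lost its tabs).
HDR_START = re.compile(r"^\d{3}[A-Z*]? (.*)$")
HORDE_HOP = re.compile(r"^Received: from \S+ \(\[([^\]]+)\]\) by (\S+) "
                       r"\(Horde Framework\) with HTTP; (.+)$")
MSGID_DOMAIN = re.compile(r"^Message-ID: <[^@>]+@([^>]+)>$")

def unfold_spool_headers(text: str) -> list[str]:
    """Return the unfolded message headers from an Exim -H spool file."""
    headers: list[str] = []
    for line in text.splitlines():
        if m := HDR_START.match(line):
            headers.append(m.group(1))
        elif headers and line.strip():          # continuation of previous header
            headers[-1] += " " + line.strip()
    return headers

def find_horde_origin(text: str) -> Optional[dict]:
    """Client IP, Horde host and submission time of the webmail session."""
    result: dict = {}
    for h in unfold_spool_headers(text):
        if m := HORDE_HOP.match(h):
            result["client_ip"], result["horde_host"] = m.group(1), m.group(2)
            result["submitted_at"] = parsedate_to_datetime(m.group(3))
        elif m := MSGID_DOMAIN.match(h):
            result["msgid_domain"] = m.group(1)   # domain the OP searched by
    return result if "client_ip" in result else None
```

Point `find_horde_origin` at the contents of a `-H` file from /var/spool/exim/input to get the IP and timestamp to search the webmail login logs for.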
  3. Melvin Kum

    Melvin Kum Registered

    Joined:
    Nov 8, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    My Horde email client is recently getting bombarded with spam & I cannot find a suitable way to stop these evils. Unlike GMail or Yahoo, I found Horde to be totally incapable of fighting spam.
     