But you didn't answer Jan's question.  There is *no* way to send a 
message via IMP without first being authenticated.  If you don't 
believe me, try directly accessing compose.php directly (without any 
session information).  You will get a login screen instead.  If not, 
your installation is seriously broken.



The only way they could use IMP to send messages is if they hijacked 
the session.  And exactly like Jan told you, you need to upgrade since 
newer versions of Horde have further protections against this kind of 
attack (i.e. IP checking).

Hi,  this started happening at a local ISP in Grants Pass Oregon. We 
using IMP as our webmail server, and we are getting

one login every minute or so, with 31 character login id's like: 
20070308123837.1rzybom81m4ow8so (each login is different, but all are 
31 characters long).  I have had to clean out 1000's of spam messages 
from the postfix system.



We are currently running Debian 1:3.3.5-13 with horde3 that came with 
the install

And what makes you think this happens without being logged in? Beside 
that, you are using an ancient, unmaintained version.

Today I discovered that some robots are sending tons of spam via IMP 
on my server.

It seems that they can send it by passing data via POST to proper url, 
here are some entries from apache log:

POST /horde2/imp/compose.php?uniq=82628848545cdd1e23e7441171116589640 
HTTP/1.1" 200 102 
"https://my-server-address/horde2/imp/compose.php?popup=1&to=&cc=&bcc=&msg=&subject=&thismailbox=INBOX&uniq=1171116505671



and just after that, another one:



POST /horde2/imp/compose.php?uniq=60020459645cdd1e5ce54b1171116607218 
HTTP/1.1" 200 102 
"https://my-server-address/horde2/imp/compose.php?popup=1&to=&cc=&bcc=&msg=&subject=&thismailbox=INBOX&uniq=1171116508500