[#5022] Ability to send email without login, spamming

Summary: Ability to send email without login, spamming
Queue: IMP
Queue Version: 3.2.8
Type: Bug
State: Not A Bug
Priority: 1. Low
Owners:
Requester: mezon (at) niestety (dot) pl
Created: 2007-02-22 (4444 days ago)
Due:
Updated: 2007-03-09 (4429 days ago)
Assigned:
Resolved: 2007-02-22 (4444 days ago)
Milestone:
Patch: No

History

2007-03-09 03:40:54 Michael Slusarz Comment #4

But you didn't answer Jan's question. There is *no* way to send a message via IMP without first being authenticated. If you don't believe me, try accessing compose.php directly (without any session information). You will get a login screen instead. If not, your installation is seriously broken.

The only way they could use IMP to send messages is if they hijacked the session. And exactly like Jan told you, you need to upgrade since newer versions of Horde have further protections against this kind of attack (i.e. IP checking).

2007-03-08 19:53:29 fred (at) sundancer (dot) us Comment #3

> And what makes you think this happens without being logged in? Besides
> that, you are using an ancient, unmaintained version.

Hi, this started happening at a local ISP in Grants Pass, Oregon. We are using IMP as our webmail server, and we are getting one login every minute or so, with 31-character login IDs like 20070308123837.1rzybom81m4ow8so (each login is different, but all are 31 characters long). I have had to clean out 1000s of spam messages from the postfix system.

We are currently running Debian 1:3.3.5-13 with horde3 that came with the install.

2007-02-22 16:55:19 Jan Schneider Comment #2
State ⇒ Not A Bug
Priority ⇒ 1. Low

And what makes you think this happens without being logged in? Besides that, you are using an ancient, unmaintained version.

2007-02-22 16:20:12 mezon (at) niestety (dot) pl Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 3. High
Summary ⇒ Ability to send email without login, spamming
Queue ⇒ IMP

Today I discovered that some robots are sending tons of spam via IMP on my server.

It seems that they can send it by passing data via POST to the proper URL; here are some entries from the apache log:

POST /horde2/imp/compose.php?uniq=82628848545cdd1e23e7441171116589640 HTTP/1.1" 200 102 "https://my-server-address/horde2/imp/compose.php?popup=1&to=&cc=&bcc=&msg=&subject=&thismailbox=INBOX&uniq=1171116505671

and just after that, another one:

POST /horde2/imp/compose.php?uniq=60020459645cdd1e5ce54b1171116607218 HTTP/1.1" 200 102 "https://my-server-address/horde2/imp/compose.php?popup=1&to=&cc=&bcc=&msg=&subject=&thismailbox=INBOX&uniq=1171116508500
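The log excerpt in this report is the kind of signal an operator can watch for: a burst of successful POSTs to compose.php from the same client, one per message sent. The Python script below is an added example, not part of this ticket and not Horde or IMP code. It parses Apache combined-format lines and reports client IPs whose compose.php submissions exceed a threshold inside a sliding time window. The ticket quotes only the request, status and referer fields, so the client IPs, timestamps and user agents in the embedded sample are constructed, and the window and threshold values are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log line. The ticket quotes only the request, status and
# referer fields, so client IP, timestamp and user agent here are assumptions.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path taken from the ticket's log excerpt.
COMPOSE_PATH = "/horde2/imp/compose.php"

# Constructed sample: two of the POST lines mirror the ticket, the rest are
# made up. 203.0.113.7 submits four messages in under three minutes.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Mar/2007:12:38:37 -0800] "POST /horde2/imp/compose.php?uniq=82628848545cdd1e23e7441171116589640 HTTP/1.1" 200 102 "https://my-server-address/horde2/imp/compose.php?popup=1&to=&cc=&bcc=&msg=&subject=&thismailbox=INBOX&uniq=1171116505671" "Mozilla/4.0"
203.0.113.7 - - [08/Mar/2007:12:38:55 -0800] "POST /horde2/imp/compose.php?uniq=60020459645cdd1e5ce54b1171116607218 HTTP/1.1" 200 102 "https://my-server-address/horde2/imp/compose.php?popup=1&to=&cc=&bcc=&msg=&subject=&thismailbox=INBOX&uniq=1171116508500" "Mozilla/4.0"
198.51.100.5 - - [08/Mar/2007:12:39:10 -0800] "GET /horde2/imp/mailbox.php HTTP/1.1" 200 8713 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Mar/2007:12:39:41 -0800] "POST /horde2/imp/compose.php?uniq=1 HTTP/1.1" 200 102 "https://my-server-address/horde2/imp/compose.php?popup=1" "Mozilla/4.0"
198.51.100.5 - - [08/Mar/2007:12:40:02 -0800] "POST /horde2/imp/compose.php?uniq=2 HTTP/1.1" 200 102 "https://my-server-address/horde2/imp/compose.php?popup=1" "Mozilla/5.0"
203.0.113.7 - - [08/Mar/2007:12:41:03 -0800] "POST /horde2/imp/compose.php?uniq=3 HTTP/1.1" 200 102 "https://my-server-address/horde2/imp/compose.php?popup=1" "Mozilla/4.0"
"""


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_compose_submit(rec):
    """A successful POST to compose.php is one message submission attempt."""
    return (rec["method"] == "POST"
            and rec["path"].split("?", 1)[0] == COMPOSE_PATH
            and rec["status"] == 200)


def burst_senders(lines, window=timedelta(minutes=5), threshold=3):
    """Map client IP -> largest number of compose.php POSTs that fall inside
    any `window`-long interval, keeping only IPs that reach `threshold`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_compose_submit(rec):
            per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        best = 0
        start = 0
        # Two-pointer sliding window over the sorted timestamps.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in burst_senders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} compose.php POSTs within 5 minutes")
```

On the constructed sample the script flags only 203.0.113.7. A hit is a lead, not proof: it should be read together with the login records Michael refers to (a fresh session for every message, as in Comment #3, is the stronger indicator that sessions are being obtained rather than hijacked) and, on a version this old, the fix remains the upgrade both maintainers recommend.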