6.0.0-git
2019-03-19

[#5669] spam protection needed
Summary spam protection needed
Queue IMP
Queue Version 4.0.4
Type Enhancement
State Rejected
Priority 3. High
Owners
Requester zoli (at) polarhome (dot) com
Created 2007-08-24 (4225 days ago)
Due
Updated 2007-09-01 (4217 days ago)
Assigned
Resolved 2007-08-24 (4225 days ago)
Milestone
Patch No

History
2007-09-01 20:55:13 zoli (at) polarhome (dot) com Comment #7 Reply to this comment
Thank you very much... seems it works.

It is a great feature.



Regards,

Z
2007-08-27 15:30:01 Chuck Hagenbuch Comment #6 Reply to this comment
You need to turn on sentmail logging in IMP's configuration; then you 
can set permissions for the actual limits (using Horde's permissions 
system).
2007-08-27 09:41:57 zoli (at) polarhome (dot) com Comment #5 Reply to this comment
Hello,
I am aware of that  option and this is also set
Really? Then why did you say you're using IMP 4.0.4?
I beg your pardon... you have right. I used 4.1.4.
However, IMP 4.2 includes options for the maximum number of
recipients that a
user can send do at once, and in a configurable period.
I have upgraded to

Horde: 3.2-ALPHA

Imp: H3 (4.2-ALPHA) (run Imp tests)



and could not find the options that you have mentioned.



Could you please help me with this...



Thank you in advance.



Regards,

Z
2007-08-24 15:16:02 Chuck Hagenbuch Comment #4 Reply to this comment
However, IMP 4.2 includes options for the maximum number of 
recipients that a
user can send do at once, and in a configurable period.
I am aware of that  option and this is also set
Really? Then why did you say you're using IMP 4.0.4?
As I can see the abuser sends in a well defined URL  that Horde/IMP
accepts with current authentication allowing sendig out many
thousands of mails in few hours.
This is *exactly* what the rate limiting in IMP 4.2 prevents.
2007-08-24 08:43:23 zoli (at) polarhome (dot) com Comment #3 Reply to this comment
Hello,
Even whups doesn't have a captcha for authenticated users, and I
don't think adding one to IMP is a good idea. However, IMP 4.2
includes options for the maximum number of recipients that a user can
send do at once, and in a configurable period.
I am aware of that  option and this is also set, regardless the IMP is 
abused several times at polarhome.com (this is the reason why I have 
been forced to disable for all 100k+ users)



As I can see the abuser sends in a well defined URL  that Horde/IMP 
accepts with current authentication allowing sendig out many thousands 
of mails in few hours.



An explicit spam protection that would require the user to use the 
compose page through web inteface and enter a unique combination of 
letters would prevent automatic URL submissions - what might be the 
case here.



If you have any other workaround please tell us now.



Thank you in advance.



Regards,

Zoltan Arpadffy
2007-08-24 02:49:26 Chuck Hagenbuch Comment #2
State ⇒ Rejected
Reply to this comment
Even whups doesn't have a captcha for authenticated users, and I don't 
think adding one to IMP is a good idea. However, IMP 4.2 includes 
options for the maximum number of recipients that a user can send do 
at once, and in a configurable period.
2007-08-24 02:26:37 zoli (at) polarhome (dot) com Comment #1
Type ⇒ Enhancement
State ⇒ New
Priority ⇒ 3. High
Summary ⇒ spam protection needed
Queue ⇒ IMP
Reply to this comment
Hello,



I have been using Horde framework for years and it have been working 
most of the time very well.



During the last year I have noticed that IMP has been abused several 
times to send out spam (thousands of mail).



As my mail server has a limitation of 15 recepiens it is done by 
reusing horde/imp session and resubmit the url.



I would kindly ask you to add an optional (configurable) spam 
protection field to compose and forward functionality in IMP (like in 
this ticket application) in order to improve spam protection of the 
application itself.



Thank you very much in advance.



Regards,

Zoltan Arpadffy


Saved Queries