My default_host is set to localhost and only registered users can log in to the webmail. Although auto create user is set to true, as new accounts are being created every day (on a Gmail-like invitation basis).
I know that the reply-to address can be configured through email clients also, but if I am able to disable it through roundcube, that's one less way to spoof for the users. If it's possible, please reply.
Also, is anyone else able to spoof emails using the reply-to address in roundcube? I can't test as my hosting is suspended.
On 4/6/06, Thomas Bruederli <roundcube@gmail.com> wrote:
Basically, one can only send mails from a RoundCube installation when he
or she passes an IMAP login. Otherwise you won't get a valid session in
RC. Depending on your RoundCube configuration, logins can be done on any
IMAP host (if no default_host is configured) or only on your mailserver.
If you don't have a default_host configured and autocreate_user is
enabled, then anybody can use your RoundCube installation to send mails
using the PHP mail function or the SMTP server you configured.
If your installation is configured properly and only registered users
are allowed to login, I don't see anything to improve with RoundCube.
All the properties that you can set in RoundCube (From-address,
Reply-to, etc.) can also be configured the same way in any common mail
client.
I regret that documentation on RoundCube's installation and
configuration is not very detailed but please remember that you are
using a new webmail solution which is still under development. Before
setting it up in a public environment you should test your configuration
carefully and keep an eye on the logs.
Regards
Thomas
Nipun Jain schrieb:
> Since my hosting account is currently shut, I cannot access any logs.
> No, my machine has not been verified to send the virus-ridden emails.
> They have suspended the hosting to take their time to analyze the
> headers and see if it was my fault or someone outside the domain is
> sending these spoofed mails.
> And I haven't given any email account to a spammer. And all my passwords
> are alphanumeric and of good lengths so are not easy to guess.
>
> I am assuming that it's someone using my webmail because only my
> webhost can make the complaint of my domain being used to send these
> emails.
>
> On 4/5/06, *Nipun Jain* <jain.nipun@gmail.com
> <mailto:jain.nipun@gmail.com>> wrote:
>
> I am facing a problem of email spoofing with my webmail (running on
> roundcube).
>
> Some unscrupulous person(s) using my webmail has set their reply-to
> address as info@mydomain.com <mailto:info@mydomain.com> and / or
> administrator@mydomain.com <mailto:administrator@mydomain.com> in
> their identity and is / are using that identity to send email to
> other people on their webmail account at mydomain.com
> <http://mydomain.com/>. Now the recipient gets fooled by this
> spoofed mail as roundcube (and maybe other web based email) displays
> the sender as the spoofed email id (i.e. info@mydomain.com
> <mailto:info@mydomain.com> or administrator@mydomain.com
> <mailto:administrator@mydomain.com>) and not the actual email id
> used to send the email. I myself have received a couple of such
> mails and was perplexed to get an email from
> administrator@mydomain.com <mailto:administrator@mydomain.com> as I
> am the admin, and my email is admin@mydomain.com
> <mailto:admin@mydomain.com> (administrator@mydomain.com
> <mailto:administrator@mydomain.com> does not exist). I tried to figure
> out the actual email id by reading the email headers but it didn't
> show the actual email id, only showed the spoofed email id as
> administrator@mydomain.com <mailto:administrator@mydomain.com> (or
> info@mydomain.com <mailto:info@mydomain.com>).
>
> Now is this supposed to work this way? I mean setting the reply-to
> field to any email address in roundcube enables one to spoof the
> sender's email id? Is there any way to disable the "Reply To" field
> in roundcube so that users are unable to send spoofed mails?
>
>
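Two checks that follow from the thread, written as an added example (not code from the thread or from RoundCube): a webmail-side rule that the From/Sender/Reply-To addresses must match the authenticated login, and a receiving-side check that flags identity headers claiming a local mailbox that does not exist (the administrator@ case above). The domain, mailbox list and sample message are constructed for the example.

```python
import email
from email.utils import getaddresses

# Constructed sample message (values made up for this example): the
# sender-identity headers claim addresses at the webmail's own domain.
SAMPLE_MESSAGE = """\
From: "Administrator" <administrator@mydomain.com>
Reply-To: info@mydomain.com
To: someone@mydomain.com
Subject: please read

Hello
"""

# Assumed for the example: mailboxes that really exist on the server. The
# thread states administrator@mydomain.com does not exist, admin@ does.
LOCAL_DOMAIN = "mydomain.com"
KNOWN_MAILBOXES = {"admin@mydomain.com", "info@mydomain.com", "someone@mydomain.com"}
IDENTITY_HEADERS = ("From", "Sender", "Reply-To")

def claimed_addresses(raw):
    """Map each identity header to the lower-cased addresses it carries."""
    msg = email.message_from_string(raw)
    return {h: [a.lower() for _, a in getaddresses(msg.get_all(h, [])) if a]
            for h in IDENTITY_HEADERS}

def send_time_violations(login_user, raw):
    """Webmail-side policy: every From/Sender/Reply-To address must equal the
    authenticated login. Returns the (header, address) pairs that differ."""
    login_user = login_user.lower()
    return [(h, a) for h, addrs in claimed_addresses(raw).items()
            for a in addrs if a != login_user]

def nonexistent_local_claims(raw, local_domain=LOCAL_DOMAIN, known=KNOWN_MAILBOXES):
    """Receiving-side check: flag identity headers that claim a mailbox in the
    local domain which does not exist (e.g. administrator@ in the thread)."""
    return [(h, a) for h, addrs in claimed_addresses(raw).items()
            for a in addrs
            if a.rpartition("@")[2] == local_domain and a not in known]

if __name__ == "__main__":
    print(send_time_violations("user@mydomain.com", SAMPLE_MESSAGE))
    print(nonexistent_local_claims(SAMPLE_MESSAGE))
```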