> I thought those characters looked like Base64...and it turns out,
> they are. I was able to extract enough from them to figure out the
> account.

only if the session is using the "AUTH login" mechanism (and btw this
means that the server allows such an /unsafe/ option); for more details,
see

http://www.fehcom.de/qmail/smtpauth.html

notice that it may be advisable to use MD5 instead of login/plain since
both are easily "crackable" in case the traffic is sniffed or in any
case intercepted

About finding out which account got compromised, the best way to do so
is to find out the date/time from the ASSP logs and then look at the
mailserver logs; there you'll find the logon info "in clear" and that
will allow you to track the account

As for tracking such issues (and others) I'd suggest you use the
"outbound rate limiter" option; expand the "relaying" section in the
ASSP GUI and scroll down, you'll find the entries named
"LocalFrequencyInt" and "LocalFrequencyNumRcpt"; for a start set them to
1800 and 120, which means that if a given sender goes over the imposed
"outbound email" limit ASSP will reject the message with an error (retry
after...); now, to get a notification for such an event, locate
"notifyRe" under the "Logging" section and add either

"warning: too many recipients"

or

"notification: too many recipients"

the first one will notify you about each and every violation, the second
will notify you only once a day about each violation; for a start I'd
suggest you use the first one (warning) so that you'll immediately get
messages back; at that point, if the sender is a "legit" one (e.g. a
mailing list or a newsletter), just add the sender address to
"NoLocalFrequency" (use a file for that); once you have your
"NoLocalFrequency" set up, you may change the notification regexp to
"notification" so that you will only get ONE alert a day for each sender
violating the rate limiter; btw you may also need to fine tune the
limiter values (1800/120) to better suit your setup, the ones above are
just a starting point

The above mechanism will allow you to detect spamming users and
compromised accounts and quickly act so that your mail service won't
keep *sending* out "junk"

_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
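
The outbound limit described in the message above (120 recipients per sender per 1800 seconds, with an exemption list), as an added illustration that is not part of the original post and is not ASSP's own code. The event tuple format, the sliding-window logic and the example.org addresses are assumptions made for this sketch; use it to replay mail-log data and judge whether 1800/120 fits a given setup before enforcing it.

```python
from collections import defaultdict, deque

# Values suggested in the message above. The names mirror the ASSP settings,
# but the logic below is an assumed sliding window, not ASSP's implementation.
LOCAL_FREQUENCY_INT = 1800      # window length in seconds
LOCAL_FREQUENCY_NUM_RCPT = 120  # recipients allowed per sender per window


def find_violations(events, exempt=(), window=LOCAL_FREQUENCY_INT,
                    max_rcpt=LOCAL_FREQUENCY_NUM_RCPT):
    """events: iterable of (epoch_seconds, sender, recipient_count), time-sorted.

    Returns {sender: first timestamp at which the sender went over the limit}.
    """
    exempt = {addr.lower() for addr in exempt}  # plays the NoLocalFrequency role
    history = defaultdict(deque)   # sender -> deque of (timestamp, rcpt_count)
    totals = defaultdict(int)      # sender -> recipients inside current window
    violations = {}
    for ts, sender, rcpts in events:
        sender = sender.lower()
        if sender in exempt:
            continue
        q = history[sender]
        # Drop entries that have fallen out of the sliding window.
        while q and q[0][0] <= ts - window:
            totals[sender] -= q.popleft()[1]
        q.append((ts, rcpts))
        totals[sender] += rcpts
        if totals[sender] > max_rcpt and sender not in violations:
            violations[sender] = ts
    return violations


def build_sample_events():
    """Constructed sample data: three local senders over one hour."""
    events = []
    # Normal user: one single-recipient message every 10 minutes.
    events += [(t, "alice@example.org", 1) for t in range(0, 3600, 600)]
    # Account sending in bulk: 50-recipient messages one minute apart.
    events += [(t, "bob@example.org", 50) for t in (100, 160, 220)]
    # Legitimate newsletter: 200 recipients in a single message.
    events.append((300, "news@example.org", 200))
    return sorted(events)


if __name__ == "__main__":
    hits = find_violations(build_sample_events(), exempt=["news@example.org"])
    for sender, ts in hits.items():
        print(f"over limit: {sender} at t={ts}")
```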
