On 03/Mar/11 04:20, Mark Constable wrote:
> We just had 2 accounts compromised and used for sending out a ton of
> spam, one I found because an irate recipient sent back a complaint
> which included the headers and the AUTH: LOGIN details.

That only has the user's name, not the password. It is in every mail one
sends... Was the password cracked using several attempts? (From several
IPs?)

> I've already blocked the IP at this stage but the spammer can just
> hop on another machine with a different IP and start sending to the
> same compromised account which I can only guess at.

IMHO, one should block the user in this case. I would reset her/his
password; larger sites may engineer some automated mechanism, e.g. using
SMS and web forms.

> FWIW for future googling of the list archives, I found this useful...
>
> alias failedlogin='grep '\''LOGIN FAILED, user='\'' /var/log/mail/mail.log |
> awk -F'\''user='\'' '\''{print $2}'\'' | awk -F, '\''{print $1}'\'' | sort |
> uniq -c | sort -nr'

I use

  /LOGIN FAILED, user=\S* ip=\[<HOST>]/

but also

  /courieresmtpd: error,relay=<HOST>,msg="535 Authentication failed."/

However, it is still difficult to match such entries against a user-id.

How about an additional query to be issued when the password is wrong,
say some MYSQL_FAILEDAUTH_CLAUSE

  UPDATE user SET failures = failures + 1
  WHERE address = '$(local_part)@$(domain)'

sort of thing? It would then be trivial to limit login to users having
a decent number of failures, and to reset failures on the CHPASS
clause...

-- 
See http://www.mail-archive.com/courier-users@lists.sourceforge.net/msg35526.html

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
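The two ideas in this reply (count "LOGIN FAILED" entries per user and per source address, and keep a per-account failure counter in the user table that a password change resets) are shown together below as an added example. It is not code from this thread or from Courier: the log lines are constructed to mimic the two formats quoted above, the `accounts` table with an `address` and `failures` column is a hypothetical stand-in for the MySQL table the reply has in mind, and sqlite3 is used only so the example runs offline.

```python
"""Count Courier authentication failures per user and per source address, then
apply the per-account failure counter idea to an accounts table.

Added example; log lines and the `accounts` schema are constructed, not Courier's."""
import re
import sqlite3
from collections import Counter

# imapd/pop3d format quoted in the thread: "LOGIN FAILED, user=<name>, ip=[<addr>]"
LOGIN_FAILED = re.compile(r"LOGIN FAILED, user=(?P<user>[^,\s]+), ip=\[(?P<ip>[^\]]+)\]")
# courieresmtpd format quoted in the thread: it names the relay address but no user id
SMTP_535 = re.compile(r'courieresmtpd: error,relay=(?P<ip>[^,]+),msg="535 Authentication failed\."')

# Constructed sample log: alice fails three times from two addresses, bob once,
# and one SMTP AUTH failure arrives from the same address as alice's third attempt.
SAMPLE_LOG = """\
Mar  3 04:10:01 mx imapd: LOGIN FAILED, user=alice@example.net, ip=[::ffff:192.0.2.10]
Mar  3 04:10:03 mx imapd: LOGIN FAILED, user=alice@example.net, ip=[::ffff:192.0.2.10]
Mar  3 04:10:09 mx pop3d: LOGIN FAILED, user=alice@example.net, ip=[::ffff:198.51.100.7]
Mar  3 04:11:00 mx imapd: LOGIN, user=bob@example.net, ip=[::ffff:203.0.113.5], protocol=IMAP
Mar  3 04:11:30 mx imapd: LOGIN FAILED, user=bob@example.net, ip=[::ffff:203.0.113.5]
Mar  3 04:12:00 mx courieresmtpd: error,relay=::ffff:198.51.100.7,msg="535 Authentication failed.",cmd: AUTH LOGIN
"""


def parse_failures(log_text):
    """Return (failures per user, failures per ip).

    SMTP 535 lines carry no user id, so they only feed the per-ip counter; this is
    the gap the reply points out when trying to match entries to a user."""
    per_user, per_ip = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOGIN_FAILED.search(line)
        if m:
            per_user[m["user"]] += 1
            per_ip[m["ip"]] += 1
            continue
        m = SMTP_535.search(line)
        if m:
            per_ip[m["ip"]] += 1
    return per_user, per_ip


def top_users(per_user):
    """Same ordering as the quoted `sort | uniq -c | sort -nr` alias: most failures first."""
    return sorted(per_user.items(), key=lambda kv: (-kv[1], kv[0]))


def apply_failures(conn, per_user, limit):
    """Add the parsed counts to the hypothetical accounts table (the reply's
    `UPDATE ... SET failures = failures + 1` idea, batched per user) and return
    the addresses whose counter has reached `limit`."""
    with conn:
        conn.executemany(
            "UPDATE accounts SET failures = failures + ? WHERE address = ?",
            [(n, user) for user, n in per_user.items()],
        )
    rows = conn.execute(
        "SELECT address FROM accounts WHERE failures >= ? ORDER BY address", (limit,)
    )
    return [r[0] for r in rows]


def reset_failures(conn, address):
    """What a password-change (CHPASS) hook would do: clear the counter."""
    with conn:
        conn.execute("UPDATE accounts SET failures = 0 WHERE address = ?", (address,))


def demo_db():
    """In-memory stand-in for the MySQL user table; schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (address TEXT PRIMARY KEY, failures INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO accounts (address) VALUES (?)",
        [("alice@example.net",), ("bob@example.net",)],
    )
    return conn


if __name__ == "__main__":
    users, ips = parse_failures(SAMPLE_LOG)
    for user, n in top_users(users):
        print(f"{n:7d} {user}")
    for ip, n in sorted(ips.items(), key=lambda kv: -kv[1]):
        print(f"{n:7d} {ip}")
    conn = demo_db()
    print("accounts at or over limit:", apply_failures(conn, users, limit=3))
```

Running it against a real `/var/log/mail/mail.log` means reading the file in place of `SAMPLE_LOG`; the per-ip counter is what a fail2ban-style ban keys on, while the per-user counter is what the account lockout or password reset decision needs, and only the "LOGIN FAILED" lines can feed the latter.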