Hi, a mailbox of mine was compromised last week. I hate that. I changed the password just before the automated limit blocked the account. The spammer seems to have a huge botnet, and I still see "535 Authentication failed" in the logs. I set DEBUG_LOGIN=2 to make sure they are using the old password rather than trying to crack the new one.

Blocking accounts, like I do, is not very smart. Some sort of "freeze" would seem to be better. Something like moderating posts on lists, maybe. For example, as I use MySQL, I could add a "badpw" field in the user table, and craft a select statement that returns the honeypot's username when the input local_part matches the compromised password instead of the good one. That way I can also get rid of the verbose output of DEBUG_LOGIN=2, so long as 535s stay limited to the usual, innocuous attempts.

A filter would shoot on sight at honeypot's authenticated posts, and direct them to some script that either recognizes the spam template or keeps the message quarantined. The idea is to report the compromised web site appearing in the message body, so as to cause some friction. (The bot's IP could also be reported --more easily-- but I'm not sure an ISP would bother acting on it.)

Maybe there's some better way to achieve the same result. Thoughts?

Ale
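
Added example, not part of the original post and not Courier's own authentication code: a sketch of the lookup logic the post describes, where a login with the known-compromised password authenticates as a honeypot account whose mail is quarantined. The `badpw` column comes from the post; the table layout, account names, PBKDF2 hashing, sqlite3 standing in for MySQL, and the `authenticate`/`route` helpers are assumptions.

```python
import hashlib, hmac, os, sqlite3

HONEYPOT = "honeypot"  # hypothetical name of the quarantine account

def _hash(password, salt):
    # Salted, slow hash so neither the good nor the leaked password is stored in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed sample data; sqlite3 stands in for the MySQL user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, salt BLOB, pw BLOB, badpw BLOB)")
    salt = os.urandom(16)
    # alice changed her password; the old, leaked one is kept only as badpw.
    db.execute("INSERT INTO users VALUES (?,?,?,?)",
               ("alice", salt, _hash("new-secret", salt), _hash("old-leaked", salt)))
    salt = os.urandom(16)
    # bob was never compromised, so badpw is NULL.
    db.execute("INSERT INTO users VALUES (?,?,?,NULL)",
               ("bob", salt, _hash("bobpw", salt)))
    return db

def authenticate(db, login, password):
    """Return the account to authenticate as, or None (the 535 case)."""
    row = db.execute("SELECT salt, pw, badpw FROM users WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        return None
    salt, pw, badpw = row
    digest = _hash(password, salt)
    if hmac.compare_digest(digest, pw):
        return login                      # legitimate owner
    if badpw is not None and hmac.compare_digest(digest, badpw):
        return HONEYPOT                   # bot replaying the leaked password
    return None                           # ordinary failed attempt

def route(auth_user):
    """Filter decision for a message submitted by an authenticated user."""
    return "quarantine" if auth_user == HONEYPOT else "deliver"

if __name__ == "__main__":
    db = make_db()
    for login, pw in [("alice", "new-secret"), ("alice", "old-leaked"), ("alice", "guess")]:
        user = authenticate(db, login, pw)
        print(login, pw, "->", user, route(user) if user else "535")
```

Because the honeypot branch only fires on an exact match of the stored `badpw` hash, ordinary guessing attempts still fail and remain visible as 535s.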