On 05.07.21 at 13:19, Niels Kobschätzki via Exim-users wrote:
The problem is the identification because you usually get to know it only when 
the accounts are actively misused. If I get to know that users were 
specifically targeted I inform them. And at 2am in the night it might already 
be too late (you landed yourself on blacklists) - even though you still kick 
them from the system.


If you don't want to use a form of 2FA, it could be impossible to identify hacked accounts before they spam.

The nature of a hacked account is that the attacker has obtained the credentials from a PC and its mail program or via phishing. In both cases, they have a valid set of credentials, do not produce any login error (brute-forcing) and their first login is most likely the moment they start spamming.

A 2FA could add the IP to a database (file) and you only accept mails from IPs in this list + credentials. The 2FA could be a website to login or an Android app.

I, e.g., used something different: an IP-account-timeframe threshold to detect botnets, which kicks them reliably at 2 AM before they can spam ;)

Best regards,
Marius
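
An added example, not part of the original message and not Marius's actual setup: one way to read an "IP-account-timeframe threshold" is to flag an authenticated account once it submits mail from more than `max_ips` distinct IPs inside a sliding window. The threshold values, the function name and the log lines (constructed in the style of Exim's mainlog `<=` lines with `A=authenticator:id`) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of Exim's mainlog (not real data).
SAMPLE_LOG = """\
2021-07-05 01:58:10 1m0Aaa-0001aa-AA <= alice@example.org H=(pc1) [198.51.100.7] P=esmtpsa A=plain:alice S=2100
2021-07-05 02:00:01 1m0Aab-0001ab-AB <= bob@example.org H=(x) [203.0.113.5] P=esmtpsa A=plain:bob S=900
2021-07-05 02:00:20 1m0Aac-0001ac-AC <= bob@example.org H=(y) [203.0.113.77] P=esmtpsa A=plain:bob S=910
2021-07-05 02:00:41 1m0Aad-0001ad-AD <= bob@example.org H=(z) [192.0.2.14] P=esmtpsa A=plain:bob S=905
2021-07-05 02:01:05 1m0Aae-0001ae-AE <= bob@example.org H=(w) [192.0.2.200] P=esmtpsa A=plain:bob S=899
2021-07-05 02:01:06 1m0Aae-0001ae-AE => someone@example.net R=dnslookup T=remote_smtp
2021-07-05 09:30:00 1m0Aaf-0001af-AF <= alice@example.org H=(pc2) [198.51.100.9] P=esmtpsa A=plain:alice S=3000
"""

# Only authenticated arrivals ("<=" lines carrying A=<authenticator>:<id>) match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\].*? A=\w+:(?P<user>\S+)"
)

def flag_accounts(lines, max_ips=3, window=timedelta(minutes=10)):
    """Return {account: time it first exceeded max_ips distinct IPs in window}."""
    recent = defaultdict(deque)  # account -> (timestamp, ip) pairs inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # deliveries, rejects, unauthenticated arrivals
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        seen = recent[m["user"]]
        seen.append((ts, m["ip"]))
        # Drop sightings that have aged out of the sliding window.
        while ts - seen[0][0] > window:
            seen.popleft()
        distinct = {ip for _, ip in seen}
        if len(distinct) > max_ips and m["user"] not in flagged:
            flagged[m["user"]] = ts
    return flagged

if __name__ == "__main__":
    for user, when in flag_accounts(SAMPLE_LOG.splitlines()).items():
        print(f"{when} account {user!r} exceeded the distinct-IP threshold")
```

In the sample, `alice` uses two IPs hours apart and stays below the threshold, while `bob` is flagged on the fourth distinct IP within about a minute; the caller would then block or suspend the account.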



