Though a bit of a non-standard approach, I collect email subjects and
recipients from accounts that were compromised and used by the attacker
to send email. I use rspamd to mark them, and then I use bash scripts to
check for emails that hit the rspamd triggers and alert via Pushover
that an event needs to be investigated. It's so consistently on point
that I later plan to automate suspension and/or force password changes
on users that trigger them. Off the top of my head I'd say I catch 9 out
of 10 compromised email accounts with this process.
A couple of examples of the data I use:
- Including the IMAP server hostname in the email subject (there's an
attacker out there that emails themselves, from the compromised account,
username+password+imapserver as an email subject to test login
credentials)
- Email subject "LARAVEL SMTP CRACK" means the user left their email
credentials exposed in a Laravel installation
On 2021-09-21 10:08, Alessio Cecchi via mailop wrote:
Hi,
we are an email hosting provider, and as you know many users use weak
passwords, or have a trojan on their PC that stole their password, which
is then used to send spam or to commit some kind of fraud.
We already have a "script" that checks, from log files, the country of
the IP address and "does something" to detect if it is an unusual login.
But it is not really sufficient.
By "do something" I mean:
- too many logins from different countries
- too many fast logins
So we are always looking for a system/software/service/script to
detect logins to POP, IMAP or SMTP not made by the user.
I have also tested the AWS SageMaker IP Insights service, but without
success.
Has anyone had experience with these problems?
Thanks
--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
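The two heuristics Alessio describes (logins from too many countries, too many fast logins) written out as detection logic over constructed login log lines, as an added example that is not code from either poster or from any mail server; the log line format, the thresholds and the sample accounts are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed log format (an assumption, not any real server's format):
# "<ISO timestamp> <service> user=<account> ip=<addr> cc=<country>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<svc>imap|pop3|smtp) user=(?P<user>\S+) "
                     r"ip=(?P<ip>\S+) cc=(?P<cc>[A-Z]{2})$")
# Constructed sample: alice is normal, bob logs in from three countries within
# seconds, carol logs in four times in under two minutes.
SAMPLE_LOG = """\
2021-09-21T10:00:01 imap user=alice ip=203.0.113.10 cc=IT
2021-09-21T10:01:12 imap user=alice ip=203.0.113.10 cc=IT
2021-09-21T10:02:30 smtp user=bob ip=198.51.100.7 cc=IT
2021-09-21T10:02:31 smtp user=bob ip=198.51.100.8 cc=NG
2021-09-21T10:02:32 smtp user=bob ip=198.51.100.9 cc=BR
2021-09-21T10:03:00 pop3 user=carol ip=192.0.2.5 cc=IT
2021-09-21T10:03:20 pop3 user=carol ip=192.0.2.5 cc=IT
2021-09-21T10:03:45 pop3 user=carol ip=192.0.2.5 cc=IT
2021-09-21T10:04:30 pop3 user=carol ip=192.0.2.5 cc=IT
"""

def parse_line(line):
    """Return the login event as a dict, or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect_suspicious_logins(log_text, max_countries=2, burst_count=4,
                             burst_window=timedelta(minutes=5),
                             country_window=timedelta(hours=24)):
    """Map each flagged user to its reasons; thresholds are assumed values to tune."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_user[ev["user"]].append(ev)
    flagged = defaultdict(set)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            # Look back over a window that ends at this login (per-user sliding window).
            recent = [e for e in evs[:i + 1] if ev["ts"] - e["ts"] <= burst_window]
            if len(recent) >= burst_count:
                flagged[user].add("too many fast logins")
            seen = {e["cc"] for e in evs[:i + 1] if ev["ts"] - e["ts"] <= country_window}
            if len(seen) > max_countries:
                flagged[user].add("logins from too many countries")
    return dict(flagged)
```

The returned dict is the point at which a script like the one described above would raise an alert per user; a single login from a new country on its own deliberately does not trip either rule.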