Robert C Wittig wrote:
Have you considered adding a PF rule that would drop all incoming login requests from this specific user?
Yes. But it won't work, because there is a NAT-address-rewrite in between that changes the source address. Also, that user has plenty of machines to log on to. It seems by now that it is not a compromise, but something else, rather 'abuse'.
Uwe
