If you have left port 25 open, this is a good place to start. http://www.uceprotect.net/en/rblcheck.php
I suspect any decent IDS will tell you which machine has weird traffic. I suppose you can put rules based on the IDS result to redirect them to a special web page to tell them they have to do something. The main issue is not to know which machines are hijacked, but to support these machines.

----- Original Message -----
From: "Suresh Ramasubramanian" <ops.li...@gmail.com>
To: "Alex Kamiru" <nderitua...@gmail.com>
Cc: nanog@nanog.org
Sent: Thursday, 22 April, 2010 1:35:56 PM
Subject: Re: Mail Submission Protocol

Log and monitor all that you can. And watch for a large number of IPs logging into an account over a day (over a set limit - even across country - that takes into account "home - blackberry - airport lounge - airport lounge in another country - hotel - RIPE meeting venue" type scenarios).

And especially watch for and/or firewall off logins from areas from where you see particularly high levels of smtp auth abuse / logins to compromised accounts

--srs

2010/4/21 Alex Kamiru <nderitua...@gmail.com>:
>>>Inside customers, we have not changed to force port 587 and
>>>authentication for email clients, but the topic has come up in
>>>discussions. This won't, of course, stop spammers if they are
>>>hijacking the users local email client settings.
>
> How best would you stop spammers hijacking local users email clients
>
> -Mike
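
The per-account check suggested in the thread (count the distinct IPs that log into an account in a day and compare against a set limit), as an added example that is not part of the original messages. It assumes Postfix-style smtpd SASL log lines; the sample lines, the function name and the limit value are constructed for illustration.

```python
import re
from collections import defaultdict

# Day, client IP and SASL username from a Postfix-style smtpd line (assumed log format).
LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+)\s.*smtpd\[\d+\]: \w+: client=\S*?\[(?P<ip>[^\]]+)\]"
    r".*sasl_username=(?P<user>\S+)"
)

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
Apr 22 08:01:10 mx1 postfix/submission/smtpd[2101]: 3A1F0C2: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 22 09:14:02 mx1 postfix/submission/smtpd[2107]: 3A1F0D9: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 22 09:15:40 mx1 postfix/submission/smtpd[2109]: 3A1F0E1: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=Alice@example.com
Apr 22 09:16:05 mx1 postfix/submission/smtpd[2112]: 3A1F0E8: client=unknown[2001:db8::5], sasl_method=LOGIN, sasl_username=alice@example.com
Apr 22 10:02:11 mx1 postfix/submission/smtpd[2120]: 3A1F101: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=bob@example.com
Apr 22 10:05:00 mx1 postfix/smtpd[2121]: connect from unknown[203.0.113.9]
Apr 22 18:30:00 mx1 postfix/submission/smtpd[2180]: 3A1F1A0: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=bob@example.com
""".splitlines()


def accounts_over_limit(lines, limit):
    """Return {(day, user): sorted IPs} for accounts seen from more than `limit` IPs in a day."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # not an authenticated submission (e.g. a bare "connect from" line)
        # Usernames are lower-cased so "Alice@" and "alice@" count as one account.
        seen[(m["day"], m["user"].lower())].add(m["ip"])
    return {key: sorted(ips) for key, ips in seen.items() if len(ips) > limit}


if __name__ == "__main__":
    # limit=3 is an illustrative value; tune it to cover the
    # home / phone / airport / hotel pattern of legitimate users.
    for (day, user), ips in accounts_over_limit(SAMPLE_LOG, limit=3).items():
        print(f"{day} {user}: {len(ips)} distinct IPs: {', '.join(ips)}")
```
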