Homer Wilson Smith wrote the following on 3/4/2014 4:38 PM:

   Dear Gentle Folk,

   What is the state of the art in dealing with users whose SASL password
has been compromised?

   Running CentOS, and latest postfix.

   When a password gets compromised, spam starts to pour out of the
server from endless numbers of IPs, to endless numbers of addresses.

   Rate limiting is interesting but doesn't really stop the spam.

   Counting client=[IP] addresses until a threshold is reached
is highly effective, but then what?  Change their password?

   Thanks in advance.

   Homer


Just to confirm what others have said. Yes. Monitor activity for abusive/suspicious behavior and take action to stop it as soon as it's discovered. If you can automate it, even better.

While one could use a policy server, we chose to use an out of band monitoring solution that used the postfix logs. We track emails sent and then geolocate by IP of the client. If a single customer is simultaneously (or very quickly) spending time in several countries or continents then we know there's a problem. This has had a very low false positive hit rate and does a good job of catching most of the abuse we see coming from our customer accounts. We use other thresholds based on volume to catch spam sent from one or two IP addresses. Like another poster, we also use fail2ban, anvil, and have minimum password requirements to help create a layered solution to slow or prevent abuse in an automatic fashion.

We typically change the password on accounts flagged for abuse and then contact the customer to inform them of the problem and recommend they take action to secure their systems and change their passwords on any other accounts that may have shared similar credentials.

--Blake
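The log-driven check described in the reply above (track each SASL user's client IPs from the postfix/smtpd log, geolocate them, and flag an account that shows up from several countries within a short window, with a separate volume threshold), written out as an added Python example. This is not Blake's tool and not part of postfix; the log lines are constructed in the postfix/smtpd format, the year is assumed because syslog timestamps omit it, and `GEO_PREFIXES` is a hypothetical stand-in for a real GeoIP lookup.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the form postfix/smtpd logs for authenticated
# submissions. Syslog timestamps carry no year, so one is assumed here.
ASSUMED_YEAR = 2014
SAMPLE_LOG = """\
Mar  4 16:38:01 mail postfix/smtpd[2101]: 1A2B3C4D5E: client=host1.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  4 16:38:05 mail postfix/smtpd[2102]: 1A2B3C4D5F: client=host2.example[198.51.100.20], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  4 16:38:09 mail postfix/smtpd[2103]: 1A2B3C4D60: client=host3.example[203.0.113.30], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  4 16:39:00 mail postfix/smtpd[2104]: 1A2B3C4D61: client=home.example[192.0.2.55], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  4 17:10:00 mail postfix/smtpd[2105]: 1A2B3C4D62: client=home.example[192.0.2.55], sasl_method=LOGIN, sasl_username=bob@example.com
"""

# Hypothetical prefix -> country table standing in for a GeoIP database.
# The prefixes are documentation ranges; a real deployment queries GeoIP.
GEO_PREFIXES = {
    "192.0.2.": "US",
    "198.51.100.": "BR",
    "203.0.113.": "RU",
}

# Matches the client=[IP] and sasl_username= fields of an smtpd log line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=\S+\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>[^,\s]+)"
)


def country_of(ip):
    """Look up the country for an IP; '??' when unknown (e.g. IPv6 here)."""
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_events(log_text):
    """Return {sasl_username: [(timestamp, client_ip, country), ...]}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authenticated-client line; ignore it
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events[m["user"]].append((ts, m["ip"], country_of(m["ip"])))
    return events


def flag_accounts(log_text, window_seconds=600, allowed_countries=1,
                  max_ips=20, max_messages=200):
    """Flag users whose activity inside any sliding window looks like a
    compromised account: more countries than allowed, too many distinct
    client IPs, or too many messages. Unknown countries are not counted
    as a separate country, so a missing GeoIP entry cannot cause a flag."""
    flagged = {}
    for user, evs in parse_events(log_text).items():
        evs.sort()  # chronological order
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            countries = {cc for _, _, cc in window if cc != "??"}
            ips = {ip for _, ip, _ in window}
            suspicious = (len(countries) > allowed_countries
                          or len(ips) > max_ips
                          or len(window) > max_messages)
            if not suspicious:
                continue
            record = {"countries": sorted(countries),
                      "ips": len(ips), "messages": len(window)}
            # Keep the most damning window seen for this user.
            prev = flagged.get(user)
            if prev is None or (len(record["countries"]), record["ips"]) > \
                    (len(prev["countries"]), prev["ips"]):
                flagged[user] = record
    return flagged


if __name__ == "__main__":
    for user, why in flag_accounts(SAMPLE_LOG).items():
        print(f"{user}: {why}")
```

Run against a tailed mail log, this is the detection half only; what happens to a flagged account (password reset, disabling submission, contacting the customer) is the site's own procedure. The thresholds are deliberately parameters: a customer who travels or uses a VPN can legitimately appear from two countries in a day, so `window_seconds` and `allowed_countries` should be tuned against the site's own traffic before any automated response is wired to the result.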
