What about an outbound milter that would do nothing other than read the
to and from fields, and then store the message metadata along with a
timestamp in a database? You could then run queries to find the total
number of emails sent per user, and an average send rate (over the whole
organization or on a per-user basis). Then an aberration like a spike can
be easily seen. You could choose the granularity. For faster detection
of "stuff that needs to be looked at" you could do this on an hourly
report basis... When something is outside parameters, the cron job that
runs the queries can email you.

Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
mich...@highpoweredhelp.com
On 12/06/2016 03:50 PM, John Fawcett wrote:
> On 12/06/2016 02:52 AM, Alex wrote:
>> Hi,
>>
>> I have a postfix-3.0.5 system with a few hundred users. They have
>> access to submission, webmail, and dovecot to send and receive mail.
>>
>> On occasion, users' local desktops are compromised, and with them their
>> account on this system. This leads to their local desktop using the
>> submission service to send hundreds or thousands of spam emails
>> through this compromised account.
>>
>> They're only stopped after the user receives a ton of bounce messages,
>> or we happen to see it somehow while watching logs.
>>
>> What mechanisms are available to say, control the number of messages
>> sent per day or otherwise be made aware of a pattern of messages being
>> sent by an account that could be indicative of account compromise?
>>
>> Thanks,
>> Alex
> You could use a policy server that can do rate limiting (such as
> policyd). This will reduce the impact of the problem without
> stopping it altogether.
>
> I use a home-grown log parser script that can trigger account
> blocking if there are too many successful logins from different
> IPs in a short space of time or too many logins in general.
>
> It won't be for everyone (since it has PHP as a prerequisite)
> but if that's not an issue you might want to give it a try.
>
> http://www.voipsupport.it/wiki/index.php/CheckAuthLog
>
> John
>

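As an added worked example (this is not code from Michael, John, or the CheckAuthLog script linked above), here is the detection half of the two suggestions in Python. Instead of a milter writing to a database, it parses the sasl_username lines that Postfix's submission smtpd already logs, loads them into an in-memory SQLite table, and runs the per-user, per-hour count/average query Michael describes to flag a spike, plus John's check for one account authenticating from several client IPs within the same hour. The log lines, hostname, users, addresses and thresholds are all constructed for the example.

```python
"""Flag compromised submission accounts from Postfix smtpd SASL log lines."""
import re
import sqlite3
import statistics

# Constructed sample lines in the shape Postfix smtpd writes for authenticated
# submissions (hypothetical host, users and addresses; not real log data).
# alice sends one message an hour, then bursts from three unfamiliar IPs at 12:00.
SAMPLE_LOG = """\
Dec  6 09:01:12 mx postfix/submission/smtpd[1011]: 0A1: client=h1.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Dec  6 09:07:40 mx postfix/submission/smtpd[1011]: 0A2: client=h2.example.net[203.0.113.9], sasl_method=PLAIN, sasl_username=bob@example.com
Dec  6 10:03:55 mx postfix/submission/smtpd[1012]: 0A3: client=h1.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Dec  6 10:45:02 mx postfix/submission/smtpd[1012]: 0A4: client=h2.example.net[203.0.113.9], sasl_method=PLAIN, sasl_username=bob@example.com
Dec  6 11:12:33 mx postfix/submission/smtpd[1013]: 0A5: client=h1.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Dec  6 12:00:01 mx postfix/submission/smtpd[1014]: 0A6: client=unknown[198.51.100.20], sasl_method=PLAIN, sasl_username=alice@example.com
Dec  6 12:00:04 mx postfix/submission/smtpd[1014]: 0A7: client=unknown[198.51.100.20], sasl_method=PLAIN, sasl_username=alice@example.com
Dec  6 12:00:09 mx postfix/submission/smtpd[1015]: 0A8: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=alice@example.com
Dec  6 12:00:15 mx postfix/submission/smtpd[1015]: 0A9: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=alice@example.com
Dec  6 12:00:21 mx postfix/submission/smtpd[1016]: 0B0: client=unknown[192.0.2.78], sasl_method=PLAIN, sasl_username=alice@example.com
Dec  6 12:00:27 mx postfix/submission/smtpd[1016]: 0B1: client=unknown[192.0.2.78], sasl_method=PLAIN, sasl_username=alice@example.com
Dec  6 12:30:00 mx postfix/submission/smtpd[1017]: 0B2: client=h2.example.net[203.0.113.9], sasl_method=PLAIN, sasl_username=bob@example.com
"""

# One authenticated submission: "<queue-id>: client=<host>[<ip>], sasl_method=..., sasl_username=<user>"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"\w+: client=[^\s\[]+\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)


def load(log_text):
    """Parse the log into an in-memory SQLite table (hour, username, ip), one row per message."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sent (hour TEXT, username TEXT, ip TEXT)")
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines from unauthenticated clients or other daemons are ignored
            hour = f"{m['mon']} {int(m['day']):2d} {m['time'][:2]}"
            rows.append((hour, m["user"], m["ip"]))
    db.executemany("INSERT INTO sent VALUES (?, ?, ?)", rows)
    return db


def hourly_counts(db):
    """Per-user, per-hour message counts as {username: {hour: n}}."""
    counts = {}
    for user, hour, n in db.execute(
            "SELECT username, hour, COUNT(*) FROM sent "
            "GROUP BY username, hour ORDER BY username, hour"):
        counts.setdefault(user, {})[hour] = n
    return counts


def spikes(db, factor=3.0, floor=5):
    """Hours in which a user sent at least `floor` messages and more than `factor`
    times that user's mean hourly count over the other hours seen. Thresholds are
    illustrative; tune them to your own traffic."""
    alerts = []
    for user, hours in hourly_counts(db).items():
        for hour, n in hours.items():
            others = [v for h, v in hours.items() if h != hour] or [0]
            baseline = statistics.mean(others)
            if n >= floor and n > factor * baseline:
                alerts.append((user, hour, n, baseline))
    return alerts


def multi_ip_logins(db, hour, min_ips=2):
    """Users who authenticated from at least `min_ips` distinct client IPs within `hour`."""
    return db.execute(
        "SELECT username, COUNT(DISTINCT ip) FROM sent WHERE hour = ? "
        "GROUP BY username HAVING COUNT(DISTINCT ip) >= ? ORDER BY username",
        (hour, min_ips)).fetchall()


if __name__ == "__main__":
    db = load(SAMPLE_LOG)
    for user, hour, n, baseline in spikes(db):
        print(f"SPIKE    {user} {hour}h: {n} messages (baseline {baseline:.1f}/h)")
    for hour in sorted({h for hs in hourly_counts(db).values() for h in hs}):
        for user, ips in multi_ip_logins(db, hour):
            print(f"MULTI-IP {user} {hour}h: {ips} distinct client IPs")
```

Pointed at a real mail log (with a file-backed database in place of ":memory:"), the same two queries can run hourly from cron and mail the alerts. The spike test keys off each user's own history rather than a global limit, so an account with a legitimately high baseline is not flagged for volume alone, while the distinct-IP test catches the case John describes even before the message count climbs.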