Just to expand a bit on my situation. > Further investigation showed that the compromised account belonging to a > host on our network with a public IP was compromised with a trojan on the > machine. This trojan I suppose was running a small server watching email > traffic and sniffing passwords. > Once compromised I do believe the master server where the trojan came from > executed the attack. I did not see but only one IP using the account for > this purpose. Not Say that the master(hacker) could wake more bots to be > used in the attack. > > A little more control over the queue would be nice. For now I have > implemented nagios to watch the concurrency level and warn me when it goes > above a certain level. > > I had similar problems, but mails were sent via webmail (I'm using Horde). I'm installing a captcha to stop bots using my webmail interface. With the script I posted some mails ago, I'm monitoring the queue every minute, so as to detect a compromised account. But these are all temporal solutions until a real solution could be implemented, like an accounting module to qmail, which can limit the numbers of mails being sent from an IP or an authenticated user. Googling a bit I found an accounting module for qmail, but I could't test it: http://www.gplhost.com/old_stuff/index.php?rub=softwares&sousrub=mysqmail Has Anyone used it?
Natalio.
