On 10/3/2010 12:51 PM, Natalio Gatti wrote:
Just to expand a bit on my situation.
Further investigation showed that the compromised account
belonging to a host on our network with a public IP was
compromised with a trojan on the machine. This trojan I suppose
was running a small server watching email traffic and sniffing
passwords.
Once compromised I do believe the master server where the trojan
came from executed the attack. I did not see but only one IP using
the account for this purpose. Not to say that the master (hacker)
could wake more bots to be used in the attack.
A little more control over the queue would be nice. For now I have
implemented nagios to watch the concurrency level and warn me when
it goes above a certain level.
I had similar problems, but mails were sent via webmail (I'm using
Horde). I'm installing a captcha to stop bots using my webmail
interface. With the script I posted some mails ago, I'm monitoring the
queue every minute, so as to detect a compromised account. But these
are all temporary solutions until a real solution could be implemented,
like an accounting module to qmail, which can limit the number of
mails being sent from an IP or an authenticated user.
Googling a bit I found an accounting module for qmail, but I couldn't
test it:
http://www.gplhost.com/old_stuff/index.php?rub=softwares&sousrub=mysqmail
Has anyone used it?
Natalio.
I've seen where Yahoo webmail does this.
I have cacti setup with Thold to alert me when concurrency goes above
certain threshold because even for an ISP if it ever goes above 12 for a
certain amount of time there's something wrong.
So far all is quiet.
--Dave
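
The concurrency-threshold alerting discussed in this thread, as an added example that is not part of the original messages: it reads qmail-send `status:` lines from a multilog file and reports periods where remote concurrency stays above 12. The 300-second hold time, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# qmail-send writes "status: local L/Lmax remote R/Rmax" when delivery
# concurrency changes; multilog prefixes each line with a TAI64N label.
STATUS_RE = re.compile(
    r"^@([0-9a-f]{24}) status: local \d+/\d+ remote (\d+)/\d+")

def tai64n_seconds(label):
    """Seconds field of a TAI64N label (first 16 hex digits, offset 2**62)."""
    return int(label[:16], 16) - 2**62

def sustained_high(lines, threshold=12, hold_seconds=300):
    """Return (start, end) pairs, in seconds, for every period where remote
    concurrency stayed above threshold for at least hold_seconds."""
    alerts, start, last = [], None, None
    for line in lines:
        m = STATUS_RE.match(line)
        if not m:
            continue  # delivery, bounce and "new msg" lines are ignored
        ts, remote = tai64n_seconds(m.group(1)), int(m.group(2))
        if remote > threshold:
            start = ts if start is None else start
            last = ts
        else:
            if start is not None and ts - start >= hold_seconds:
                alerts.append((start, ts))
            start = None
    # log ended while still above the threshold
    if start is not None and last - start >= hold_seconds:
        alerts.append((start, last))
    return alerts

def _line(sec, text):
    """Build a constructed multilog line for the sample below."""
    return "@%016x00000000 %s" % (2**62 + sec, text)

BASE = 1286100000  # constructed sample start time (assumption)
SAMPLE = [
    _line(BASE, "status: local 0/10 remote 3/20"),
    _line(BASE + 60, "status: local 0/10 remote 14/20"),
    _line(BASE + 61, "new msg 123456"),
    _line(BASE + 120, "status: local 0/10 remote 20/20"),
    _line(BASE + 500, "status: local 0/10 remote 15/20"),
    _line(BASE + 560, "status: local 0/10 remote 2/20"),   # 500 s above 12
    _line(BASE + 600, "status: local 0/10 remote 13/20"),
    _line(BASE + 630, "status: local 0/10 remote 1/20"),   # 30 s blip
]

if __name__ == "__main__":
    for start, end in sustained_high(SAMPLE):
        print("remote concurrency above threshold for %d s" % (end - start))
```

The hold time filters out short bursts such as a mailing-list delivery, so only a queue that stays busy raises an alert.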