Hey,

How about doing a threshold scan for users. See what their baseline is and then 
start reporting when you see some unexpectedly high amount of mail going out. 
I'd think that's usually a good sign for spammy behavior. Even with an already 
high amount of mail the baseline would still help to see if there is an unusual 
peak.

Just my two cents but I'd be interested in this too because it just recently 
happened to me as well. Come to think of it I might go and try to write a 
Nagios plugin for it some day... I guess with a large number of users this 
will get difficult.

Cheers,
Sebastian

On 03.02.2013, at 18:59, South Computers <i...@southcomputers.com> wrote:

> Looking for ideas on detecting compromised accounts, especially for smtp 
> submission. While there are programs available to detect failed login 
> attempts (fail2ban, etc), what if the person already has / knows the correct 
> password, such as from a keylogger, or another account hacked elsewhere (for 
> example twitter a couple of days ago). I had a user whose account was being 
> used to send spam today, managed to find it & shut it down, but wondering 
> if there might be a good way to attempt to find / prevent things before they 
> get out of hand. I manually checked their computer for trojans / rootkits, 
> found nothing, and it was not an easy password, so must have been the same 
> password they used elsewhere that was hacked. Hopefully anyway...
> 
> Just random initial thoughts:
> 
> Track the different ips a user is connecting from. If there are over x number 
> of logins within x period of time from x number of ip addresses, then disable 
> the account, or generate a random new password for it, and maybe add a block 
> in iptables. Perhaps also adding ip location to it in some way, so if logins 
> are coming from multiple countries in a short period of time, it could also 
> be detected.
> 
> Just thinking out loud to the group...   Thoughts welcomed, or suggestions if 
> there is already something out there like this.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
> 


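An added example, not code from anyone on this thread, showing both ideas discussed above in one script: a per-user daily baseline that flags an unusual outgoing peak, and a check for too many distinct client addresses within a short window. It assumes an already-extracted submission log in the constructed format `<ISO time> user=<login> ip=<addr>`; the thresholds (3 sigma above the baseline, an absolute floor of 20 per day, more than 3 addresses per hour) are illustrative choices, not recommendations.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
# Assumed line format (constructed for this example, not qmail's own): "<ISO time> user=<login> ip=<addr>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+)$")

def parse(lines):
    """Yield (timestamp, user, ip) for each authenticated-submission line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def volume_alerts(events, min_days=3, sigmas=3.0, floor=20):
    """Per-user baseline: flag the latest day if its count exceeds mean + sigmas*stddev of earlier days and an absolute floor."""
    per_user = defaultdict(Counter)
    for ts, user, _ in events:
        per_user[user][ts.date()] += 1
    today = max(ts.date() for ts, _, _ in events)
    alerts = {}
    for user, counts in per_user.items():
        history = [n for d, n in counts.items() if d < today]
        if len(history) < min_days:  # too little history to call anything a baseline yet
            continue
        threshold = max(floor, mean(history) + sigmas * pstdev(history))
        if counts.get(today, 0) > threshold:
            alerts[user] = (counts[today], round(threshold, 1))
    return alerts

def ip_alerts(events, window=timedelta(hours=1), max_ips=3):
    """Flag users seen from more than max_ips distinct addresses within any one-window span."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    alerts = {}
    for user, evs in by_user.items():
        for ts, _ in evs:
            seen = {ip for t, ip in evs if ts - window <= t <= ts}
            if len(seen) > max_ips:
                alerts[user] = max(alerts.get(user, 0), len(seen))
    return alerts

def constructed_log():
    """Constructed sample: bob is a steady heavy sender; alice is quiet for five days, then bursts from four addresses."""
    base, lines = datetime(2013, 2, 1, 9), []
    for day, n in enumerate([90, 110, 100, 95, 105, 115]):
        lines += [f"{(base + timedelta(days=day, minutes=i)).isoformat()} user=bob ip=203.0.113.7" for i in range(n)]
    for day in range(5):
        lines += [f"{(base + timedelta(days=day, minutes=5 * i)).isoformat()} user=alice ip=203.0.113.5" for i in range(10)]
    lines += [f"{(base + timedelta(days=5, seconds=30 * i)).isoformat()} user=alice ip=198.51.100.{i % 4}" for i in range(80)]
    return lines
```

Running `volume_alerts(list(parse(constructed_log())))` flags only alice (80 mails against a threshold of 20), while bob's 115 stays under his own baseline of roughly 121; `ip_alerts` reports alice seen from 4 addresses inside one hour.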