Nice thinking.
I like the way Gmane.org controls submissions. They restrict the
frequency that a given user can send out messages. This is done by
throttling the send queue to only allow one message to go out every so
often (a minute or so I'm thinking) per user. If a user submits more
messages than they're allowed, excess messages simply sit in the send
queue and trickle out at the acceptable rate.
I'd very much like to see a throttle put on qmail-remote which would
allow a per-user interval to be specified. When abuse occurs, the send
queue would grow noticeably, which could easily be monitored.
This doesn't address compromised accounts specifically, but it controls
a common bad thing that happens when an account is compromised.
Thoughts?
--
-Eric 'shubes'
On 02/03/2013 11:14 AM, Sebastian Grewe wrote:
Hey,
How about doing a threshold scan for users. See what their baseline is and then
start reporting when you see some unexpected high amount of mails going out.
I'd think that's usually a good sign for spammy behavior. Even with an already
high amount of mails the baseline would still help to see if there is an unusual
peak.
Just my two cents but I'd be interested in this too because it just recently
happened to me as well. Come to think of it I might go and try to write a
Nagios plugin for it some day... I guess with a large amount of users this
will get difficult.
Cheers,
Sebastian
On 03.02.2013, at 18:59, South Computers <[email protected]> wrote:
Looking for ideas on detecting compromised accounts, especially for smtp
submission. While there are programs available to detect failed login attempts
(fail2ban, etc), what if the person already has / knows the correct password, such
as from a keylogger, or another account hacked elsewhere (for example twitter a
couple of days ago). I had a user whose account was being used to send spam
today, managed to find it & shut it down, but wondering if there might be a
good way to attempt to find / prevent things before they get out of hand. I
manually checked their computer for trojans / rootkits, found nothing, and it was
not an easy password, so must have been the same password they used elsewhere that
was hacked. Hopefully anyway...
Just random initial thoughts:
Track the different ips a user is connecting from. If there are over x number
of logins within x period of time from x number of ip addresses, then disable
the account, or generate a random new password for it, and maybe add a block in
iptables. Perhaps also adding ip location to it in some way, so if logins are
coming from multiple countries in a short period of time, it could also be
detected.
Just thinking out loud to the group... Thoughts welcomed, or suggestions if
there is already something out there like this.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
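As an added illustration of the two detection ideas raised in this thread (the per-user volume baseline from Sebastian's reply and the distinct-IP count per time window from the original post), here is a small Python sketch; it is not code from the list or from qmail. The log line format, the sample events and the baseline figures are constructed assumptions, so a real deployment would parse whatever the submission daemon actually logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of accepted-submission events (NOT real qmail log output):
# "<ISO timestamp> user=<login> ip=<client address>", one line per message.
SAMPLE_LOG = """\
2013-02-03T18:00:01 user=alice ip=203.0.113.5
2013-02-03T18:00:40 user=bob ip=198.51.100.7
2013-02-03T18:01:10 user=alice ip=203.0.113.5
2013-02-03T18:02:02 user=alice ip=192.0.2.44
2013-02-03T18:02:30 user=alice ip=198.51.100.99
2013-02-03T18:03:15 user=alice ip=203.0.113.200
2013-02-03T18:03:50 user=alice ip=192.0.2.9
2013-02-03T18:05:00 user=bob ip=198.51.100.7
"""

def parse_log(text):
    """Return (timestamp, user, ip) tuples in file order."""
    events = []
    for line in text.splitlines():
        ts, user, ip = line.split()
        events.append((datetime.fromisoformat(ts),
                       user.split("=", 1)[1], ip.split("=", 1)[1]))
    return events

def distinct_ip_alerts(events, window=timedelta(minutes=10), max_ips=3):
    """Users seen from more than max_ips distinct addresses inside a sliding window."""
    recent = defaultdict(deque)   # user -> (ts, ip) pairs still inside the window
    flagged = set()
    for ts, user, ip in sorted(events):
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len({addr for _, addr in q}) > max_ips:
            flagged.add(user)
    return flagged

def volume_alerts(events, baseline_per_hour, factor=3.0):
    """Users whose count in any clock hour exceeds factor x their usual hourly volume.
    baseline_per_hour is assumed to come from earlier history (a constructed dict here)."""
    counts = defaultdict(int)   # (user, hour start) -> messages
    for ts, user, _ in events:
        counts[(user, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return {u for (u, _), n in counts.items() if n > factor * baseline_per_hour.get(u, 1.0)}

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("many IPs:", distinct_ip_alerts(ev))
    print("volume spike:", volume_alerts(ev, {"alice": 1.0, "bob": 2.0}))
```

Either alert on its own is noisy (a travelling user or a legitimate mail-out), so treating the two signals together, as the thread suggests, gives a more useful trigger for disabling or re-passwording an account.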