Hey,

By monitoring my send queue I actually noticed the issue in the first place. As soon as it exceeds a threshold I look for suspicious activity.

Having this built in qmail-remote (frequency check) would also help. I will still check how one could handle a per-user check for baselining. I'd guess you'd have to monitor accounts over a course of X hours to get a good result. If an account was already spamming this would fail of course, unless you also add soft limits that'd notify you of very active accounts.

Cheers,
Sebastian

On 03.02.2013, at 21:50, Eric Shubert <[email protected]> wrote:

> Nice thinking.
>
> I like the way Gmane.org controls submissions. They restrict the frequency that a given user can send out messages. This is done by throttling the send queue to only allow one message to go out every so often (a minute or so I'm thinking) per user. If a user submits more messages than they're allowed, excess messages simply sit in the send queue and trickle out at the acceptable rate.
>
> I'd very much like to see a throttle put on qmail-remote which would allow a per-user interval to be specified. When abuse occurs, the send queue would grow noticeably, which could easily be monitored.
>
> This doesn't address compromised accounts specifically, but it controls a common bad thing that happens when an account is compromised.
>
> Thoughts?
>
> --
> -Eric 'shubes'
>
> On 02/03/2013 11:14 AM, Sebastian Grewe wrote:
>> Hey,
>>
>> How about doing a threshold scan for users. See what their baseline is and then start reporting when you see some unexpectedly high amount of mails going out. I'd think that's usually a good sign for spammy behavior. Even with an already high amount of mails the baseline would still help to see if there is an unusual peak.
>>
>> Just my two cents, but I'd be interested in this too because it just recently happened to me as well. Come to think of it I might go and try to write a Nagios plugin for it some day... I guess with a large amount of users this will get difficult.
>>
>> Cheers,
>> Sebastian
>>
>> On 03.02.2013, at 18:59, South Computers <[email protected]> wrote:
>>
>>> Looking for ideas on detecting compromised accounts, especially for SMTP submission. While there are programs available to detect failed login attempts (fail2ban, etc.), what if the person already has / knows the correct password, such as from a keylogger, or another account hacked elsewhere (for example Twitter a couple of days ago)? I had a user whose account was being used to send spam today, managed to find it & shut it down, but wondering if there might be a good way to attempt to find / prevent things before they get out of hand. I manually checked their computer for trojans / rootkits, found nothing, and it was not an easy password, so it must have been the same password they used elsewhere that was hacked. Hopefully anyway...
>>>
>>> Just random initial thoughts:
>>>
>>> Track the different IPs a user is connecting from. If there are over x number of logins within x period of time from x number of IP addresses, then disable the account, or generate a random new password for it, and maybe add a block in iptables. Perhaps also adding IP location to it in some way, so if logins are coming from multiple countries in a short period of time, it could also be detected.
>>>
>>> Just thinking out loud to the group... Thoughts welcomed, or suggestions if there is already something out there like this.
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
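The two detection ideas floated in this thread (South Computers' "too many distinct IPs per user in a short window" and Sebastian's "compare a user's send rate against their own baseline, with a soft limit for very active accounts") can be run as a small offline check over a submission log. The script below is an added example written for this archive page; it is not code from any of the posters or from qmail. The log format is an assumption (one event per line: ISO timestamp, `auth` or `sent`, `user=`, `ip=`), the sample lines are constructed, and the thresholds are placeholders to tune per site.

```python
"""Added example (not part of the thread): baseline-rate and distinct-IP
checks for SMTP submission accounts over constructed sample log lines.

Assumed log format (not qmail's own):
    <ISO timestamp> <auth|sent> user=<login> ip=<client ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: 'bob' sends one mail an hour; 'mallory' sends one
    mail an hour until 17:00, then 30 mails in 30 minutes from four IPs."""
    lines = [
        "2013-02-03T15:05:00 auth user=bob ip=203.0.113.10",
        "2013-02-03T15:05:02 sent user=bob ip=203.0.113.10",
        "2013-02-03T16:12:00 auth user=bob ip=203.0.113.10",
        "2013-02-03T16:12:03 sent user=bob ip=203.0.113.10",
        "2013-02-03T17:40:00 auth user=bob ip=203.0.113.10",
        "2013-02-03T17:40:01 sent user=bob ip=203.0.113.10",
        "2013-02-03T15:30:00 auth user=mallory ip=198.51.100.7",
        "2013-02-03T15:30:02 sent user=mallory ip=198.51.100.7",
        "2013-02-03T16:30:00 auth user=mallory ip=198.51.100.7",
        "2013-02-03T16:30:02 sent user=mallory ip=198.51.100.7",
    ]
    for i in range(30):  # burst: 17:01 .. 17:30, rotating source address
        ip = f"192.0.2.{50 + i % 4}"
        lines.append(f"2013-02-03T17:{i + 1:02d}:00 auth user=mallory ip={ip}")
        lines.append(f"2013-02-03T17:{i + 1:02d}:01 sent user=mallory ip={ip}")
    return "\n".join(lines)


def parse_log(text):
    """Return a list of (timestamp, event, user, ip) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user_kv, ip_kv = line.split()
        events.append((datetime.fromisoformat(ts), event,
                       user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]))
    return events


def rate_alerts(events, now, baseline_hours=2, factor=3.0,
                min_sends=10, soft_limit=50):
    """Flag users whose sends in the last hour are suspicious.

    'baseline'   : count >= min_sends and count > factor * the user's average
                   hourly rate over the preceding baseline_hours. min_sends
                   keeps a jump from 0 to 2 mails from alerting.
    'soft-limit' : count >= soft_limit regardless of baseline, which covers
                   the case the thread raises: an account that was already
                   spamming while the baseline was being measured.
    Returns {user: (recent_count, baseline_avg_per_hour, reason)}.
    """
    recent, baseline = defaultdict(int), defaultdict(int)
    recent_start = now - timedelta(hours=1)
    baseline_start = recent_start - timedelta(hours=baseline_hours)
    for ts, event, user, _ in events:
        if event != "sent":
            continue
        if recent_start < ts <= now:
            recent[user] += 1
        elif baseline_start < ts <= recent_start:
            baseline[user] += 1
    alerts = {}
    for user, count in recent.items():
        avg = baseline[user] / baseline_hours
        if count >= soft_limit:
            alerts[user] = (count, avg, "soft-limit")
        elif count >= min_sends and count > factor * avg:
            alerts[user] = (count, avg, "baseline")
    return alerts


def ip_alerts(events, now, window_hours=1, max_ips=3):
    """Flag users who authenticated from more than max_ips distinct client
    addresses inside the window. Returns {user: sorted list of IPs}."""
    ips = defaultdict(set)
    start = now - timedelta(hours=window_hours)
    for ts, event, user, ip in events:
        if event == "auth" and start < ts <= now:
            ips[user].add(ip)
    return {u: sorted(s) for u, s in ips.items() if len(s) > max_ips}


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    now = datetime(2013, 2, 3, 18, 0, 0)
    print("rate alerts:", rate_alerts(evs, now))
    print("ip alerts:  ", ip_alerts(evs, now))
```

Both checks are per user, so they scale with the number of active accounts rather than with total traffic, which is the concern Sebastian raises about large user bases; a cron job feeding the last few hours of log into these two functions (or a Nagios check wrapping them) is enough to get a notification before the send queue has grown far.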
