I like this idea. I too have struggled with finding out that one of my customer's computers is sending out hundreds of emails only after they have spewed out 500+ messages.
I decided to modify a Python script I have that creates a daily senders report to show me the top 10 senders. It only required a small change to add a check to fire off an email notifying me that a user is sending out emails in excess of the threshold.

Python script: http://www.lhtek.com/scripts/qmailsenders_threshold_rpt.txt

I offer this only as a start. Let me know your thoughts.

Thanks,
Denny

>________________________________
> From: South Computers <[email protected]>
>To: [email protected]
>Sent: Sunday, February 3, 2013 11:59 AM
>Subject: [qmailtoaster] Detecting compromised accounts
>
>Looking for ideas on detecting compromised accounts, especially for smtp
>submission. While there are programs available to detect failed login attempts
>(fail2ban, etc), what if the person already has / knows the correct password,
>such as from a keylogger, or another account hacked elsewhere (for example
>twitter a couple of days ago). I had a user whose account was being used to
>send spam today, managed to find it & shut it down, but wondering if there
>might be a good way to attempt to find / prevent things before they get out of
>hand. I manually checked their computer for trojans / rootkits, found nothing,
>and it was not an easy password, so must have been the same password they used
>elsewhere that was hacked. Hopefully anyway...
>
>Just random initial thoughts:
>
>Track the different ips a user is connecting from. If there are over x number
>of logins within x period of time from x number of ip addresses, then disable
>the account, or generate a random new password for it, and maybe add a block
>in iptables. Perhaps also adding ip location to it in some way, so if logins
>are coming from multiple countries in a short period of time, it could also be
>detected.
>
>Just thinking out loud to the group... Thoughts welcomed, or suggestions if
>there is already something out there like this.
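The per-user login/IP window check sketched in the quoted message, as an added example that is neither Denny's linked script nor anything from the qmailtoaster project. It assumes a simplified, constructed log line format ("timestamp login success user:ip"); a real maillog would need its own regex, and the thresholds are placeholders to tune per site.

```python
# Added example: flag accounts whose successful SMTP-AUTH logins within a
# sliding time window come from too many distinct IPs or are simply too many.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed/constructed format, NOT the real vpopmail/qmail maillog syntax:
#   "<ISO-8601 timestamp> login success <user@domain>:<ipv4>"
LINE_RE = re.compile(r"^(\S+) login success (\S+@\S+):(\d+\.\d+\.\d+\.\d+)$")


def parse_logins(lines):
    """Return {user: [(timestamp, ip), ...]} with each list sorted by time."""
    by_user = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a successful login line
        ts = datetime.fromisoformat(m.group(1))
        by_user[m.group(2)].append((ts, m.group(3)))
    for events in by_user.values():
        events.sort()
    return by_user


def find_suspicious(lines, window=timedelta(hours=1), max_logins=20, max_ips=3):
    """Sliding window per user: report the first window that exceeds a limit."""
    flagged = {}
    for user, events in parse_logins(lines).items():
        start = 0
        for end in range(len(events)):
            # advance the window start until all events fit inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            ips = {ip for _, ip in in_window}
            if len(in_window) > max_logins or len(ips) > max_ips:
                flagged[user] = {"logins": len(in_window), "ips": sorted(ips)}
                break  # one hit per user is enough to raise an alert
    return flagged


# Constructed sample log: alice hops between 4 IPs in 20 minutes (suspicious),
# bob reuses one IP, carol uses 4 IPs but spread over six hours (not flagged).
SAMPLE_LOG = [
    "2013-02-03T09:00:00 login success alice@example.com:203.0.113.10",
    "2013-02-03T09:05:00 login success alice@example.com:198.51.100.7",
    "2013-02-03T09:12:00 login success alice@example.com:192.0.2.44",
    "2013-02-03T09:20:00 login success alice@example.com:203.0.113.99",
    "2013-02-03T09:01:00 login success bob@example.com:203.0.113.10",
    "2013-02-03T09:30:00 login success bob@example.com:203.0.113.10",
    "2013-02-03T09:00:00 login success carol@example.com:203.0.113.1",
    "2013-02-03T11:00:00 login success carol@example.com:203.0.113.2",
    "2013-02-03T13:00:00 login success carol@example.com:203.0.113.3",
    "2013-02-03T15:00:00 login success carol@example.com:203.0.113.4",
    "2013-02-03T09:02:00 some unrelated maillog line",
]

if __name__ == "__main__":
    for user, info in find_suspicious(SAMPLE_LOG).items():
        print(f"ALERT {user}: {info['logins']} logins from {info['ips']}")
```

Wiring the result into a notification (or a temporary account disable) is the same small step Denny describes for the sender-count threshold.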
