Had a thought driving around today about this. Yes, been a while, my
apologies. Life gets in the way.
Thinking a crude & simple way to notice this might be just to monitor
the queue. Whenever one of my users / clients gets owned, the queue goes
crazy. It's rare to have more than 10-20 stuck there. Maybe when the
queue hits 50 (or any other chosen amount), send an email to a specified
address, and grep the queue for any user with over x number of messages
in the queue, and change their password. Hell, just a cron job that
checks the queue every 5 / 10 /15 / whatever minutes, greps the number
of messages in the queue, etc..
Denny, thanks, but been too busy to keep up here. The link seems to be
broken, could you kindly put it back up when you have a chance?
Mr Denny Jones wrote:
I like this idea. I too have struggled with finding out that one of my
customer's computer is sending out hundreds of emails only after they
have spewed out 500+ messages.
I decided to modify a python script I have that creates a daily
senders report to show me the top 10 number of senders. It only
required a small change to add a check to fire off an email notifying
me that a user is sending out emails in excess of the threshold.
Python Script:
http://www.lhtek.com/scripts/qmailsenders_threshold_rpt.txt
I offer this only as a start. Let me know your thoughts.
Thanks,
Denny
------------------------------------------------------------------------
*From:* South Computers <[email protected]>
*To:* [email protected]
*Sent:* Sunday, February 3, 2013 11:59 AM
*Subject:* [qmailtoaster] Detecting compromised accounts
Looking for ideas on detecting compromised accounts, especially
for smtp submission. While there are programs available to detect
failed login attempts (fail2ban, etc), what if the person already
has / knows the correct password, such as from a keylogger, or
another account hacked elsewhere (for example twitter a couple of
days ago). I had a user whose account was being used to send
spam today, managed to find it & shut it down, but wondering if
there might be a good way to attempt to find / prevent things
before they get out of hand. I manually checked their computer for
trojans / rootkits, found nothing, and it was not an easy
password, so must have been the same password they used elsewhere
that was hacked. Hopefully anyway...
Just random initial thoughts:
Track the different ips a user is connecting from. If there are
over x number of logins within x period of time from x number of
ip addresses, then disable the account, or generate a random new
password for it, and maybe add a block in iptables. Perhaps also
adding ip location to it in some way, so if logins are coming from
multiple countries in a short period of time, it could also be
detected.
Just thinking out loud to the group... Thoughts welcomed, or
suggestions if there is already something out there like this.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
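As an added example (not Denny's script, and not anything from the qmailtoaster list or the qmail project), the following Python sketch implements both detections discussed in this thread: per-sender counts over qmail-qread-style queue output, with the "queue over N" alarm from the reply at the top, and the original post's "many distinct IPs for one user in a short window" login check. The qmail-qread line layout and the smtp-auth log line format are assumptions, and all sample input is constructed inline so it runs offline; a real deployment would feed it `qmail-qread` output and the submission server's auth log, and act (email, password reset) on the returned lists.

```python
"""Added example, not from the list thread: two simple compromised-account
detectors for a qmail-style submission host.

1. queue_senders()/senders_over(): parse qmail-qread-style output (format
   assumed), count queued messages per envelope sender, flag heavy senders
   and report whether the whole queue is over a chosen size.
2. login_velocity(): parse constructed smtp-auth log lines and flag users
   that authenticated from more than N distinct IPs inside a sliding window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of qmail-qread output (format assumed: one header line
# per message with date, #inode, size and <sender>, then tab-indented
# recipient lines; a trailing "bouncing" marker may follow the sender).
QREAD_SAMPLE = """\
3 Feb 2013 11:40:12 GMT  #1203  1201  <bob@example.com>
\tremote\talice@example.net
3 Feb 2013 11:41:05 GMT  #1204  9817  <spammy@example.com>
\tremote\tone@example.org
\tremote\ttwo@example.org
3 Feb 2013 11:41:06 GMT  #1205  9817  <spammy@example.com>
\tremote\tthree@example.org
3 Feb 2013 11:41:07 GMT  #1206  9817  <spammy@example.com>  bouncing
\tremote\tfour@example.org
"""

HEADER_RE = re.compile(r"^\d+ \w+ \d{4} [\d:]+ GMT\s+#\d+\s+\d+\s+<([^>]*)>")


def queue_senders(qread_output):
    """Return {envelope sender: number of queued messages}."""
    counts = defaultdict(int)
    for line in qread_output.splitlines():
        m = HEADER_RE.match(line)
        if m:  # recipient lines start with a tab and never match
            counts[m.group(1)] += 1
    return dict(counts)


def senders_over(qread_output, per_sender=2, total=50):
    """Return (senders with more than per_sender queued messages,
    whether the whole queue holds more than `total` messages)."""
    counts = queue_senders(qread_output)
    flagged = sorted(s for s, n in counts.items() if n > per_sender)
    return flagged, sum(counts.values()) > total


# Constructed smtp-auth log lines (format assumed: timestamp, user, ip).
AUTH_LOG = """\
2013-02-03 11:30:01 smtp-auth user=carol@example.com ip=203.0.113.5
2013-02-03 11:31:15 smtp-auth user=carol@example.com ip=203.0.113.5
2013-02-03 11:32:40 smtp-auth user=dave@example.com ip=198.51.100.7
2013-02-03 11:33:02 smtp-auth user=dave@example.com ip=192.0.2.44
2013-02-03 11:34:10 smtp-auth user=dave@example.com ip=198.51.100.200
2013-02-03 11:35:55 smtp-auth user=dave@example.com ip=203.0.113.99
2013-02-03 13:10:00 smtp-auth user=erin@example.com ip=192.0.2.1
2013-02-03 13:11:00 smtp-auth user=erin@example.com ip=192.0.2.2
"""

AUTH_RE = re.compile(r"^(\S+ \S+) smtp-auth user=(\S+) ip=(\S+)$")


def login_velocity(log_text, max_ips=3, window=timedelta(minutes=10)):
    """Return users seen authenticating from more than max_ips distinct
    IP addresses within any window of length `window`."""
    events = defaultdict(list)  # user -> [(timestamp, ip)]
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events[m.group(2)].append((ts, m.group(3)))
    flagged = []
    for user, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # distinct IPs from this login forward, inside the window
            ips = {ip for ts, ip in evs[i:] if ts - start <= window}
            if len(ips) > max_ips:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    heavy, queue_alarm = senders_over(QREAD_SAMPLE)
    print("heavy senders:", heavy, "| queue over limit:", queue_alarm)
    print("multi-IP logins:", login_velocity(AUTH_LOG))
```

The per-sender threshold is deliberately tiny here so the constructed sample trips it; on a real box the thread's own numbers (an alarm at 50 queued messages, then a per-user grep) are the starting point, and the cron interval decides how many messages escape before the check fires.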