Got it, thanks!

LHTek wrote:
Sorry about that. We did a site change and that file got moved. It's back in place now. Try the link again.




    ------------------------------------------------------------------------
    *From:* South Computers <[email protected]>
    *To:* [email protected]
    *Sent:* Tuesday, June 4, 2013 10:25 PM
    *Subject:* Re: [qmailtoaster] Detecting compromised accounts

    Had a thought driving around today about this. Yes, been a while, my
    apologies. Life gets in the way.

    Thinking a crude & simple way to notice this might be just to monitor
    the queue. Whenever one of my users / clients gets owned, the queue goes
    crazy. It's rare to have more than 10-20 stuck there. Maybe when the
    queue hits 50 (or any other chosen amount), send an email to a specified
    address, and grep the queue for any user with over x number of messages
    in the queue, and change their password. Hell, just a cron job that
    checks the queue every 5 / 10 / 15 / whatever minutes, greps the number
    of messages in the queue, etc.


    Denny, thanks, but been too busy to keep up here. The link seems to be
    broken, could you kindly put it back up when you have a chance?

    Mr Denny Jones wrote:
    > I like this idea. I too have struggled with finding out that one of my
    > customers' computers is sending out hundreds of emails only after they
    > have spewed out 500+ messages.
    >
    > I decided to modify a python script I have that creates a daily
    > senders report to show me the top 10 number of senders. It only
    > required a small change to add a check to fire off an email notifying
    > me that a user is sending out emails in excess of the threshold.
    >
    > Python Script:
    > http://www.lhtek.com/scripts/qmailsenders_threshold_rpt.txt
    >
    > I offer this only as a start. Let me know your thoughts.
    >
    > Thanks,
    > Denny
    >
    >
    >
    >
    >
    > ------------------------------------------------------------------------
    >    *From:* South Computers <[email protected]>
    >    *To:* [email protected]
    >    *Sent:* Sunday, February 3, 2013 11:59 AM
    >    *Subject:* [qmailtoaster] Detecting compromised accounts
    >
    >    Looking for ideas on detecting compromised accounts, especially
    >    for smtp submission. While there are programs available to detect
    >    failed login attempts (fail2ban, etc), what if the person already
    >    has / knows the correct password, such as from a keylogger, or
    >    another account hacked elsewhere (for example Twitter a couple of
    >    days ago). I had a user whose account was being used to send
    >    spam today, managed to find it & shut it down, but wondering if
    >    there might be a good way to attempt to find / prevent things
    >    before they get out of hand. I manually checked their computer for
    >    trojans / rootkits, found nothing, and it was not an easy
    >    password, so must have been the same password they used elsewhere
    >    that was hacked. Hopefully anyway...
    >
    >    Just random initial thoughts:
    >
    >    Track the different ips a user is connecting from. If there are
    >    over x number of logins within x period of time from x number of
    >    ip addresses, then disable the account, or generate a random new
    >    password for it, and maybe add a block in iptables. Perhaps also
    >    adding ip location to it in some way, so if logins are coming from
    >    multiple countries in a short period of time, it could also be
    >    detected.
    >
    >    Just thinking out loud to the group... Thoughts welcomed, or
    >    suggestions if there is already something out there like this.
    >
    >
    >    ---------------------------------------------------------------------
    >    To unsubscribe, e-mail: [email protected]
    >    For additional commands, e-mail: [email protected]
    >
    >
    >







---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
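
The distinct-IP idea from the first message in this thread ("over x number of logins within x period of time from x number of ip addresses"), sketched as an added example; it is not part of any post above and is not the script linked in the thread. The record format (timestamp, authenticated user, client IP), the function names and the thresholds are assumptions, and real SMTP AUTH log lines would need their own parser.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (NOT a real qmail/vpopmail log format):
# ISO timestamp, authenticated user, client IP of a successful SMTP AUTH.
SAMPLE_LOG = """\
2013-02-03T09:00:00 alice@example.com 192.0.2.10
2013-02-03T09:05:00 bob@example.com 198.51.100.4
2013-02-03T09:06:00 bob@example.com 203.0.113.9
2013-02-03T09:07:30 bob@example.com 192.0.2.77
2013-02-03T09:08:10 bob@example.com 198.51.100.200
2013-02-03T12:00:00 alice@example.com 192.0.2.11
2013-02-03T15:00:00 alice@example.com 192.0.2.10
2013-02-03T15:01:00 bob@example.com 198.51.100.4
"""

def parse(text):
    """Yield (timestamp, user, ip) from whitespace-separated records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash
        try:
            yield datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"), parts[1], parts[2]
        except ValueError:
            continue  # unparseable timestamp

def suspicious_accounts(records, max_ips=3, window=timedelta(minutes=30)):
    """Return {user: sorted IPs} for users seen from more than max_ips
    distinct addresses inside any sliding window of the given length."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, ip)
    flagged = {}
    for ts, user, ip in sorted(records):
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop logins older than the window
        ips = {addr for _, addr in q}
        if len(ips) > max_ips and user not in flagged:
            flagged[user] = sorted(ips)   # record the first window that tripped
    return flagged

if __name__ == "__main__":
    for user, ips in suspicious_accounts(parse(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {len(ips)} IPs in 30 min: {', '.join(ips)}")
```

The function only reports; whether a hit then triggers a notification mail, a password reset or an iptables block, as the thread suggests, is left to the operator.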
