We used to have that problem regularly and with increasing frequency and it
was a MAJOR issue for us.  While Declude's Hijack filter kept the messages
from going out, the overhead of filtering all of those messages (often 100k
or more) put too much load on our server & firewall (too many open ports for
all those DNS lookups) and we would have periods where messages backed up in
the Declude proc folder - backlogs of hundreds of thousands of messages.
That would result in delay of legit mail (I'd have to create a new spool,
clean up the Hold2 folder, then move messages in batches into the spool).
Delayed delivery, as you can imagine, infuriated clients.  

I had Declude hijack configured to send me a message when an IP hit the
Hold2 threshold, and I'd review those messages to find the account and
disable it.  However, if the event occurred when I wasn't on hand, or if
they had already sent 100k messages from various IPs...  it was a problem.


On newer versions of Imail, there is a feature called HAMR (hacked account
mail regulator).  This feature works differently.  It doesn't look at volume
originating on a given IP, but rather from a given account.  When the
threshold you have set is exceeded, the account is automatically disabled.
However, the messages sent before that threshold is triggered are still
relayed.  So, I use both, so that the first messages get held by Declude.   

My Declude settings are:
RELAYTHRESHOLD1 10      50
RELAYTHRESHOLD2 20      200

My default HAMR settings are 500 messages from an account in a day (HAMR can
be configured at the per user level).  Since it can be configured per
account, those businesses, like banks sending monthly statements or vet
clinics sending monthly appointment due reminders or whatever can be
configured for higher thresholds.  I just increase their threshold for the
account they use for that purpose, and just for that day.  

The Declude threshold is still occasionally hit first, and messages get
held, but that has been the case with decreasing frequency.  Because
spammers IP-hop so frequently, and Declude is based on IP, the Imail HAMR
feature is more often the one that brings the hammer down on the spammer
first.
Once the HAMR threshold is exceeded, the hijacked account is disabled - and
Declude doesn't have to process any more messages from that account.  And,
if it happens in the middle of night or while I'm away, the account gets
disabled automajically instead of the spammer just using a new IP every few
minutes and the backlog building.  

There have been periods (often a few weeks before news breaks of a big hack
somewhere else where people used the same password - so much so that I can
pretty much guess some big system has been hacked) when dozens of accounts
might be disabled by HAMR in a day and only rarely has an account been
HAMR'd for legit mail.   

The Imail Account Harvesting Prevention Options have helped, too, to
prevent accounts from being hijacked.  At any given time, there are dozens
of IPs on my Imail SMTP control access list that have been temporarily
blocked (duration is 60 minutes) for too many failed login attempts and only
once (last week, as it so happens) has that been due to a user with a
forgotten password.

I haven't found a silver bullet, but a series of features/systems all
together are getting it done.  

Katie LaSalle-Lowery
ka...@centric.net
1120 S. Russell; Ste B
Missoula, MT 59801
ph (406)549-3337
fax (406)541-9338
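To make the difference between the controls described above concrete, here is an added example (written for this page; it is not Katie's configuration and not Imail's or Declude's code) that simulates the three mechanisms on constructed traffic: an IP-based sliding-window threshold in the spirit of the Declude Hijack filter, an account-based daily threshold with per-account overrides in the spirit of HAMR, and a failed-login lockout in the spirit of the account harvesting prevention options. The account names, addresses, threshold numbers and the "new IP every five messages" pattern are assumptions chosen for illustration; the real RELAYTHRESHOLD field order is Declude's and is not reproduced here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Constructed sample traffic (not real log data) ---------------------------
# Each event is (timestamp, account, client_ip): one message accepted for relay.
T0 = datetime(2014, 7, 20, 0, 0)


def _build_events():
    events = []
    # 1. A normal user: 5 messages from one fixed IP, spread over the day.
    for i in range(5):
        events.append((T0 + timedelta(hours=2 * i), "alice", "198.51.100.10"))
    # 2. A hijacked account: 600 messages over 6 hours, with the sender hopping
    #    to a new IP every 5 messages so that no single IP ever sends many.
    for i in range(600):
        ip = "203.0.113.%d" % (i // 5 % 250 + 1)
        events.append((T0 + timedelta(seconds=36 * i), "bob", ip))
    # 3. A legitimate bulk sender: 1200 statements from one IP in 30 minutes.
    for i in range(1200):
        events.append((T0 + timedelta(hours=9, seconds=1.5 * i),
                       "statements", "198.51.100.20"))
    events.sort(key=lambda e: e[0])
    return events


EVENTS = _build_events()

# Constructed SMTP AUTH attempts: (timestamp, client_ip, succeeded).
LOGINS = sorted(
    # a user who fumbles a password twice and then succeeds: never blocked
    [(T0 + timedelta(minutes=m), "198.51.100.10", m == 2) for m in range(3)] +
    # a password-guessing host: 8 failures, one every 30 seconds
    [(T0 + timedelta(seconds=30 * i), "203.0.113.99", False) for i in range(8)],
    key=lambda a: a[0])


def per_ip_holds(events, max_msgs, window):
    """IP-based control: an IP that relays more than max_msgs messages within
    any `window` is flagged. Returns {ip: time the threshold was first crossed}.
    Because the count is keyed on IP, an account that hops IPs stays under it."""
    recent = defaultdict(deque)
    hits = {}
    for ts, _acct, ip in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                      # drop messages outside the window
        if len(q) > max_msgs and ip not in hits:
            hits[ip] = ts
    return hits


def per_account_disables(events, daily_limit, overrides=None):
    """Account-based control: once an account exceeds its daily limit it is
    disabled. Messages sent before that point were already relayed; messages
    after it are rejected. overrides maps account -> higher limit for that
    account (the 'raise it for the statements run' case).
    Returns {account: (disabled_at, messages_relayed, messages_rejected)}."""
    overrides = overrides or {}
    counts = defaultdict(int)                # (account, date) -> relayed today
    disabled = {}
    for ts, acct, _ip in events:
        if acct in disabled:
            d_at, relayed, rejected = disabled[acct]
            disabled[acct] = (d_at, relayed, rejected + 1)
            continue
        limit = overrides.get(acct, daily_limit)
        key = (acct, ts.date())
        if counts[key] >= limit:
            disabled[acct] = (ts, counts[key], 1)   # this message is the trigger
        else:
            counts[key] += 1
    return disabled


def failed_login_blocks(attempts, max_failures, window, block_for):
    """Harvesting-prevention style lockout: an IP with more than max_failures
    failed logins inside `window` is refused for `block_for`. Attempts made
    while blocked are not counted (the connection is refused, not scored).
    Returns {ip: blocked_until}."""
    failures = defaultdict(deque)
    blocked = {}
    for ts, ip, ok in attempts:
        until = blocked.get(ip)
        if until is not None and ts < until:
            continue
        if ok:
            continue
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_failures:
            blocked[ip] = ts + block_for
            q.clear()
    return blocked


if __name__ == "__main__":
    print("per-IP holds:     ", per_ip_holds(EVENTS, 20, timedelta(minutes=10)))
    print("per-account:      ", per_account_disables(EVENTS, 500))
    print("with override:    ", per_account_disables(EVENTS, 500, {"statements": 5000}))
    print("login lockouts:   ", failed_login_blocks(LOGINS, 5, timedelta(minutes=10),
                                                     timedelta(minutes=60)))
```

Run as shown, the per-IP check flags only the single-IP bulk sender (a false positive) and never sees the hijacked account at all, while the per-account check disables the hijacked account after its 500th message, after which the remaining 100 are refused instead of queued for filtering; the override keeps the statements run from tripping the same rule, and the lockout catches the guessing host on its sixth failure without touching the user who mistyped twice.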

-----Original Message-----
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Daniel Ivey
Sent: Sunday, July 20, 2014 6:22 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

I am running Imail 8.22 on Windows Server 2003.  These are different
accounts each time, as once I identify one account, I disable that account
to fix the issue for the time being.

I do not have my logs enabled.

Daniel

 -----Original Message-----
From:   Heimir Eidskrem [mailto:hei...@i360.net] 
Sent:   Friday, July 18, 2014 5:06 PM
To:     community@mailsbestfriend.com
Subject:        [MBF] Re: hijacked accounts

Are you using smartermail or Imail?
Version?

Are they using the same account every time?

What does your log files say?






Cordially,

Heimir Eidskrem

i360 Consulting
11152 Westheimer
Suite 147
Houston, TX 77042
Ph:  713-981-4900
hei...@i360.net
www.i360.net
www.smart-it-services.com

Houston's Leading Internet Consulting Company

-----Original Message-----
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Daniel Ivey
Sent: Friday, July 18, 2014 3:42 PM
To: community@mailsbestfriend.com
Subject: [MBF] hijacked accounts

I am having an issue with one of my mail servers where a SPAMMER is
hijacking an email account and then is causing my webmail interface to quit
working because they are logged in X number of times sending SPAM.  I have
HiJack turned on and the thresholds set very low and these SPAMMERS keep
getting under my thresholds.  Has anyone else had this issue and if so, what
was the fix?

Thanks,
Daniel

#############################################################
This message is sent to you because you are subscribed to
  the mailing list <community@mailsbestfriend.com>.
To unsubscribe, E-mail to: <community-...@mailsbestfriend.com>
To switch to the DIGEST mode, E-mail to
<community-dig...@mailsbestfriend.com>
To switch to the INDEX mode, E-mail to <community-in...@mailsbestfriend.com>
Send administrative queries to  <community-requ...@mailsbestfriend.com>
