On Tue, Jul 13, 2010 at 12:24, Bolser, Scott <scott.bol...@childrens.harvard.edu> wrote: > I’ve been searching around for logical solution to monitor and throttle > Exchange accounts if a user has unknowingly given up their username/password > in a phishing attack. The typical attack utilizes OWA to start sending SPAM > shortly afterwards. Environment is Exchange 2007 SP2. > > I’m attempting to find a solution that would trigger an alert if a user is > sending ‘x’ number of messages in a 30 minute to 1 hour window. > > Has anyone found a simple solution? > > Thanks, > > Scott
MBS says a third party app. I wonder if, for instance, nagios/syslog/MOM/OSSEC/OSSIM/whatever can monitor the logs and keep a count of SMTP transactions by IP address and if a threshold is exceeded raise an alarm. Kurt
