On 5 Jul 2021, at 14:00, Cyborg via Exim-users wrote:
Am 05.07.21 um 13:19 schrieb Niels Kobschätzki via Exim-users:
The problem is the identification because you usually get to know it
only, when the accounts are actively misused. If I get to know that
users where specifically targeted I inform them. And at 2am in the
night it might already be too late (you landed yourself on
blacklists) - even though you still kick them from the system.
If you don't wanne use a form of 2FA, it could be impossible to
identify hacked accounts before they spam.
The nature of a hacked account is, that the attacker has obtained the
credentials from a PC and it's mailprogram oder via phising. In both
cases, they have a valid set of credentials, do not produce any login
error ( bruteforcing ) and their first login is most likely the moment
they start spamming.
A 2FA could add the IP to a database(file) and you only accept mails
from ips in this list + credentials. The 2FA could be a Website to
login or an android app.
I know that I can only detect them after the fact - actually after they
started and I can act on it then. I want to automate the acting upon it.
This is about damage mitigation when the preventive measures didn’t
help.
Niels
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/