> From: Alessio Cecchi <ales...@skye.it>
>
> We are an email hosting provider, and as you know many users use weak
> passwords, or have a trojan on their PC that has stolen their password,
> which is then used to send spam or to do some kind of fraud.
>
> We already have a "script" that checks, from log files, the country of
> the IP address and "do something" to detect if it is an unusual login. But
> it is not really sufficient.

I suspect that stealing passwords with trojans is more successful than brute-forcing passwords via POP, IMAP or SMTP. Therefore, detecting logins for brute-forcing is not enough. You need to detect when stolen passwords are used to send spam via your server.

One approach is to check the rate of attempts to send to non-existent recipient email addresses, because spammers usually send to dirty lists of email addresses full of message-ids, truncated email addresses or addresses prepended with garbage.

I wrote an implementation for Exim:
https://github.com/Exim/exim/wiki/BlockCracking

It also detects some brute-forcing, but the main point is automatic blocking of accounts used for spamming with trojan-stolen passwords.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
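
The check described in the reply above (the rate of sends to non-existent recipients, per authenticated account), as an added example that is not part of the original message and is not the linked Exim BlockCracking configuration. The log format, the thresholds, the choice to count distinct addresses and all names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, simplified log format (constructed for this example, not Exim's):
#   <ISO timestamp> auth=<account> rcpt=<address> result=<ok|unknown_user>
LINE_RE = re.compile(r"^(\S+) auth=(\S+) rcpt=(\S+) result=(\w+)$")

def find_suspect_accounts(lines, max_unknown=5, window=timedelta(hours=1)):
    """Map each account to the time it reached max_unknown distinct
    non-existent recipients within the window. Thresholds are illustrative."""
    recent = defaultdict(deque)  # account -> (timestamp, recipient) failures
    flagged = {}
    for line in lines:  # lines are assumed to be in chronological order
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "unknown_user":
            continue  # skip malformed lines and accepted recipients
        ts, acct, rcpt = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()
        q = recent[acct]
        q.append((ts, rcpt))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        # Distinct addresses, so retrying one typo does not count repeatedly.
        if acct not in flagged and len({r for _, r in q}) >= max_unknown:
            flagged[acct] = ts
    return flagged

def sample_log():
    """Constructed sample data; every account and address is made up."""
    day = "2024-05-01T"
    lines = [  # bob: six distinct bad recipients in six minutes
        f"{day}10:0{i}:00 auth=bob@example.com rcpt=junk{i}@example.net result=unknown_user"
        for i in range(6)
    ]
    lines += [  # alice: the same typo retried six times, then a valid send
        f"{day}11:0{i}:00 auth=alice@example.com rcpt=jonh@example.org result=unknown_user"
        for i in range(6)
    ]
    lines.append(f"{day}11:10:00 auth=alice@example.com rcpt=john@example.org result=ok")
    lines += [  # carol: five distinct bad recipients, but spread over five hours
        f"{day}{12 + i}:00:00 auth=carol@example.com rcpt=old{i}@example.net result=unknown_user"
        for i in range(5)
    ]
    return lines

if __name__ == "__main__":
    for account, when in find_suspect_accounts(sample_log()).items():
        print(f"{account} reached the threshold at {when.isoformat()}")
```

A flagged account is a candidate for suspending outbound mail and forcing a password reset; the repeated-typo and slow-trickle cases in the sample show what the window and the distinct-address count keep out.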