Michael put forth on 6/24/2010 3:07 AM: > I want to be able to monitor SASL users to get quick notification if > something > is out of the ordinary - like a spammer using a compromised account to send > emails. > > What tool(s) can be used to achieve this?
Given the nature of your requirement, you're probably not going to find a Postfix tool or set of tools that will "notify" you when an account has been hijacked. How would software be able to determine when a user password has been phished? A very remote possibility would be analyzing user connecting IP heuristics, but I know of no tool for this. And given the number of roaming users with laptops and smartphones, this wouldn't really work. If you are _that_ concerned about spamming from hijacked accounts due to successful phishing attacks on your user base, what I would recommend is setting up rate limiting on your submission daemon and signing up for the feedback loops at the major (free)mailers and ISPs. If brute force attacks against weak passwords is the problem, there are well documented methods for dealing with that, such as a fail2ban implementation. The most extreme measure may be fraught with legal issues or organizational policy issues. This would be to use a content filter such as Spamassassin on your outbound mail stream. If you choose to go this route, absolutely _do not_ tag outbound mail with a spam header and still send it to the recipients. That can and will get you blacklisted in various quarters of the net. -- Stan
