Hi Daniel,

thanks a lot for your insights ;)
Still collecting thoughts and strategies on how other admins solve the issue of a hacked email account.
Anyone?

Thanks & greetings
Becki

On 19.02.2019 at 12:09, Daniel Armengod wrote:
Hi Becki,

At our site we have a log monitoring script (ad-hoc) which warns us
about "mass" authenticated smtp sessions, and also automatically
triggers a user disable on certain criteria, in this case:

- That sent emails exceed a threshold on a given time interval,
- *That there are numerous originating IP addresses*, and,
- That those IP addresses do not reverse-resolve to a hostname.

The 2nd rule is quite effective at catching botnets. *The last rule is
there because certain huge providers (e.g. gmail) send in parallel from
multiple IPs, and can register as a false positive by the 2nd rule.*

Automatically taking action based on geo-ip data + a connection number
threshold can also be an effective tool if you're mostly in a local
(national) environment. Anything coming from outside your country can
get extra attention if your userbase mostly communicates in-country. Of
course, if your operations are global in scope, this heuristic can
trigger many false positives and thus be worthless.

It's not a perfect solution (some hundred spam e-mails *do* get sent
until the auto-ban kicks in) and its short integrating interval (1 hour
by default) means that "trickle"-rate spam can get through.

All in all it is a somewhat effective mitigating strategy, and as they
say, perfect is the enemy of serviceable.

I'd love to hear how other site admins manage this problem :)

Kind regards,
Daniel
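The three rules Daniel describes, as an added example that is not his script and not part of the original thread. It runs a sliding one-hour window per sasl_username over Postfix smtpd log lines and applies message count (rule 1), distinct originating IPs (rule 2) and lack of reverse DNS (rule 3). Postfix writes `client=unknown[ip]` when the connecting address has no reverse DNS, so rule 3 is read from the log line itself rather than from a live DNS lookup. The log lines are constructed, the thresholds (20 messages, 5 IPs) are assumptions, and the hostnames and addresses are documentation ranges.

```python
"""Flag a compromised SASL account from Postfix submission logs.

Added example implementing the three rules from the mailing-list post:
  rule 1: messages per user exceed a threshold inside a time window,
  rule 2: those messages come from many distinct client IPs,
  rule 3: none of those IPs reverse-resolves (Postfix logs them as "unknown").
Rule 3 is what keeps a webmail provider that submits from many resolvable
IPs from being treated like a botnet. Thresholds below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd line for an authenticated client; only the needed fields are captured.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\], .*sasl_username=(?P<user>\S+)"
)


def parse_line(line, year=2019):
    """Return {ts, host, ip, user} for an authenticated-client line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "ip": m["ip"], "user": m["user"]}


def evaluate(lines, window=timedelta(hours=1), max_msgs=20, min_ips=5):
    """Apply the three rules per user; returns {user: (verdict, stats)}.

    verdict is "ok", "warn" (rule 1 only: mass sending, worth a human look) or
    "disable" (all three rules: mass sending from many IPs with no reverse DNS).
    stats are taken from the first window that reached the final verdict.
    """
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_user[ev["user"]].append(ev)
    rank = {"ok": 0, "warn": 1, "disable": 2}
    result = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        verdict = "ok"
        stats = {"messages": 0, "distinct_ips": 0, "unresolved_ips": 0}
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward so it spans at most `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            ips = {e["ip"] for e in win}
            unresolved = {e["ip"] for e in win if e["host"] == "unknown"}
            mass = len(win) > max_msgs                     # rule 1
            many_ips = len(ips) >= min_ips                 # rule 2
            no_rdns = bool(ips) and unresolved == ips      # rule 3
            new = "disable" if (mass and many_ips and no_rdns) else "warn" if mass else "ok"
            if rank[new] > rank[verdict]:
                verdict = new
                stats = {"messages": len(win), "distinct_ips": len(ips),
                         "unresolved_ips": len(unresolved)}
        result[user] = (verdict, stats)
    return result


def _fmt(ts, host, ip, user, n):
    return (f"{ts:%b %d %H:%M:%S} mx1 postfix/smtpd[2171]: Q{n:05X}: "
            f"client={host}[{ip}], sasl_method=PLAIN, sasl_username={user}")


def sample_log():
    """Constructed log: a compromised account, a legitimate multi-IP sender, a quiet user."""
    base = datetime(2019, 2, 19, 12, 0, 0)
    lines = []
    for i in range(24):
        ts = base + timedelta(seconds=40 * i)
        # Compromised account: bot nodes on six IPs without reverse DNS.
        lines.append(_fmt(ts, "unknown", f"203.0.113.{10 + i % 6}", "victim@example.com", i))
        # Legitimate user whose mail provider submits through us from six resolvable IPs.
        lines.append(_fmt(ts, f"mail-{i % 6}.provider.example", f"198.51.100.{20 + i % 6}",
                          "remote@example.com", 100 + i))
    for i in range(3):
        lines.append(_fmt(base + timedelta(minutes=5 * i), "unknown", "192.0.2.7",
                          "quiet@example.com", 200 + i))
    return lines


if __name__ == "__main__":
    for user, (verdict, stats) in sorted(evaluate(sample_log()).items()):
        print(f"{verdict:8} {user:22} {stats}")
```

Run against the constructed log, the compromised account is marked "disable" at the 21st message, the provider-relayed user trips rules 1 and 2 but stays at "warn" because every IP resolves, and the quiet user is "ok". The same limitation Daniel mentions applies: with a one-hour window, a sender that stays under `max_msgs` per hour is never seen, and widening `window` trades that against slower reaction time.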

On 19/02/2019 11:56, Admin Beckspaced wrote:
Dear Postfix Users,

just recently the computer of a client got infected with malware and
the email password was compromised.
The bad guys immediately started sending out spam emails via our mail
servers.

We got notified by our monitoring system a bit later ... and fixed things

But lots and lots of spam emails have been sent via our mail server.

How do you protect your mail system against a compromised password and
mass spam mail sending?

Thanks & greetings
Becki
