Looking for ideas on detecting compromised accounts, especially for smtp
submission. While there are programs available to detect failed login
attempts (fail2ban, etc), what if the person already has / knows the
correct password, such as from a keylogger, or another account hacked
elsewhere (for example twitter a couple of days ago). I had a user whose
account was being used to send spam today, managed to find it & shut
it down, but wondering if there might be a good way to attempt to find /
prevent things before they get out of hand. I manually checked their
computer for trojans / rootkits, found nothing, and it was not an easy
password, so must have been the same password they used elsewhere that
was hacked. Hopefully anyway...
Just random initial thoughts:
Track the different ips a user is connecting from. If there are over x
number of logins within x period of time from x number of ip addresses,
then disable the account, or generate a random new password for it, and
maybe add a block in iptables. Perhaps also adding ip location to it in
some way, so if logins are coming from multiple countries in a short
period of time, it could also be detected.
Just thinking out loud to the group... Thoughts welcomed, or
suggestions if there is already something out there like this.
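One way to implement the "x logins from x IPs / x countries within x minutes" idea above, as an added example that is not part of the original post or of qmailtoaster. It assumes a constructed log format (the regex would need adapting to the real smtpd auth lines), a constructed prefix-to-country table standing in for a GeoIP lookup, and the thresholds given as function defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, constructed log format: "<ISO timestamp> AUTH OK user=<addr> ip=<ipv4>".
# Real qmail-smtpd / vchkpw lines differ; adapt LINE_RE to the actual log.
LINE_RE = re.compile(r"^(\S+) AUTH OK user=(\S+) ip=(\S+)$")

# Constructed prefix -> country table standing in for a real GeoIP database.
GEO = {"203.0.113.": "US", "198.51.100.": "DE", "192.0.2.": "BR"}

def country_of(ip):
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"

def detect(lines, window=timedelta(minutes=30), max_ips=3, max_countries=1):
    """Return {user: reason} for accounts whose successful logins inside a
    sliding `window` came from more than max_ips distinct IPs or more than
    max_countries distinct countries. Only the first trigger per user is kept."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, ip), oldest first
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # ignore lines that are not successful auths
        ts = datetime.fromisoformat(m.group(1))
        user, ip = m.group(2), m.group(3)
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:   # expire logins older than the window
            q.popleft()
        ips = {i for _, i in q}
        countries = {country_of(i) for i in ips}
        if len(ips) > max_ips:
            flagged.setdefault(user, f"{len(ips)} IPs within {window}")
        elif len(countries) > max_countries:
            flagged.setdefault(user, f"{len(countries)} countries within {window}")
    return flagged

# Constructed sample: bob logs in from two countries; alice from four IPs in 3 minutes.
SAMPLE = """\
2013-02-02T08:00:00 AUTH OK user=alice@example.com ip=203.0.113.10
2013-02-02T08:05:00 AUTH OK user=alice@example.com ip=203.0.113.10
2013-02-02T08:06:00 AUTH OK user=bob@example.com ip=203.0.113.20
2013-02-02T08:10:00 AUTH OK user=bob@example.com ip=198.51.100.7
2013-02-02T09:00:00 AUTH OK user=alice@example.com ip=192.0.2.5
2013-02-02T09:01:00 AUTH OK user=alice@example.com ip=192.0.2.6
2013-02-02T09:02:00 AUTH OK user=alice@example.com ip=192.0.2.7
2013-02-02T09:03:00 AUTH OK user=alice@example.com ip=192.0.2.8
""".splitlines()

if __name__ == "__main__":
    for user, why in detect(SAMPLE).items():
        print(f"{user}: {why}")
```

Flagging is the cheap part; what to do with a hit (lock the account, rotate the password, add an iptables rule) is the policy decision the post raises, and a roaming user on a phone and a laptop will trip a low IP threshold, so start with alerting before automatic lockout.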