Sorry about that. We did a site change and that file got moved. It's back in 
place now. Try the link again.







>________________________________
> From: South Computers <i...@southcomputers.com>
>To: qmailtoaster-list@qmailtoaster.com 
>Sent: Tuesday, June 4, 2013 10:25 PM
>Subject: Re: [qmailtoaster] Detecting compromised accounts
> 
>
>Had a thought driving around today about this. Yes, been a while, my 
>apologies. Life gets in the way.
>
>Thinking a crude & simple way to notice this might be just to monitor 
>the queue. Whenever one of my users / clients gets owned, the queue goes 
>crazy. It's rare to have more than 10-20 stuck there. Maybe when the 
>queue hits 50 (or any other chosen amount), send an email to a specified 
>address, and grep the queue for any user with over x number of messages 
>in the queue, and change their password. Hell, just a cron job that 
>checks the queue every 5 / 10 /15 / whatever minutes, greps the number 
>of messages in the queue, etc..
>
>
>Denny, thanks, but been too busy to keep up here. The link seems to be 
>broken, could you kindly put it back up when you have a chance?
>
>Mr Denny Jones wrote:
>> I like this idea. I too have struggled with finding out that one of my 
>> customers' computers is sending out hundreds of emails only after they 
>> have spewed out 500+ messages.
>>
>> I decided to modify a python script I have that creates a daily 
>> senders report to show me the top 10 number of senders. It only 
>> required a small change to add a check to fire off an email notifying 
>> me that a user is sending out emails in excess of the threshold.
>>
>> Python Script:
>> http://www.lhtek.com/scripts/qmailsenders_threshold_rpt.txt
>>
>> I offer this only as a start. Let me know your thoughts.
>>
>> Thanks,
>> Denny
>>
>>
>>
>>
>>     ------------------------------------------------------------------------
>>     *From:* South Computers <i...@southcomputers.com>
>>     *To:* qmailtoaster-list@qmailtoaster.com
>>     *Sent:* Sunday, February 3, 2013 11:59 AM
>>     *Subject:* [qmailtoaster] Detecting compromised accounts
>>
>>     Looking for ideas on detecting compromised accounts, especially
>>     for smtp submission. While there are programs available to detect
>>     failed login attempts (fail2ban, etc), what if the person already
>>     has / knows the correct password, such as from a keylogger, or
>>     another account hacked elsewhere (for example twitter a couple of
>>     days ago). I had a user whose account was being used to send
>>     spam today, managed to find it & shut it down, but wondering if
>>     there might be a good way to attempt to find / prevent things
>>     before they get out of hand. I manually checked their computer for
>>     trojans / rootkits, found nothing, and it was not an easy
>>     password, so must have been the same password they used elsewhere
>>     that was hacked. Hopefully anyway...
>>
>>     Just random initial thoughts:
>>
>>     Track the different ips a user is connecting from. If there are
>>     over x number of logins within x period of time from x number of
>>     ip addresses, then disable the account, or generate a random new
>>     password for it, and maybe add a block in iptables. Perhaps also
>>     adding ip location to it in some way, so if logins are coming from
>>     multiple countries in a short period of time, it could also be
>>     detected.
>>
>>     Just thinking out loud to the group...  Thoughts welcomed, or
>>     suggestions if there is already something out there like this.
>>
>>     ---------------------------------------------------------------------
>>     To unsubscribe, e-mail:
>>    qmailtoaster-list-unsubscr...@qmailtoaster.com
>>     <mailto:qmailtoaster-list-unsubscr...@qmailtoaster.com>
>>     For additional commands, e-mail:
>>    qmailtoaster-list-h...@qmailtoaster.com
>>     <mailto:qmailtoaster-list-h...@qmailtoaster.com>
>>
>>
>>
>
>
>
>
>
>
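
The "x logins from x IP addresses within x period" idea from the original post, as an added example (not part of the thread and not Denny's script). The log format, addresses, function names and thresholds are assumptions: the lines are a constructed, normalized "timestamp user client-ip" record of successful SMTP AUTH events, sorted by time, not qmail's or vpopmail's own log layout.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (hypothetical format, documentation IP ranges).
SAMPLE_LOG = """\
2013-02-03T08:00:00 carol@example.com 203.0.113.1
2013-02-03T09:00:05 alice@example.com 198.51.100.10
2013-02-03T09:15:00 bob@example.com 192.0.2.5
2013-02-03T10:00:00 carol@example.com 203.0.113.2
2013-02-03T11:00:00 bob@example.com 198.51.100.77
2013-02-03T11:02:00 bob@example.com 203.0.113.40
2013-02-03T11:03:30 bob@example.com 192.0.2.99
2013-02-03T11:05:00 bob@example.com 198.51.100.200
2013-02-03T12:00:00 carol@example.com 203.0.113.3
2013-02-03T13:00:00 alice@example.com 198.51.100.11
2013-02-03T14:00:00 carol@example.com 203.0.113.4
"""

def parse(line):
    """Split one normalized auth record into (datetime, user, ip)."""
    ts, user, ip = line.split()
    return datetime.fromisoformat(ts), user, ip

def flag_accounts(lines, max_ips=3, window=timedelta(minutes=30)):
    """Return {user: IPs seen} for users who authenticated from more than
    max_ips distinct addresses inside any sliding window of the given size.
    Input must be in chronological order."""
    recent = defaultdict(deque)  # user -> (timestamp, ip) pairs still in window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, user, ip = parse(line)
        events = recent[user]
        events.append((ts, ip))
        # Drop logins that have aged out of the window for this user.
        while ts - events[0][0] > window:
            events.popleft()
        ips = {addr for _, addr in events}
        if len(ips) > max_ips and user not in flagged:
            flagged[user] = sorted(ips)  # snapshot at the moment of detection
    return flagged

if __name__ == "__main__":
    for user, ips in flag_accounts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {user}: {len(ips)} source IPs in 30 min: {', '.join(ips)}")
```

With the default 30-minute window only bob is reported; carol's four addresses are spread over six hours and alice's two over four, so neither trips the threshold.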
