I know this is probably off topic but I'm getting desperate enough to ask.

I run a commercial mailserver that regularly seems to have spammers relay mail through it that have obtained stolen credentials for a user. Many years ago I stopped allowing users to change passwords on it and I set up passwords for all users added to it, and the passwords are random strings of 8 characters or more.

The problem is of course that since the passwords are difficult to remember, once the users do remember them they merrily proceed to use
this "highly secure password that I can now remember" on every stupid
website out on the Internet that they care to login to.  The problem
isn't really the people using Thunderbird or Outlook or their cell phones or whatever, because they save the password in the email client and then immediately forget it, which is what I want. It is the people who use the webmail interface on multiple different systems, kiosk
computers and the like, who are the problem.  When hosts out on the
Internet get busted into, the spammers get their passwords and
email addresses and start relaying.  I've confirmed this with several
users I've called and it's always the same story.

By the time I see what's going on the server is blacklisted everywhere
and I have to waste time delisting it, and asskissing all of the
little tiny blacklists run by little pricks who want me to pay money
or wait a month to be delisted, etc.  (no, I'm NOT talking about
spamcop, or barracuda or anyone professional - THEY know what they are
doing and don't look at this as a chance for a shakedown)

I estimate that last year this happened around 5 times and I just
lost an afternoon today answering the passel of help requests from
users because it happened again.

What I am wondering is how to tighten up my monitoring on my servers to
more rapidly identify when this starts happening.  What I'm doing now is
a kludge but I run mailq (this is a sendmail system) and when I see the
number of pending mail messages in there exceed a threshold I send an alert to my cell. It is a kludge, and the problem is that
the mailq doesn't start filling up until my server gets blacklisted.

I've considered several ideas like running a script out of cron that
checks the number of authids per hour but all of these seem like even
worse kludges.  The only idea that I have come up with that I really
like is taking an AK-47 to the spammers but unfortunately spammers
know that they are unloved and cowardly hide away in Russia and scummier
places and I can't reach 'em. (maybe I could offer a bounty? A nickel a head? That would pay for the bullet at least. I don't think those people are worth even that, though)

I do run a daily sendmail statistics report but by the time I read that
and see the bump in traffic it's too late.

What do other people do for this problem?

Ted
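One way to make the "authids per hour" cron idea from the post concrete, as an added example that is not Ted's script or anything from the sendmail project: a small Python watcher that reads sendmail's maillog, buckets the `AUTH=server` lines per (authid, hour), joins each authenticated session to its `from=<...>` line by queue id to pick up `nrcpts=N`, and flags any account whose session count, number of distinct client IPs, or total recipient count in an hour goes over a threshold. Stolen-credential relaying tends to trip all three long before the queue backs up. The thresholds, the `sample_log()` lines, the hostnames and addresses are all constructed assumptions for illustration; the log line shapes follow what sendmail writes for authenticated sessions, but check them against your own maillog before trusting the regexes.

```python
# Added example (not the original poster's code): per-authid hourly monitor
# for a sendmail maillog. Thresholds and sample lines are assumptions.
import re
from collections import defaultdict

# sendmail logs one "AUTH=server" line per authenticated SMTP session, e.g.
#   Jan 12 10:15:32 mail sendmail[4242]: 50CAFWab004242: AUTH=server, relay=[203.0.113.5], authid=ted, mech=PLAIN, bits=0
# and one "from=<...>" line per message carrying nrcpts=N; both share the queue id.
AUTH_RE = re.compile(
    r'^(?P<hour>\w{3}\s+\d+ \d\d):\d\d:\d\d \S+ (?:sendmail|sm-mta)\[\d+\]: '
    r'(?P<qid>\w+): AUTH=server, relay=(?P<relay>.*?), authid=(?P<authid>[^,]+), mech=')
FROM_RE = re.compile(
    r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?:sendmail|sm-mta)\[\d+\]: '
    r'(?P<qid>\w+): from=<[^>]*>, .*\bnrcpts=(?P<nrcpts>\d+)')
IP_RE = re.compile(r'\[([0-9a-fA-F.:]+)\]')


def relay_ip(relay):
    """Return the bracketed IP from a relay field ('host [1.2.3.4]' or '[1.2.3.4]'),
    falling back to the raw field when no bracketed address is present."""
    m = IP_RE.search(relay)
    return m.group(1) if m else relay


def analyze(lines, max_auths=30, max_ips=3, max_rcpts=200):
    """Bucket AUTH events per (authid, hour) and flag accounts whose session
    count, distinct client IPs or recipient total exceed the thresholds.
    Returns a sorted list of (authid, hour, reason, value) tuples."""
    auths = defaultdict(int)     # (authid, hour) -> authenticated sessions
    ips = defaultdict(set)       # (authid, hour) -> distinct client IPs
    rcpts = defaultdict(int)     # (authid, hour) -> recipients submitted
    qid_owner = {}               # queue id -> (authid, hour) of the session
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            key = (m['authid'], m['hour'])
            auths[key] += 1
            ips[key].add(relay_ip(m['relay']))
            qid_owner[m['qid']] = key
            continue
        m = FROM_RE.match(line)
        # Only count recipients for messages that came in over an authenticated
        # session; ordinary inbound mail has no AUTH line and is ignored.
        if m and m['qid'] in qid_owner:
            rcpts[qid_owner[m['qid']]] += int(m['nrcpts'])
    alerts = []
    for key in auths:
        authid, hour = key
        if auths[key] > max_auths:
            alerts.append((authid, hour, 'auths', auths[key]))
        if len(ips[key]) > max_ips:
            alerts.append((authid, hour, 'ips', len(ips[key])))
        if rcpts[key] > max_rcpts:
            alerts.append((authid, hour, 'rcpts', rcpts[key]))
    return sorted(alerts)


def sample_log():
    """Constructed maillog excerpt (not real traffic): 'ted' sends a few normal
    messages from one PC, while 'mary', whose password was stolen, is used from
    six different addresses to submit 40 messages of 50 recipients each in one hour."""
    lines = []
    for i in range(3):
        qid = f'50CAF{i:05d}'
        lines.append(f'Jan 12 10:{i:02d}:10 mail sendmail[4242]: {qid}: AUTH=server, '
                     f'relay=ted-pc.example.net [198.51.100.7], authid=ted, mech=PLAIN, bits=0')
        lines.append(f'Jan 12 10:{i:02d}:11 mail sendmail[4242]: {qid}: from=<ted@example.net>, size=812, '
                     f'class=0, nrcpts=1, msgid=<x{i}@example.net>, proto=ESMTP, daemon=MTA, '
                     f'relay=ted-pc.example.net [198.51.100.7]')
    for i in range(40):
        qid = f'50CAG{i:05d}'
        ip = f'203.0.113.{i % 6 + 1}'
        lines.append(f'Jan 12 10:{i:02d}:20 mail sendmail[4242]: {qid}: AUTH=server, '
                     f'relay=[{ip}], authid=mary, mech=LOGIN, bits=0')
        lines.append(f'Jan 12 10:{i:02d}:21 mail sendmail[4242]: {qid}: from=<mary@example.net>, size=4096, '
                     f'class=0, nrcpts=50, msgid=<y{i}@example.net>, proto=ESMTP, daemon=MTA, relay=[{ip}]')
    # Unauthenticated inbound mail with a big recipient list: must not be counted.
    lines.append('Jan 12 10:05:00 mail sendmail[4242]: 50CAHINBOUND: from=<someone@elsewhere.org>, size=2048, '
                 'class=0, nrcpts=150, msgid=<z@elsewhere.org>, proto=ESMTP, daemon=MTA, '
                 'relay=mx.elsewhere.org [192.0.2.9]')
    return lines


if __name__ == '__main__':
    for authid, hour, reason, value in analyze(sample_log()):
        print(f'ALERT {authid} {hour}: {reason}={value}')
```

Run from cron every few minutes against the current maillog (replace `sample_log()` with the lines of `/var/log/maillog` or wherever syslog puts mail facility messages) and send whatever `analyze()` returns to the same pager alert the mailq check already uses; the distinct-IP count is the signal that fires first, since a real user on webmail rarely shows up from more than a couple of addresses in one hour, while the stolen credential is typically used from many.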
