If password rotating is out of the question, you might want to check your IPs against blacklists multiple times a day. It wouldn't stop it, but it may notify you earlier to stop an outbreak.

Another thing that comes to mind is that you may try rate limiting your users and set up a cron to monitor the number of outgoing messages and notify you if there's a sudden surge of mail requests.

M. Omer GOLGELI
---
AS202365
https://as202365.peeringdb.com
https://bgp.he.net/AS202365
NOC:
Phone: +90-533-2600533
Email: o...@chronos.com.tr

March 3, 2020 10:26 AM, "Ted Mittelstaedt" <t...@ipinc.net> wrote:

> I know this is probably off topic but I'm getting desperate enough to ask.
>
> I run a commercial mailserver that regularly seems to have spammers relay mail through it that have obtained stolen credentials for a user. Many years ago I stopped allowing users to change passwords on it and I set up passwords for all users added to it, and the passwords are random strings of 8 characters or more.
>
> The problem is of course that since the passwords are difficult to remember, once the users do remember them they merrily proceed to use this "highly secure password that I can now remember" on every stupid website out on the Internet that they care to login to. The problem isn't really the people using Thunderbird or Outlook or their cell phones or whatever, because they save the password in the email client and then immediately forget it, which is what I want. It is the people who use the webmail interface on multiple different systems, kiosk computers and the like, who are the problem. When hosts out on the Internet get busted into, the spammers get their passwords and email addresses and start relaying. I've confirmed this with several users I've called and it's always the same story.
>
> By the time I see what's going on the server is blacklisted everywhere and I have to waste time delisting it, and asskissing all of the little tiny blacklists run by little pricks who want me to pay money or wait a month to be delisted, etc. (no I'm NOT talking about spamcop, or barracuda or anyone professional - THEY know what they are doing and don't look at this as a chance for a shakedown)
>
> I estimate that last year this happened around 5 times and I just lost an afternoon today answering the passel of help requests from users because it happened again.
>
> What I am wondering is how to tighten up my monitoring on my servers to more rapidly identify when this starts happening. What I'm doing now is a kludge but I run mailq (this is a sendmail system) and when I see the number of pending mail messages in there exceed a threshold I send an alert to my cell. It is a kludge and the problem is that the mailq doesn't start filling up until my server gets blacklisted.
>
> I've considered several ideas like running a script out of cron that checks the number of authid's per hour but all of these seem like even worse kludges. The only idea that I have come up with that I really like is taking an AK-47 to the spammers but unfortunately spammers know that they are unloved and cowardly hide away in Russia and scummier places and I can't reach 'em. (maybe I could offer a bounty? A nickel a head? That would pay for the bullet at least. I don't think those people are worth even that, though)
>
> I do run a daily sendmail statistics report but by the time I read that and see the bump in traffic it's too late.
>
> What do other people do for this problem?
>
> Ted
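As an added example (not code from either poster), here is the kind of cron check both messages point at: a script that reads the sendmail maillog, joins each message's `AUTH=server ... authid=` line to its `from=... nrcpts=` line by queue id, totals messages and recipients per authenticated user per hour, and reports any user over a threshold. The log lines, the hostnames and the 200-recipients-per-hour threshold are constructed assumptions; adjust the threshold to your own traffic.

```python
#!/usr/bin/env python3
"""Per-authid hourly send counts from a sendmail maillog (assumed hourly cron job)."""
import re
from collections import defaultdict

# Sendmail logs an AUTH line and a from= line per message, linked by the queue id.
AUTH_RE = re.compile(r'^(\w{3}\s+\d+ \d\d):\d\d:\d\d \S+ \S+\[\d+\]: (\w+): AUTH=server,.*authid=(\S+?),')
FROM_RE = re.compile(r'^\S+\s+\d+ \S+ \S+ \S+\[\d+\]: (\w+): from=<[^>]*>,.*nrcpts=(\d+),')

# Constructed sample: alice sends a normal message, bob's credentials are relaying
# to large recipient lists, and the last line is unauthenticated inbound mail.
SAMPLE_LOG = """
Mar  3 10:01:02 mail sm-mta[1001]: 023A1A2b001001: AUTH=server, relay=[203.0.113.5], authid=alice, mech=LOGIN, bits=0
Mar  3 10:01:02 mail sm-mta[1001]: 023A1A2b001001: from=<alice@example.com>, size=2048, class=0, nrcpts=2, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
Mar  3 10:05:10 mail sm-mta[1002]: 023A5A3c001002: AUTH=server, relay=[198.51.100.7], authid=bob, mech=PLAIN, bits=0
Mar  3 10:05:10 mail sm-mta[1002]: 023A5A3c001002: from=<bob@example.com>, size=900, class=0, nrcpts=150, msgid=<2@example.com>, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Mar  3 10:06:44 mail sm-mta[1003]: 023A6A4d001003: AUTH=server, relay=[198.51.100.8], authid=bob, mech=PLAIN, bits=0
Mar  3 10:06:44 mail sm-mta[1003]: 023A6A4d001003: from=<bob@example.com>, size=900, class=0, nrcpts=120, msgid=<3@example.com>, proto=ESMTP, daemon=MTA, relay=[198.51.100.8]
Mar  3 11:00:00 mail sm-mta[1004]: 023B0A5e001004: from=<ext@other.example>, size=500, class=0, nrcpts=1, msgid=<4@other.example>, proto=ESMTP, daemon=MTA, relay=mx.other.example [192.0.2.9]
"""

def count_sends(lines):
    """Return {(authid, 'Mon DD HH'): (messages, recipients)} for authenticated mail only."""
    auth_by_qid = {}                       # queue id -> (authid, hour bucket)
    totals = defaultdict(lambda: [0, 0])   # (authid, hour) -> [messages, recipients]
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            hour, qid, authid = m.groups()
            auth_by_qid[qid] = (authid, hour)
            continue
        m = FROM_RE.match(line)
        if m and m.group(1) in auth_by_qid:   # unauthenticated (inbound) mail is skipped
            key = auth_by_qid[m.group(1)]
            totals[key][0] += 1
            totals[key][1] += int(m.group(2))
    return {k: tuple(v) for k, v in totals.items()}

def over_threshold(totals, max_rcpts_per_hour=200):
    """Users whose recipient count in any one hour exceeds the threshold (assumed value)."""
    return sorted({user for (user, _h), (_msgs, rcpts) in totals.items() if rcpts > max_rcpts_per_hour})

if __name__ == "__main__":
    # In cron, replace SAMPLE_LOG with the contents of /var/log/maillog and mail the result.
    totals = count_sends(SAMPLE_LOG.strip().splitlines())
    for user in over_threshold(totals):
        print(f"ALERT: {user} exceeded per-hour recipient threshold: {totals}")
```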