Educause Security Discussion mailing list archives

Re: Compromise Email Accounts


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 30 Jan 2009 13:20:17 +1300


On 22/01/2009, at 3:59 AM, Richard Miller wrote:

Detection
---------
- Monitor queue lengths.
- What else can be monitored?

I have some ruby code that attempts to detect spam runs from local
addresses by monitoring postfix logs on our outgoing mail servers.
Currently I have tested/tuned it on historical data but have not run
it 'live' and wired into Nagios and scripts that will block email
based on From: headers. Current idea is to send back a non-fatal 450.

We have not had many compromised accounts (3 in the last 12 months)
but the most recent was an account on an exchange server rather than
our Horde system which I already had monitored.  So I decided to move
the monitoring to the gateway.

Russell.
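Russell's detector is not attached to the post. As an added illustration, not his code, here is a minimal Ruby version of the idea: parse the postfix qmgr "from=" lines on an outgoing gateway, keep a per-sender sliding window of recipient counts, flag a sender that exceeds a threshold, and report the result in Nagios plugin form. The log lines, thresholds, host and address names are all constructed.

```ruby
require 'time'
# postfix/qmgr logs one line per message entering the active queue; constructed sample:
#   Jan 30 13:20:17 mx1 postfix/qmgr[1234]: 3A2B1C: from=<alice@example.edu>, size=2048, nrcpt=3 (queue active)
QMGR_FROM = %r{\A(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)}

# Returns [time, queue_id, sender, nrcpt]; nil for non-qmgr lines and for the null sender of bounces.
# Syslog timestamps carry no year, so the caller supplies it.
def parse_qmgr_line(line, year)
  m = QMGR_FROM.match(line) or return nil
  return nil if m[3].empty?
  [Time.strptime("#{year} #{m[1]}", '%Y %b %d %H:%M:%S'), m[2], m[3].downcase, m[4].to_i]
end

# Sliding window: a sender whose recipient total in the last `window` seconds exceeds
# `max_rcpts` is flagged once. Both thresholds are illustrative, not tuned values.
class SpamRunDetector
  attr_reader :flagged  # sender => recipient total at the moment it was flagged
  def initialize(year:, window: 300, max_rcpts: 50)
    @year, @window, @max_rcpts = year, window, max_rcpts
    @events = Hash.new { |h, k| h[k] = [] }  # sender => [[time, nrcpt], ...]
    @flagged = {}
  end
  # Feed one log line; returns the sender if this line pushed it over the threshold.
  def feed(line)
    t, _qid, sender, nrcpt = parse_qmgr_line(line, @year)
    return nil unless sender
    list = @events[sender]
    list << [t, nrcpt]
    list.shift while list.first[0] < t - @window  # forget events outside the window
    total = list.sum { |_, n| n }
    return nil if total <= @max_rcpts || @flagged.key?(sender)
    @flagged[sender] = total
    sender
  end
  # Nagios plugin convention: [exit_code, status_line]; 0 = OK, 2 = CRITICAL.
  def nagios_status
    return [0, 'OK - no spam run detected'] if @flagged.empty?
    [2, 'CRITICAL - possible spam run from ' + @flagged.map { |s, n| "#{s} (#{n} rcpts)" }.join(', ')]
  end
end

# Constructed sample log: alice sends one ordinary message; bob pushes three 25-recipient
# messages through in about a minute, the burst a compromised account produces.
SAMPLE_LOG = <<~LOG
  Jan 30 13:20:17 mx1 postfix/qmgr[1234]: 3A2B1C: from=<alice@example.edu>, size=2048, nrcpt=2 (queue active)
  Jan 30 13:21:02 mx1 postfix/qmgr[1234]: 4D5E6F: from=<bob@example.edu>, size=900, nrcpt=25 (queue active)
  Jan 30 13:21:40 mx1 postfix/qmgr[1234]: 5F6A7B: from=<bob@example.edu>, size=900, nrcpt=25 (queue active)
  Jan 30 13:22:15 mx1 postfix/qmgr[1234]: 6A7B8C: from=<bob@example.edu>, size=900, nrcpt=25 (queue active)
LOG
# Run a log through a detector and return it; a Nagios check script would print nagios_status.
def run_detector(log = SAMPLE_LOG, year: 2009)
  SpamRunDetector.new(year: year).tap { |d| log.each_line { |l| d.feed(l) } }
end
```

A check script built on this would exit with the returned code so Nagios raises the alert; the 450 block the post mentions would then key off the flagged sender list rather than off queue length alone.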


