Re: Compromise Email Accounts

[Joe Vieira <jvieira () CLARKU EDU>]

Currently we have a python script to detect compromised accounts(runs
once an hour). it runs thru postfix logs looking for bounces, and at a
certain threshold will lock out your account.

Basically the idea is that, NO ONE actually generates 100+ bounces in
one hour, and if they do, they are probably spamming people.

This doesn't stop the spam as it goes out, but it does stop it from
sending MORE. It also enables us to FIND the account in an automated
way, which is key.

Joe Vieira
Manager Systems Administration
Clark University - Information Technology Services
Carlson Hall
508.793.7287



Sabo, Eric wrote:
> We are seeing this also.    How is everyone handling this?
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell 
> Fulton
> Sent: Thursday, January 29, 2009 7:20 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Compromise Email Accounts
>
>
> On 22/01/2009, at 3:59 AM, Richard Miller wrote:
>
> > Detection
> > ---------
> > - Monitor queue lengths.
> > - What else can be monitored?
>
> I have some ruby code that attempts to detect spam runs from local
> address by monitoring postfix logs on our out going mail servers.
> Currently I have tested/tuned it on historical data but have not run
> it 'live' and wired into Nagios and scripts that will block email
> based on From: headers.   Current idea is to send back a non fatal 450.
>
> We have not had many compromised accounts (3 in the last 12 months)
> but the most recent was an account on an exchange server rather than
> our Horde system which I already had monitored.  So I decided to move
> the monitoring to the gateway.
>
> Russell.