Educause Security Discussion mailing list archives

Re: Compromise Email Accounts


From: Daniel Bennett <dbennett () PCT EDU>
Date: Tue, 3 Feb 2009 07:30:36 -0500

We currently have a similar script that I created in vb.net.  It reads our syslogs of our spam filter every 15 minutes 
and based on a threshold passed to the program it will alert our sysadmins of accounts that sent over x amount of 
emails in that time frame.  The log files are then archived every hour.

I need to build functionality into it that takes another threshold to disable accounts.

Daniel Bennett
IT Security Analyst
Security+

PA College of Technology
One College Ave
Williamsport PA 17701
(P) 570.329.4989

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Tuesday, February 03, 2009 2:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromise Email Accounts


On 31/01/2009, at 5:23 AM, Joe Vieira wrote:

Currently we have a python script to detect compromised accounts (runs
once an hour). It runs through postfix logs looking for bounces, and at a
certain threshold will lock out your account.

Basically the idea is that, NO ONE actually generates 100+ bounces in
one hour, and if they do, they are probably spamming people.

Bingo!  Why didn't I think of that!

Will modify my script to do that and see how it goes...

Thanks, Russell
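As an added example (not code from any of the posters), this is the bounce-counting approach the quoted message describes: it joins postfix qmgr lines, which carry the envelope sender for each queue ID, to the per-recipient delivery lines for the same queue ID, counts bounces per sender within the log window, and reports accounts at or over a threshold. The log lines are constructed; the thread's threshold is 100 bounces per hour, and the demo call uses a low value so the sample trips it.

```python
import re
from collections import defaultdict

# Constructed postfix log sample (not from the thread). The qmgr line records the
# envelope sender for a queue ID; the smtp lines record each recipient's status.
SAMPLE_LOG = """\
Feb  3 02:10:14 mail postfix/qmgr[2222]: 1A2B3C4D5E: from=<alice@example.edu>, size=1234, nrcpt=3 (queue active)
Feb  3 02:10:15 mail postfix/smtp[3333]: 1A2B3C4D5E: to=<x1@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.1, dsn=5.1.1, status=bounced (User unknown)
Feb  3 02:10:15 mail postfix/smtp[3333]: 1A2B3C4D5E: to=<x2@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.1, dsn=5.1.1, status=bounced (User unknown)
Feb  3 02:10:16 mail postfix/smtp[3333]: 1A2B3C4D5E: to=<x3@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, dsn=2.0.0, status=sent (250 OK)
Feb  3 02:11:01 mail postfix/qmgr[2222]: 6F7A8B9C0D: from=<bob@example.edu>, size=800, nrcpt=1 (queue active)
Feb  3 02:11:02 mail postfix/smtp[3334]: 6F7A8B9C0D: to=<y1@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=0.9, dsn=5.1.1, status=bounced (User unknown)
"""

QMGR_FROM = re.compile(r" postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
DELIVERY = re.compile(r" postfix/(?:smtp|local|virtual|lmtp)\[\d+\]: (\w+): to=<[^>]*>.* status=(\w+)")

def count_bounces(lines):
    """Return {sender: bounce_count}, joining delivery-status lines to the qmgr
    line that carries the envelope sender for the same queue ID."""
    sender_by_qid = {}
    bounces = defaultdict(int)
    for line in lines:
        m = QMGR_FROM.search(line)
        if m:
            # from=<> (a null sender, i.e. a bounce message itself) stays empty
            # and is ignored below, so bounce notifications are not counted.
            sender_by_qid[m.group(1)] = m.group(2).lower()
            continue
        m = DELIVERY.search(line)
        if m and m.group(2) == "bounced":
            sender = sender_by_qid.get(m.group(1))
            if sender:  # unknown queue ID: its qmgr line fell outside this window
                bounces[sender] += 1
    return dict(bounces)

def over_threshold(bounce_counts, threshold):
    """Accounts whose bounce count in the window meets or exceeds the threshold."""
    return sorted(s for s, n in bounce_counts.items() if n >= threshold)

if __name__ == "__main__":
    counts = count_bounces(SAMPLE_LOG.splitlines())
    print(counts)
    # The thread uses 100 per hour; 2 is only so the constructed sample trips it.
    print("accounts to lock/alert:", over_threshold(counts, 2))
```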
