Educause Security Discussion mailing list archives
Re: Compromise Email Accounts
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 30 Jan 2009 13:20:17 +1300
On 22/01/2009, at 3:59 AM, Richard Miller wrote:
> Detection
> ---------
> - Monitor queue lengths.
> - What else can be monitored?
I have some Ruby code that attempts to detect spam runs from local addresses by monitoring Postfix logs on our outgoing mail servers. Currently I have tested/tuned it on historical data but have not run it 'live' and wired into Nagios and scripts that will block email based on From: headers. Current idea is to send back a non-fatal 450.

We have not had many compromised accounts (3 in the last 12 months) but the most recent was an account on an Exchange server rather than our Horde system, which I already had monitored. So I decided to move the monitoring to the gateway.

Russell.
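The kind of gateway-side check described in the message above, as an added example (not Russell's code, which is not shown on this page): it sums recipients per local sender over a sliding window from Postfix qmgr log lines. The domain, window, threshold, log year and sample lines are all assumptions made for illustration.

```ruby
# Added example: flag local senders whose recipient count inside a sliding
# window exceeds a threshold. All three constants are assumed values.
LOCAL_DOMAIN = "example.edu"
WINDOW       = 600   # seconds
MAX_RCPTS    = 100   # recipients per sender per window

QMGR = /\A(\w{3})\s+(\d+)\s+(\d+):(\d+):(\d+)\s+\S+\s+postfix\/qmgr\[\d+\]:\s+
        (\w+):\s+from=<([^>]*)>,\s+size=\d+,\s+nrcpt=(\d+)/x

# Returns [time, queue_id, sender, nrcpt] for a qmgr "from=" line, else nil.
# Syslog timestamps carry no year, so the caller supplies one (assumption).
def parse_qmgr(line, year)
  m = QMGR.match(line) or return nil
  t = Time.utc(year, m[1], m[2].to_i, m[3].to_i, m[4].to_i, m[5].to_i)
  [t, m[6], m[7].downcase, m[8].to_i]
end

# Returns { sender => peak recipients in any WINDOW } for senders over the limit.
def spam_runs(lines, year: 2009)
  recent = Hash.new { |h, k| h[k] = [] }   # sender => [[time, nrcpt], ...]
  peaks  = Hash.new(0)
  seen   = {}                              # queue ids already counted
  lines.each do |line|
    t, qid, sender, nrcpt = parse_qmgr(line, year)
    next unless t && sender.end_with?("@#{LOCAL_DOMAIN}")
    next if seen[qid]                      # deferred mail is logged again on retry
    seen[qid] = true
    q = recent[sender]
    q << [t, nrcpt]
    q.shift while t - q.first[0] > WINDOW  # drop events outside the window
    peaks[sender] = [peaks[sender], q.sum { |_, n| n }].max
  end
  peaks.select { |_, total| total > MAX_RCPTS }
end

# Constructed log lines, not real traffic.
SAMPLE = <<~LOG.lines
  Jan 30 13:00:01 mx1 postfix/qmgr[2101]: 3A1F0C2E11: from=<alice@example.edu>, size=1820, nrcpt=2 (queue active)
  Jan 30 13:00:05 mx1 postfix/qmgr[2101]: 3A1F0C2E12: from=<bob@example.edu>, size=4100, nrcpt=50 (queue active)
  Jan 30 13:01:10 mx1 postfix/qmgr[2101]: 3A1F0C2E13: from=<bob@example.edu>, size=4100, nrcpt=50 (queue active)
  Jan 30 13:02:30 mx1 postfix/qmgr[2101]: 3A1F0C2E14: from=<bob@example.edu>, size=4100, nrcpt=50 (queue active)
  Jan 30 13:03:00 mx1 postfix/qmgr[2101]: 3A1F0C2E15: from=<news@external.test>, size=900, nrcpt=500 (queue active)
  Jan 30 13:05:00 mx1 postfix/qmgr[2101]: 3A1F0C2E12: from=<bob@example.edu>, size=4100, nrcpt=50 (queue active)
  Jan 30 13:30:00 mx1 postfix/smtp[2200]: 3A1F0C2E11: to=<x@remote.test>, relay=mx.remote.test[192.0.2.10]:25, status=sent (250 OK)
  Jan 30 14:00:00 mx1 postfix/qmgr[2101]: 3A1F0C2E16: from=<alice@example.edu>, size=1500, nrcpt=99 (queue active)
LOG

p spam_runs(SAMPLE) if __FILE__ == $0
```

The returned hash is the input a Nagios check or a sender-blocking script would consume; the threshold needs tuning against historical logs so that legitimate bulk senders are not flagged.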