Educause Security Discussion mailing list archives

Re: Compromise Email Accounts


From: "Sabo, Eric" <Eric.Sabo () CUP EDU>
Date: Thu, 29 Jan 2009 20:15:33 -0500

We are seeing this also. How is everyone handling this?



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Thursday, January 29, 2009 7:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromise Email Accounts


On 22/01/2009, at 3:59 AM, Richard Miller wrote:

Detection
---------
- Monitor queue lengths.
- What else can be monitored?

I have some ruby code that attempts to detect spam runs from local
addresses by monitoring postfix logs on our outgoing mail servers.
Currently I have tested/tuned it on historical data but have not run
it 'live' and wired into Nagios and scripts that will block email
based on From: headers. Current idea is to send back a non fatal 450.

We have not had many compromised accounts (3 in the last 12 months)
but the most recent was an account on an exchange server rather than
our Horde system which I already had monitored. So I decided to move
the monitoring to the gateway.

Russell.
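The approach Russell describes above (watch postfix logs on the outbound gateway, count what each local sender is pushing through, and hand the offending address to a block that answers with a temporary 450) can be sketched in a few dozen lines of Ruby. The code below is an added illustration written for this archive page, not Russell's script. It parses the `postfix/qmgr` "from=<...>, nrcpt=N" lines, keeps a sliding-window recipient total per sender in a local domain, flags senders whose total exceeds a threshold, and emits lines in the format of a postfix `check_sender_access` map that returns a 450. The log lines are constructed sample data; the local domain `example.edu`, the window (10 minutes), the threshold (100 recipients) and the reply text are assumptions to be tuned against your own historical logs.

```ruby
require 'time'

# Constructed sample postfix log excerpt (not real traffic). Only qmgr lines
# carry the per-message sender and recipient count; the smtp line is ignored.
SAMPLE_LOG = <<~LOG
  Jan 29 19:00:00 mx1 postfix/qmgr[1234]: 7F3A1B2C9D: from=<bob@example.edu>, size=3100, nrcpt=30 (queue active)
  Jan 29 19:20:01 mx1 postfix/qmgr[1234]: A1B2C3D4E5: from=<alice@example.edu>, size=2048, nrcpt=1 (queue active)
  Jan 29 19:20:10 mx1 postfix/qmgr[1234]: B2C3D4E5F6: from=<bob@example.edu>, size=3100, nrcpt=30 (queue active)
  Jan 29 19:21:10 mx1 postfix/qmgr[1234]: C3D4E5F6A1: from=<bob@example.edu>, size=3100, nrcpt=30 (queue active)
  Jan 29 19:22:10 mx1 postfix/qmgr[1234]: D4E5F6A1B2: from=<bob@example.edu>, size=3100, nrcpt=30 (queue active)
  Jan 29 19:22:40 mx1 postfix/qmgr[1234]: E5F6A1B2C3: from=<alice@example.edu>, size=1900, nrcpt=1 (queue active)
  Jan 29 19:23:10 mx1 postfix/qmgr[1234]: F6A1B2C3D4: from=<bob@example.edu>, size=3100, nrcpt=30 (queue active)
  Jan 29 19:24:10 mx1 postfix/qmgr[1234]: 1A2B3C4D5E: from=<bob@example.edu>, size=3100, nrcpt=30 (queue active)
  Jan 29 19:25:10 mx1 postfix/qmgr[1234]: 2B3C4D5E6F: from=<bob@example.edu>, size=3100, nrcpt=30 (queue active)
  Jan 29 19:25:30 mx1 postfix/qmgr[1234]: 3C4D5E6F7A: from=<someone@external.net>, size=900, nrcpt=500 (queue active)
  Jan 29 19:26:00 mx1 postfix/smtp[2222]: A1B2C3D4E5: to=<x@example.net>, relay=mx.example.net[192.0.2.10]:25, status=sent (250 ok)
LOG

# Assumed local domain(s); only senders here are candidates for blocking.
LOCAL_DOMAINS = %w[example.edu].freeze

# Matches the qmgr line that announces a message entering the active queue.
QMGR_RE = %r{\A(?<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: (?<qid>[0-9A-F]+): from=<(?<from>[^>]*)>, size=\d+, nrcpt=(?<nrcpt>\d+)}

Event = Struct.new(:time, :queue_id, :from, :nrcpt)

# Syslog timestamps carry no year, so the caller supplies one.
def parse_qmgr_line(line, year: 2009)
  m = QMGR_RE.match(line) or return nil
  t = Time.strptime("#{year} #{m[:ts].squeeze(' ')}", '%Y %b %d %H:%M:%S')
  Event.new(t, m[:qid], m[:from].downcase, m[:nrcpt].to_i)
end

def local_sender?(addr)
  domain = addr.split('@', 2)[1]
  !domain.nil? && LOCAL_DOMAINS.include?(domain)
end

# For each local sender, total recipients inside a sliding window of
# window_sec seconds; report the peak total for any sender above max_rcpt.
def detect_spam_runs(log_text, window_sec: 600, max_rcpt: 100, year: 2009)
  events = log_text.each_line
                   .map { |l| parse_qmgr_line(l, year: year) }
                   .compact
                   .select { |e| local_sender?(e.from) }
  alerts = {}
  events.group_by(&:from).each do |from, evs|
    evs.sort_by!(&:time)
    left = 0
    rcpt_sum = 0
    evs.each_with_index do |e, right|
      rcpt_sum += e.nrcpt
      # Drop events that have fallen out of the window behind this one.
      while e.time - evs[left].time > window_sec
        rcpt_sum -= evs[left].nrcpt
        left += 1
      end
      next unless rcpt_sum > max_rcpt
      prev = alerts[from]
      if prev.nil? || rcpt_sum > prev[:recipients]
        alerts[from] = { recipients: rcpt_sum, messages: right - left + 1,
                         first: evs[left].time, last: e.time }
      end
    end
  end
  alerts
end

# Lines for a postfix check_sender_access map: a 4xx reply defers rather
# than rejects, so a false positive costs a retry, not lost mail.
def sender_access_entries(alerts, reply: '450 4.7.1 Outbound volume exceeded threshold, try again later')
  alerts.keys.sort.map { |from| "#{from} #{reply}" }
end

if $PROGRAM_NAME == __FILE__
  alerts = detect_spam_runs(SAMPLE_LOG)
  alerts.each do |from, a|
    puts "#{from}: #{a[:recipients]} recipients in #{a[:messages]} messages (#{a[:first]} .. #{a[:last]})"
  end
  puts sender_access_entries(alerts)
end
```

Run against the sample, only `bob@example.edu` is reported (180 recipients across 6 messages within 10 minutes); his earlier message at 19:00 falls outside the window, alice stays well under the threshold, and the external sender is never a candidate. The 450 in the access map is the "non fatal" reply Russell mentions: a legitimate user whose burst was misjudged gets their mail retried once the entry is removed, while a compromised account's run stalls in the sender's queue until someone looks at it.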
