Educause Security Discussion mailing list archives
Re: Compromise Email Accounts
From: Joe Vieira <jvieira () CLARKU EDU>
Date: Fri, 30 Jan 2009 11:23:27 -0500
Currently we have a Python script to detect compromised accounts (runs once an hour). It runs through Postfix logs looking for bounces, and at a certain threshold will lock out your account. Basically the idea is that NO ONE actually generates 100+ bounces in one hour, and if they do, they are probably spamming people. This doesn't stop the spam as it goes out, but it does stop it from sending MORE. It also enables us to FIND the account in an automated way, which is key.

Joe Vieira
Manager Systems Administration
Clark University - Information Technology Services
Carlson Hall
508.793.7287

Sabo, Eric wrote:
> We are seeing this also. How is everyone handling this?
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
> Sent: Thursday, January 29, 2009 7:20 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Compromise Email Accounts
>
> On 22/01/2009, at 3:59 AM, Richard Miller wrote:
>
> > Detection
> > ---------
> > - Monitor queue lengths.
> > - What else can be monitored?
>
> I have some Ruby code that attempts to detect spam runs from local addresses by monitoring Postfix logs on our outgoing mail servers. Currently I have tested/tuned it on historical data but have not run it 'live' and wired it into Nagios and scripts that will block email based on From: headers. The current idea is to send back a non-fatal 450.
>
> We have not had many compromised accounts (3 in the last 12 months), but the most recent was an account on an Exchange server rather than our Horde system, which I already had monitored. So I decided to move the monitoring to the gateway.
>
> Russell.
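The bounce-threshold detection Joe describes, and the Postfix log monitoring Russell mentions, as an added example that is not part of this thread or of either institution's scripts: it joins Postfix qmgr and smtp log lines on the queue ID to attribute each bounce to the sending account, counts bounces per account in a sliding one-hour window, and reports accounts at or above a threshold of 100. The log lines, host names, addresses and the 2009 year are constructed assumptions, and what to do with a reported account (lock-out, a 450 at the gateway) is left to the caller.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Postfix logs the envelope sender per queue ID on a qmgr line and the delivery
# outcome on an smtp/local line; joining on the queue ID ties a bounce to the local sender.
QMGR_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
STATUS_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/\w+\[\d+\]: (\w+): to=<[^>]*>.*status=bounced")
YEAR = 2009  # syslog timestamps carry no year; assumed for the constructed sample

def bounce_offenders(log_lines, threshold=100, window=timedelta(hours=1)):
    """Return {sender: peak} for senders with >= threshold bounces inside any window-long period."""
    sender_of, bounces = {}, defaultdict(list)  # queue ID -> sender; sender -> bounce times
    for line in log_lines:
        m = QMGR_RE.match(line)
        if m:
            sender_of[m.group(2)] = m.group(3).lower()
            continue
        m = STATUS_RE.match(line)
        if m and m.group(2) in sender_of:
            ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            bounces[sender_of[m.group(2)]].append(ts)
    offenders = {}
    for sender, stamps in bounces.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted bounce times
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[sender] = peak
    return offenders

def build_sample_log(sender, count, prefix, start, step_seconds):
    """Constructed Postfix-style lines (synthetic): count messages from sender, each bouncing 1s after queueing."""
    lines = []
    for i in range(count):
        qid, t0 = f"{prefix}{i:07X}", start + timedelta(seconds=i * step_seconds)
        lines.append(f"{t0:%b %d %H:%M:%S} mx1 postfix/qmgr[1234]: {qid}: "
                     f"from=<{sender}>, size=2048, nrcpt=1 (queue active)")
        lines.append(f"{t0 + timedelta(seconds=1):%b %d %H:%M:%S} mx1 postfix/smtp[1240]: {qid}: "
                     f"to=<rcpt{i}@example.net>, relay=mx.example.net[203.0.113.10]:25, dsn=5.1.1, status=bounced (550 User unknown)")
    return lines

def demo():
    base = datetime(2009, 1, 30, 10, 0, 0)
    log = (build_sample_log("alice@example.edu", 120, "A", base, 15)   # 120 bounces in 30 minutes
           + build_sample_log("bob@example.edu", 5, "B", base, 600))   # 5 bounces in 40 minutes
    return bounce_offenders(log)
```

Running demo() reports only alice@example.edu, with a peak of 120 bounces in the hour; bob's handful of legitimate bounces stays below the threshold.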