Re: Measures of detecting breached email accounts

[Valdis Kletnieks <valdis.kletnieks () VT EDU>]

On Tue, 05 Dec 2017 16:54:50 -0800, Joseph Tam said:

> Sounding the alarm on failed login attempt will have me looking at
> logs every minute, night and day.  Even at my modest installation,
> this happens far too frequently to be consider a useful trigger for
> notification: it's not anomolous, it's background radiation.

I did say *exception* analysis, didn't I? Look for stuff that doesn't
look like background radiation. ;)

> In the context of Email account, here are some anomolous things you
> could look for:
>
>       - unusual volume, especially at unusual times
>       - unusual volume of failed deliveries (e.g. unknown user).
>       - unusual login origin (Ukraine? Romania? Tunisia? etc.)
>               The larger and more diverse your userbase, the
>               harder this gets to discern.
>       - number of different successful login locale within a
>               time interval (*)
>       - blacklist monitoring
>       - egress spam filtering/statistics

See? We're on the same page. ;)

Attachment: _bin
Description: