From: Michael on 24 Jun 2010 04:07

I want to be able to monitor SASL users to get quick notification if something is out of the ordinary - like a spammer using a compromised account to send emails.

What tool(s) can be used to achieve this?

Thanks,
Michael
From: Stan Hoeppner on 24 Jun 2010 04:41

Michael put forth on 6/24/2010 3:07 AM:
> I want to be able to monitor SASL users to get quick notification if something
> is out of the ordinary - like a spammer using a compromised account to send
> emails.
>
> What tool(s) can be used to achieve this?

Given the nature of your requirement, you're probably not going to find a Postfix tool or set of tools that will "notify" you when an account has been hijacked. How would software be able to determine when a user password has been phished? A very remote possibility would be analyzing user connecting IP heuristics, but I know of no tool for this. And given the number of roaming users with laptops and smartphones, this wouldn't really work.

If you are _that_ concerned about spamming from hijacked accounts due to successful phishing attacks on your user base, what I would recommend is setting up rate limiting on your submission daemon and signing up for the feedback loops at the major (free)mailers and ISPs. If brute force attacks against weak passwords is the problem, there are well documented methods for dealing with that, such as a fail2ban implementation.

The most extreme measure may be fraught with legal issues or organizational policy issues. This would be to use a content filter such as SpamAssassin on your outbound mail stream. If you choose to go this route, absolutely _do not_ tag outbound mail with a spam header and still send it to the recipients. That can and will get you blacklisted in various quarters of the net.

--
Stan
From: Patrick Ben Koetter on 24 Jun 2010 04:48

* Stan Hoeppner <stan(a)hardwarefreak.com>:
> Michael put forth on 6/24/2010 3:07 AM:
> > I want to be able to monitor SASL users to get quick notification if something
> > is out of the ordinary - like a spammer using a compromised account to send
> > emails.
> >
> > What tool(s) can be used to achieve this?
>
> Given the nature of your requirement, you're probably not going to find a
> Postfix tool or set of tools that will "notify" you when an account has been
> hijacked. How would software be able to determine when a user password has

Maybe he will. The OP could install the policyd policy server (v1) and impose sender restrictions on SASL authenticated senders.

If that is heavyweight, the OP can write a small policy service that tracks SASL authenticated users and the message volume, and triggers an alarm when an account goes beyond 'normal', where 'normal' is either a global or user-specific threshold or a value learned by messaging habit observation.

p(a)rick

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
saslfinger (debugging SMTP AUTH): <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
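
The small policy service described in the message above could look like the following sketch, which is an added example and not code from anyone in this thread. It assumes the service is called through `check_policy_service` in `smtpd_recipient_restrictions`, so each request is one recipient; the class name, window and limits are hypothetical, and the threshold is fixed rather than learned.

```python
import sys
import time
from collections import defaultdict, deque

def parse_request(text):
    """Parse one policy delegation request: name=value lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

class SaslVolumeMonitor:  # hypothetical name, not a Postfix component
    def __init__(self, window=3600, default_limit=100, user_limits=None, alert=None):
        self.window = window                  # seconds of history kept per user
        self.default_limit = default_limit    # global threshold (assumed value)
        self.user_limits = user_limits or {}  # user-specific thresholds
        self.alert = alert or (lambda msg: print(msg, file=sys.stderr))
        self.seen = defaultdict(deque)        # sasl_username -> request timestamps
        self.alarmed = set()                  # users already reported

    def check(self, attrs, now=None):
        """Count one request for the authenticated sender; return the policy action."""
        user = attrs.get("sasl_username", "")
        if attrs.get("request") != "smtpd_access_policy" or not user:
            return "DUNNO"                    # not SASL authenticated: nothing to track
        now = time.time() if now is None else now
        q = self.seen[user]
        q.append(now)
        while q[0] <= now - self.window:      # drop events older than the window
            q.popleft()
        limit = self.user_limits.get(user, self.default_limit)
        if len(q) > limit and user not in self.alarmed:
            self.alarmed.add(user)            # alarm once per burst, not per recipient
            self.alert(f"{user}: {len(q)} recipients in {self.window}s (limit {limit}), "
                       f"last client {attrs.get('client_address', '?')}")
        elif len(q) <= limit:
            self.alarmed.discard(user)        # re-arm once volume is back to normal
        return "DUNNO"                        # monitor only; delivery is never changed

    def handle(self, text):
        """Full wire reply for one raw request, as the policy protocol expects."""
        return f"action={self.check(parse_request(text))}\n\n"
```

The counters live in memory, so this has to run as one long-lived listener; started per connection through spawn(8), each process would see only its own share of the traffic.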
From: Michael on 24 Jun 2010 04:51

On Thu, 24 Jun 2010 20:41:59 Stan Hoeppner wrote:
> Michael put forth on 6/24/2010 3:07 AM:
> > I want to be able to monitor SASL users to get quick notification if
> > something is out of the ordinary - like a spammer using a compromised
> > account to send emails.
> >
> > What tool(s) can be used to achieve this?
>
> Given the nature of your requirement, you're probably not going to find a
> Postfix tool or set of tools that will "notify" you when an account has
> been hijacked. How would software be able to determine when a user
> password has been phished?

What happens in these instances is the spammers start sending *lots* of email, and it was on this basis I wanted to sound an alarm.

> feedback loops at the major (free)mailers and ISPs. If brute force attacks
> against weak passwords is the problem, there are well documented methods
> for dealing with that, such as a fail2ban implementation.

There is a system already in place to lock out where the password is incorrect. Unfortunately users are sometimes stupid and through social engineering they part with the details.
From: Michael on 24 Jun 2010 05:47

On Thu, 24 Jun 2010 20:48:04 Patrick Ben Koetter wrote:
> * Stan Hoeppner <stan(a)hardwarefreak.com>:
> > Michael put forth on 6/24/2010 3:07 AM:
> > > I want to be able to monitor SASL users to get quick notification if
> > > something is out of the ordinary - like a spammer using a compromised
> > > account to send emails.
> > >
> > > What tool(s) can be used to achieve this?
> >
> > Given the nature of your requirement, you're probably not going to find a
> > Postfix tool or set of tools that will "notify" you when an account has
> > been hijacked. How would software be able to determine when a user
> > password has
>
> Maybe he will. The OP could install the policyd policy server (v1) and
> impose sender restrictions on SASL authenticated senders.

I will look into this, thanks. Is there a reason that v1 is better than v2 for this application?