Good afternoon Volker, dear List.

We had a similar incident last year. What I then did was to parse the logfiles on a daily basis to check where the logins occur from. We have a customer base from Germany mainly (except business travelling people), so I compiled a list of most probable IP ranges/dyn dialup domains, against which I grep -v the logfile entries, and then get a mail each midnight of the ones not matching those expectations.

I can see that geo blocking may be a solution, but with globally travelling people it's not really an option. The same applies to a lot of changes of IPs (if they come from the same range, e.g. provider).

I know it's far from perfect, but from an 80:20 approach a good one. You can probably put in (much) more effort to produce a maybe more reliable, automated approach of some kind. And yes, it was a purely reactive measure and of course did not prevent setting off spams until we noticed (actually it never happened since then, so I can't really tell)...

On 15.11.2016 at 14:09, Volker Cordes wrote:
> Hello,
>
> I just stopped our server from sending out spam mails. A password from
> one of our customers was hacked or somehow leaked so that the mails were
> sent by an authenticated user. Now I was wondering if it is possible to
> block users that authenticate themselves from a lot of different IP
> addresses in a short timespan or to implement blocking using
> geoip-services (99% of our customers are based in Germany).
>
> Thanks,
> Volker

===========================================================================
Note: this message was sent by me *only* if the eMail message contains a correct pgp signature corresponding to my address at flo...@floppy.org.
Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine. Thx!
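An added example, not part of either message: the daily "grep -v against expected ranges" report from the reply, extended with the distinct-IPs-per-user check asked about in the quoted question. The Postfix-style log format, the allowlisted networks, the thresholds and every function name are assumptions made for illustration, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (Postfix-style SASL login lines); adapt the regex to your MTA.
LOGIN_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*client=\S*\[(?P<ip>[0-9a-fA-F.:]+)\]"
                      r".*sasl_username=(?P<user>\S+)")
# Constructed allowlist (documentation ranges) standing in for the expected IP ranges.
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:1::/48")]
# Constructed sample input, not real log data.
SAMPLE_LOG = """\
Nov 15 13:01:02 mx postfix/smtpd[811]: 3A1: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 15 13:02:10 mx postfix/smtpd[812]: 3A2: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.org
Nov 15 13:03:11 mx postfix/smtpd[813]: 3A3: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@example.org
Nov 15 13:04:12 mx postfix/smtpd[814]: 3A4: client=unknown[198.51.100.99], sasl_method=LOGIN, sasl_username=bob@example.org
Nov 15 13:05:13 mx postfix/smtpd[815]: 3A5: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=bob@example.org
""".splitlines()

def parse_logins(lines, year=2016):
    """Return (timestamp, user, ip) for every authenticated login line, oldest first."""
    logins = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:  # syslog timestamps carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            logins.append((ts, m["user"], ipaddress.ip_address(m["ip"])))
    return sorted(logins, key=lambda e: e[0])

def unexpected_logins(logins):
    """The daily 'grep -v': logins whose source lies outside every expected range."""
    return [e for e in logins if not any(e[2] in net for net in EXPECTED_NETS)]

def many_ip_users(logins, window=timedelta(minutes=10), max_ips=3):
    """Map user -> peak distinct-IP count, for users exceeding max_ips within window."""
    per_user = defaultdict(list)
    for ts, user, ip in logins:
        per_user[user].append((ts, ip))
    flagged = {}
    for user, events in per_user.items():
        start = 0  # left edge of the sliding time window
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            distinct = len({ip for _, ip in events[start:end + 1]})
            if distinct > max_ips:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged
```

Feeding `parse_logins()` the day's log and mailing the output of both checks reproduces the midnight report; the `many_ip_users()` result could equally drive a temporary account lock instead of a mail.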