Hi,

we are scanning our logs every hour and searching for accounts which are 
sending mails from different foreign IPs.
Normally our accounts send only from one or two different IPs located 
in the same country.

We generate an alert if some account is sending mails from different class B 
networks located in different countries.
This indicates that it is most likely crap.
It helps us to find out spammers which are sending only a small amount of crap.

best
Urban
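The hourly check Urban describes, written out as an added example (not code from the thread or from policyd): group submissions by SASL username, map each client IP to its /16 and a country, and alert only when an account shows more than one /16 in more than one country. The log lines and the /16-to-country table are constructed stand-ins; a real deployment would use a GeoIP database for the lookup.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed Postfix-style submission log lines (not real traffic).
SAMPLE_LOG = """\
Apr 16 06:01:12 relay postfix/smtpd[101]: client=198.51.100.7, sasl_username=alice
Apr 16 06:07:40 relay postfix/smtpd[102]: client=198.51.100.9, sasl_username=alice
Apr 16 06:12:03 relay postfix/smtpd[103]: client=203.0.113.5, sasl_username=bob
Apr 16 06:14:55 relay postfix/smtpd[104]: client=192.0.2.200, sasl_username=bob
Apr 16 06:31:19 relay postfix/smtpd[105]: client=192.0.2.13, sasl_username=carol
Apr 16 06:40:02 relay postfix/smtpd[106]: client=198.51.100.1, sasl_username=dave
Apr 16 06:44:37 relay postfix/smtpd[107]: client=203.0.113.9, sasl_username=dave
"""

# Stand-in for a GeoIP lookup: /16 -> country code (constructed, an assumption).
COUNTRY_BY_NET = {
    ip_network("198.51.0.0/16"): "CH",
    ip_network("203.0.0.0/16"): "CH",
    ip_network("192.0.0.0/16"): "US",
}

LOG_RE = re.compile(r"client=(?P<ip>[\d.]+), sasl_username=(?P<user>\S+)")


def class_b(ip: str):
    """Return the /16 ('class B') network the client address falls in."""
    return ip_network(f"{ip}/16", strict=False)


def country_of(net) -> str:
    """GeoIP stand-in: look the /16 up in the constructed table."""
    return COUNTRY_BY_NET.get(net, "??")


def find_suspicious_accounts(log_text: str) -> dict:
    """Accounts that sent from more than one /16 in more than one country.

    Returns {username: sorted list of countries seen}.
    """
    origins = defaultdict(set)  # user -> {(network, country)}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a submission line; ignore
        net = class_b(m["ip"])
        origins[m["user"]].add((net, country_of(net)))

    alerts = {}
    for user, seen in origins.items():
        nets = {n for n, _ in seen}
        countries = {c for _, c in seen}
        # dave hits two /16s in the same country and is deliberately not flagged
        if len(nets) > 1 and len(countries) > 1:
            alerts[user] = sorted(countries)
    return alerts
```

Only `bob` is flagged in the sample: `alice` stays inside one /16, and `dave` spans two /16s that resolve to the same country.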



On 16.04.2013 06:45, CSS wrote:
I'm curious what other people are doing to deal with this…

We have policyd running on our smtp relay hosts that customers use.  We get an 
alert when any username sends more than X messages in an hour and deal with it 
on a case by case basis.  For some time, this has worked well.  We've had a few 
cases where the end user's pc is part of a botnet and sending directly, but 
most of the time it's foreign IPs that have either brute-forced or stolen the 
user's credentials (presumably by phishing).

In the past month or so though, I've been seeing more and more instances where 
I get no alerts, and then a few feedback loop reports.  If I look at the 
policyd stats, I'll see some user sitting just below the alert threshold has 
been sending crap out for hours.  I'm not seeing any obvious solution here…  
Any suggestions?

Thanks,

Charles
_______________________________________________
Users mailing list
[email protected]
http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org

