Hi,

re: #2 g_breakin_n and the window setting g_breakin_window are your friends here.

--Ed

On 08/03/2015 09:31 AM, Frank Bulk wrote:
> We had another compromised account this weekend, but the spammer used over 130 different IPs, sent them slowly, faked the from on every message, sent them to just one recipient per message, had only a few bad email addresses per sending IP, and the only reason we discovered it this morning was because of ~20 pending messages in the outbound queue. We have some scripts that check the queues and message logs every five minutes, but because of the diversity we never had a match on any of them. And G_SPAM_USER_BADTO didn't kick in this time, either.
>
> I came up with two ideas:
> 1. correlate every failed message to the authenticated account (which G_SPAM_USER_BADTO does, but it only shows up under higher volume situations)
> 2. count up the number of different IP addresses an authenticated user uses in a day and if it exceeds a certain limit (say 3 or 5) then assume the account is compromised and change the password.
>
> Before I invent that second idea in a script, does SurgeMail have that limit built-in?
>
> Frank

--
-----------------------------------------------------------
EAS Enterprises LLC
World Class Web and Email Hosting Solutions
IPv6 ready today for your needs of tomorrow!
Ask us about dual-stacking your site
www.easent.net
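The second idea in the quoted message (count the distinct source IPs each authenticated account uses per day and flag accounts over a limit), as an added example that is not part of the original thread and is not SurgeMail code. The log line format, the function names and the sample data are assumptions made for illustration; the default limit of 5 is the upper figure suggested in the message.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical log format (an assumption, not SurgeMail's real log layout):
#   2015-08-01 02:14:07 auth user=<account> ip=<address>
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ auth user=(\S+) ip=(\S+)$")

def source_key(raw_ip):
    """Normalise an address; IPv6 is collapsed to its /64 so one client
    rotating privacy addresses counts as a single source."""
    ip = ipaddress.ip_address(raw_ip)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)

def distinct_sources(lines):
    """Map (account, day) -> set of distinct sources seen authenticating."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an authentication line
        day, user, raw_ip = m.groups()
        try:
            src = source_key(raw_ip)
        except ValueError:
            continue  # unparseable address field
        seen[(user.lower(), day)].add(src)
    return seen

def suspect_accounts(lines, limit=5):
    """Return {(account, day): count} for accounts exceeding `limit` sources."""
    return {k: len(v) for k, v in distinct_sources(lines).items() if len(v) > limit}

# Constructed sample data: 'alice' roams between three networks (two IPv6
# addresses share a /64); 'bob' authenticates from seven unrelated addresses.
SAMPLE_LOG = [
    "2015-08-01 08:00:01 auth user=alice ip=192.0.2.10",
    "2015-08-01 12:30:00 auth user=alice ip=2001:db8:1:2::a",
    "2015-08-01 12:45:00 auth user=Alice ip=2001:db8:1:2::b",
    "2015-08-01 19:05:44 auth user=alice ip=203.0.113.5",
    "2015-08-01 09:00:00 auth user=carol ip=not-an-ip",
    "2015-08-01 09:00:02 queue pending=20",
    "2015-08-02 07:00:00 auth user=bob ip=198.51.100.1",
    "2015-08-02 07:10:00 auth user=bob ip=198.51.100.2",
] + [f"2015-08-01 02:{i:02d}:00 auth user=bob ip=198.51.100.{i}" for i in range(1, 8)]

if __name__ == "__main__":
    for (user, day), count in sorted(suspect_accounts(SAMPLE_LOG).items()):
        print(f"{day} {user}: {count} distinct sources")
```

A limit of 3 would also fit the message's suggestion, but roaming users (home, office, mobile carrier) reach three sources easily, so the lower figure is better suited to alerting than to an automatic password change.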