Just an FYI on this subject.  We had problems with certain accounts 
getting their password stolen.  All cell phone users.

After we added an SSL certificate and converted those users to using SSL 
for both SMTP and IMAP, this problem seemed to disappear on it's own.

Kinda points to compromises via public WiFi points...

Lyle

On 04/18/16 09:52, Ed wrote:
> Hi,
>
> Try g_from_check and g_from_noforgeme    there are some other 
> strategies but this will get you started.
>
> --Ed
>
> On 04/18/2016 10:36 AM, David Camm wrote:
>> every once in a while - luckily not too often, a user's machine picks up
>> some malware and the result is that their smtp credentials are stolen
>> and then used by the bad guys to send a bunch of spam.
>>
>> apparently they can log in but then send with a completely different
>> 'from' address.
>>
>> since we require the complete email address as part of smtp login (ie
>>HIDDEN@advwebsys.com), is there some setting or some rule which would
>> reject any attempt to log in as HIDDEN@validdomain.com' with a from
>> address of, say HIDDEN@nny@invaliddomain.eu'?
>>
>> david camm
>> advanced web systems
>> keller, tx
>>
>>
>>
>