Interesting thing about these attacks. The POP attacks trying to brute force passwords come from IPs all over the place, ARIN, RIPE, and APNIC, and they happen all at the same time. Can we say bot-net?

We enforce strong passwords on email accounts. We had one account "compromised". We caught this before any damage was done. An ID 10 T customer uses his email address and his actual email password on sites all over the net. The spam attack was also coordinated -- obvious bot-net. Interesting how each bot doesn't duplicate the email addresses.

We disabled his account and made him call us. We explained the absolute absurdity of doing that and made him pick a really awkward password and warned him not to do that ever again.

Key loggers and other local malware are another issue altogether. 3 cheers for redmond!

--Ed

On 12/20/2011 12:05 PM, Steve wrote:
> Yeah I get all the test weak notifications and if I get them at all I
> disable the account until the customer calls in and we force them to
> change it. Sometimes though even the customer gets a virus or a
> keylogger there isn't much we can do. The account will be compromised no
> matter what password we set it to.
>
> Great post though - do some of those features exist in v4? We are going
> to be upgrading our account soon possibly move to v5 as well. I don't
> recognize some of those.
>
> ------------------------------------------------------------------------
>
> *From:* Support [mailto:surgemailHIDDEN@t@netwinsite.com]
> *Sent:* Monday, December 19, 2011 4:01 PM
> *To:* surgemailHIDDEN@etwinsite.com
> *Subject:* [SurgeMail List] Please take the time to secure your server
> from hackers! (settings to check)
>
> In recent months a lot of email accounts worldwide are being broken into
> and used to send spam. This is done using thousands of automated robots
> probing for accounts with 'obvious' passwords. And no doubt also using
> phishing techniques as well to trick users into giving out details. The
> spammer then starts sending email from your server and it will get
> blacklisted (this is usually when people notice the problem!)
>
> If this hasn't happened to your server yet, you can be sure it will
> happen in the near future. Here are some settings you should at least
> consider and/or adjust to limit the damage when this occurs.
>
> Some of these settings may confuse or annoy your real users, so set as
> appropriate for your situation!
>
> ChrisP.
>
> # Find any local accounts with really really obvious passwords!
> tellmail test_weak
>
> # Login guesses per IP before it is automatically and permanently locked
> # out. Use tellmail unlock ip.address to fix...
> G_HACKER_MAX "10"
>
> # this won't stop them as they use so many robots to guess from, but it
> # might slow them down or stop simple attacks.
>
> # If hacker attempts to login to one of these then the ip is instantly
> # locked out. (Don't use accounts that really exist)
> G_HACKER_POISON HIDDEN@,administrator@*"
>
> # Only allow smtp logins if the user has previously logged in via
> # imap/pop from the same address
> G_SAFE_SMTP "true"
>
> # Max messages an authenticated user can send per 30 minutes, e.g. 5000
> G_SPAM_USER_MAX "2000"
>
> # Max outgoing messages per ipaddress/return path pair, 30 minutes, e.g.
> # 5000
> G_SPAM_FROM_MAX "2000"
>
> # Detect local users sending 'spam like' email and send a report to the
> # manager.
> G_OUTGOING_N "5"
>
> # White list for people you know send mail that looks a bit dodgy. :-)
> G_OUTGOING_WHITE HIDDEN@re.com,1.2.3.4"
>
> # send manager an email if a local user sends more than 300 messages in a
> # day...
> G_USER_SEND_WARNING "300"
> g_user_send_ip "300"
>
> ChrisP
>
> ------------------------------------------------------------------------
>
> Sent with YesImOnline email client http://yesimonline.com/yes (free client)
>

--
-----------------------------------------------------------
EAS Enterprises LLC
World Class Web and Email Hosting Solutions
IPv6 ready today for your needs of tomorrow!
Ask us about dual-stacking your site
www.easent.net
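
Both messages above note that a per-IP guess limit such as G_HACKER_MAX does little against guessing spread over many addresses. The following is an added example, not part of the thread and not SurgeMail code: it counts failed logins per account across distinct IPs, next to the per-IP count, over constructed log lines in a hypothetical format (the log format, function names and thresholds are assumptions).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical log format, assumed for this example (not SurgeMail's real format).
LINE_RE = re.compile(r"^(\S+ \S+) pop3 login_failed user=(\S+) ip=(\S+)$")

def build_sample():
    """Constructed log: 8 hosts x 2 guesses at bob, 1 host x 12 guesses at alice."""
    t0 = datetime(2011, 12, 20, 11, 0, 0)
    rows = [(t0 + timedelta(seconds=30 * (2 * i + j)), "bob@example.com",
             f"198.51.100.{i + 1}") for i in range(8) for j in range(2)]
    rows += [(t0 + timedelta(seconds=5 * j), "alice@example.com", "203.0.113.9")
             for j in range(12)]
    return "\n".join(f"{ts:%Y-%m-%d %H:%M:%S} pop3 login_failed user={u} ip={ip}"
                     for ts, u, ip in rows)

def parse(log):
    """Return (timestamp, user, ip) tuples sorted by time; skip unparsable lines."""
    found = (LINE_RE.match(line.strip()) for line in log.splitlines())
    return sorted((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                   m.group(2), m.group(3)) for m in found if m)

def per_ip_lockouts(events, max_guesses=10):
    """IPs that a per-IP guess limit (the G_HACKER_MAX idea) would lock out."""
    counts = Counter(ip for _, _, ip in events)
    return {ip for ip, n in counts.items() if n >= max_guesses}

def distributed_targets(events, window=timedelta(minutes=30), min_ips=5):
    """Accounts failing from >= min_ips distinct IPs within one sliding window."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop failures older than the window
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[user] = max(flagged.get(user, 0), len(ips))
    return flagged

if __name__ == "__main__":
    ev = parse(build_sample())
    print("per-IP lockouts:", per_ip_lockouts(ev))
    print("accounts under distributed guessing:", distributed_targets(ev))
```

In the constructed data the single noisy host trips the per-IP limit, while the account guessed at from eight addresses shows up only in the per-account view.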