Compromised mail user and early detection

Today I got a message from one of the users of my Miab box. He was complaining about receiving a lot of “weird” mails from my mail server.

When I looked, I saw he was being bombarded with reject messages from lots of other mail servers. When I looked closer, I got a bit confused, because some of the bounced messages seemed to have originated from my Miab box and others did not. Apparently, someone got a hold of his password (which was 20 characters long, randomly generated by Keepass) and was sending mail through my Miab box but was also using his address as the ‘from’ address in mail sent from different server at the same time.

When I changed his password, things went a bit quieter, but of course I’m still receiving bounced for mails which were sent from other server (Still lots of servers that ignore SPF records).

My Miab box had been sending mails for a couple of hours before I was notified and I think it might be a good idea to have admins automatically notified when weird behavior occurs. When I look at the logs now, I see lots of postfix/submission/smtpd entries for this mail user (roughly 20 per minute, at the time), all originating from different client IPs. Something that should be easy to detect.

Any thoughts?

This topic was automatically closed after 61 days. New replies are no longer allowed.