beetlezilla, 2017-09-13 10:45:10

How to identify the fact of hacking a user's mailbox?

There is a postfix + dovecot + spamassassin mail server. Periodically, by brute force, they select a password for mailboxes. After several hacking facts, the following parameters were configured:

  1. anvil_rate_time_unit 24h
  2. smtpd_client_message_rate_limit 1000

The number of sent letters and the chippers that came to them has been significantly reduced. But at the same time, it has now become more difficult to record the facts of hacking.
Is it possible to notify mail server administrators about reaching the limit of sent emails for a given period?

2 answer(s)
Dmitry, 2017-09-13
@Tabletko

Set fail2ban to monitor the mail log and ban those IPs from which more than 5-10 incorrect login attempts per minute were made.

alexander, 2017-09-13
@beza2000

It's not pretty, but it's stupid to parse the log and count the necessary numbers. After analyzing the numbers, send a letter to the admins.
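
The log-counting approach from this answer, as an added example that is not part of the original thread: it counts authenticated submissions per SASL user in the Postfix log, picks up smtpd's rate-limit warning, and builds the mail for the admins. The sample log lines, the threshold and the postmaster@example.org address are constructed assumptions.

```python
import re
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample lines in Postfix syslog format (not taken from the original post).
SAMPLE_LOG = """\
Sep 13 10:01:02 mx postfix/smtpd[2101]: 3A1B2C4D5E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.org
Sep 13 10:02:10 mx postfix/smtpd[2102]: 4B2C3D5E6F: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=bob@example.org
Sep 13 10:02:11 mx postfix/smtpd[2102]: 5C3D4E6F70: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=bob@example.org
Sep 13 10:02:30 mx postfix/smtpd[2103]: 6D4E5F7081: client=unknown[203.0.113.20], sasl_method=PLAIN, sasl_username=bob@example.org
Sep 13 10:03:05 mx postfix/smtpd[2104]: 7E5F608192: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=bob@example.org
Sep 13 10:03:06 mx postfix/smtpd[2102]: warning: Message delivery request rate limit exceeded: 1001 from unknown[198.51.100.9] for service smtp
"""

# Authenticated submission: smtpd logs one such line per accepted message.
SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: \w+: client=\S+?\[([^\]]+)\], "
                     r"sasl_method=\S+, sasl_username=(\S+)")
# Warning smtpd writes when smtpd_client_message_rate_limit is exceeded.
LIMIT_RE = re.compile(r"warning: Message delivery request rate limit exceeded: "
                      r"(\d+) from (\S+) for service \S+")

def analyze(lines, threshold):
    """Return ({user: (count, [ips])} at or over threshold, [(client, rate)])."""
    sent, ips, limit_hits = defaultdict(int), defaultdict(set), []
    for line in lines:
        if m := SASL_RE.search(line):
            sent[m.group(2)] += 1
            ips[m.group(2)].add(m.group(1))
        elif m := LIMIT_RE.search(line):
            limit_hits.append((m.group(2), int(m.group(1))))
    suspects = {u: (n, sorted(ips[u])) for u, n in sent.items() if n >= threshold}
    return suspects, limit_hits

def build_alert(suspects, limit_hits, admin="postmaster@example.org"):
    """Build the mail for the admins, or None when there is nothing to report."""
    if not suspects and not limit_hits:
        return None
    body = [f"{u}: {n} messages from {len(a)} IPs ({', '.join(a)})"
            for u, (n, a) in sorted(suspects.items())]
    body += [f"rate limit exceeded: {rate} from {client}" for client, rate in limit_hits]
    msg = EmailMessage()
    msg["Subject"] = "Postfix: possible compromised mailbox"
    msg["From"] = msg["To"] = admin
    msg.set_content("\n".join(body))
    return msg  # deliver with smtplib.SMTP("localhost").send_message(msg)
```

Run it from cron over the current mail log; one account sending from several unrelated IP addresses is usually a stronger sign of a stolen password than the message count alone.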
