[unisog] FYI - dictionary attack on Squirrelmail
s.shipway at auckland.ac.nz
Tue Mar 2 03:48:01 GMT 2010
> It so happened that someone had set up a couple of multi-user role
> accounts with, yes, username=password, so that the attacker was able to
> send a bunch of spam out on the weekend before we noticed.
In order to catch this sort of thing, we have a periodic (every 15mins) script on the webmail host which eats the log and identifies any accounts which have sent an excessive number of messages, or messages to an excessive number of recipients, in the last hour. If any are found, it uses NSCA to send an alert into Nagios (of course, you could send alerts to whatever monitoring package you use, or even just send an email).
It doesn't stop people having their accounts compromised, but it catches spammers much faster and helps prevent our mail servers from being listed on the various internet mail blacklists.
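Below is an added example of the kind of check described above; it is not Steve Shipway's script and nothing in the post states what log format or thresholds his uses. It assumes Postfix qmgr log lines (where `nrcpt=` is the envelope recipient count) and treats the envelope sender as the webmail account, which is only an approximation of "the account that sent it"; the thresholds, host and service names, and the sample log lines are constructed. The alert line is built in the tab-separated passive-check form that `send_nsca` reads on stdin, so the output of `nsca_line()` can be piped straight into it from cron.

```python
"""Hourly outbound-volume check over MTA log lines (added example, not the
original poster's script). Assumes Postfix qmgr lines and send_nsca input."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Postfix qmgr "queue active" lines. The envelope sender is used
# as the account identity; if your MTA logs the authenticated (SASL) user,
# key on that instead, since the From address is attacker-controlled.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: "
    r"\w+: from=<(?P<user>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_ts(stamp, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def tally(lines, now, window=timedelta(hours=1), year=2010):
    """Count messages and total recipients per sender inside [now-window, now]."""
    msgs, rcpts = defaultdict(int), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a qmgr line we understand; ignore
        ts = parse_ts(m["ts"], year)
        if ts > now or now - ts > window:
            continue  # outside the look-back window
        msgs[m["user"]] += 1
        rcpts[m["user"]] += int(m["nrcpt"])
    return msgs, rcpts


def find_offenders(lines, now, max_msgs=10, max_rcpts=200, **kw):
    """Return (user, msgs, rcpts, reason) for every account over a threshold.

    Thresholds are assumed values; tune them to your own normal traffic."""
    msgs, rcpts = tally(lines, now, **kw)
    offenders = []
    for user in sorted(msgs):
        reasons = []
        if msgs[user] > max_msgs:
            reasons.append(f"{msgs[user]} msgs")
        if rcpts[user] > max_rcpts:
            reasons.append(f"{rcpts[user]} rcpts")
        if reasons:
            offenders.append((user, msgs[user], rcpts[user], ", ".join(reasons)))
    return offenders


def nsca_line(host, service, offenders):
    """Passive check result in the tab-separated form send_nsca reads on stdin:
    host<TAB>service<TAB>return_code<TAB>plugin_output<NL> (2 = CRITICAL)."""
    if not offenders:
        return f"{host}\t{service}\t0\tOK: no account over threshold\n"
    detail = "; ".join(f"{user} ({reason})" for user, _, _, reason in offenders)
    return f"{host}\t{service}\t2\tCRITICAL: {detail}\n"


# --- constructed sample data -------------------------------------------------
def _line(stamp, user, nrcpt, qid):
    return (f"{stamp} webmail postfix/qmgr[2211]: {qid}: from=<{user}>, "
            f"size=1842, nrcpt={nrcpt} (queue active)")


# Constructed log: a normal user, one stale burst outside the window, and a
# role account that sends a dozen 40-recipient messages in eleven minutes.
SAMPLE_LOG = [
    _line("Feb 27 13:05:10", "alice@example.ac.nz", 1, "A1"),
    _line("Feb 27 13:40:02", "alice@example.ac.nz", 3, "A2"),
    _line("Feb 27 11:55:00", "helpdesk@example.ac.nz", 45, "H0"),  # > 1h old
] + [
    _line(f"Feb 27 13:{20 + i:02d}:31", "helpdesk@example.ac.nz", 40, f"H{i + 1}")
    for i in range(12)
]

# Simulated "now" for the sample run (a real cron job would use datetime.now()).
NOW = datetime(2010, 2, 27, 14, 0, 0)

if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG, NOW)
    # In production: print(..., end="") | send_nsca -H nagios.example -c send_nsca.cfg
    print(nsca_line("webmail", "outbound-volume", hits), end="")
```

Running the file prints a single CRITICAL line naming `helpdesk@example.ac.nz` (12 messages, 480 recipients in the hour); the 11:55 burst is discarded because it falls outside the look-back window, which is what keeps a 15-minute cron cadence from re-alerting forever on old activity.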