Adventures with spammers

I run a Zimbra mail server at the K-12 school district where I work. Overall I really like the system, but my user base is very susceptible to phishing spam, so once a month or so someone will give up their password to a spammer, who then proceeds to use our mail server to send out their spam.

Since 2011 I have had a script that tails the log files and disables an account if it sees 7 messages or more in a 2-minute window that include more than 20 non-company addresses in the header fields. This worked very well until about 3 weeks ago, when we got hit by a spammer that sent out spam with only 5–6 addresses in the header fields, so it was not caught. Then this week I was hit by a spammer that within 1 hour logged in 14491 times from 17 different machines scattered around the world (Indonesia, Serbia, Mexico, Pakistan, Portugal, Turkey, Saudi Arabia, Slovakia, India, Peru, and Poland), sending to 1 or 2 addresses each time. Because of this, I now have a second script watching the log file that will disable an account if there are more than 5 logins within 1 minute.

I am wondering what other folks do when spammers get credentials on your mail server and start using it to spam everyone?
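The two thresholds described above, written as one sliding-window detector. This is an added example, not the author's script: the log line format, the account names and the function names are assumptions made up for the illustration, and it returns the accounts to disable rather than calling any Zimbra tool.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds as stated in the post.
LOGIN_LIMIT, LOGIN_WINDOW = 5, timedelta(minutes=1)  # more than 5 logins in 1 minute
MSG_LIMIT, MSG_WINDOW = 7, timedelta(minutes=2)      # 7 or more messages in 2 minutes...
EXTERNAL_RCPTS = 20                                  # ...each with > 20 non-company addresses

def parse(line):
    """Constructed format (not Zimbra's): '<iso-time> <login|send> <account> <n>'.
    For 'send', n is the number of non-company addresses in the headers."""
    ts, kind, account, n = line.split()
    return datetime.fromisoformat(ts), kind, account, int(n)

def _hits(queue, ts, span):
    """Record ts, drop entries older than the window, return the count left."""
    queue.append(ts)
    while ts - queue[0] > span:
        queue.popleft()
    return len(queue)

def accounts_to_disable(lines):
    """Return {account: rule} for accounts that trip either threshold.
    Lines must be in chronological order per account, as in a tailed log."""
    logins, bulk, flagged = defaultdict(deque), defaultdict(deque), {}
    for line in lines:
        ts, kind, account, n = parse(line)
        if account in flagged:
            continue  # already marked; a real script would disable it here
        if kind == "login":
            if _hits(logins[account], ts, LOGIN_WINDOW) > LOGIN_LIMIT:
                flagged[account] = "login-rate"
        elif kind == "send" and n > EXTERNAL_RCPTS:
            if _hits(bulk[account], ts, MSG_WINDOW) >= MSG_LIMIT:
                flagged[account] = "bulk-recipients"
    return flagged

# Constructed sample events; accounts and timings are made up for the example.
T0 = datetime(2024, 1, 1, 10, 0, 0)
def _line(sec, kind, account, n=0):
    return f"{(T0 + timedelta(seconds=sec)).isoformat()} {kind} {account} {n}"

SAMPLE = (
    [_line(10 * i, "login", "alice@example.org") for i in range(6)]       # 6 logins in 50 s
    + [_line(15 * i, "send", "bob@example.org", 25) for i in range(7)]    # 7 bulk mails in 90 s
    + [_line(20 * i, "login", "carol@example.org") for i in range(6)]     # 6 logins over 100 s
    + [_line(5 * i, "send", "dave@example.org", 6) for i in range(30)]    # 6 addresses per mail
)

if __name__ == "__main__":
    for account, rule in accounts_to_disable(SAMPLE).items():
        print(f"disable {account}: {rule}")
```

The `dave@example.org` stream is the case the post describes slipping through: messages with only 6 outside addresses never count toward the recipient rule, so only a login-rate or similar second signal would catch that account.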