Tracking multiple logins to one account from different IP addresses

enginaar (Verified User, joined May 20, 2004, Turkiye)
Hello,

I'm running csf+lfd and it helps me pretty well with brute-force attacks and tracking relays, but when a spammer captures one of the mail accounts' passwords with a virus or trojan on the client side, it can send spam mails in little pieces, like sending to 20 or 30 recipients while logging in from a different ip address every time. This can't be caught by a firewall because a firewall's primary purpose is to find individual ip addresses trying to do something harmful. Also, blocking the ip addresses doesn't do any good because the ip addresses won't be used a second time and they have already done their job.

I can only see this kind of activity the next day, when directadmin warns me about which account sent more than 1000 e-mails yesterday. What I want to do is parse log files like lfd does, not counting the same ip address that has failed to login multiple times but selecting different ip addresses that have logged in successfully to one account.

I can write this to custom logs in csf but it only expects an ip address as the result. I wonder if I can do this with directadmin. I know there is a new brute-force defender in directadmin; does it allow customization, and can it block a specific mail account?

Thanks
Engin
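The detection Engin describes (successful logins to one mailbox from many different IPs, which lfd's per-IP failure counting cannot see) can be scripted over the exim mainlog. The following is an added example, not code from this thread, from DirectAdmin or from csf/lfd. The log lines are constructed to approximate the exim mainlog format for an authenticated SMTP submission (the bracketed client IP and the `A=login:<account>` field); the threshold of 3 distinct IPs, the 24-hour window, the sample addresses and the `/var/log/exim/mainlog` path are assumptions.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic), shaped like the exim mainlog lines
# written for an authenticated SMTP submission: the bracketed value is the
# client IP and "A=login:<mailbox>" names the account that authenticated.
# The "**" line is an unrelated delivery error and must be ignored.
SAMPLE_LOG = """\
2009-05-10 08:01:12 1M3aaa-0001Ab-0a <= alice@example.com H=(pc1) [198.51.100.10] P=esmtpa A=login:alice@example.com S=2048
2009-05-10 08:05:40 1M3aab-0001Ac-0b <= alice@example.com H=(pc1) [198.51.100.10] P=esmtpa A=login:alice@example.com S=1900
2009-05-10 09:15:03 1M3aba-0001Bd-1c <= bob@example.com H=(bot1) [203.0.113.7] P=esmtpa A=login:bob@example.com S=5120
2009-05-10 09:16:44 1M3abb-0001Be-1d <= bob@example.com H=(bot2) [203.0.113.88] P=esmtpa A=login:bob@example.com S=5130
2009-05-10 09:18:21 1M3abc-0001Bf-1e <= bob@example.com H=(bot3) [192.0.2.45] P=esmtpa A=login:bob@example.com S=5099
2009-05-10 09:20:02 1M3abd-0001Bg-1f <= bob@example.com H=(bot4) [192.0.2.201] P=esmtpa A=login:bob@example.com S=5140
2009-05-10 09:21:50 1M3abe-0001Bh-1g <= bob@example.com H=(bot5) [198.51.100.250] P=esmtpa A=login:bob@example.com S=5101
2009-05-10 09:30:00 1M3add-0001Dk-3j ** spamtrap@example.org R=lookuphost T=remote_smtp: retry timeout exceeded
2009-05-10 10:02:11 1M3aca-0001Ci-2h <= carol@example.com H=(phone) [203.0.113.200] P=esmtpa A=login:carol@example.com S=800
2009-05-10 17:40:19 1M3acb-0001Cj-2i <= carol@example.com H=(laptop) [198.51.100.77] P=esmtpa A=login:carol@example.com S=700
"""

# Timestamp, a message arrival ("<="), the first [IPv4] on the line, then the
# A=<authenticator>:<account> field. Lines without A= (unauthenticated mail,
# deliveries, errors) never match, so only successful logins are counted.
AUTH_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ .*?"
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\] .*?A=\w+:(\S+)"
)


def parse_auth_events(log_text):
    """Return (timestamp, account, ip) for every authenticated submission line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(3), m.group(2)))
    return events


def max_distinct_ips(events, window=timedelta(hours=24)):
    """Per account, the largest number of distinct client IPs seen inside any `window`.

    A sliding window rather than a per-day bucket, so a burst that straddles
    midnight is still counted as one burst.
    """
    per_account = defaultdict(list)
    for ts, account, ip in events:
        per_account[account].append((ts, ip))
    result = {}
    for account, rows in per_account.items():
        rows.sort()
        best = 0
        for i, (start, _) in enumerate(rows):
            ips = {ip for ts, ip in rows[i:] if ts - start <= window}
            best = max(best, len(ips))
        result[account] = best
    return result


def suspicious_accounts(log_text, threshold=3, window=timedelta(hours=24)):
    """Accounts whose distinct-IP count within `window` reaches `threshold` (assumed defaults)."""
    counts = max_distinct_ips(parse_auth_events(log_text), window)
    return sorted((acct, n) for acct, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Assumed path: on a DirectAdmin box exim normally logs to /var/log/exim/mainlog.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for account, n in suspicious_accounts(text):
        print(f"{account}: {n} distinct IPs")
```

Because csf's custom log matching can only hand back an IP to block, the script reports the account instead; the useful response is on the account (reset the password or disable the mailbox), since, as the post notes, each sending IP is used once and never again. Users on mobile networks do change IPs legitimately, so the threshold and window are tuning knobs for the server in question, not fixed values.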
 
Hello,

The Brute Force Monitor (BFM) in DA does count the number of failed logins on individual accounts (all types, email, ftp, etc..), regardless of the IP used.
So check your settings in:
Admin Level -> Admin Settings -> Notify Admins after a User has X login failures from any IP.

However, this really only applies to their BF attack to get the password in the first place. (notifying you that the specific User is under attack)

Once they already have the password, then you'd rely on some of the newer features in DA that help you defend against spammers:
http://help.directadmin.com/item.php?id=81

However, there are new features in exim.pl version 9 and 10 (just download 10):
http://www.directadmin.com/features.php?id=1246
http://www.directadmin.com/features.php?id=1277

So get the exim.pl.10 and save it to /etc/exim.pl.
Get DA version 1.40.1 and you'll get the new goodies.

The per-email send limit would be the tool to prevent spammers from getting carried away, no matter where they're sending from.

E.g., after you get exim.pl.10 and DA 1.40.1, to set all email accounts such that they cannot send more than 50 emails per day, per account, use:
Code:
echo 50 > /etc/virtual/user_limit
Note that this is different from /etc/virtual/limit, in that it's not a DA user limit, where all email accounts are summed together for the limit. This is a per email address limit, applied to each account individually.

Then, with DA 1.40.1 and the realtime email usage stats you can see what each User is doing for that day, previous days, or all days. (the previous days or all days uses the bandwidth.tally, which can be huge, so might be slow if you have many accounts sending a lot of email)

John
 
Thank you very much.

I was looking for a way to find the e-mail user who has been hacked by parsing logs and running scripts, but it looks like there is no need for that much effort; limiting the daily sent e-mails helps with everything. I didn't know it was blocking the user from sending more e-mails right away; I thought it was only alerting.

Thanks again, that helped very much.
 