Hello,
I'm running csf+lfd and it helps me pretty well with brute-force attacks and tracking relays, but when a spammer captures one of the mail accounts' passwords with a virus or trojan on the client side, it can send spam mails in little pieces, like sending to 20 or 30 recipients by logging in with a different IP address every time. This can't be caught by a firewall because firewalls' prior purpose is to find individual IP addresses trying to do something harmful. Also, blocking the IP addresses doesn't do any good because the IP addresses won't be used a second time and they have already done their job.
I can only see this kind of activity the next day, as DirectAdmin warns me about which account sent more than 1000 e-mails yesterday. What I want to do is parse log files like lfd does, not counting the same IP address that failed to log in multiple times, but selecting different IP addresses that logged in successfully to one account.
I can write this to custom logs in csf, but it only expects an IP address as the result. I wonder if I can do this with DirectAdmin. I know there is a new brute-force defender in DirectAdmin; does it allow customization, and can it block a specific mail account?
Thanks
Engin
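The check asked for in the post above (distinct IP addresses authenticating successfully to one account inside a time window), as an added example that is not part of the original post and is not csf, lfd or DirectAdmin code. It assumes Exim main-log arrival lines carrying `A=<authenticator>:<account>`; the function name, threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: Exim main-log arrival line ("<=") of an authenticated sender.
# The IP must be followed by ":port" or whitespace so that a bracketed HELO
# literal such as H=([10.0.0.4]) is not mistaken for the connecting address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?\s.*? A=\w+:(?P<acct>\S+)"
)

def flag_accounts(lines, max_ips=3, window=timedelta(minutes=30)):
    """Return {account: sorted IPs} for every account that authenticated
    from more than max_ips distinct addresses within the sliding window."""
    recent = defaultdict(deque)   # account -> deque of (timestamp, ip)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # unauthenticated or unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["acct"]]
        q.append((ts, m["ip"]))
        while ts - q[0][0] > window:   # expire logins older than the window
            q.popleft()
        ips = {ip for _, ip in q}
        if len(ips) > max_ips:
            flagged.setdefault(m["acct"], set()).update(ips)
    return {acct: sorted(ips) for acct, ips in flagged.items()}

# Constructed sample log lines (documentation addresses and domains).
SAMPLE = """\
2024-01-10 09:00:05 1rNaaa-0001Aa-1A <= sales@example.com H=(pc1) [198.51.100.7] P=esmtpa A=login:sales@example.com S=2101
2024-01-10 09:03:41 1rNaab-0001Ab-2B <= sales@example.com H=([10.0.0.4]) [203.0.113.20] P=esmtpa A=login:sales@example.com S=2099
2024-01-10 09:05:12 1rNaac-0001Ac-3C <= info@example.com H=(office) [192.0.2.10] P=esmtpa A=plain:info@example.com S=880
2024-01-10 09:07:30 1rNaad-0001Ad-4D <= sales@example.com H=(x) [203.0.113.77] P=esmtpa A=login:sales@example.com S=2105
2024-01-10 09:09:02 1rNaae-0001Ae-5E <= sales@example.com H=(y) [198.51.100.200] P=esmtpa A=login:sales@example.com S=2098
2024-01-10 09:15:00 1rNaaf-0001Af-6F <= info@example.com H=(office) [192.0.2.10] P=esmtpa A=plain:info@example.com S=910
2024-01-10 09:16:00 1rNaag-0001Ag-7G <= bounce@example.net H=mx.example.net [192.0.2.99] P=esmtp S=4000
"""

if __name__ == "__main__":
    for account, ips in flag_accounts(SAMPLE.splitlines()).items():
        print(f"{account}: {len(ips)} distinct IPs: {', '.join(ips)}")
```

The result is keyed by account rather than by IP address, so it is meant to drive an account-level response such as a password reset or suspending the mailbox.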