On 2014-05-27, Paul Warren <pdw@???> wrote:
> We're seeing a growing problem of spam being sent through our servers
> using compromised authenticated SMTP credentials.
>
> We suspect that the credentials are being stolen using malware on the
> users' computers (over which we have no control).
>
> Obviously we block the accounts as quickly as possible once we become
> aware of the problem, but typically by this point we'll be on multiple
> blacklists.
>
> Does anyone have any suggestions for detecting and blocking, or at least
> limiting the impact of, such attacks?
Some sort of rate-limit on the credential.
You could start compiling a list of spamtrap domains. (but you'll only
find them the hard way)
> We're currently considering rate-limiting, or trying to detect where a
> single user is using multiple IPs in quick succession.
Multiple IPs could be valid if they used the same creds for their laptop,
phone, and document scanner, or if they're shared amongst a team.
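The two signals discussed in this thread, a per-credential rate limit and a count of distinct source IPs per credential, sketched as a sliding-window check over SMTP AUTH log lines. This is an added example, not code posted by anyone in the thread or from any particular MTA; the log format ("timestamp user=<login> ip=<addr> msgs=<count>"), the sample lines, and the thresholds are all constructed for illustration, and a real MTA's log lines will need their own parser.

```python
"""Per-credential rate limiting for authenticated SMTP, with a distinct-IP check.

Added example, not code from the thread. The log format and the thresholds
below are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
MAX_MSGS_PER_WINDOW = 200   # assumed: messages one credential may send per hour
MAX_IPS_PER_WINDOW = 4      # assumed: laptop, phone, scanner and one spare still fit

# Constructed sample log: alice uses two devices; bob's credential is being
# driven from many addresses at once.
SAMPLE_LOG = """\
2014-05-27T09:00:01 user=alice ip=192.0.2.10 msgs=1
2014-05-27T09:05:12 user=alice ip=198.51.100.7 msgs=1
2014-05-27T09:06:40 user=alice ip=192.0.2.10 msgs=2
2014-05-27T09:10:00 user=bob ip=203.0.113.5 msgs=50
2014-05-27T09:10:30 user=bob ip=203.0.113.77 msgs=60
2014-05-27T09:11:02 user=bob ip=198.51.100.200 msgs=70
2014-05-27T09:11:45 user=bob ip=192.0.2.99 msgs=40
2014-05-27T09:12:10 user=bob ip=203.0.113.140 msgs=30
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, ip, message count)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["ip"], int(fields["msgs"])


class CredentialLimiter:
    """Keeps a sliding window of deliveries per credential and raises alerts."""

    def __init__(self, window=WINDOW, max_msgs=MAX_MSGS_PER_WINDOW,
                 max_ips=MAX_IPS_PER_WINDOW):
        self.window = window
        self.max_msgs = max_msgs
        self.max_ips = max_ips
        # user -> deque of (timestamp, ip, msg_count), oldest first
        self.events = defaultdict(deque)

    def _expire(self, user, now):
        q = self.events[user]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def record(self, ts, user, ip, msgs):
        """Record one delivery; return the list of alerts it triggers (possibly empty)."""
        self._expire(user, ts)
        q = self.events[user]
        q.append((ts, ip, msgs))
        total = sum(m for _, _, m in q)
        distinct_ips = {a for _, a, _ in q}
        alerts = []
        if total > self.max_msgs:
            alerts.append(f"{user}: {total} msgs in window exceeds {self.max_msgs}")
        if len(distinct_ips) > self.max_ips:
            alerts.append(f"{user}: {len(distinct_ips)} distinct IPs in window "
                          f"exceeds {self.max_ips}")
        return alerts


def scan(log_text, limiter=None):
    """Run every line of log_text through the limiter and collect alerts in order."""
    limiter = limiter or CredentialLimiter()
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(limiter.record(*parse_line(line)))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample, alice's two devices on two addresses stay under both thresholds, which is the case the reply warns about; bob trips the message count on the fourth line and both the count and the distinct-IP check on the fifth. The IP count is only a supporting signal: a credential shared by a team looks the same as a stolen one by that measure, so the volume limit is the one to act on and the IP count is best used to raise confidence or lower the volume threshold.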