Lähettäjä: Cyborg Päiväys: Vastaanottaja: exim-users Aihe: Re: [exim] Better way to deal with phished users?
Am 05.07.21 um 13:19 schrieb Niels Kobschätzki via Exim-users: > The problem is the identification because you usually get to know it only, when the accounts are actively misused. If I get to know that users where specifically targeted I inform them. And at 2am in the night it might already be too late (you landed yourself on blacklists) - even though you still kick them from the system.
>
If you don't wanne use a form of 2FA, it could be impossible to identify
hacked accounts before they spam.
The nature of a hacked account is, that the attacker has obtained the
credentials from a PC and it's mailprogram oder via phising. In both
cases, they have a valid set of credentials, do not produce any login
error ( bruteforcing ) and their first login is most likely the moment
they start spamming.
A 2FA could add the IP to a database(file) and you only accept mails
from ips in this list + credentials. The 2FA could be a Website to login
or an android app.
I i.e. used something different: an ip-account-timeframe threshold to
detect botnets, which kicks them reliable at 2 AM before they can spam ;)