Lähettäjä: Niels Kobschätzki Päiväys: Vastaanottaja: Cyborg Kopio: exim-users Aihe: Re: [exim] Better way to deal with phished users?
On 5 Jul 2021, at 14:00, Cyborg via Exim-users wrote:
> Am 05.07.21 um 13:19 schrieb Niels Kobschätzki via Exim-users:
>> The problem is the identification because you usually get to know it
>> only, when the accounts are actively misused. If I get to know that
>> users where specifically targeted I inform them. And at 2am in the
>> night it might already be too late (you landed yourself on
>> blacklists) - even though you still kick them from the system.
>>
>
> If you don't wanne use a form of 2FA, it could be impossible to
> identify hacked accounts before they spam.
>
> The nature of a hacked account is, that the attacker has obtained the
> credentials from a PC and it's mailprogram oder via phising. In both
> cases, they have a valid set of credentials, do not produce any login
> error ( bruteforcing ) and their first login is most likely the moment
> they start spamming.
>
> A 2FA could add the IP to a database(file) and you only accept mails
> from ips in this list + credentials. The 2FA could be a Website to
> login or an android app.
I know that I can only detect them after the fact - actually after they
started and I can act on it then. I want to automate the acting upon it.
This is about damage mitigation when the preventive measures didn’t
help.