Compromised Account Detection

Document ID: 10514

Synopsis

MailSite 9.4 and later provides compromised account detection/blocking features.

More Information

If a spammer is able to obtain the username and password of a mailbox, they will use those credentials to relay an unlimited number of messages through your server. By the time the Administrator is aware of a problem, the server is likely to have been blacklisted and the Spool folder saturated, causing delays and rejections for genuine emails.

MailSite 9.4 and later has the ability to detect and lock out compromised accounts. MailSite tracks the number of messages sent by authenticated users by counting the number of RCPT: commands issued. If this number exceeds 5000 in a 24-hour period, MailSite will block the account from sending any further emails with the following message:

552 5.5.3 Account has exceeded permitted number of recipients

The postmaster mailbox in the default domain will be notified.

Verifying Detection is Enabled

To verify that Compromised Account Detection is enabled on your server, load the MailSite Console > Security > Security Properties. Under the General tab, the checkbox 'Enable Compromised Account Detection' should be selected.

Changing the default values

The default values for this feature can be configured within the MailSite Console under Server > Security > Security Properties > General.

  • To turn on/off: Select/deselect the option 'Enable Compromised Account Detection'.
  • You can set the maximum number of RCPT commands (Messages) and also the interval.

If an account has reached this limit, the user will need to wait until the interval has expired before they can send again. The administrator can also reset the counter for that mailbox from within the MailSite Console, under the Properties > Statistics tab for that mailbox.

Resetting of Counters

MailSite determines whether to reset the RCPT: counter for a given mailbox when that mailbox logs in. For example:

When a user logs in, if it has been more than 24 hours (or the interval period specified) since the user last logged in, the counter will be reset. If not, the counter will increment for each message that is sent, until it reaches the maximum value.

Based on the above principle, if a user logs in, sends 1000 emails and then never logs in again, the counter will remain at 1000. The administrator can manually reset the counter via the MailSite Console.

Generating Counter Reports

It is possible at any time to generate a report to view the current counters. This can give you an indication of the heaviest users on the system:

In the MailSite Console, click on Server > Traffic Counters. The 'SMTP RCPT Commands' counter will already be enabled if you have Compromised Account Detection enabled. You can select other counters if you wish to log these. Under the Report section, enter a value in the box for 'RCPT TO Commands', for example 100. Then hit Save Report. This will create a CSV file listing all the users which have an RCPT TO: counter value of 100 or more. If you see a number in the thousands, this could indicate a compromised account which should be investigated.
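The following is an added model of the counter behaviour this article describes (the per-mailbox RCPT TO count, the reset-on-login rule, the 552 refusal, the administrator reset and the threshold report). It is a constructed illustration written for this article, not MailSite's own code: the accept reply text, the postmaster notification list, the CSV column names, the mailbox names and the timestamps are all assumptions, and the limit is lowered to 5 so the block is visible in a short run.

```python
# Added model of the compromised-account counter described in this article.
# Constructed illustration, not MailSite code: behaviour beyond what the
# article states (accept reply, notification list, CSV column names, sample
# mailboxes and timestamps) is assumed.
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Reply quoted in the article when the limit is exceeded.
BLOCK_RESPONSE = "552 5.5.3 Account has exceeded permitted number of recipients"
# Assumed generic accept reply for an RCPT TO that is within the limit.
ACCEPT_RESPONSE = "250 2.1.5 Recipient OK"


@dataclass
class MailboxCounter:
    rcpt_count: int = 0                    # RCPT TO commands since the last reset
    last_login: Optional[datetime] = None  # time of the most recent login


@dataclass
class CompromisedAccountDetector:
    """Per-mailbox RCPT TO counter with the reset rules the article describes."""
    enabled: bool = True
    max_rcpt: int = 5000                       # article's default maximum
    interval: timedelta = timedelta(hours=24)  # article's default interval
    counters: Dict[str, MailboxCounter] = field(default_factory=dict)
    postmaster_notified: List[str] = field(default_factory=list)  # assumed notification log

    def login(self, mailbox: str, now: datetime) -> None:
        """Reset the counter only if more than `interval` has passed since the last login."""
        c = self.counters.setdefault(mailbox, MailboxCounter())
        if c.last_login is not None and now - c.last_login > self.interval:
            c.rcpt_count = 0
        c.last_login = now

    def rcpt_to(self, mailbox: str) -> str:
        """Count one RCPT TO from an authenticated session and return the SMTP reply."""
        c = self.counters.setdefault(mailbox, MailboxCounter())
        c.rcpt_count += 1
        if not self.enabled or c.rcpt_count <= self.max_rcpt:
            return ACCEPT_RESPONSE
        # Limit exceeded: refuse, and notify the postmaster on the first refusal.
        if mailbox not in self.postmaster_notified:
            self.postmaster_notified.append(mailbox)
        return BLOCK_RESPONSE

    def reset_counter(self, mailbox: str) -> None:
        """Administrator reset (the Properties > Statistics tab in the console)."""
        self.counters.setdefault(mailbox, MailboxCounter()).rcpt_count = 0

    def report(self, threshold: int) -> List[Tuple[str, int]]:
        """Mailboxes whose counter is at or above `threshold`, heaviest first."""
        rows = [(m, c.rcpt_count) for m, c in self.counters.items()
                if c.rcpt_count >= threshold]
        return sorted(rows, key=lambda r: (-r[1], r[0]))

    def report_csv(self, threshold: int) -> str:
        """CSV text in the shape of the console's saved report (column names assumed)."""
        buf = io.StringIO()
        w = csv.writer(buf)
        w.writerow(["Mailbox", "RCPT TO Commands"])
        w.writerows(self.report(threshold))
        return buf.getvalue()


def demo() -> dict:
    """Walk through the article's scenario with a limit of 5 instead of 5000."""
    d = CompromisedAccountDetector(max_rcpt=5)
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    d.login("alice@example.com", t0)
    first_day = [d.rcpt_to("alice@example.com") for _ in range(6)]  # sixth is refused
    d.login("alice@example.com", t0 + timedelta(hours=1))   # within interval: no reset
    within_interval = d.rcpt_to("alice@example.com")
    d.login("alice@example.com", t0 + timedelta(hours=26))  # interval elapsed: reset
    after_interval = d.rcpt_to("alice@example.com")
    d.login("bob@example.com", t0)
    for _ in range(3):
        d.rcpt_to("bob@example.com")
    return {
        "first_day": first_day,
        "within_interval": within_interval,
        "after_interval": after_interval,
        "notified": list(d.postmaster_notified),
        "report": d.report(threshold=1),
        "report_csv": d.report_csv(threshold=3),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `demo()` run shows the two points the article makes about resets: a login inside the interval leaves a blocked account blocked, and only a login after the interval (or an administrator reset) clears the counter; the CSV report at the end is the same threshold filter the console applies when you save a report.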