My company created an internal system to detect compromised accounts in real time. We call it 'SMTPAudit' and we have released it as a free hosted service available at https://smtpaudit.com. It logs all of your authentication sessions to a web service, determines the IP address, the country the IP address is from, and allows you to query the data. You can then optionally configure the alerting feature that allows you to be notified of authentications from countries outside of your user base as well as alerts for accounts authenticating from too many unique IP addresses.
The whole purpose of this project is to find compromised accounts that are in use by spammer botnets. The new tactic being used by spammers is to send very low volumes of spam so that it does not trigger other alerting methods. The only way we've found to catch these issues is to find accounts authenticating from countries outside of the user base or that use too many unique IP addresses.
The project is in active development and we look forward to any comments or feature requests that can help improve the usefulness to system admins.
Our software is different than other log analyzers in that logs are analyzed in near real time and reported to a hosted service for analysis against rules you have defined. It has provided our system admins with peace of mind and a huge time savings.
SMTPAudit.com - A free real time SMTP log file analysis / auditing / alerting service focusing on detection of compromised accounts in use by spammer botnets.
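
The two rules the post describes (logins from countries outside the user base, and too many unique IP addresses per account), as an added example that is not SMTPAudit's code. It assumes Postfix-style SASL login lines and a constructed IP-to-country table in place of a real GeoIP lookup; `audit`, `country_of` and the thresholds are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Postfix's SASL login format (an assumption; the
# post does not say which mail server or log format SMTPAudit reads).
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[811]: 4A1B2: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 10:02:17 mx postfix/smtpd[811]: 4A1B3: client=unknown[192.0.2.11], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:05:40 mx postfix/smtpd[812]: 4A1B4: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  3 10:06:02 mx postfix/smtpd[812]: 4A1B5: client=unknown[203.0.113.20], sasl_method=LOGIN, sasl_username=carol@example.com
Mar  3 10:06:30 mx postfix/smtpd[813]: 4A1B6: client=unknown[203.0.113.21], sasl_method=LOGIN, sasl_username=carol@example.com
Mar  3 10:07:11 mx postfix/smtpd[813]: 4A1B7: client=unknown[203.0.113.22], sasl_method=LOGIN, sasl_username=carol@example.com
Mar  3 10:09:00 mx postfix/smtpd[814]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed
"""

# Constructed stand-in for a GeoIP database: documentation ranges mapped to
# made-up countries so the example runs offline.
GEO = {ipaddress.ip_network(n): c for n, c in
       [("192.0.2.0/24", "US"), ("198.51.100.0/24", "BR"), ("203.0.113.0/24", "US")]}

AUTH_RE = re.compile(r"client=\S*\[([0-9a-fA-F.:]+)\], sasl_method=\S+, sasl_username=(\S+)")

def country_of(ip):
    """Country code for an IP, or "??" when the table has no entry."""
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in GEO.items() if addr in net), "??")

def audit(log_text, allowed_countries, max_unique_ips):
    """Return {account: [reasons]} for accounts breaking either rule."""
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:  # failed logins and other lines do not match and are skipped
            ips[m.group(2).lower()].add(m.group(1))
    alerts = {}
    for account, seen in sorted(ips.items()):
        reasons = []
        foreign = sorted({country_of(ip) for ip in seen} - set(allowed_countries))
        if foreign:
            reasons.append("country outside user base: " + ",".join(foreign))
        if len(seen) > max_unique_ips:
            reasons.append(f"{len(seen)} unique IPs (limit {max_unique_ips})")
        if reasons:
            alerts[account] = reasons
    return alerts

if __name__ == "__main__":
    for account, reasons in audit(SAMPLE_LOG, {"US"}, 2).items():
        print(account, "->", "; ".join(reasons))
```

Neither rule looks at message volume, which is why a low-volume sender such as the constructed `bob@example.com` login is still flagged.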