I had an interesting problem overnight. I was notified via email by the system indicating "Auto Spam Notification."
This is fine and the rule worked as expected. The user was throttled and I began remediation.
The first thing I did was go into the user and change the password. The user was still connected and sending spam at a high rate. I then went in and turned off SMTP and IMAP access under the specific user. Again, I saved that and went back to the logs. I was still getting emails coming through.
It took an hour or so to see Authentication Failed in the log files. This should have been immediate. And how, if I disabled SMTP and IMAP access for the user, were emails being accepted by the mail server? It seems something is wrong there. The only thing I found to work 100% and almost immediately was blacklisting the IP addresses.
Anyway, I just wanted to see if any others have seen similar issues and if I have done something wrong in order to keep the spam flowing.
On another note, I think we should be able to have a rule that automatically changes a user's password, temporarily blacklists IP addresses, or temporarily blocks a user if they make multiple connections within 1 minute from greater than 2 countries or something like that. Once an account is compromised, the credentials are rapidly shared.
Thank you.
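As an added illustration of the rule suggested in the last paragraph (this is example code, not part of the original post and not tied to any particular mail server product): a small Python sketch that walks authentication log lines, keeps a 60-second sliding window per user, and flags any user whose logins in that window come from more than 2 countries. The log format, the `country=` field (assumed to have been added by an earlier GeoIP lookup step), the sample lines and the thresholds are all assumptions constructed for the example; the `plan_response` output is only a list of proposed actions that a real deployment would map onto its own server's block-user and IP-blacklist controls.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from the original post). Each line carries a
# timestamp, the user, the client IP and a country code assumed to come from a
# prior GeoIP lookup. Alice logs in from three countries inside 40 seconds;
# Bob twice from one country; Carol from three countries but minutes apart.
SAMPLE_LOG = """\
2024-01-01T02:00:01Z login user=alice ip=203.0.113.10 country=US
2024-01-01T02:00:15Z login user=alice ip=198.51.100.7 country=DE
2024-01-01T02:00:40Z login user=alice ip=192.0.2.55 country=BR
2024-01-01T02:00:50Z login user=bob ip=203.0.113.20 country=US
2024-01-01T02:01:30Z login user=bob ip=203.0.113.21 country=US
2024-01-01T02:05:00Z login user=carol ip=198.51.100.9 country=DE
2024-01-01T02:06:30Z login user=carol ip=192.0.2.56 country=BR
2024-01-01T02:08:00Z login user=carol ip=203.0.113.30 country=US
"""

WINDOW_SECONDS = 60   # "within 1 minute" from the post
MAX_COUNTRIES = 2     # "greater than 2 countries" from the post


def parse_line(line):
    """Split one constructed log line into (timestamp, user, ip, country)."""
    ts, _event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            fields["user"], fields["ip"], fields["country"])


def find_suspicious(log_text, window=WINDOW_SECONDS, max_countries=MAX_COUNTRIES):
    """Return {user: [(window_start, sorted countries, sorted ips), ...]} for every
    user whose logins within any `window`-second span come from more than
    `max_countries` distinct countries. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # user -> deque of (ts, ip, country) in the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country = parse_line(line)
        q = recent[user]
        q.append((ts, ip, country))
        # Drop entries that fell out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        countries = {c for _, _, c in q}
        if len(countries) > max_countries:
            alerts.setdefault(user, []).append(
                (q[0][0], sorted(countries), sorted({i for _, i, _ in q})))
    return alerts


def plan_response(alerts):
    """Turn alerts into the actions the post proposes: temporarily block the user
    and temporarily blacklist every IP seen in the offending window. Returned as
    plain tuples so a caller can map them onto its own mail server's controls."""
    actions = set()
    for user, hits in alerts.items():
        actions.add(("block_user", user))
        for _start, _countries, ips in hits:
            for ip in ips:
                actions.add(("blacklist_ip", ip))
    return sorted(actions)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for user, hits in found.items():
        for start, countries, ips in hits:
            print(f"{user}: {len(countries)} countries {countries} from {ips} "
                  f"within {WINDOW_SECONDS}s starting {start}")
    for action in plan_response(found):
        print("proposed:", action)
```

Run as written, only `alice` is flagged: Carol's three-country pattern is spread over several minutes and drops out of the 60-second window, which is the point of tying the rule to a short time span rather than to "ever seen from more than two countries". Widening `window` to 300 seconds flags Carol as well, so the threshold and window should be tuned against the site's own travel and VPN patterns before any automatic blocking is enabled.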