I have two IDS rules in place to catch an internal spammer. One is a notify (5 minutes/50 messages). The other is a block (5 minutes, 150 messages, block for 1440 minutes). In the past, this has worked on two accounts that were compromised.
Yesterday, I had a spammer gain access to a little-used account. I never received a notify, and the block was never placed. It did not show up in abuse detection violations, and mail never stopped.
Our overall server throttling plan did catch it, but I wonder why the IDS rule failed.
Server logs show this activity (I've removed the IP and account names):
Delivery log looked like this:
[56637] Delivery started for spammer@spam.com (via compromised-account) at 7:48:46 AM
SMTP log looked like this:
07:47:54 [spammer-ip-address][19249994] Authenticating as compromised-account
07:47:54 [spammer-ip-address][19249994] rsp: 235 Authentication successful
07:47:54 [spammer-ip-address][19249994] Authenticated as compromised-account
07:47:54 [spammer-ip-address][19249994] cmd: MAIL FROM: <spammer@spam.com>
07:47:54 [spammer-ip-address][19249994] senderEmail(1): spammer@spam.com parsed using: <spammer@spam.com>
07:47:54 [spammer-ip-address][19249994] rsp: 250 OK <spammer@spam.com> Sender ok
I'm wondering if I've misconfigured something. Any thoughts?
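As an added illustration (not part of the original post, and not the mail server's own rule engine), the script below implements the kind of threshold check the two IDS rules describe: count messages per authenticated account over a sliding 5-minute window, flag "notify" at 50 and "block" at 150. The log format is modelled on the SMTP lines quoted above; the sample log lines are constructed, the session-to-account mapping (tie each `cmd: MAIL FROM:` to the session that last logged `Authenticated as`) and the sliding-window semantics are assumptions about how such a rule counts, since the post does not say how the product counts internally. It also runs the same 60 messages at two different pacings to show the general property of any fixed-window threshold: a sender who paces below the rate never reaches the count within any one window.

```python
import re
from collections import defaultdict, deque

# Thresholds taken from the post: notify at 50 messages / 5 min, block at 150 / 5 min.
NOTIFY_LIMIT = 50
BLOCK_LIMIT = 150
WINDOW_SECONDS = 5 * 60

# Assumed line shape, modelled on the quoted SMTP log:
#   HH:MM:SS [client-ip][session-id] message
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}) \[([^\]]*)\]\[(\d+)\] (.*)$")
AUTH_RE = re.compile(r"^Authenticated as (\S+)$")
MAILFROM_RE = re.compile(r"^cmd: MAIL FROM:", re.IGNORECASE)


def parse_line(line):
    """Split one log line into (seconds-since-midnight, ip, session, message) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hh, mm, ss, ip, session, msg = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), ip, session, msg


def evaluate(lines, notify_limit=NOTIFY_LIMIT, block_limit=BLOCK_LIMIT, window=WINDOW_SECONDS):
    """Replay log lines and return {account: {"peak": n, "notify": bool, "block": bool}}.

    peak is the highest number of MAIL FROM commands seen for that account inside
    any single sliding window of `window` seconds (assumed counting model).
    """
    session_account = {}                 # session id -> authenticated account
    recent = defaultdict(deque)          # account -> timestamps still inside the window
    result = defaultdict(lambda: {"peak": 0, "notify": False, "block": False})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _ip, session, msg = parsed
        am = AUTH_RE.match(msg)
        if am:
            session_account[session] = am.group(1)
            continue
        if MAILFROM_RE.match(msg):
            account = session_account.get(session)
            if account is None:
                continue                 # unauthenticated MAIL FROM: not attributable to an account
            q = recent[account]
            q.append(ts)
            while q and ts - q[0] >= window:
                q.popleft()              # drop sends older than the window
            n = len(q)
            r = result[account]
            r["peak"] = max(r["peak"], n)
            if n >= notify_limit:
                r["notify"] = True
            if n >= block_limit:
                r["block"] = True
    return dict(result)


def fmt(ts):
    return "%02d:%02d:%02d" % (ts // 3600, (ts % 3600) // 60, ts % 60)


def make_sample_log(count, spacing, account="compromised-account", session="19249994",
                    start=7 * 3600 + 47 * 60 + 54):
    """Constructed sample log: one authenticated session sending `count` messages
    `spacing` seconds apart, in the shape of the post's SMTP log. Not real traffic."""
    lines = [
        f"{fmt(start)} [spammer-ip-address][{session}] Authenticating as {account}",
        f"{fmt(start)} [spammer-ip-address][{session}] rsp: 235 Authentication successful",
        f"{fmt(start)} [spammer-ip-address][{session}] Authenticated as {account}",
    ]
    for i in range(count):
        ts = start + i * spacing
        lines.append(f"{fmt(ts)} [spammer-ip-address][{session}] cmd: MAIL FROM: <spammer@spam.com>")
        lines.append(f"{fmt(ts)} [spammer-ip-address][{session}] rsp: 250 OK <spammer@spam.com> Sender ok")
    return lines


if __name__ == "__main__":
    # 60 messages 3 s apart: all land in one 5-minute window, so the notify rule fires.
    print("fast burst:", evaluate(make_sample_log(60, 3)))
    # The same 60 messages 12 s apart: at most 25 fall inside any 5-minute window,
    # so neither rule ever fires even though the total volume is identical.
    print("slow drip: ", evaluate(make_sample_log(60, 12)))
```

Running the block prints the per-account peak and which thresholds it crossed for each pacing; swapping in real log lines (same shape) shows what a window/count rule would have seen for a given account.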