IDS Rule Didn't Catch Internal Spammer
Question asked by Peter Konshak - 11/8/2019 at 3:49 AM
I have two IDS rules in place to catch an internal spammer.  One is a notify (5 minutes/50 messages).  The other is a block (5 minutes, 150 messages, block for 1440 minutes).  In the past, this has worked on two accounts that were compromised.

Yesterday, I had a spammer gain access to a little-used account.  I never received a notify, and the block was never placed.  It did not show up in abuse detection violations, and mail never stopped.

Our overall server throttling plan did catch it, but I wonder why the IDS rule failed.

Server logs show this activity (I've removed the IP and account names):

Delivery log looked like this:

[56637] Delivery started for spammer@spam.com (via comprised-account) at 7:48:46 AM

Smtp log looked like this:

07:47:54 [spammer-ip-address][19249994] Authenticating as compromised-account 
07:47:54 [spammer-ip-address][19249994] rsp: 235 Authentication successful 
07:47:54 [spammer-ip-address][19249994] Authenticated as compromised-account 
07:47:54 [spammer-ip-address][19249994] cmd: MAIL FROM: <spammer@spam.com>
07:47:54 [spammer-ip-address][19249994] senderEmail(1): spammer@spam.com parsed using: <spammer@spam.com>
07:47:54 [spammer-ip-address][19249994] rsp: 250 OK  <spammer@spam.com> Sender ok

I'm wondering if I've misconfigured something.  Any thoughts?
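To make the threshold logic in the question concrete (notify at 50 messages in 5 minutes, block at 150 in 5 minutes for 1440 minutes), here is an added example that is not part of the original post and not the mail server's own abuse-detection code: a sliding-window counter fed with SMTP log lines in the shape quoted above. It can count either per authenticated account or per envelope sender (`MAIL FROM`); which identity a product's IDS actually keys on is an assumption here, not a statement about the server in question. The log lines, the `spam.example` addresses, and the base date are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regexes matching the two log line shapes quoted in the post; other lines are ignored.
AUTH_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) \[(?P<ip>[^\]]+)\]\[(?P<sid>\d+)\] Authenticated as (?P<account>\S+)")
MAILFROM_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) \[(?P<ip>[^\]]+)\]\[(?P<sid>\d+)\] cmd: MAIL FROM:\s*<(?P<sender>[^>]+)>")

# Thresholds from the post: notify at 50 msgs / 5 min, block at 150 msgs / 5 min for 1440 min.
WINDOW = timedelta(minutes=5)
NOTIFY_AT = 50
BLOCK_AT = 150
BLOCK_FOR = timedelta(minutes=1440)

# Log lines carry only a time of day; an assumed date makes the timestamps comparable.
BASE_DATE = datetime(2019, 11, 7)


def parse_ts(hms):
    return datetime.combine(BASE_DATE.date(), datetime.strptime(hms, "%H:%M:%S").time())


class RateDetector:
    """Sliding-window message counter keyed on the authenticated account
    ("account") or on the envelope sender from MAIL FROM ("sender")."""

    def __init__(self, key_on="account"):
        assert key_on in ("account", "sender")
        self.key_on = key_on
        self.session_account = {}          # session id -> authenticated account
        self.window = defaultdict(deque)   # key -> timestamps of recent MAIL FROMs
        self.notified = set()
        self.block_until = {}              # key -> datetime the block expires
        self.alerts = []                   # (kind, key, timestamp)
        self.dropped = 0                   # messages refused while a block was active

    def feed(self, line):
        m = AUTH_RE.match(line)
        if m:
            self.session_account[m["sid"]] = m["account"]
            return
        m = MAILFROM_RE.match(line)
        if not m:
            return
        now = parse_ts(m["ts"])
        if self.key_on == "account":
            key = self.session_account.get(m["sid"], "<unauthenticated>")
        else:
            key = m["sender"]

        # Block still active for this key: refuse the message instead of counting it.
        if key in self.block_until and now < self.block_until[key]:
            self.dropped += 1
            return

        q = self.window[key]
        q.append(now)
        while q and now - q[0] > WINDOW:   # evict events older than the window
            q.popleft()

        if len(q) >= BLOCK_AT:
            self.block_until[key] = now + BLOCK_FOR
            self.alerts.append(("block", key, now))
            q.clear()
        elif len(q) >= NOTIFY_AT and key not in self.notified:
            self.notified.add(key)
            self.alerts.append(("notify", key, now))


def constructed_log(n_messages=200, n_senders=10):
    """Constructed sample: one login as 'compromised-account', then n_messages MAIL FROM
    commands one second apart, rotating across n_senders distinct envelope senders."""
    lines = ["07:47:54 [spammer-ip-address][19249994] Authenticated as compromised-account"]
    start = datetime(2019, 11, 7, 7, 47, 55)
    for i in range(n_messages):
        t = (start + timedelta(seconds=i)).strftime("%H:%M:%S")
        lines.append(f"{t} [spammer-ip-address][19249994] cmd: MAIL FROM: <user{i % n_senders}@spam.example>")
    return lines


def run(lines, key_on="account"):
    det = RateDetector(key_on)
    for line in lines:
        det.feed(line)
    return det


if __name__ == "__main__":
    for key_on in ("account", "sender"):
        d = run(constructed_log(), key_on)
        print(key_on, [a[0] for a in d.alerts], "dropped:", d.dropped)
```

Run against the constructed log, the counter keyed on the authenticated account raises the notify at the 50th message, blocks at the 150th and refuses the remaining 50, while the same log counted per envelope sender never reaches either threshold because the volume is spread over ten addresses. That difference is the check worth making when a rule fails to fire: confirm which identity the rule counts against and compare it with what the delivery log shows for the offending session.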
