I'm a bit perplexed.
You notice anomalous traffic from a user, which ends up being throttled, or you notice that the spool queue is longer than usual.
In message search I go to see what the user is sending, but it's useless because the user has authenticated and the message then has a different From.
OK, let's look in the spool to figure out what is being sent, but here too I only see the sender in From; to see the auth I have to open the single message and look at the header.
Looking in the logs doesn't let me understand what type of message it is.
It would be nice to have:
1) In the spool, a column with the auth address that is in the header, and the possibility of searching on that value.
2) In message search, the possibility to search by auth and not by From.
3) A report of the accounts whose traffic is higher than xx% compared to their average.
4) I think this has been discussed before: allow country-specific IP blocking at user level, not just domain level.
5) In the log line where it says
Authentication failed - login failed
change it to
Authentication failed - login failed user@domain.tld
so you can filter with Only Matching Row.
6) Also at user level it would be nice to be able to prevent the user from changing the From with respect to the auth, or to have a report of who does it and how often they do it.
It would be much easier to do the checks.
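The two reports asked for above (points 3 and 6: accounts sending with a From that differs from their authenticated identity, and accounts whose volume exceeds their usual average by more than a chosen percentage) can be produced from the logs once the auth address is recorded on each line. The script below is an added example, not code from the original post or from any mail server product. It assumes a constructed `auth=... from=...` log format and constructed baseline averages; a real server's log layout would need its own regular expression.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in a hypothetical "status=... auth=... from=..." format.
# Real mail-server logs use their own layout; only LINE_RE would need to change.
SAMPLE_LOG = """\
2024-01-10T09:00:01 status=sent auth=alice@example.com from=alice@example.com
2024-01-10T09:00:05 status=sent auth=bob@example.com from=bob@example.com
2024-01-10T09:00:07 status=sent auth=bob@example.com from=ceo@example.com
2024-01-10T09:00:09 status=sent auth=bob@example.com from=ceo@example.com
2024-01-10T09:00:12 status=sent auth=bob@example.com from=invoices@other.example
2024-01-10T09:01:00 status=sent auth=carol@example.com from=carol@example.com
2024-01-10T09:01:30 status=failed auth=? from=? reason=login-failed
"""

# Constructed per-account daily averages, the baseline the traffic report compares against.
BASELINE_AVG = {
    "alice@example.com": 20.0,
    "bob@example.com": 2.0,
    "carol@example.com": 1.0,
}

LINE_RE = re.compile(r"status=(?P<status>\w+)\s+auth=(?P<auth>\S+)\s+from=(?P<frm>\S+)")


def parse_log(text):
    """Return a list of (auth_user, from_address) for every successfully sent message.

    Lines that do not match the expected layout, or that were not sent, are skipped,
    so a failed login (auth=?) never counts as traffic for anyone.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("status") != "sent":
            continue
        records.append((m.group("auth").lower(), m.group("frm").lower()))
    return records


def from_mismatches(records):
    """Report, per authenticated account, which foreign From addresses it used and how often.

    Returns {auth_user: {from_address: count}} containing only mismatching pairs;
    accounts that always send as themselves do not appear.
    """
    per_user = defaultdict(Counter)
    for auth, frm in records:
        if auth != frm:
            per_user[auth][frm] += 1
    # Convert to plain dicts so the result is easy to serialise or compare.
    return {user: dict(counter) for user, counter in per_user.items()}


def traffic_anomalies(records, baseline, threshold_pct):
    """Return accounts whose message count exceeds their baseline average by more than threshold_pct.

    Each entry is (auth_user, count, baseline_avg, percent_increase), sorted by largest
    increase first. An account with no baseline (or a zero baseline) is always reported,
    with an infinite percentage, since any traffic from it is unexpected.
    """
    counts = Counter(auth for auth, _ in records)
    flagged = []
    for user, count in counts.items():
        avg = float(baseline.get(user, 0.0))
        if avg <= 0:
            flagged.append((user, count, avg, float("inf")))
            continue
        pct = (count - avg) / avg * 100.0
        if pct > threshold_pct:
            flagged.append((user, count, avg, pct))
    return sorted(flagged, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("From/auth mismatches:", from_mismatches(recs))
    print("Traffic > 50% above average:", traffic_anomalies(recs, BASELINE_AVG, 50))
```

Run over the constructed sample, the mismatch report shows bob@example.com sending as two other addresses, and the traffic report flags the same account at 100% above its baseline; the failed-login line contributes to neither, which is the reason the parser keys on `status=sent` rather than on every line mentioning a user.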