Hi guys. I've asked SM several times to improve the log reporting, but I understand they have other priorities.
I've found some time to dedicate to the project and now I have a first draft.
The current goal is to identify anomalies such as:
1) IPs that have many or only few authentication failures (to be blacklisted)
Among these, there could be IPs that have many failures on many emails and few successes on some emails (compromised email?)
You'll say, "But there are ID rules." Yet I've seen many IPs that are slowly trying to detect ID rules.
I still have a lot to do:
- blacklisting IPs via API.
- IP normalization, meaning looking for ranges of IPs instead of individual IPs to blacklist.
I'll show you some screenshots to give you an idea.

It's a web app in DotNet Core 10.
Currently tested only in IIS.
Ideas for new reports are welcome.
Another thing I'll definitely do is real-time log analysis.
That is, a screen that collects an SMTP session in a single view, which then becomes a delivery, passing through an anti-spam check.
Perhaps with IP filtering.
Imagine, a user calls who's having problems: give me your IP, we'll see what happens.
And I can track it in real time in a single screen.
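
The per-IP report described in the post (failures spread over many mailboxes, an occasional success, and grouping IPs into ranges) could look like the sketch below. This is an added example, not the poster's code: the five-field log line format, the sample events, the threshold and the function names `analyze` and `group_ranges` are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events in an assumed format (not a real mail server log):
# "date time ip mailbox result"
SAMPLE_LOG = """\
2025-01-01 00:10:00 203.0.113.7 alice@example.test FAIL
2025-01-01 06:40:00 203.0.113.7 bob@example.test FAIL
2025-01-01 13:05:00 203.0.113.7 carol@example.test FAIL
2025-01-01 19:30:00 203.0.113.7 dave@example.test OK
2025-01-01 02:00:00 203.0.113.9 alice@example.test FAIL
2025-01-01 09:00:00 203.0.113.9 erin@example.test FAIL
2025-01-01 17:00:00 203.0.113.9 frank@example.test FAIL
2025-01-01 08:00:00 198.51.100.4 gina@example.test FAIL
2025-01-01 08:01:00 198.51.100.4 gina@example.test OK
"""

def analyze(log_text, min_failed_mailboxes=3):
    """Count distinct mailboxes per IP over the whole log rather than a short
    time window, so attempts spaced hours apart still add up."""
    failed, succeeded = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] not in ("OK", "FAIL"):
            continue  # skip lines that do not match the assumed format
        _date, _time, ip, mailbox, result = parts
        (succeeded if result == "OK" else failed)[ip].add(mailbox.lower())
    report = {}
    for ip, boxes in failed.items():
        if len(boxes) >= min_failed_mailboxes:
            report[ip] = {
                "failed_mailboxes": sorted(boxes),
                # a success from an IP that fails on many other mailboxes
                "possibly_compromised": sorted(succeeded[ip] - boxes),
            }
    return report

def group_ranges(ips, prefix=24):
    """Group flagged IPv4 addresses by network; keep ranges with 2+ members."""
    ranges = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        ranges[str(net)].append(ip)
    return {n: sorted(m) for n, m in ranges.items() if len(m) > 1}

if __name__ == "__main__":
    flagged = analyze(SAMPLE_LOG)
    print(flagged)
    print(group_ranges(flagged))
```

The third IP in the sample, one failure followed by a success on the same mailbox, stays out of the report, which is the mistyped-password case a blacklist should not catch.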