Spammer sending detected on <ip> from multiple ip addresses (8), change users password urgently, or set g_breakin_white <Email> or disable by setting to *, use tellmail breakin_release to unlock the account
I've been getting a lot of these messages lately. I'm guessing there have been some compromised accounts recently and now we are finally being targeted. I usually just change the person's password, force them to clean up their computer(s) and reactivate. One customer has actually been turned back on after a full cleaning, and it was still able to crack the password somehow. It didn't stop until we had him change his password and his outgoing port to 587. I'm thinking this is some form of virus that is monitoring port 25 for open passwords. So I'm looking at making SSL a requirement, but I'm not sure if that would stop a local virus.
Anyway, after reviewing the settings for g_breakin_white, I was wondering if there was something similar but reversed: a list of email addresses NOT to allow multiple connections from in the meantime, until the situation is resolved. We had to use trial and error for this person by waiting for their IT to finish their work and say it was clean, only to find it was not again. I can't see adding a list of everyone who needs to send from different locations; it could be hundreds. So let's reverse it, so we can monitor compromised accounts.
Problem is, many people use mobile devices and their home computers, possibly even their work computers. So I can't disable this setting to *; it would lock out people like me who have mobile devices etc. So you could theoretically even make a default setting for the threshold of allowable exterior or different IP addresses within a certain time period. I can't see most people going past 3 or 4 IPs. Phone, tablet, home and work.
I'm just wondering if there is another way we can combat this that I'm not aware of.
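As an added illustration of the two ideas in the post above (a per-account threshold of distinct source IPs within a time window, plus a "reverse" watchlist of suspect accounts that are allowed only one source at a time), here is a small detector that runs over SMTP auth log lines. This is example code written for this page, not SurgeMail's own breakin logic, and the `<timestamp> <event> <user> <ip>` line format, the account names and the IP addresses are all constructed; the `whitelist` argument plays the role of `g_breakin_white`, and `watchlist` is the reversed list the poster is asking for.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "<timestamp> <event> <user> <ip>"
# format; this is not SurgeMail's log layout. alice roams between 4 devices,
# bob authenticates from 8 addresses in 40 minutes, carol is a suspect account
# seen from 2 addresses, dave is a known roaming user on the whitelist.
SAMPLE_LOG = """\
2024-03-01T08:00:00 auth_ok alice 203.0.113.10
2024-03-01T08:05:00 auth_ok alice 203.0.113.11
2024-03-01T08:20:00 auth_ok alice 198.51.100.7
2024-03-01T08:40:00 auth_ok alice 192.0.2.55
2024-03-01T09:00:00 auth_ok bob 198.51.100.1
2024-03-01T09:05:00 auth_ok bob 198.51.100.2
2024-03-01T09:10:00 auth_ok bob 198.51.100.3
2024-03-01T09:15:00 auth_ok bob 198.51.100.4
2024-03-01T09:20:00 auth_ok bob 198.51.100.5
2024-03-01T09:25:00 auth_fail bob 198.51.100.99
2024-03-01T09:30:00 auth_ok bob 198.51.100.6
2024-03-01T09:35:00 auth_ok bob 198.51.100.7
2024-03-01T09:40:00 auth_ok bob 198.51.100.8
2024-03-01T10:00:00 auth_ok carol 203.0.113.20
2024-03-01T10:10:00 auth_ok carol 203.0.113.21
2024-03-01T11:00:00 auth_ok dave 192.0.2.1
2024-03-01T11:05:00 auth_ok dave 192.0.2.2
2024-03-01T11:10:00 auth_ok dave 192.0.2.3
2024-03-01T11:15:00 auth_ok dave 192.0.2.4
2024-03-01T11:20:00 auth_ok dave 192.0.2.5
"""


def parse_line(line):
    """Return (timestamp, user, ip) for a successful auth line, else None.
    Failed logins are ignored: only accepted credentials count as a 'source'."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != "auth_ok":
        return None
    return datetime.fromisoformat(parts[0]), parts[2], parts[3]


def peak_distinct_ips(events, window):
    """Largest set of distinct source IPs for one account inside any sliding
    window of the given length. events: iterable of (timestamp, ip)."""
    events = sorted(events)
    peak = set()
    for ts, _ in events:
        ips = {ip for t, ip in events if ts - window <= t <= ts}
        if len(ips) > len(peak):
            peak = ips
    return peak


def find_suspicious(log_text, max_ips=4, window=timedelta(hours=1),
                    watchlist=frozenset(), whitelist=frozenset()):
    """Map each account that exceeds its IP limit to the sorted IPs seen.

    whitelist: accounts never flagged (roaming users; the g_breakin_white idea).
    watchlist: suspect accounts allowed a single source IP per window (the
               'reversed' list); everyone else gets the default max_ips."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, user, ip = parsed
            by_user[user].append((ts, ip))

    flagged = {}
    for user, events in by_user.items():
        if user in whitelist:
            continue
        limit = 1 if user in watchlist else max_ips
        ips = peak_distinct_ips(events, window)
        if len(ips) > limit:
            flagged[user] = sorted(ips)
    return flagged


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG, watchlist={"carol"}, whitelist={"dave"})
    for user, ips in hits.items():
        print(f"{user}: {len(ips)} source IPs within one hour -> {', '.join(ips)}")
```

With the defaults (4 IPs per hour), alice's phone/tablet/home/work pattern passes while bob is flagged; putting carol on the watchlist flags her at the second address, and whitelisting dave keeps a legitimate heavy roamer from tripping the threshold. In production the window and threshold would be tuned per site, and the flagged list would feed whatever lockout or password-reset procedure the server already has.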