Use case: Spammer attack on mail server


Description: When the password of a mailbox is leaked from a mail server, an attacker may use that account to send millions of spam emails through the server. The impact falls on the reputation of the mail system: after a certain number of spam emails have gone out, the sending server is reported to the global anti-spam engines (DNS-based blocklists, DNSBLs) and its legitimate mail starts to be rejected as well. We want to get a notification as soon as the problem arises, which can be done by checking the length of the retry (deferred) queue on the mail server. If it increases well beyond its normal values, an attack is quite surely happening. The check needs a baseline: a legitimate bulk mailing or an outage at a large receiving provider also inflates the queue, so the threshold should be derived from the queue length observed during normal operation rather than set to an arbitrary value.

Scenario: An attacker floods a mail server (SMTP) with spam emails, using the leaked credentials to relay messages to his “1 million email database”. The immediate effect on the mail system is a fast increase in the length of the retry queue, which happens mainly for two reasons:

  • Many destination addresses in the spammer’s list are no longer valid (stale data), so those deliveries fail and the resulting bounces and retries accumulate in the queue.
  • The major email providers rate-limit connections from a sender that suddenly ramps up its volume, so deliveries to them are deferred and retried later.

Solution: Define a specific event tied to a script deployed on the instance(s) of interest; the script counts the files in the retry (deferred) queue directory and compares the count with a threshold derived from the normal queue length. Define an action so that an alert is generated when the event fires, i.e. when the threshold is exceeded. Because a queue can be large but stable on a busy server, the script should also report the growth since the previous run: a sudden jump is the stronger signal of a spam run.
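The check described above, as an added example that is not part of this page and not the monitoring product’s own script: a POSIX shell script that counts the messages in the retry queue, compares the count and its growth since the last run with thresholds, and exits with a status the event/action can key on. Assumptions: the MTA is Postfix, whose deferred queue lives under /var/spool/postfix/deferred in hashed subdirectories; the thresholds (500 messages, growth of 200 per run) are placeholders to be replaced by values taken from the server’s normal baseline; the script is saved as retry_queue_check.sh; make_demo_queue builds a constructed queue directory so the logic can be exercised offline.

```shell
#!/bin/sh
# retry_queue_check.sh (added example, not the monitoring product's script).
# Alerts when the MTA retry (deferred) queue is too long or grows too fast.

QUEUE_DIR="${QUEUE_DIR:-/var/spool/postfix/deferred}"   # assumed Postfix default
MAX_LEN="${MAX_LEN:-500}"          # assumed baseline; take it from normal operation
MAX_GROWTH="${MAX_GROWTH:-200}"    # assumed max increase between two runs
STATE_FILE="${STATE_FILE:-/var/tmp/retry_queue_last_count}"

# Count queued messages. Postfix hashes the deferred queue into subdirectories
# (deferred/0 .. deferred/F), so count regular files recursively. The queue is
# normally mode 700 and owned by the postfix user: run the check with rights
# to read it, otherwise find prints errors and the count is silently 0.
count_retry_queue() {
    if [ ! -d "$1" ]; then
        echo "queue directory not found: $1" >&2
        return 1
    fi
    find "$1" -type f | wc -l | tr -d ' '
}

# Growth since the previous run, persisted in a small state file.
queue_growth() {
    state="$1"; count="$2"
    prev=0
    [ -r "$state" ] && prev=$(cat "$state")
    echo "$count" > "$state"
    echo $((count - prev))
}

# check_retry_queue DIR MAX_LEN [MAX_GROWTH STATE_FILE]
# Exit status: 0 = normal, 1 = check failed, 2 = alert (for the action to fire on).
check_retry_queue() {
    qdir="$1"; max_len="$2"; max_growth="${3:-}"; state="${4:-}"
    count=$(count_retry_queue "$qdir") || return 1
    growth=""
    if [ -n "$max_growth" ] && [ -n "$state" ]; then
        growth=$(queue_growth "$state" "$count")
    fi
    if [ "$count" -gt "$max_len" ]; then
        echo "ALERT retry queue length $count exceeds $max_len ($qdir)"
        return 2
    fi
    if [ -n "$growth" ] && [ "$growth" -gt "$max_growth" ]; then
        echo "ALERT retry queue grew by $growth since last run (limit $max_growth)"
        return 2
    fi
    echo "OK retry queue length $count${growth:+, growth $growth}"
    return 0
}

# Constructed demo queue: N empty files laid out like Postfix's hashed queue.
make_demo_queue() {
    n="$1"
    base=$(mktemp -d)
    i=0
    while [ "$i" -lt "$n" ]; do
        sub="$base/$(printf '%X' $((i % 16)))"
        mkdir -p "$sub"
        : > "$sub/QID$i"
        i=$((i + 1))
    done
    echo "$base"
}

# When executed directly, check the real queue and exit with its status.
case "$0" in
    *retry_queue_check.sh) check_retry_queue "$QUEUE_DIR" "$MAX_LEN" "$MAX_GROWTH" "$STATE_FILE"; exit $? ;;
esac
```

Schedule the script from the monitoring agent at a fixed interval so that the growth figure means the same thing on every run, and map exit status 2 to the alert action. On Postfix hosts with the queue unreadable to the monitoring user, the last line of `postqueue -p` (“-- N Kbytes in M Requests.”) gives the same count through the MTA’s own privileged interface and can replace the find command.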