This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

protect smtp from compromised account.

Thanks in advance and sorry if the question is already solved.

I am not very expert in sophos.

Now I have the latest version of utm 9 filtering incoming mail and it performs very well

From behind I have an Exchange server.

Recently an account was compromised (guessed the password) and we have sent thousands of mail. a classic !!!

I wonder if there is any option in the smtp output proxy that detects a considerable mail increment for an account, or any other type of related solution to protect smtp, in case an account is compromised.

Thank you !!!



This thread was automatically locked due to age.
Parents
  • Hi, Joaquin, and welcome to the UTM Community!

    On the 'Advanced' tab of 'SMTP', at the bottom of the page, you can adjust 'Max connections/host' and 'Max mails/connection'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Hi, Joaquin, and welcome to the UTM Community!

    On the 'Advanced' tab of 'SMTP', at the bottom of the page, you can adjust 'Max connections/host' and 'Max mails/connection'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • Those settings are mostly intended to prevent incoming mail attacks, by limiting how much traffic is allowed from a single server.  I don't think they are very useful because they are not time-based.   Other systems that I have used limit the number of connections or number of messages per 30 minutes, or something similar.

    If a server is allowed to control N simultaneous connections, and has the ability to immediately reconnect, how does that limit anything?

    For the original problem, the one thing that might help is to lower the number of recipients per message, since the infection is likely to send messages with large numbers of recipients.   You need to have some grasp of whether your company uses mass mailings that might be affected by this limit.   Keep in mind that UTM only sees outbound mail, so mass mailing to other internal users will not trigger this quota.

    Overall, I don't think it has a feature like you were envisioning.