What systems are people using to detect and track down spamming accounts (usually compromised) on a multi-user mail server?
Generally, I'd do this with outbound spam filtering. Use the reporting functionality to get counts of spam per user. You might even be able to alert if the rate goes above a certain number.
they/them
Prodigi - Optimised IT Solutions
WebOps/DevOps, Managed IT, Hosting and Internet/WAN.
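One way to get the per-user counts and rate alert suggested in the reply above, as an added example that is not part of the thread. It assumes Postfix-style syslog lines (the thread does not name the mail server); the threshold, addresses, queue IDs and log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed Postfix syslog format: smtpd logs the authenticated user per queue ID,
# qmgr logs the recipient count (nrcpt) for that queue ID.
AUTH_RE = re.compile(r"^(\w{3}\s+\d+ \d{2}):\d{2}:\d{2} \S+ postfix/\S*smtpd\[\d+\]: "
                     r"(\w+): client=\S*\[([^\]]+)\], .*sasl_username=(\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<[^>]*>, size=\d+, nrcpt=(\d+)")

def recipients_per_user_hour(lines):
    """Return {(user, hour): {"rcpts": int, "ips": set}} by joining on queue ID."""
    owner = {}  # queue ID -> (user, hour, client IP)
    stats = defaultdict(lambda: {"rcpts": 0, "ips": set()})
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            hour, qid, ip, user = m.groups()
            owner[qid] = (user, hour, ip)
            continue
        m = QMGR_RE.search(line)
        if m and m.group(1) in owner:
            # pop() so a deferred message re-activated by qmgr is counted once
            user, hour, ip = owner.pop(m.group(1))
            stats[(user, hour)]["rcpts"] += int(m.group(2))
            stats[(user, hour)]["ips"].add(ip)
    return stats

def flag_accounts(lines, max_rcpts_per_hour=100):
    """List (user, hour, recipients, distinct_ips) above the hourly threshold."""
    hits = [(u, h, s["rcpts"], len(s["ips"]))
            for (u, h), s in recipients_per_user_hour(lines).items()
            if s["rcpts"] > max_rcpts_per_hour]
    return sorted(hits, key=lambda r: -r[2])

# Constructed sample: alice sends normally, bob's account sends bulk from 3 IPs.
MESSAGES = [("A1", "198.51.100.7", "alice@example.com", 1),
            ("A2", "198.51.100.7", "alice@example.com", 2),
            ("B1", "203.0.113.5", "bob@example.com", 50),
            ("B2", "203.0.113.9", "bob@example.com", 50),
            ("B3", "192.0.2.44", "bob@example.com", 50)]
SAMPLE_LOG = [line for qid, ip, user, n in MESSAGES for line in (
    f"Jan 12 10:00:01 mx1 postfix/smtpd[1234]: {qid}: client=unknown[{ip}], "
    f"sasl_method=PLAIN, sasl_username={user}",
    f"Jan 12 10:00:02 mx1 postfix/qmgr[900]: {qid}: from=<{user}>, size=2048, "
    f"nrcpt={n} (queue active)")]

if __name__ == "__main__":
    for user, hour, rcpts, ips in flag_accounts(SAMPLE_LOG):
        print(f"ALERT {user}: {rcpts} recipients in hour '{hour}' from {ips} IPs")
```

The distinct-IP count is reported alongside the rate because one account authenticating from several addresses in the same hour helps separate a compromised login from a customer's legitimate bulk send.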
This is the difference between a simple anti-spam service and a complete Email Security service. Vendors like Barracuda, Fortinet, and SonicWall do some very good solutions, not too pricey and cloud-based.
MichaelNZ:
What systems are people using to detect and track down spamming accounts (usually compromised) on a multi-user mail server?
Um, make the accounts not compromised?
Probably difficult to help without knowing more. Are you running an ISP or is this a corporate mail server on the LAN? Are we talking SMTP?
I really think if you are relying on a spam filter for OUTBOUND mail, then you might want to re-architect how you are doing things.
gbwelly:
I really think if you are relying on a spam filter for OUTBOUND mail, then you might want to re-architect how you are doing things.
I'd be really interested to hear how to architect things for user-controlled mailboxes that will stop spam without filtering.
The host/owner of the IPs has a vested interest in stopping spam from going out from their IPs.
Selling mailboxes, shared hosting, servers etc means you give that control over to the users. Outbound spam filtering is a necessity in these cases as you can write all the terms of service you like, but you can send hundreds of thousands of emails in a few hours if you're not filtering somehow.
gbwelly:
MichaelNZ:
What systems are people using to detect and track down spamming accounts (usually compromised) on a multi-user mail server?
Um, make the accounts not compromised?
Probably difficult to help without knowing more. Are you running an ISP or is this a corporate mail server on the LAN? Are we talking SMTP?
I really think if you are relying on a spam filter for OUTBOUND mail, then you might want to re-architect how you are doing things.
Outbound antispam solutions are quite common (along with other features such as DLP, routing rules, encryption etc).
ELK Stack, love it
https://www.elastic.co/elk-stack
danielfaulknor:
Selling mailboxes, shared hosting, servers etc means you give that control over to the users.
That is why I asked if he's running an ISP. On a corporate network it's quite easy to prevent this with only a stick with a nail in it or an HR lady.
Thanks for the responses.
This is for a customer who has a mail server which services lots of subscribers.
Their current method of looking for the source of problems is like a needle in a haystack.
WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers | ZL2NET