I have a significant problem with users unsuspectingly giving out access to their webmail accounts. We have had a few phish messages arrive with a link. The link delivers a page that looks exactly like my webmail login page. When my users visit the link and log in, they have given their login credentials to a SPAM source.
The SPAM source is using the account access to relay mail from other sources. In some cases the compromised accounts have been logged into and set up to send mail.
I am tightening up my rules to prevent the original phish.
The easy answer to this is to have my users change their password(s).
I'm looking for the hard answer:
1. Can I search all mailboxes for a message containing a string? Then if I find the string can I delete this from all mailboxes? For example, if the culprit Phish message contains "login to webmail for maintenance", I want to find that string and delete before my users "CLICK".
2. Can I throttle how many messages are sent from accounts? Once an account is compromised we find it trying to send thousands of messages to 10-20 accounts. Is there a way to tell my MTAs to alert me when an account is trying to send to X number of accounts or X number of messages?
3. We set up a script to look for the number of authentications in the audit.log file. This gives a quick look to find compromised accounts. Is there a better way?
4. The accounts are set up to send mail from a different domain with a reply-to at the different domain. Can I block my server from sending from a different domain? i.e. the email message came from abc@xyz.com, but my domain is 123.com.
Thanks for any assistance. Since we have to have webmail access from anywhere, it is difficult to block this from happening (users not checking carefully when logging into a site).
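Questions 2, 3 and 4 above all reduce to the same detection pattern: per-account counters built from the authentication and submission logs, with an alert when a threshold is crossed. The script below is an added example, not code from the original post or from any mail product. It assumes a constructed syslog-like line format (one line per successful login carrying the user and client IP, one line per submitted message carrying the user, envelope sender and recipient count); a real deployment would swap the two regular expressions for the actual webmail/MTA log format. The thresholds, the sample log lines and the domain names (taken from the post's 123.com/xyz.com example) are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, not from any specific mail server).
# One account, "bob", shows the pattern described in the post: logins from many
# client addresses, a burst of high-recipient-count messages, and an envelope
# sender in a domain the server does not own.
SAMPLE_LOG = """\
Mar 10 09:00:01 mail auth: login ok user=alice ip=198.51.100.7
Mar 10 09:00:05 mail auth: login ok user=bob ip=198.51.100.9
Mar 10 09:00:07 mail auth: login ok user=bob ip=203.0.113.40
Mar 10 09:00:09 mail auth: login ok user=bob ip=203.0.113.41
Mar 10 09:00:11 mail auth: login ok user=bob ip=203.0.113.42
Mar 10 09:01:00 mail mta: submit user=alice from=alice@123.com nrcpt=2
Mar 10 09:01:03 mail mta: submit user=bob from=abc@xyz.com nrcpt=15
Mar 10 09:01:04 mail mta: submit user=bob from=abc@xyz.com nrcpt=18
Mar 10 09:01:05 mail mta: submit user=bob from=abc@xyz.com nrcpt=20
Mar 10 09:02:00 mail auth: login ok user=carol ip=198.51.100.20
Mar 10 09:02:30 mail mta: submit user=carol from=carol@123.com nrcpt=1
"""

# Assumed line shapes; adjust these two patterns to the real log format.
AUTH_RE = re.compile(r"auth: login ok user=(\S+) ip=(\S+)")
SUBMIT_RE = re.compile(r"mta: submit user=(\S+) from=(\S+) nrcpt=(\d+)")


def summarize(lines):
    """Build per-user counters: distinct login IPs, login count,
    message count, total recipients and the envelope sender domains used."""
    stats = defaultdict(lambda: {"ips": set(), "logins": 0, "msgs": 0,
                                 "rcpts": 0, "from_domains": set()})
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            user, ip = m.groups()
            stats[user]["ips"].add(ip)
            stats[user]["logins"] += 1
            continue
        m = SUBMIT_RE.search(line)
        if m:
            user, sender, nrcpt = m.groups()
            stats[user]["msgs"] += 1
            stats[user]["rcpts"] += int(nrcpt)
            # Domain part of the envelope sender, lower-cased for comparison.
            stats[user]["from_domains"].add(sender.rsplit("@", 1)[-1].lower())
    return stats


def flag_accounts(stats, own_domain="123.com", max_ips=2, max_rcpts=30):
    """Return {user: [reasons]} for accounts that cross any threshold.
    max_ips: distinct client addresses per window (question 3);
    max_rcpts: total recipients per window (question 2);
    own_domain: the only envelope sender domain this server should emit (question 4).
    Thresholds are illustrative and should be tuned to real traffic."""
    flags = {}
    for user, s in sorted(stats.items()):
        reasons = []
        if len(s["ips"]) > max_ips:
            reasons.append(f"logins from {len(s['ips'])} distinct IPs")
        if s["rcpts"] > max_rcpts:
            reasons.append(f"{s['rcpts']} recipients across {s['msgs']} messages")
        foreign = sorted(d for d in s["from_domains"] if d != own_domain)
        if foreign:
            reasons.append(f"envelope sender outside {own_domain}: {', '.join(foreign)}")
        if reasons:
            flags[user] = reasons
    return flags


def report(log_text=SAMPLE_LOG):
    """Run the whole pipeline over a log body and return the flagged accounts."""
    return flag_accounts(summarize(log_text.splitlines()))


if __name__ == "__main__":
    for user, reasons in report().items():
        print(f"ALERT {user}: " + "; ".join(reasons))
```

Run on the sample, only `bob` is reported, for all three reasons; `alice` and `carol` stay under every threshold. In practice the script would run over a sliding time window (for example the last 15 minutes of log), and the "foreign envelope sender" condition is better enforced in the MTA itself by rejecting submissions whose sender domain does not match the authenticated user, with this check kept as a second line of defence that alerts when the policy is bypassed. Question 1 (searching and purging a string from every mailbox) depends entirely on the mail store in use and is not covered here.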