Detect mailbox user login from an unusual location
Mailboxes compromised through leaked IMAP or POP3 user credentials are a very common cause of mail network disruption. The aim of the breach is typically to turn the mailserver into a spam relay. Such breaches harm the reputation of the sender and congest the network until the breach is identified and resolved. Monitor the logins to mailboxes hosted by the server for suspicious login activity, and notify the admin when a potential breach is detected. See Nextcloud's relatively simple ML system for reference.
- As an admin
- when a mailbox user has a suspicious profile during authentication
- then I should be notified of a possible security breach
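
One way to implement the check in this user story, as an added example that is not part of the original request or of any project's code: a per-user baseline of networks seen at successful login, alerting on the first login from an unfamiliar one. The log line format, the /24 and /48 coarsening and the `MIN_HISTORY` threshold are assumptions, and this is a plain baseline rather than Nextcloud's ML approach.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in an assumed auth-log format (not a real server's).
SAMPLE_LOG = """\
2024-05-01T08:12:03Z imap-login ok user=alice@example.org rip=192.0.2.10
2024-05-01T12:40:11Z imap-login ok user=alice@example.org rip=192.0.2.77
2024-05-02T08:03:54Z pop3-login ok user=bob@example.org rip=2001:db8:1:2::5
2024-05-02T08:15:20Z imap-login ok user=alice@example.org rip=192.0.2.10
2024-05-02T09:01:00Z imap-login failed user=alice@example.org rip=203.0.113.9
2024-05-03T03:22:41Z imap-login ok user=alice@example.org rip=198.51.100.23
2024-05-03T08:05:02Z pop3-login ok user=bob@example.org rip=2001:db8:1:9::8
"""

LINE_RE = re.compile(r"^(\S+) (imap|pop3)-login ok user=(\S+) rip=(\S+)$")
MIN_HISTORY = 2  # assumed: successful logins needed before a baseline is trusted


def network_of(ip_text):
    """Coarsen an address to /24 (IPv4) or /48 (IPv6) to tolerate address churn."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_suspicious_logins(log_text, min_history=MIN_HISTORY):
    """Return (timestamp, user, ip) for each successful login from a network
    the user has not used before, once the user has enough history."""
    seen = defaultdict(set)   # user -> networks accepted into the baseline
    count = defaultdict(int)  # user -> baseline logins so far
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # failed logins and unrelated lines are not baseline data
        ts, _proto, user, ip_text = m.groups()
        try:
            net = network_of(ip_text)
        except ValueError:
            continue  # malformed address: skip the line rather than crash
        if count[user] >= min_history and net not in seen[user]:
            alerts.append((ts, user, ip_text))
            continue  # do not learn the network until an admin confirms it
        seen[user].add(net)
        count[user] += 1
    return alerts
```

Calling `find_suspicious_logins(SAMPLE_LOG)` returns the single login by alice@example.org from 198.51.100.23; each returned tuple is what an admin notification would carry.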