Request: GeoLocate SASL logins and suspend account if connecting from more than N countries
Sometimes, user credentials are stolen. Then, in many cases, botnets slowly start bombing mail servers with messages using that stolen account. Sometimes spammers are smart enough to send just 1 message every 3 to 5 minutes, to no more than 3-5 recipients. In those cases unless there's someone 24h/day checking the mail server log and queue, it's hard to see the account has been compromised until you finally get the block in RBL lists. Rate limiters and throttlers help but don't fully solve the problem.
I believe there's a simple approach to mitigate this problem. A person won't usually login to his account from more than 1, 2 countries, 3 at most in a period of 12/24 hours. If ispconfig could check against the geoip database and score different country logins for the, let's say, the last 24 hours, and check that score is > 2 (or whatever value the user/admin wants), disable sending or suspending that particular account, we could solve the problem at its very early stages.
I'm sorry I'm not a programmer (I wish I was), and I suppose you guys hate when we tell you "hey, that's for sure easy to implement", but the gaining from that I think it's quite worth it, and that's why I had to propose it and I wish you could consider it.
Thanks so much for such an awesome piece of software.
Ignacio