Email Security Feature

I would like to see a configurable email feature that counts the number of failed password attempts and, at a defined limit, can optionally freeze the account and email both the domain tech contact and the email account owner that there has been a possible hacking attempt. The reason to email both is that if the email account is dormant, the owner is on holidays, etc., the issue can still be caught quickly.

Just recently I had one of my emails hacked by a spammer. They did not interfere with my email, but they did use it to send out a whack of spam. I never noticed until I started getting “undeliverable” messages. I initially ignored them because I have had other email addresses used as the ‘return to’ address. When I got a few more undeliverables I took a close look at the headers and discovered that the sender had authenticated themselves as me. I immediately changed the password and that seemed to halt the use of my email account to send out spam. There has been no repeat.

I don’t know how the spammer managed to hack the email account, but I suspect that he used a brute force attack. That also suggests to me that he probably has a limit to the number of characters he is willing to go in hacking an email account.

Dreamhost’s IMAP server does lock an account after some threshold of failed login attempts is exceeded. I ran into this when I implemented a bunch of post-Heartbleed password changes, and had overlooked updating the credentials on some mobile devices that kept polling frequently with the old credentials.

I got the impression that it was a pretty high threshold to trigger the lockout.

Keep in mind that there are at least 4 other ways for someone to access your email credentials (POP, web mail, password change web form, SMTP relay), and they may not implement lockouts or the same thresholds.

Your best defense is to use strong passwords, and make sure all your mail clients are using encrypted connections (TLS, SSL, HTTPS).
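A sketch of the feature requested in the first post, written here as an added example (it is neither DreamHost's code nor either poster's): one failure counter per account that is shared across the IMAP, POP, webmail and SMTP front ends the reply warns about, a sliding-window threshold, and a notice to both the owner and the domain tech contact when the account is frozen. The log format, timestamps, addresses and the TECH_CONTACTS lookup are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
THRESHOLD = 4                   # failed attempts allowed inside WINDOW before the freeze
WINDOW = timedelta(minutes=10)  # sliding window; both are the configurable knobs
# Hypothetical per-domain tech contacts (an assumption; a real system would look these up).
TECH_CONTACTS = {"example.com": "hostmaster@example.com"}
# Constructed sample log: one line per login attempt, from the different mail front ends.
SAMPLE_LOG = """
2014-04-20T10:00:01 imap    auth_failed user=alice@example.com ip=203.0.113.5
2014-04-20T10:01:00 imap    auth_ok     user=alice@example.com ip=203.0.113.5
2014-04-20T10:02:00 imap    auth_failed user=bob@example.com ip=198.51.100.7
2014-04-20T10:02:05 pop3    auth_failed user=bob@example.com ip=198.51.100.7
2014-04-20T10:02:10 smtp    auth_failed user=bob@example.com ip=198.51.100.7
2014-04-20T10:02:15 webmail auth_failed user=bob@example.com ip=198.51.100.8
"""

class LockoutMonitor:
    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)       # account -> timestamps of recent failures
        self.locked, self.notifications = set(), []  # frozen accounts; mails that would go out

    def record(self, line):
        ts_text, service, outcome, user_kv, ip_kv = line.split()
        ts = datetime.fromisoformat(ts_text)
        account, ip = user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]
        if outcome == "auth_ok":
            self.failures[account].clear()       # a real login resets the counter
            return
        # One counter per account shared by IMAP/POP/SMTP/webmail, so split attempts still add up.
        recent = self.failures[account]
        recent.append(ts)
        while ts - recent[0] > self.window:      # forget failures older than the window
            recent.popleft()
        if len(recent) >= self.threshold and account not in self.locked:
            self._freeze_and_notify(account, service, ip)

    def _freeze_and_notify(self, account, service, ip):
        self.locked.add(account)
        domain = account.rsplit("@", 1)[1]
        body = f"{self.threshold} failed logins for {account} within {self.window}, last via {service} from {ip}; account frozen."
        # Notify both the account owner and the domain's tech contact, as the post asks.
        for to in (account, TECH_CONTACTS.get(domain, f"postmaster@{domain}")):
            self.notifications.append({"to": to, "subject": "Possible break-in attempt", "body": body})

def process(log_text, **settings):
    monitor = LockoutMonitor(**settings)
    for line in log_text.strip().splitlines():
        monitor.record(line)
    return monitor
```

Running `process(SAMPLE_LOG)` freezes only bob@example.com and queues two notices, one to the owner and one to hostmaster@example.com; alice's single failure is wiped by her later successful login.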