What are signs of internal compromise in an ESP or MTA?
Traffic anomalies: sudden volume increases, sending to unusual destinations, activity at unusual hours, and new or modified campaigns appearing without authorized changes.
Authentication changes: new **API** keys created, permissions modified, user accounts added, and **DNS record** changes. Review audit logs for unauthorized administrative actions.
External reports: spam complaints about your sending, blocklist notifications, bounce increases, and contacts reporting suspicious messages from your addresses. External signals often reveal compromise before internal detection.
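The traffic and audit-log checks above, as an added example that is not part of the original answer or any ESP's own tooling. The event names, field names, approved-change allowlist, business hours and thresholds are assumptions, and all sample records are constructed.

```python
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Assumed event names and fields; map them to your ESP/MTA audit-log schema.
SENSITIVE = {"api_key.created", "permission.modified", "user.added",
             "dns_record.changed", "campaign.modified"}
APPROVED = {("alice", "api_key.created")}   # hypothetical change-ticket allowlist
BUSINESS_HOURS = range(8, 19)               # 08:00-18:59, assumed

# Constructed sample audit log.
AUDIT_LOG = [
    {"ts": "2024-05-06T10:12:00", "actor": "alice", "action": "api_key.created"},
    {"ts": "2024-05-07T02:41:00", "actor": "svc-import", "action": "api_key.created"},
    {"ts": "2024-05-07T02:44:00", "actor": "svc-import", "action": "dns_record.changed"},
    {"ts": "2024-05-07T11:00:00", "actor": "bob", "action": "login"},
]
HOURLY_BASELINE = [1000, 1100, 950, 1050, 1020, 980, 1010, 990]  # constructed

def audit_findings(events):
    """Flag sensitive admin actions that lack approval or happen off-hours."""
    findings = []
    for e in events:
        if e["action"] not in SENSITIVE:
            continue
        reasons = []
        if (e["actor"], e["action"]) not in APPROVED:
            reasons.append("no approved change")
        if datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if reasons:
            findings.append((e["ts"], e["actor"], e["action"], reasons))
    return findings

def volume_spike(baseline, current, z=3.0):
    """True when the current hourly send count exceeds mean + z * stddev."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return current > mu + z * max(sigma, 1.0)  # floor sigma for flat baselines

def new_destinations(baseline_domains, current_domains, min_count=50):
    """Recipient domains absent from the baseline that receive real volume."""
    counts = Counter(current_domains)
    return sorted(d for d, n in counts.items()
                  if d not in baseline_domains and n >= min_count)

if __name__ == "__main__":
    for finding in audit_findings(AUDIT_LOG):
        print(finding)
    print("volume spike:", volume_spike(HOURLY_BASELINE, 5000))
```

Tune the z-score and minimum-count thresholds against your own sending history before alerting on them.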