This plugin prevents an authenticated user (via SMTP AUTH) from sending their username and password out in a message (e.g. like replying to a phish).
If their username and password are detected inside the message body, then the message is rejected with the message:
Credential leak detected: never give out your username/password to anyone!
Note that if the username is qualified e.g. user@domain.com - then the
plugin will search for both user and user@domain.com for maximum
effectiveness.
No configuration is required. Simply add the plugin to your config/plugins
file. It should be added before any other plugins that run on hook_data_post
for maximum efficiency.