Client has constant IP blocks when accessing email.
I have a client who regularly gets IP blocked by CSF when attempting to access his email. The following are some of the notifications that I have received:
Time: Fri Nov 13 11:38:42 2015 +1100
Account: xxxx@domain.com
Application: pop3d
IP: xx.xxx.xxx.xxx (AU/Australia/-)
Logins: 61
Interval: 2297
Allowable: 60 logins per hour in 3600 second interval
Flushed in: 1303 seconds

Time: Thu Nov 12 16:22:56 2015 +1100
IP: xx.xxx.xxx.xxx (AU/Australia/CPE-xxx-xxx-x-xxx.lns10.cht.bigpond.net.au)
Failures: 10 (imapd)
Interval: 1800 seconds
Blocked: Permanent Block (IP match in csf.allow, block may not work)
Log entries:
Nov 12 16:12:19 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=
Nov 12 16:12:26 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=
Nov 12 16:12:27 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=
Nov 12 16:12:41 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=
Nov 12 16:22:20 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=
Nov 12 16:22:29 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=
Nov 12 16:22:29 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=
Nov 12 16:22:47 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 7 secs): user=, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=
Nov 12 16:22:47 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=
Nov 12 16:22:54 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=

This block winds up preventing him from receiving email on his device until the offending IP is whitelisted in CSF and cPHulk. This continues to pop up every few months, though, it seems; I'm guessing because his office likely has a non-static IP. I'd obviously rather not keep whitelisting things if his system has been compromised, though, and short of a virus and general security scan of his systems (which I've already suggested) I'm not sure how else to advise him on how to rectify things without just locking him out. Alternatively, is it possible that this is due to a poor configuration on my end? His is the only one of about 15 accounts on the server to experience this issue, though.
Hello :) The output suggests this is related to the end user's system. You may need to push the end user to review their email client or their system to ensure there are no viruses or invalid email configuration settings in their email client. Thank you.
^^ What Michael said. Most likely they have Thunderbird or Outlook (or another mail client) configured with an old password, and it's repeatedly trying to refresh their inbox.
The first shows that they have exceeded the maximum allowable sign-ins per hour that you established in the csf configuration (60). You can change that. The second may be from an improperly configured device like a phone, but you need to check the offending IP to determine this.
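The two notifications in the question come from two different counters: the pop3d one is a per-account login-rate limit (61 logins inside a 3600-second window where 60 per hour are allowed, hence "Flushed in" = 3600 - 2297), while the imapd one counts authentication failures per source IP inside a 1800-second interval. The following Python, added here as an illustration and not CSF's own code nor the poster's logs, reimplements both counters over a constructed Dovecot log so the two patterns (a client polling too often versus a client retrying a stale password) can be told apart. The csf.conf setting names LT_POP3D, LF_IMAPD and LF_INTERVAL, the log year, and the RFC 5737 addresses in the sample are assumptions made for the example.

```python
"""Toy reimplementation of the two CSF checks behind the notifications above.

Added example: not CSF's code, and not the poster's logs. The sample log is
constructed inline with RFC 5737 documentation addresses; the csf.conf setting
names (LT_POP3D, LF_IMAPD, LF_INTERVAL) and the log year are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LF_INTERVAL = 1800   # seconds; matches "Interval: 1800 seconds" in the imapd notification
LF_IMAPD = 10        # auth failures per IP before a block ("Failures: 10 (imapd)")
LT_POP3D = 60        # logins per account per hour ("Allowable: 60 logins per hour")
LT_WINDOW = 3600     # the "3600 second interval" in the same notification
YEAR = 2015          # syslog lines carry no year; assumed from the notification timestamps

_TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?P<proto>imap|pop3)-login: "
AUTH_FAIL = re.compile(_TS + r"(?:Aborted login|Disconnected) \(auth failed.*?rip=(?P<rip>[\d.]+)")
LOGIN_OK = re.compile(_TS + r"Login: user=<(?P<user>[^>]+)>.*?rip=(?P<rip>[\d.]+)")
_EPOCH = datetime(YEAR, 1, 1)


def parse_ts(stamp):
    """Seconds since a fixed reference point for a 'Nov 12 16:12:19' syslog stamp."""
    mon, day, clock = stamp.split()
    parsed = datetime.strptime(f"{YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return (parsed - _EPOCH).total_seconds()


def failures_by_ip(lines, interval=LF_INTERVAL, limit=LF_IMAPD):
    """LF_IMAPD-style check: IPs reaching `limit` auth failures inside a sliding `interval`.
    Returns {ip: (failures, application)} recorded when the limit is first reached."""
    window = defaultdict(deque)
    hits = {}
    for line in lines:
        m = AUTH_FAIL.search(line)
        if not m:
            continue
        now, ip = parse_ts(m["ts"]), m["rip"]
        q = window[ip]
        q.append(now)
        while now - q[0] > interval:      # drop failures older than the interval
            q.popleft()
        if len(q) >= limit and ip not in hits:
            hits[ip] = (len(q), m["proto"] + "d")
    return hits


def logins_by_account(lines, window=LT_WINDOW, limit=LT_POP3D):
    """LT_POP3D-style check: successful POP3 logins per (account, IP) within `window` seconds.
    Returns {(user, ip): (logins, interval, flushed_in)} mirroring the notification fields."""
    seen = defaultdict(list)
    hits = {}
    for line in lines:
        m = LOGIN_OK.search(line)
        if not m or m["proto"] != "pop3":
            continue
        now, key = parse_ts(m["ts"]), (m["user"], m["rip"])
        stamps = seen[key]
        stamps.append(now)
        stamps[:] = [t for t in stamps if now - t <= window]   # keep only the last hour
        if len(stamps) > limit and key not in hits:
            elapsed = int(now - stamps[0])
            hits[key] = (len(stamps), elapsed, window - elapsed)
    return hits


_BASE = datetime(YEAR, 11, 12, 16, 12, 19)


def _line(offset, proto, text):
    stamp = (_BASE + timedelta(seconds=offset)).strftime("%b %d %H:%M:%S")
    return offset, f"{stamp} server dovecot: {proto}-login: {text}"


def build_sample():
    """Constructed Dovecot log (not the poster's): a stale-password IMAP client, a harmless
    second IP with two failures, and a POP3 client polling every 38 seconds for most of an hour."""
    fail = ("Aborted login (auth failed, 1 attempts in 2 secs): user=<{u}>, method=PLAIN, "
            "rip={ip}, lip=192.0.2.1, session=<s>")
    ok = "Login: user=<{u}>, method=PLAIN, rip={ip}, lip=192.0.2.1, mpid=1, TLS, session=<s>"
    rows = [_line(i * 60, "imap", fail.format(u="xxxx@domain.com", ip="203.0.113.10")) for i in range(10)]
    rows += [_line(30 + i * 60, "imap", fail.format(u="other@domain.com", ip="198.51.100.7")) for i in range(2)]
    rows += [_line(1000 + i * 38, "pop3", ok.format(u="xxxx@domain.com", ip="203.0.113.10")) for i in range(61)]
    return [text for _, text in sorted(rows)]


if __name__ == "__main__":
    sample = build_sample()
    print("auth-failure blocks:", failures_by_ip(sample))
    print("login-rate blocks  :", logins_by_account(sample))
```

Run against the real Dovecot log (the same regexes match the `imap-login`/`pop3-login` line formats quoted in the question once the `user=<...>` field is present), the failure counter shows whether an IP is producing repeated password failures, which points at a stale credential in a client, while the login counter shows a client that simply polls more than once a minute; the second case needs no whitelisting at all, only a longer polling interval on the client or a higher LT_POP3D.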