Service: dovecot and mail protection

toplisek

• June 26, 2025 06:21
• Edited

How to protect mail abuses and attacks which use Service:dovecot.

Source: https://www.dovecot.org/

It is very malicious as it is found as Germany (country) and IP XX.XXX.XXX.XXX (Germany:DE) but found as 

"country_code" which is not realistic: 

"as_name":

"LT",

"country":

"Lithuania"

• 

  William Del Piero cPanel Staff

  • June 26, 2025 15:08
  • Edited

  Hi,

   

  In some cases the IP location can be mismatched due to allocation changes that have not been taken into account within the GeoIP database. For example, you can use the following command to check where the GeoIP database believes the IP is located:

   

  /usr/local/cpanel/3rdparty/perl/536/bin/perl -MCpanel::GeoIPfree -E 'use Test::More; note explain [ Cpanel::GeoIPfree->new()->LookUp( q{1.1.1.1} ) ]'

   

  *You would replace 1.1.1.1 with the IP you want to look up. Depending on your cPanel version, you may need to change the path to the perl binary in the command but this is the path used on my v118 server.

   

  If the GeoIP database is also showing the IP as from Lithuania, then this indicates that the database needs to be updated. We periodically update the GeoIP database with newer cPanel versions. To work around a mismatch such as this you would need to manually block the offending IP in your firewall until an update to the GeoIP database is released.

  0

Please sign in to leave a comment.