  1. #1
    Member
    Join Date
    Apr 2004
    Posts
    21

    Question lfd question

    Hello guys,

    My lfd service is sending me this email:

    ---
    On Mon Feb 19 15:32:16 2007, the Login Failure Daemon detected name@domain.com logging into pop3d from 200.48.xx.xx (mail.anotherdomain.com.pe) 61 times within the last 1545 seconds. The maximum allowed login rate is 60/hour (3600 seconds).

    name@domain.com will remain blocked from 200.48.xx.xx (mail.anotherdomain.com.pe) for pop3d connections for the next 2055 seconds.
    ---

    I suppose that this is a spam issue. I talked with the user and she is not sending spam, so the problem could be a spam script infecting her PC.

    The question is, how can I check the sent emails to validate content and know if this is a spam case or not?

    Thank you all
    Last edited by mdelacruz; 02-19-2007 at 03:36 PM.

  2. #2
    Member
    Join Date
    Jan 2004
    Posts
    755

    Default

    Well, spam wouldn't be using POP, it'd be using SMTP, so I doubt that's the case.

    Is that IP hers? (I'm guessing not, since you list it as 'anotherdomain')

  3. #3
    Member
    Join Date
    Apr 2004
    Posts
    21

    Default It's her IP

    Quote Originally Posted by Lyttek View Post
    Well, spam wouldn't be using POP, it'd be using SMTP, so I doubt that's the case.

    Is that IP hers? (I'm guessing not, since you list it as 'anotherdomain')
    Lyttek,

    Thank you, you're right, it would be SMTP for a Spam case, nice observation. I missed it.

    The IP is the one assigned by her ISP; this IP has the name of the ISP, which is the reason why it is a different domain name. I blocked the IP and all her office can't access the site.
    Last edited by mdelacruz; 02-20-2007 at 08:56 AM.

  4. #4
    Member bmcpanel's Avatar
    Join Date
    Jun 2002
    Posts
    546

    Default

    Quote Originally Posted by mdelacruz View Post
    Lyttek,

    Thank you, you're right, it would be SMTP for a Spam case, nice observation. I missed it.

    The IP is the one assigned by her ISP; this IP has the name of the ISP, which is the reason why it is a different domain name. I blocked the IP and all her office can't access the site.
    From my experience, I have found that multiple users in the same office will all count towards the hourly limit set in cpanel if they are on the same ISP IP#.

    Example
    WHM limit is 60 POP connections per hour.

    Jane's Office has 10 users who all check their email every 5 minutes, or 12 times per hour.

    That means, all together, they will be checking POP email 120 times in an hour, which will exceed the maximum of 60 POPs per hour. The same applies to LFD, as far as I know.

  5. #5
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    lfd actually counts per user logins per IP address. Only if the number of a given user's POP3 attempts exceeds the trigger level is the IP blocked (temporarily or permanently depending on your settings).
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  6. #6
    Member
    Join Date
    Apr 2004
    Posts
    21

    Default Per user login

    Quote Originally Posted by chirpy View Post
    lfd actually counts per user logins per IP address. Only if the number of a given user's POP3 attempts exceeds the trigger level is the IP blocked (temporarily or permanently depending on your settings).
    Chirpy,

    Thank you for your answer. May I add some questions, please?

    1. This is not necessarily a SPAM case?
    2. Does "per user logins" mean per user's email account (name@domain.com)? Per cPanel user account? Per mail domain (mail.domain.com)? If the count is per user's email account, this means that my user is trying to log in more than 60 times in an hour, which is unusual.
    3. If there is no risk in this scenario, is it possible to increment the count only for this cPanel account?

    Thanks again

  7. #7
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    1. It's probably a client with their settings set to retrieve their email too often

    2. It's per email account - though the block will be on the IP address, which can affect more than one email account if the client uses a shared connection

    3. You cannot increase the trigger value on a per account basis, only globally
    Jonathan Michaelson

  8. #8
    Member SageBrian's Avatar
    Join Date
    Jun 2002
    Location
    NY/CT (US)
    Posts
    386

    Default

    I have one person who has his PC check email every minute. (it's default for many) I've suggested setting it to 5 minutes, since he doesn't really get that much. AND, if he's waiting on something, he can always check manually.

    Then...against advice, he sets up a second PC to check the same mailbox (so he has a copy of everything on his notebook). Again, check every minute. Well, when he does this, he hits the limit in about a half hour, and is then without mail for the rest of the hour.

    But wait, there's more. I believe he's set up a third PC to do the same thing. And, you guessed it, he gets shut out in about 20 minutes.

    Think he wants to try to understand options, like imap or something? Nope, since he knows what he wants.

    And then there is the constant clicker. They just sit there at their computer, click send/receive every second. Like the elevator is going to come any quicker?

    The funny thing is, with their 'need' to have it every minute, they don't even realize that they suddenly go without for a stretch of time.
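
The per-account, per-IP counting described in this thread, as an added example (not lfd's own code and not part of any post above): it counts POP3 logins per (email account, source IP) in a trailing 3600-second window and reports when a pair first exceeds 60. The simplified log line shape, the sliding-window logic, and all accounts and addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

LIMIT, WINDOW = 60, 3600  # "60/hour (3600 seconds)", as quoted in the alert

# Assumed, simplified line shape: "<epoch seconds> pop3d: LOGIN, user=<account>, ip=[<addr>]"
LINE = re.compile(r"^(\d+) pop3d: LOGIN, user=(\S+), ip=\[([^\]]+)\]$")

def over_limit(lines, limit=LIMIT, window=WINDOW):
    """Map (account, ip) -> timestamp at which its logins in the trailing
    window first exceeded the limit. Pairs that never exceed it are absent."""
    events = sorted((int(m[1]), m[2], m[3]) for m in map(LINE.match, lines) if m)
    recent, tripped = defaultdict(deque), {}
    for ts, user, ip in events:
        q = recent[(user, ip)]
        q.append(ts)
        while q[0] <= ts - window:      # drop logins older than the window
            q.popleft()
        if len(q) > limit:
            tripped.setdefault((user, ip), ts)
    return tripped

def polls(user, ip, every, start=0, duration=3600):
    """Constructed log lines for one mail client polling every `every` seconds."""
    return [f"{t} pop3d: LOGIN, user={user}, ip=[{ip}]"
            for t in range(start, duration, every)]

def scenarios():
    office_ip, home_ip = "203.0.113.10", "198.51.100.7"
    lines = []
    # Ten accounts behind one office IP, each checking every 5 minutes.
    for n in range(10):
        lines += polls(f"user{n}@example.com", office_ip, every=300, start=n)
    # One account checked every minute from three PCs behind one IP.
    for offset in (0, 20, 40):
        lines += polls("bob@example.com", home_ip, every=60, start=offset)
    office_total = sum(office_ip in line for line in lines)
    return office_total, over_limit(lines)

if __name__ == "__main__":
    total, tripped = scenarios()
    print(f"office IP logins in the hour: {total}")
    for (user, ip), ts in tripped.items():
        print(f"{user} from {ip} exceeded {LIMIT}/hour after {ts} seconds")
```

The office IP produces 120 logins in the hour without any single account exceeding the limit, while the one account polled from three PCs exceeds it at 1200 seconds.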

  9. #9
    Member serversphere's Avatar
    Join Date
    Jan 2004
    Posts
    658

    Default

    Quote Originally Posted by SageBrian View Post
    I have one person who has his PC check email every minute. (it's default for many) I've suggested setting it to 5 minutes, since he doesn't really get that much. AND, if he's waiting on something, he can always check manually.
    I feel your pain. I have a whole office full of people (I host their corporate site) who cold call businesses and get them to order over the web (which I don't host). They then sit there and either click send/receive over and over or they are already set to receive every minute until that order confirmation comes through. I get a call a week about how my email service is "so slow" because they haven't gotten the confirm email in the one and a half minutes that have passed since the customer ordered. The funny thing is, their system is set up so they can check IN THEIR OWN OFFICE SYSTEM if the order was placed. But they want that stinking email and they want it yesterday... ugh...
