Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Annoying Email Login attempts using Google IP Addresses

Discussion in 'E-mail Discussion' started by madamsplash, Mar 17, 2009.

  1. madamsplash

    madamsplash Member

    Joined:
    Mar 17, 2009
    Messages:
    5
    Likes Received:
    1
    Trophy Points:
    53
    :eek: Every day my dedicated server is attacked by somebody who attempts to login to an email account that has not been used for sometime on two of our web accounts using a variety of Google Addresses ... anywhere up to 5000 times a day

    The result is to block Google from spidering our servers and sites ... the offender obviously knows a little bit about the way our email works and is running a private server.

    Is it possible to stop a single email account login attempts and still set allow the IP Addresses in IP Allow? (See messages below)

    -----------------------------

    I'm also getting daily notification of suspicious process running under user (then proceeds through all websites on the server - only a few at the moment) /usr/sbin/pure-ftpd\00i686\00hp .......... (deleted)

    "This file system shows this process is running an executable file that has been deleted. This typically happens ..... See csf.conf and the PT_DELETED text for more information .... etc"

    Anything I should be concerned about with message like these?

    -------------------------------------------------

    **Unmatched Entries** Mostly Google IPs
    Disconnected, ip=[::ffff:127.0.0.1]: 287 Time(s)
    Disconnected, ip=[::ffff:209.85.200.161]: 2 Time(s)
    Disconnected, ip=[::ffff:209.85.200.162]: 2 Time(s)
    Disconnected, ip=[::ffff:209.85.200.165]: 2 Time(s)
    Disconnected, ip=[::ffff:209.85.200.168]: 8 Time(s)
    Disconnected, ip=[::ffff:209.85.200.169]: 4 Time(s)
    Disconnected, ip=[::ffff:209.85.200.170]: 2 Time(s)
    Disconnected, ip=[::ffff:209.85.200.171]: 3 Time(s)
    Disconnected, ip=[::ffff:209.85.200.172]: 3 Time(s)
    Disconnected, ip=[::ffff:209.85.200.173]: 4 Time(s)
    Disconnected, ip=[::ffff:209.85.200.174]: 5 Time(s)
    Disconnected, ip=[::ffff:209.85.200.175]: 5 Time(s)
    Disconnected, ip=[::ffff:72.29.95.155]: 1038 Time(s):mad:
    Disconnected, ip=[::ffff:72.29.95.172]: 1381 Time(s):mad:
    Disconnected, ip=[::ffff:74.125.46.141]: 4 Time(s)
    Disconnected, ip=[::ffff:74.125.46.144]: 1 Time(s)
    Disconnected, ip=[::ffff:74.125.46.148]: 1 Time(s)
    Disconnected, ip=[::ffff:74.125.46.150]: 2 Time(s)
    Disconnected, ip=[::ffff:74.125.46.152]: 2 Time(s)
    Disconnected, ip=[::ffff:74.125.46.154]: 1 Time(s)
    Disconnected, ip=[::ffff:74.125.46.155]: 2 Time(s)
    Disconnected, ip=[::ffff:74.125.46.157]: 2 Time(s)
    Disconnected, ip=[::ffff:74.125.46.158]: 1 Time(s)
    Disconnected, ip=[::ffff:74.125.46.160]: 1 Time(s)
    Disconnected, ip=[::ffff:74.125.46.161]: 2 Time(s)
    Disconnected, ip=[::ffff:74.125.46.162]: 1 Time(s)
    Disconnected, ip=[::ffff:74.125.46.164]: 1 Time(s)
    Disconnected, ip=[::ffff:74.125.46.165]: 1 Time(s)
    Disconnected, ip=[::ffff:74.125.46.166]: 2 Time(s)
    Disconnected, ip=[::ffff:74.125.46.24]: 2 Time(s)
    Disconnected, ip=[::ffff:74.125.46.25]: 3 Time(s)
    Disconnected, ip=[::ffff:74.125.46.26]: 4 Time(s)
    Disconnected, ip=[::ffff:74.125.46.27]: 3 Time(s)
    Disconnected, ip=[::ffff:74.125.46.28]: 2 Time(s)
    Disconnected, ip=[::ffff:74.125.46.30]: 5 Time(s)
    Disconnected, ip=[::ffff:74.125.46.31]: 3 Time(s)
    Disconnected, ip=[::ffff:74.125.46.32]: 1 Time(s)
    Disconnected, ip=[::ffff:74.125.46.33]: 2 Time(s)
    Disconnected, ip=[::ffff:74.125.46.34]: 7 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:209.85.200.161]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:209.85.200.162]: 2 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:209.85.200.168]: 2 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:209.85.200.171]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:209.85.200.172]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:209.85.200.173]: 2 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:209.85.200.175]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:74.125.46.141]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:74.125.46.144]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:74.125.46.152]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:74.125.46.155]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:74.125.46.157]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:74.125.46.160]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:74.125.46.166]: 2 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:74.125.46.24]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:74.125.46.26]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:74.125.46.27]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:74.125.46.30]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:74.125.46.33]: 1 Time(s)
    LOGIN FAILED, user=zoe+flairpersonnel.com, ip=[::ffff:74.125.46.34]: 1 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:209.85.200.168]: 2 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:209.85.200.170]: 2 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:209.85.200.171]: 1 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:209.85.200.172]: 1 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:209.85.200.173]: 1 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:209.85.200.174]: 2 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:209.85.200.175]: 1 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:74.125.46.141]: 1 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:74.125.46.148]: 1 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:74.125.46.155]: 1 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:74.125.46.161]: 1 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:74.125.46.26]: 3 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:74.125.46.30]: 2 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:74.125.46.31]: 2 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:74.125.46.32]: 1 Time(s)
    LOGIN FAILED, user=zoe+splash.net.au, ip=[::ffff:74.125.46.34]: 2 Time(s)
     
    #1 madamsplash, Mar 17, 2009
  2. LiNUxG0d

    LiNUxG0d Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    206
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    Gatineau, Quebec, Canada
    Hey there,

    Is it possible that - and I'm just speculating - this user has their webmail client open on GMail and the IMAP/POP is trying to get mail from your server, but their username/password is wrong? Just thinking out loud since really it seems to be the same user @ multiple domains that's failing... the user on Google's end may not even realize their password is incorrect.

    If not, then you may have a really awesome hacker on your hands with lots of rooted boxes in Google's server fleet... which I doubt. ;)

    If you think the idea of Webmail fetching mail and failing isn't quite right, I would suggest you e-mail abuse@google.com or something to that effect.

    Their whois data: http://who.is/whois-ip/ip-address/74.125.46.141/

    A company of that size probably has staff dedicated to this kind of thing.

    Warmest regards,
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 LiNUxG0d, Mar 17, 2009
  3. madamsplash

    madamsplash Member

    Joined:
    Mar 17, 2009
    Messages:
    5
    Likes Received:
    1
    Trophy Points:
    53
    Lol - Probably an awesome hacker ...

    We had an employee named Zoe - she lasted one day - one of our former designers had/has a girlfriend named Zoe and I was approached by a Zoe to become a Web Designer.

    This person is probably a local dinasoar (bit like moire) from the days when we could all download the software to turn our pc's into internet servers and give it whatever IP address we liked ... Looks like I am alone in the Universe with this cretin :p

    Had hoped I could nullify login attempts to the email addresses without blocking from the server entirely ...

    Have advised Google - thanks for looking, and if you have any ideas - please advise.
     
    #3 madamsplash, Mar 17, 2009
(You must log in or sign up to post here.)
Loading...
Similar Threads - Annoying Email Login
  1. Strangiato

    New Thread Add new members to email forwarder

    Strangiato, Aug 21, 2018 at 11:38 AM, in forum: E-mail Discussion
    Replies:
    0
    Views:
    10
    Strangiato
    Aug 21, 2018 at 11:38 AM
  2. GQsm

    New Thread How do I stop these Return-path x-sender emails getting through.

    GQsm, Aug 21, 2018 at 9:01 AM, in forum: E-mail Discussion
    Replies:
    0
    Views:
    13
    GQsm
    Aug 21, 2018 at 9:01 AM
  3. jorge orejuela

    New Thread Restrict some email accounts from sending email?

    jorge orejuela, Aug 20, 2018 at 11:17 PM, in forum: E-mail Discussion
    Replies:
    0
    Views:
    17
    jorge orejuela
    Aug 20, 2018 at 11:17 PM
  4. Dionisios S. Mpolanis

    New Thread Cant connect to addon domains email

    Dionisios S. Mpolanis, Aug 20, 2018 at 5:39 PM, in forum: E-mail Discussion
    Replies:
    0
    Views:
    21
    Dionisios S. Mpolanis
    Aug 20, 2018 at 5:39 PM
  5. SamL

    New Thread Is there an alternative to email forwarding?

    SamL, Aug 20, 2018 at 5:41 AM, in forum: E-mail Discussion
    Replies:
    2
    Views:
    36
    sparek-3
    Aug 20, 2018 at 9:24 AM

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice