Apple, iPhone, iPad email & LFD Blocks

unco

Hi -

I have a user who is ceaselessly sending bad passwords while checking email. In logs, I see POP & IMAP auth errors from her. I am constantly whitelisting her IP addresses out of frustration. She travels, so that complicates matters. I have had her shut off all devices and turn them on one by one so we can try to isolate which is doing it. I think there is more than one device failing authentication. I am spending about 2 hours a week supporting her, which makes me sad. Life is way too short, and I really mean that because I have to spend several hours a week getting chemo!

Back to the matter at hand... the devices want to "repair" the accounts, which only seems to make matters worse. I have been doing this since 1996, and have never had this issue with any other customer. I am considering requiring her to pay $10/mailbox and moving her mail to G Suite or something.

Does anyone have any other suggestions?

Thanks for letting me rant. I don't know why I can't let this customer go!

Thanks,
B
 

cPanelMichael

Administrator
Staff member
Hello @unco,

Let's see if we can help you get this sorted out!

My first thought is that it's probably a good idea to verify if an unauthorized person is modifying the passwords to the email accounts. Here's an example of a command you can execute via SSH as the root user:

grep $username /usr/local/cpanel/logs/access_log|grep passwd_pop

Replace $username with the username of the cPanel user that owns the email accounts. In the output, you'll see a list of IP addresses that recently changed an email account's password from the cPanel >> Email Accounts interface, along with information about the user agent associated with those IP addresses.

Do you notice any password changes from IP addresses you do not recognize?

If not, the next step to take is to verify if cPHulk is enabled in WHM >> cPHulk Brute Force Protection. If it's enabled, and the username-based protection or IP-based protection is triggered for an email account or the email user's IP address, then authentication will fail for email (and from the email user's perspective, it will appear as though it failed due to a wrong password). You can browse to the History Reports tab to search for blocked logins associated with the user's email accounts or the user's IP addresses.

Let me know if this helps.

Thank you.
 

Infopro

Whitelisting is out of the question, IMO. I think we know how annoying it can be to get locked out, but it can be used for educating too, depending on how you look at it. (and how long it takes you to remove the block after the second or third time.) :-p
 

unco

Hi @cPanelMichael, no results are returned for grep [email protected] /usr/local/cpanel/logs/access_log|grep passwd_pop (actual username not displayed, of course).

cPHulk is disabled in this case.

The user definitely has some device (she has 2 iPads, 2 MacBooks, one iPhone) sending a bad password. I sent someone to her house to check them all. I think I will have to go there myself, or I will have to ask her to bring them to me one day. I even installed a mod for WHMCS that allows a user to log in and remove her own IP from CSF's block list, but she isn't able to manage it.

It's 2019, but I still have so many users who find all of this so difficult.

I appreciate the help. I think I will need to see her in person.

Thanks very much everyone!

Take care,
B
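
Added example, not part of any post in this thread: one way to narrow down which device is sending the bad password is to total the failed POP3/IMAP logins for the mailbox per client IP and protocol. It assumes Dovecot-style "auth failed" lines such as those a cPanel server normally writes to /var/log/maillog; the function names, mailbox and log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Total failed POP3/IMAP login attempts for one mailbox, per client IP and protocol.
# Assumption: Dovecot login-process log format ("... (auth failed, N attempts ...): user=<..>, rip=..").

sample_log() {   # constructed sample lines, documentation-range addresses
cat <<'EOF'
Mar  4 09:12:01 host dovecot: imap-login: Disconnected (auth failed, 2 attempts in 6 secs): user=<jane@example.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, TLS, session=<a1>
Mar  4 09:12:40 host dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<jane@example.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, session=<a2>
Mar  4 09:13:05 host dovecot: imap-login: Login: user=<jane@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=4242, TLS, session=<a3>
Mar  4 09:14:11 host dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<jane@example.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, TLS, session=<a4>
Mar  4 09:15:30 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1, TLS, session=<a5>
EOF
}

# $1 = mailbox address, $2 = log file (omit to read stdin)
# Output: "<failed attempts> <client IP> <protocol>", busiest source first.
summarize_auth_failures() {
    awk -v want="$1" '
        /(imap|pop3)-login: .*auth failed/ {
            proto = ""; user = ""; rip = ""; n = 1
            if (match($0, /(imap|pop3)-login/))
                proto = substr($0, RSTART, RLENGTH - 6)        # drop "-login"
            if (match($0, /user=<[^>]*>/))
                user = substr($0, RSTART + 6, RLENGTH - 7)     # text inside <...>
            if (match($0, /rip=[^, ]+/))
                rip = substr($0, RSTART + 4, RLENGTH - 4)      # remote (client) IP
            if (match($0, /auth failed, [0-9]+ attempts/))
                n = substr($0, RSTART + 13, RLENGTH - 13) + 0  # one line can cover several tries
            if (user != want || rip == "") next
            total[rip " " proto] += n
        }
        END { for (k in total) print total[k], k }
    ' "${2:--}" | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a server, pass the log file as the second argument.
sample_log | summarize_auth_failures jane@example.com
```

An IP that appears here but also shows successful `Login:` lines for the same mailbox points to several devices behind one address, only some of which hold the stale password.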