I have a client who regularly gets IP blocked by CSF when attempting to access his email. The following are some of the notifications that I have received:
Code:
Time: Fri Nov 13 11:38:42 2015 +1100
Account: [email protected]
Application: pop3d
IP: xx.xxx.xxx.xxx (AU/Australia/-)
Logins: 61
Interval: 2297
Allowable: 60 logins per hour in 3600 second interval
Flushed in: 1303 seconds
Code:
Time: Thu Nov 12 16:22:56 2015 +1100
IP: xx.xxx.xxx.xxx (AU/Australia/CPE-xxx-xxx-x-xxx.lns10.cht.bigpond.net.au)
Failures: 10 (imapd)
Interval: 1800 seconds
Blocked: Permanent Block (IP match in csf.allow, block may not work)
Log entries:
Nov 12 16:12:19 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<hKeS/FAk9AB8uAhw>
Nov 12 16:12:26 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<pkfB/FAk9QB8uAhw>
Nov 12 16:12:27 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<APrd/FAk9gB8uAhw>
Nov 12 16:12:41 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<z5zm/VAk+AB8uAhw>
Nov 12 16:22:20 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<AMFtIFEkFgB8uAhw>
Nov 12 16:22:29 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<HT28IFEkGgB8uAhw>
Nov 12 16:22:29 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<Tfu1IFEkGQB8uAhw>
Nov 12 16:22:47 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 7 secs): user=<[email protected]>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<Z3e+IVEkHAB8uAhw>
Nov 12 16:22:47 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<xTwOIlEkHQB8uAhw>
Nov 12 16:22:54 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<S3ZxIlEkIQB8uAhw>
This block winds up preventing him from receiving email on his device until the offending IP is whitelisted in CSF and cPHulk. This continues to pop up every few months, though; I'm guessing it's because his office likely has a non-static IP. I'd obviously rather not keep whitelisting things if his system has been compromised, though, and short of a virus and general security scan of his systems (which I've already suggested) I'm not sure how else to advise him on how to rectify things without just locking him out.
Alternatively, is it possible that this is due to a poor configuration on my end? His is the only one of about 15 accounts on the server to experience this issue, though.
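The two notifications quoted above are of different kinds: the first is a CSF login-tracking (LT) alert, where a POP3 client polled more often than the configured "60 logins per hour" limit, and the second is an authentication-failure block, where Dovecot logged 10 failed IMAP logins from one IP inside the 1800 second window. The log lines themselves carry the detail that separates a device retrying a stale saved password (one account, one source IP, a single attempt per connection, spaced over minutes) from credential guessing (many accounts or rapid-fire attempts). The script below is an added example, not code from the original post or from CSF/cPHulk: it parses Dovecot `imap-login`/`pop3-login` auth-failure lines of the format shown, aggregates them per source IP, applies an illustrative triage heuristic, and reproduces the LT-style comparison from the first notification. The sample log lines, IP addresses, account names and the numeric thresholds in `classify` are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the Dovecot entries in the post.
# IPs are documentation ranges and session IDs are placeholders, not real values.
SAMPLE_LOG = """\
Nov 12 16:12:19 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<user@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, session=<s1>
Nov 12 16:12:26 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<user@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, session=<s2>
Nov 12 16:12:27 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<user@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, session=<s3>
Nov 12 16:22:20 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<user@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, session=<s4>
Nov 12 16:22:29 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<user@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, session=<s5>
Nov 12 16:22:47 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 7 secs): user=<user@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, session=<s6>
Nov 12 16:23:01 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<other@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, session=<s7>
Nov 12 16:23:05 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 3 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, session=<s8>
"""

# Matches the auth-failure lines Dovecot writes for imap-login / pop3-login.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: (?P<svc>imap|pop3)-login: '
    r'(?P<what>Aborted login|Disconnected) \(auth failed, (?P<n>\d+) attempts in \d+ secs\): '
    r'user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[\d.]+), lip=[\d.]+'
)


def parse_auth_failures(text, year=2015):
    """Return one dict per auth-failure line; lines that do not match are skipped.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "service": m["svc"], "user": m["user"],
                       "rip": m["rip"], "attempts": int(m["n"])})
    return events


def summarize(events):
    """Aggregate per source IP: total failed attempts, distinct accounts tried,
    and the span in seconds between first and last failure."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["rip"]].append(ev)
    summary = {}
    for ip, evs in by_ip.items():
        times = sorted(e["time"] for e in evs)
        summary[ip] = {
            "failures": sum(e["attempts"] for e in evs),
            "users": sorted({e["user"] for e in evs}),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
        }
    return summary


def classify(ip_summary):
    """Illustrative triage heuristic (thresholds are assumptions, not CSF settings):
    several accounts from one IP reads as credential guessing; many failures on one
    account within a minute reads as brute force; a single account retried at a
    slow, steady pace is what a mail client with a stale saved password looks like."""
    if len(ip_summary["users"]) > 1:
        return "multiple accounts from one IP: treat as credential guessing"
    if ip_summary["failures"] >= 10 and ip_summary["span_seconds"] < 60:
        return "rapid-fire failures on one account: treat as brute force"
    return "single account, paced retries: likely a misconfigured client"


def exceeds_login_limit(logins, interval_seconds, allowed=60, window=3600):
    """Mirror the LT notification in the post: the block fires when more than
    `allowed` successful logins land inside one `window`-second interval."""
    return interval_seconds <= window and logins > allowed


if __name__ == "__main__":
    for ip, s in summarize(parse_auth_failures(SAMPLE_LOG)).items():
        print(ip, s, "->", classify(s))
    # The post's first notification: 61 logins in 2297 seconds against a 60/hour limit.
    print("POP3 login limit exceeded:", exceeds_login_limit(61, 2297))
```

Run against the real `/var/log/maillog` (or the lines CSF quotes in its alert) the per-IP summary answers the question the post raises: if the only failing account is the client's, the only source is his office address, and each connection makes exactly one attempt, the device is retrying a wrong or expired password and the fix is on the client, not a compromise indicator; a second account name or a second source IP in the same window is the signal that warrants a closer look before whitelisting again.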