Cpanel blacklisting itself

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
Hello and wishing everyone health.

I've been reviewing my cPanel cPHulk history and see frequent repeating entries at specific time periods with a correct username but with an incorrect, mangled domain name and a rip IP address that is my correct server domain IP address.

Example: "inquiry@server-existing-domain-name-but-without-dot", meaning it's like, for example, "valid-user@microsoftcom", with no "." between the correct domain and the top-level domain.

I do have an email form on a web page that sends me inquiries, so that explains part of it, but how can I troubleshoot this, to see what originating IP address the offender is coming from?

Dec 24 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<inquiry@server-existing-domain-name-but-without-dot>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<3O0GEDe3UtgtT77e>

Jan 1 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<inquiry@server-existing-domain-name-but-without-dot>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<YMnG/te3bpQtT77e>

Jan 2 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<inquiry@server-existing-domain-name-but-without-dot>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<VlWfHOy3PLQtT77e>

Jan 3 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<inquiry@server-existing-domain-name-but-without-dot>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<e4N2OgC4wtMtT77e>

Jan 4 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<inquiry@server-existing-domain-name-but-without-dot>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<L9hJWBS4wIUtT77e>

Jan 7 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<inquiry@server-existing-domain-name-but-without-dot>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<2e3SsVC4TIMtT77e>

Jan 9 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<inquiry@server-existing-domain-name-but-without-dot>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<GTaB7Xi4YMQtT77e>

Thank you.
 
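As an added example that is not part of this thread, here is a POSIX shell script that pulls the failed-login lines out of a maillog, counts them per user and remote IP, and measures the spacing between consecutive failures for one user, so that a fixed interval (the kind a scheduled script produces) is visible at a glance. The log lines inside it are constructed to mirror the ones above; the IP addresses 203.0.113.10, 198.51.100.77 and 192.0.2.5 are documentation-range placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the forum thread. Summarises dovecot "Aborted login"
# lines by user and remote IP and measures the spacing between consecutive
# failures so that a fixed interval (a scheduled job) stands out from
# irregular, human or opportunistic attempts.
#
# SAMPLE_LOG is constructed to mirror the thread's lines; to run against the
# real log, make log() do: cat /var/log/maillog
SAMPLE_LOG='Jan 15 10:00:06 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<inquiry@mangleddomain>, method=PLAIN, rip=203.0.113.10, lip=203.0.113.10, TLS, session=<a1>
Jan 15 10:10:02 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<inquiry@mangleddomain>, method=PLAIN, rip=203.0.113.10, lip=203.0.113.10, TLS, session=<a2>
Jan 15 10:20:02 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<inquiry@mangleddomain>, method=PLAIN, rip=203.0.113.10, lip=203.0.113.10, TLS, session=<a3>
Jan 15 10:30:02 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<inquiry@mangleddomain>, method=PLAIN, rip=203.0.113.10, lip=203.0.113.10, TLS, session=<a4>
Jan 15 10:31:45 buckets dovecot: imap-login: Aborted login (auth failed, 3 attempts in 9 secs): user=<admin>, method=PLAIN, rip=198.51.100.77, lip=203.0.113.10, TLS, session=<b1>
Jan 15 10:40:02 buckets dovecot: imap-login: Login: user=<inquiry@example.com>, method=PLAIN, rip=192.0.2.5, lip=203.0.113.10, TLS, session=<c1>'

log() { printf '%s\n' "$SAMPLE_LOG"; }

# count_failures: one line per (user, remote IP) pair as "COUNT USER RIP",
# most frequent first. Successful logins and probes with no auth are ignored.
count_failures() {
  log \
    | grep 'Aborted login (auth failed' \
    | sed -n 's/.*user=<\([^>]*\)>.*rip=\([^,]*\),.*/\1 \2/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2, $3 }'
}

# gaps_for_user USER: seconds between consecutive failures for USER, one per
# line. Timestamps are read as same-day wall-clock times (syslog field 3).
gaps_for_user() {
  log \
    | grep 'Aborted login (auth failed' \
    | grep -F "user=<$1>" \
    | awk '{ split($3, t, ":"); s = t[1]*3600 + t[2]*60 + t[3]
             if (NR > 1) print s - prev
             prev = s }'
}

# is_periodic USER TOLERANCE: exit 0 when every gap lies within TOLERANCE
# seconds of the first gap, i.e. the failures recur on a fixed schedule.
is_periodic() {
  gaps_for_user "$1" | awk -v tol="$2" '
    NR == 1 { ref = $1 }
    { d = $1 - ref; if (d < 0) d = -d; if (d > tol) bad = 1 }
    END { if (NR == 0 || bad) exit 1; exit 0 }'
}

echo "Failed logins by user and remote IP:"
count_failures
echo "Seconds between failures for inquiry@mangleddomain:"
gaps_for_user inquiry@mangleddomain
if is_periodic inquiry@mangleddomain 10; then
  echo "Fixed interval: consistent with a cron job or other scheduled script"
fi
```

On the constructed input the mangled-domain user shows gaps of 596, 600 and 600 seconds, which is the ten-minute cadence cPHulk also reports; the single failure from the external IP yields no gaps and is not flagged. A remote IP equal to the server's own address combined with a fixed interval is the signature of something running on the box itself rather than of an outside brute-force attempt.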

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! The data you've provided in /var/log/maillog would be everything the system has related to that transaction. Usually there are 3-4 lines per attempt, though, that look something like this; the following is an example of the cPanel monitoring system checking the dovecot tool:

Code:
Jan 11 02:10:49 host dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<Q3IJm5q47pd/AAAB>
Jan 11 02:10:49 host dovecot: lmtp(3972928): Connect from local
Jan 11 02:10:49 host dovecot: lmtp(3972928): Disconnect from local: Client has quit the connection (state=READY)
Jan 11 02:10:49 host dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__xpkvdj8ehmsyfu9avfzk1zlfcds15cpyhnsutqu76qebin...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=3972936, secured, session=<W3ENm5q4sMp/AAAB>
Jan 11 02:10:49 host dovecot: imap(__cpanel__service__auth__imap__xpkvdj8ehmsyfu9avfzk1zlfcds15cpyhnsutqu76qebinfpdbkphlihii_f8e2s)<3972936><W3ENm5q4sMp/AAAB>: Logged out in=11, out=502, bytes=11/502
Are there any other details in those additional lines that might help?
 

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
All I'm seeing are hundreds of entries like this:

Jan 15 11:00:06 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<inquiry@mangled-local-domain-name>, method=PLAIN, rip=server-ip-address, lip=server-ip-address, TLS, session=<Newld/K47qItT77e>
 

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
This is what I'm seeing in the cPHulk history reports. A snippet thereof:

inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 10:00:04 2021-01-15 16:00:04 254
inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 10:10:02 2021-01-15 16:10:02 264
inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 10:20:02 2021-01-15 16:20:02 274
inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 10:30:02 2021-01-15 16:30:02 284
inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 10:40:02 2021-01-15 16:40:02 294
inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 10:50:02 2021-01-15 16:50:02 304
inquiry@mangleddomain server-ip-address US mail dovecot 2021-01-15 11:00:04 2021-01-15 17:00:04 314
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Thanks for the additional details. I can't say that's something I've seen before in those logs with the domain name not being included properly there. Since the IP address is from the server itself it would make the most sense that a script is causing this on the user account, especially if this is happening exactly every 10 minutes as your timestamps indicate.

If you suspend that user account, does the issue stop?
 

jeffschips

Well-Known Member
Jun 5, 2016
new york
cPanel Access Level
Root Administrator
Is there a server-wide deep search I can use to scan the server for any file containing the string "mangleddomain"? As it's a unique string, perhaps I can dig down into it.
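As an added example, not from this thread or from cPanel, the following POSIX shell script does the two things the last two posts point at: it searches a directory tree for every text file containing a unique marker string (the mangled domain), and it then checks whether any cron entry invokes a file that matched, which is how you would tie the "every 10 minutes" pattern to a concrete scheduled script on the account. The demo tree it builds is constructed; which real directories are worth searching on a cPanel server (/home, /var/spool/cron, /etc/cron.d, /etc) is my assumption, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the forum thread. Finds every text file under the
# given directories that contains a unique marker string (here the mangled
# domain) and then checks whether any cron entry invokes a file that matched.
# The demo tree built below is constructed; on a real cPanel server you would
# search the real paths instead, for example:
#   find_marker mangleddomain /home /var/spool/cron /etc/cron.d /etc
# (which directories matter is an assumption, not something the thread states).

# find_marker MARKER DIR...: print each text file under DIR... containing MARKER.
# -r recurse, -I skip binary files, -l names only, -F match MARKER literally.
find_marker() {
  marker=$1; shift
  grep -rIlF -- "$marker" "$@" 2>/dev/null | sort
}

# cron_references PATH CRONDIR...: print "file:line" for every cron entry under
# CRONDIR... that mentions PATH, so a matched script can be tied to a schedule.
cron_references() {
  target=$1; shift
  grep -rHF -- "$target" "$@" 2>/dev/null
}

# ---- constructed demo tree standing in for the server's filesystem ----
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/home/site/public_html" "$DEMO/var/spool/cron" "$DEMO/etc/cron.d"
cat > "$DEMO/home/site/public_html/contact.php" <<'EOF'
<?php
// constructed: form handler with a hard-coded, mis-typed mailbox
$mailbox = 'inquiry@mangleddomain';
EOF
printf '*/10 * * * * /usr/bin/php /home/site/public_html/contact.php\n' \
  > "$DEMO/var/spool/cron/site"
printf 'nothing relevant here\n' > "$DEMO/home/site/notes.txt"
# a binary file containing the marker: skipped by -I, so it is not listed
printf 'mangleddomain\000binary payload' > "$DEMO/home/site/blob.bin"

# relative_matches MARKER ROOT: find_marker with ROOT stripped from each path,
# so the result does not depend on the temp directory name.
relative_matches() {
  find_marker "$1" "$2" | sed "s|^$2/||"
}

echo "Files containing the marker:"
relative_matches mangleddomain "$DEMO"
echo "Cron entries invoking a matched file:"
cron_references /home/site/public_html/contact.php "$DEMO/var/spool/cron"
```

On the demo tree only home/site/public_html/contact.php is reported (the binary file that also contains the string is skipped by -I), and the one cron line under var/spool/cron shows that file being run every ten minutes. On a real server, `crontab -l -u USER` for the suspected account is the quicker first check, and the cPanel-managed cron directories are where a per-account schedule would normally be recorded.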