Cpanel blacklisting itself

jeffschips (Well-Known Member, joined Jun 5, 2016, new york; cPanel Access Level: Root Administrator)
Hello and wishing everyone health.

I've been reviewing my cPanel cPHulk history and see frequent repeating entries at specific time periods with a correct username but with an incorrect, mangled domain name, and a rip IP address that is my correct server domain IP address.

Example: "[email protected]", meaning it's like, for example, "[email protected]" with no "." between the correct domain and the top-level domain.

I do have an email form on a web page that sends me inquiries, so that explains part of it, but how can I troubleshoot this to see what originating IP address the offender is coming from?

Dec 24 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<3O0GEDe3UtgtT77e>

Jan 1 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<YMnG/te3bpQtT77e>

Jan 2 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<VlWfHOy3PLQtT77e>

Jan 3 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<e4N2OgC4wtMtT77e>

Jan 4 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<L9hJWBS4wIUtT77e>

Jan 7 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<2e3SsVC4TIMtT77e>

Jan 9 10:00:05 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=my-server-domain-ip-address, lip=my-server-domain-ip-address, TLS, session=<GTaB7Xi4YMQtT77e>

Thank you.
 
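The maillog lines above are the raw material for this kind of triage. As an added example (not code posted in the thread), the script below condenses dovecot "Aborted login (auth failed ...)" lines into one row per (user, remote IP) pair with the summed attempt count, so a pattern like one mangled login name hammering from a single rip stands out immediately. The sample log is constructed with documentation IPs and a placeholder domain; the log path is an assumption for a typical cPanel server.

```shell
#!/bin/sh
# Added example (not from the thread): summarise dovecot "Aborted login
# (auth failed ...)" lines from a maillog by user and remote IP (rip).
# Usage: summarize_auth_failures /var/log/maillog

summarize_auth_failures() {
    awk '
        /Aborted login \(auth failed/ {
            # user=<...> : the login name presented (here the mangled domain)
            match($0, /user=<[^>]*>/);    u = substr($0, RSTART + 6, RLENGTH - 7)
            # rip=...    : remote IP the connection came from
            match($0, /rip=[^,]*/);       r = substr($0, RSTART + 4, RLENGTH - 4)
            # "N attempts": dovecot counts attempts per session, so sum them
            match($0, /[0-9]+ attempts/); a = substr($0, RSTART, RLENGTH) + 0
            key = u " " r
            lines[key]++
            attempts[key] += a
        }
        END {
            # columns: total attempts, log lines, user, remote IP
            for (k in lines) printf "%d %d %s\n", attempts[k], lines[k], k
        }' "$1" | sort -rn
}

# Constructed sample log (placeholder hosts and documentation IPs, not real data).
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 15 10:00:04 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<user@exampleinvalid>, method=PLAIN, rip=203.0.113.10, lip=203.0.113.10, TLS, session=<s1>
Jan 15 10:10:02 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<user@exampleinvalid>, method=PLAIN, rip=203.0.113.10, lip=203.0.113.10, TLS, session=<s2>
Jan 15 10:12:40 buckets dovecot: imap-login: Login: user=<user@example.invalid>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.10, mpid=4242, TLS, session=<s3>
Jan 15 10:20:02 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<user@exampleinvalid>, method=PLAIN, rip=203.0.113.10, lip=203.0.113.10, TLS, session=<s4>
Jan 15 10:21:09 buckets dovecot: imap-login: Aborted login (auth failed, 2 attempts in 9 secs): user=<other@example.invalid>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.10, TLS, session=<s5>
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
summarize_auth_failures "$sample"
rm -f "$sample"
```

When the rip column equals the server's own address, as in the thread, the attempts are local and the next place to look is what runs on the server under that account, not an external attacker's IP.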

cPRex (Jurassic Moderator, Staff member, joined Oct 19, 2014; cPanel Access Level: Root Administrator)
Hey there! The data you've provided in /var/log/maillog would be everything the system has related to that transaction. Usually, though, there are 3-4 lines per attempt that look something like this; the following is an example of the cPanel monitoring system checking the dovecot tool:

Code:
Jan 11 02:10:49 host dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<Q3IJm5q47pd/AAAB>
Jan 11 02:10:49 host dovecot: lmtp(3972928): Connect from local
Jan 11 02:10:49 host dovecot: lmtp(3972928): Disconnect from local: Client has quit the connection (state=READY)
Jan 11 02:10:49 host dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__xpkvdj8ehmsyfu9avfzk1zlfcds15cpyhnsutqu76qebin...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=3972936, secured, session=<W3ENm5q4sMp/AAAB>
Jan 11 02:10:49 host dovecot: imap(__cpanel__service__auth__imap__xpkvdj8ehmsyfu9avfzk1zlfcds15cpyhnsutqu76qebinfpdbkphlihii_f8e2s)<3972936><W3ENm5q4sMp/AAAB>: Logged out in=11, out=502, bytes=11/502
Are there any other details in those additional lines that might help?
 

jeffschips (Well-Known Member, joined Jun 5, 2016, new york; cPanel Access Level: Root Administrator)
All I'm seeing are hundreds of entries like this:

Jan 15 11:00:06 buckets dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=server-ip-address, lip=server-ip-address, TLS, session=<Newld/K47qItT77e>
 

jeffschips (Well-Known Member, joined Jun 5, 2016, new york; cPanel Access Level: Root Administrator)
This is what I'm seeing in the cPHulk history reports. A snippet thereof:

[email protected] server-ip-address US mail dovecot 2021-01-15 10:00:04 2021-01-15 16:00:04 254
[email protected] server-ip-address US mail dovecot 2021-01-15 10:10:02 2021-01-15 16:10:02 264
[email protected] server-ip-address US mail dovecot 2021-01-15 10:20:02 2021-01-15 16:20:02 274
[email protected] server-ip-address US mail dovecot 2021-01-15 10:30:02 2021-01-15 16:30:02 284
[email protected] server-ip-address US mail dovecot 2021-01-15 10:40:02 2021-01-15 16:40:02 294
[email protected] server-ip-address US mail dovecot 2021-01-15 10:50:02 2021-01-15 16:50:02 304
[email protected] server-ip-address US mail dovecot 2021-01-15 11:00:04 2021-01-15 17:00:04 314
 

cPRex (Jurassic Moderator, Staff member, joined Oct 19, 2014; cPanel Access Level: Root Administrator)
Thanks for the additional details. I can't say that's something I've seen before in those logs with the domain name not being included properly there. Since the IP address is from the server itself it would make the most sense that a script is causing this on the user account, especially if this is happening exactly every 10 minutes as your timestamps indicate.

If you suspend that user account, does the issue stop?
 
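A failure that recurs exactly every 10 minutes from the server's own IP points at a scheduled job on the account. As an added example (not code from the thread or from cPanel), the script below walks a directory of per-user crontab files and prints every job whose minute field fires on a given interval, in either the `*/10` or the `0,10,20,...` form. The assumption that per-user crontabs live one file per user under /var/spool/cron reflects a CentOS-style cPanel server; the sample crontabs, users and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list cron jobs that run on a fixed
# minute interval (e.g. every 10 minutes) across a directory of per-user
# crontab files. Assumption: crontabs live in /var/spool/cron/<user>; for a
# single account "crontab -l -u USER" shows the same content.
# Usage: cron_jobs_every /var/spool/cron 10

cron_jobs_every() {
    dir=$1
    step=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v step="$step" -v user="$(basename "$f")" '
            /^[[:space:]]*#/ { next }                        # comment lines
            NF == 0 { next }                                 # blank lines
            /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }  # VAR=value lines
            NF >= 6 {
                m = $1
                hit = 0
                if (m == "*/" step) {
                    hit = 1                          # */10 form
                } else if (index(m, ",") > 0) {
                    n = split(m, parts, ",")         # 0,10,20,... form
                    hit = (n == 60 / step)
                    for (i = 1; i <= n && hit; i++)
                        if (parts[i] % step != 0) hit = 0
                }
                if (hit) print user ": " $0
            }' "$f"
    done
}

# Constructed sample crontabs (users, paths and scripts are placeholders).
write_sample_crontabs() {
    mkdir -p "$1"
    printf '%s\n' \
        '*/10 * * * * /usr/local/bin/php /home/alice/public_html/check_inbox.php' \
        '0 3 * * * /usr/local/bin/backup.sh' > "$1/alice"
    printf '%s\n' \
        '# poll every ten minutes' \
        'MAILTO=""' \
        '0,10,20,30,40,50 * * * * /home/bob/poll.sh' \
        '*/5 * * * * /home/bob/fast.sh' > "$1/bob"
}

crondir=$(mktemp -d)
write_sample_crontabs "$crondir"
cron_jobs_every "$crondir" 10
rm -rf "$crondir"
```

A job that checks a mailbox with a hard-coded, mistyped address would produce exactly the log pattern in the thread; suspending the account, as suggested above, stops its cron jobs as well, which is why that test is informative.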

jeffschips (Well-Known Member, joined Jun 5, 2016, new york; cPanel Access Level: Root Administrator)
Is there a server-wide deep search I can use to scan the server for any file containing the string "mangleddomain"? As it's a unique string, perhaps I can dig down into it.