cppop exploit + attack

Today my server started going extremly slowly and when I went to check it out it turned out that there were a ton of instances of cppop all from a single IP flood. 1000+ instances. In the tweak settings I have time per hour set to 60 and prevent pop3 flood enabled yet I had 1000+ isntances of cppop started. It's only when I banned the IP that the server returned back to normal.

Furthermore it seemed like these cppop were handing around still processing so when I pulled up maillog I found entries such as this.

How do you prevent something like this?

 

What am I supposed to be running?

 

If you're machine's running Cpanel, then you really want to consider upgrading to Courier. Although you really want to search the Cpanel forums and read everything you can about Courier / maildir / upgrading / etc. before attempting it.

The link below is a good starting point...

http://forums.cpanel.net/showthread.php?t=44941&highlight=courier+upgrade

Mike

 

Unfortunately there are still many individuals running their servers on the outdated mbox format :/

 

I'm surprised it doesn't come standard with courier then. This server is about a year and a half old and I had configservers set it up once I got it but I'm a bit dissapointed that we never find out from cpanel that using cppop is dangerous.

 

Courier-imap is installed by default now and if you're running cPanel v11 then the daily upcp email includes a warning if you still run the deprecated cppop advising to migrate to the new configuration.

Word is that cPanel v12 will drop support for cppop and force an update to courier-imap - I hope it does.

 

How can I make sure we are not running cppop?
I did upgrade to maildir, so would that also mean not running cppop now?

Sorry for lame question.

- Vince

 

Correct, cppop is not used on systems running maildir.

 

Thanks very much David.

Someday you guys will have the spammers licked - I hope.

- Vince

 

I don't think we wanna go licking them, God knows where those guys have been.

 

I'd lick em, or do just about anything else to them, in exchange for a percentage of the money that those guys make. At least I'd do that with the top 10 ROKSO spammers

M

 

I agree. CSF/LFD has been an invaluable tool for my Linux servers. It works very well.

 

i was just wondering that having an old server, a populated one, with some serious companys using neomail and old cppop format (as the name says cp-pop or cpanel pop i mean) is not a real sin

i do have one cpanel11 still with cppop because i cannot simply impose horde or squirell over neomail or other imap based webmails over pop3 ones

so my server is suffering this POP3 FLOOD ATTACKS

Mar 18 20:56:08 main cpanelpop[8973]: Connection from host=141.157.27.182 to ip=x.x.x.1
Mar 18 20:56:09 main cpanelpop[8993]: Connection from host=141.157.27.182 to ip=x.x.x.2
Mar 18 20:56:10 main cpanelpop[8980]: Connection from host=141.157.27.182 to ip=x.x.x.3

as i could also realise inside of Tweak Settings there is no more the pop3 limit per hour that users could check their mailboxes, how can i manually configure this?

in fact this guy cannot connect because he is trying to guess the user and password and he is not getting this

is there any place to avoid this i mean manually configure cppop ?