The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

csf LT_POP3D greater than 180

Discussion in 'General Discussion' started by jimboh, Dec 5, 2012.

  1. jimboh

    jimboh Registered

    Joined:
    Dec 5, 2012
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Not sure if I should be posting this here but ... I have an ecommerce website where the stores receive orders by email and use thunderbird pop set at retrieve messages every minute. I have just moved to a new server and all stores just got blocked for exceeding the limit (LT_POP3D set at 180). I dont know why they exceeded it and the fact that 8 different ips all got blocked within a couple of minutes of each other suggest maybe something else is wrong (besides the fact that being set at retrieve 1 a min should only result in 60 per hour).

    Can anyone give advice as to how to monitor this and see what access is actually being made? I have disabled the check altogether but dont think thats a good idea. On the other hand, as a fast food franchise stores cannot be blocked for upto an hour.
     
  2. STS Admin

    STS Admin Well-Known Member

    Joined:
    Jul 8, 2012
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Check the /var/log/maillog file and grep the IP 's with "pop3" string.

    Code:
    grep -i pop3 /var/log/maillog | grep XX.XX.XX.XX
     
  3. jimboh

    jimboh Registered

    Joined:
    Dec 5, 2012
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks that is just what I was looking for.
    The result was exactly what I expected, each store connecting exactly once every minute.
    I dont know how they managed to break the 180 connections per hour limit on that basis. I suppose I will have to re-enable the 180 limit and wait for it to be exceeded again so I have the log to look at (existing maillog only shows todays events). Thing is it went around 5 days before they all suddenly failed, and I have to react quickly to clear the blocks or there will be upset customers with late orders. I was wondering if there was a way to remove those email clients from the check (but as they are going to be dynamic IPS i guess thats not really workable). Is this a dangerous check to leave disabled?
     
Loading...

Share This Page