This needs to be looked into promptly Nick
During this apparent attack it was evident that there needed to be some kind of control of pop sessions in cpanels pop server to prevent this flooding from occurring and to turn off the logging.
I'm not sure if it is possible Nick but some more people will fall fate to what happened to us the other night if this hole is not blocked.
Our server was being flooded with pop connects and rapidly filled up the maillog and var partition within very little time. The partition is not the biggest on most systems, we have like 1-gig free space, which is plenty, but it was not enough in this situation. I will probably be moving these logs to a larger partition to give more time for us, if this happens again.
A popular Windows chat program called Trillian, I'm sure many of you are familiar with, went crazy for a user on our system after installing a module for it, to check their pop mail account.
The user had no idea what was going on but it was connecting to our pop server at a very rapid rate, the server showed no signs of an attack, it was handling the sessions just fine. The first sign we had, was our disk partition flew up to 98% useage within the hour, I just happened to check at the right time!!
After scrambling to see where the problem was occuring, I first looked at the logs and found the maillog filling up rapidly and connections coming from the user.
I promptly suspended the account, since there is no way to stop pop sessions at the server level with the cpanel pop software, at least I have no idea how? It runs outside of the hosts.deny, I could have easily banned his IP in there but not just pop3.
Even after suspending the account, his system was still trying to connect and filling up the log with connections but I had a control on it at that time and wanted to see if he would stop. I figured it was some kind of software error, did not fit the usual type of attack.
So, could we have a limit on pop3 connects per minute or some kind of control here to prevent this from happening. Stop logging the connects if possible too at the maillog when this occurs.
This is an easy way to bring down any cpanel server, just keep flooding them with pop connects, doesn't matter if you have an account there or not, you will fill their log up quickly with a good flood rate.
Any ideas are appreciated..