Imap Logwatch Email

Discussion in 'E-mail Discussions' started by allwebnow, Mar 15, 2007.

  1. allwebnow

    I keep getting a whole bunch of these messages in regards to 2 users in my email every day and it's worrying me:

    --------------------- IMAP Begin ------------------------

    **Unmatched Entries**
    DISCONNECTED, user=xxx@xxx.com, ip=[::ffff:216.9.253.212], headers=0, body=0, time=0, starttls=1: 1 Time(s)
    LOGIN FAILED, user=xxx, ip=[::ffff:216.196.241.182]: 2 Time(s)
    LOGIN, user=xxx@xxx.com, ip=[::ffff:216.9.249.15], protocol=IMAP: 47 Time(s)
    ""
    ""
    ""
    ""
    .........

    It's like they tried to login and then
    I looked up those IPs and it looks like they're from Canada. That doesn't seem right since my users are from Ohio and New York. Any thoughts?

    I'm running ConfigServer's LFD and CSF, so I'm sure there's a way to block these IPs; however, like I said, there are hundreds of different IPs logging into these two users' email accounts... I think.

    Can someone shed some light on this for me and for anyone else maybe having this problem?
     
  2. allwebnow

    Any idea on this? I blocked the range of IPs using 216.196.241.0\24 in CSF. Nothing happened.
     
  3. chirpy

    Blocking them in your firewall is the best idea. If you literally used 216.196.241.0\24 it won't work as the slash needs to be the other way, i.e.:

    216.196.241.0/24

    If you did do that right, then you'll have to wait for the following day's logwatch as the day immediately after will still have the failures from the same day that you blocked the IP range.
     
  4. allwebnow

    Oh my, yes, I did put it in correctly in WHM but not on the posts, sorry about my typo. Yes, I think it worked because I haven't gotten the email tonight. We'll see though. Thanks!
     
  5. allwebnow

    OK, I received the logwatch email again. It's a similar but different problem. That 216.9.253.214 is listed even though I manually denied 216.9.253.0/24. It is still there but just once vs. many times. But now they've been replaced by localhost IP. Doesn't look right to me.


    **Unmatched Entries**
    /usr/lib/courier-imap/etc/shared/index: No such file or directory: 2 Time(s)
    DISCONNECTED, user=xxx@email1.com, ip=[::ffff:127.0.0.1], headers=0, body=0, time=0: 4 Time(s)
    LOGIN, user=xxx@email1.com, ip=[::ffff:127.0.0.1], protocol=IMAP: 33 Time(s)
    LOGIN, user=xxx@email2.com, ip=[::ffff:127.0.0.1], protocol=IMAP: 8 Time(s)
    LOGIN, user=xxx@email3.com, ip=[::ffff:216.9.253.214], protocol=IMAP: 1 Time(s)
    LOGOUT, user=xxx@email1.com, ip=[::ffff:127.0.0.1], headers=0, body=0, time=0: 11 Time(s)
    ""
    ""
    ""
     
  6. chirpy

    127.0.0.1 is normal, it's chkservd making sure that the IMAP service is up and running.
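
Added example, not part of the original thread and not code from Logwatch or CSF: a Python check that reads Logwatch IMAP "Unmatched Entries" lines in the format quoted above, unwraps the `::ffff:` IPv4-mapped addresses, and reports which source addresses fall inside the denied ranges named in the thread. The function names are hypothetical and the sample lines are constructed from the entries quoted in the posts.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the Logwatch "Unmatched Entries" format quoted in the thread.
SAMPLE = """\
LOGIN FAILED, user=xxx, ip=[::ffff:216.196.241.182]: 2 Time(s)
LOGIN, user=xxx@xxx.com, ip=[::ffff:216.9.249.15], protocol=IMAP: 47 Time(s)
LOGIN, user=xxx@email1.com, ip=[::ffff:127.0.0.1], protocol=IMAP: 33 Time(s)
LOGIN, user=xxx@email3.com, ip=[::ffff:216.9.253.214], protocol=IMAP: 1 Time(s)
/usr/lib/courier-imap/etc/shared/index: No such file or directory: 2 Time(s)
"""
# The two ranges the thread says were denied in the firewall.
DENIED = ["216.196.241.0/24", "216.9.253.0/24"]

ENTRY = re.compile(r"^(?P<event>[A-Z ]+), user=[^,]+, "
                   r"ip=\[(?P<ip>[^\]]+)\].*: (?P<count>\d+) Time\(s\)$")

def parse_ranges(ranges):
    """Parse CIDR strings; a backslash instead of '/' raises ValueError."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]

def normalise(ip_text):
    """Turn the IPv4-mapped form (::ffff:a.b.c.d) into a plain IPv4 address."""
    ip = ipaddress.ip_address(ip_text)
    return getattr(ip, "ipv4_mapped", None) or ip

def summarise(report, denied):
    """Return {(ip, event, status): count}; status is local, covered or uncovered."""
    nets = parse_ranges(denied)
    totals = defaultdict(int)
    for line in report.splitlines():
        m = ENTRY.match(line.strip())
        if m is None:
            continue  # not a per-connection entry, e.g. the shared/index warning
        ip = normalise(m["ip"])
        if ip.is_loopback:
            status = "local"      # same-host connections, as in the 127.0.0.1 entries
        elif any(ip in net for net in nets):
            status = "covered"    # inside a denied range; may predate the block
        else:
            status = "uncovered"  # no listed range matches this address
        totals[(str(ip), m["event"], status)] += int(m["count"])
    return dict(totals)

if __name__ == "__main__":
    for key, count in sorted(summarise(SAMPLE, DENIED).items()):
        print(*key, count)
```

A "covered" entry can still appear in the report that follows the day the range was denied, as noted in the reply above; an "uncovered" entry means none of the listed ranges matches that address.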
     