lfd question

Discussion in 'General Discussion' started by mdelacruz, Feb 19, 2007.

  1. mdelacruz

    Hello guys,

    My lfd service is sending me this email:

    ---
    On Mon Feb 19 15:32:16 2007, the Login Failure Daemon detected name@domain.com logging into pop3d from 200.48.xx.xx (mail.anotherdomain.com.pe) 61 times within the last 1545 seconds. The maximum allowed login rate is 60/hour (3600 seconds).

    name@domain.com will remain blocked from 200.48.xx.xx (mail.anotherdomain.com.pe) for pop3d connections for the next 2055 seconds.
    ---

    I'm supposing that this is a spam issue. I talked with the user and she is not sending spam, so the problem could be a spam script infecting her PC.

    The question is, how can I check the sent emails to validate content and know if this is a spam case or not?

    Thank you all
     
    #1 mdelacruz, Feb 19, 2007
    Last edited: Feb 19, 2007
  2. Lyttek

    Well, spam wouldn't be using POP, it'd be using SMTP, so I doubt that's the case.

    Is that IP hers? (I'm guessing not, since you list it as 'anotherdomain')
     
  3. mdelacruz

    It's her IP

    Lyttek,

    Thank you, you're right, it would be SMTP for a Spam case, nice observation. I missed it.

    The IP is the IP assigned by her ISP; this IP has the name of the ISP, which is why the domain name is different. I blocked the IP and her whole office can't access the site.
     
    #3 mdelacruz, Feb 20, 2007
    Last edited: Feb 20, 2007
  4. bmcpanel

    From my experience, I have found that multiple users in the same office will all count towards the hourly limit set in cPanel if they are on the same ISP IP#.

    Example
    WHM limit is 60 POP connections per hour.

    Jane's Office has 10 users who all check their email every 5 minutes, or 12 times per hour.

    That means, all together, they will be checking POP email 120 times in an hour, which will exceed the maximum of 60 POPs per hour. The same applies to LFD, as far as I know.
     
  5. chirpy

    lfd actually counts per-user logins per IP address. Only if the number of a given user's POP3 attempts exceeds the trigger level is the IP blocked (temporarily or permanently depending on your settings).
     
  6. mdelacruz

    Per user login

    Chirpy,

    Thank you for your answer. May I add some questions, please?

    1. This is not necessarily a spam case?
    2. Does "per user login" mean per user's email account (name@domain.com)? Per cPanel user account? Per mail domain (mail.domain.com)? If the count is per user's email account, this means that my user is trying to log in more than 60 times in an hour, which is unusual.
    3. If there is no risk in this scenario, is it possible to increment the count only for this cPanel account?

    Thanks again
     
  7. chirpy

    1. It's probably a client with their settings set to retrieve their email too often

    2. It's per email account - though the block will be on the IP address, which can affect more than one email account if the client uses a shared connection

    3. You cannot increase the trigger value on a per account basis, only globally
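
The per-account, per-IP counting described in the replies above can be checked against a mail log before deciding whether to raise the global limit. This is an added example, not part of the thread and not lfd's own code; the Courier-style `pop3d: LOGIN` line format, the `example.com` addresses and the IP `203.0.113.7` are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Courier-style pop3d LOGIN line; adjust the pattern to your maillog.
LOGIN_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pop3d: LOGIN, "
    r"user=(\S+), ip=\[(?:::ffff:)?([^\]]+)\]"
)

def find_rate_violations(lines, limit=60, window=3600, year=2007):
    """Return {(user, ip): (count, span_seconds)} at the first moment a pair
    has more than `limit` logins inside a sliding `window`-second interval."""
    recent = defaultdict(deque)  # (user, ip) -> login times still in the window
    hits = {}
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        key = (m.group(2), m.group(3))
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > limit and key not in hits:
            hits[key] = (len(q), int((ts - q[0]).total_seconds()))
    return hits

def sample_log():
    """Constructed data: two mail clients polling one mailbox every minute from
    one office IP, plus a colleague on the same IP polling every 5 minutes."""
    start = datetime(2007, 2, 19, 15, 0, 0)
    events = []
    for offset in (0, 30):       # second client starts 30 seconds later
        for i in range(40):
            when = start + timedelta(seconds=offset + 60 * i)
            events.append((when, "name@example.com"))
    for i in range(8):
        when = start + timedelta(seconds=10 + 300 * i)
        events.append((when, "other@example.com"))
    events.sort()
    return [
        f"{t:%b %d %H:%M:%S} host pop3d: LOGIN, user={u}, "
        f"ip=[::ffff:203.0.113.7], port=[{40000 + n}]"
        for n, (t, u) in enumerate(events)
    ]
```

On the constructed log, only the mailbox polled by two clients crosses the 60/hour trigger (61 logins in 1800 seconds), even though the shared IP produced 88 logins in total.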
     
  8. SageBrian

    I have one person who has his PC check email every minute (it's the default for many). I've suggested setting it to 5 minutes, since he doesn't really get that much. AND, if he's waiting on something, he can always check manually.

    Then...against advice, he sets up a second PC to check the same mailbox (so he has a copy of everything on his notebook). Again, check every minute. Well, when he does this, he hits the limit in about a half hour, and is then without mail for the rest of the hour. :)

    But wait, there's more. I believe he's set up a third PC to do the same thing. And, you guessed it, he gets shut out in about 20 minutes.

    Think he wants to try to understand options, like IMAP or something? Nope, since he knows what he wants.

    And then there is the constant clicker. They just sit there at their computer, click send/receive every second. Like the elevator is going to come any quicker?

    The funny thing is, with their 'need' to have it every minute, they don't even realize that they suddenly go without for a stretch of time.
     
  9. mctDarren

    I feel your pain. I have a whole office full of people (I host their corporate site) who cold call businesses and get them to order over the web (which I don't host). They then sit there and either click send/receive over and over or they are already set to receive every minute until that order confirmation comes through. I get a call a week about how my email service is "so slow" because they haven't gotten the confirm email in the one and a half minutes that have passed since the customer ordered. The funny thing is, their system is set up so they can check IN THEIR OWN OFFICE SYSTEM if the order was placed. But they want that stinking email and they want it yesterday... ugh...
     