pop3 attack flood

Discussion in 'E-mail Discussions' started by jlucho, Oct 26, 2017.

  1. jlucho

    jlucho Active Member

    Hi friends,

    I'm getting these kinds of attacks:

    Code:
    2017-10-26 23:08:58 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51955: 535 Incorrect authentication data (set_id=info@mailXXX.com)
    2017-10-26 23:09:04 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51964: 535 Incorrect authentication data (set_id=info@mailXXX.com)
    2017-10-26 23:09:06 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51971: 535 Incorrect authentication data (set_id=info@mailXXX.com)
    2017-10-26 23:09:08 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51977: 535 Incorrect authentication data (set_id=info@mailXXX.com)
    2017-10-26 23:09:10 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51984: 535 Incorrect authentication data (set_id=info@mailXXX.com)
    2017-10-26 23:09:12 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51985: 535 Incorrect authentication data (set_id=info@mailXXX.com)
    2017-10-26 23:11:57 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34001: 535 Incorrect authentication data (set_id=info@mailXXX.com)
    2017-10-26 23:12:08 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34006: 535 Incorrect authentication data (set_id=info@mailXXX.com)
    2017-10-26 23:12:14 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34029: 535 Incorrect authentication data (set_id=info@mailXXX.com)
    2017-10-26 23:12:19 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34042: 535 Incorrect authentication data (set_id=info@mailXXX.com)
    2017-10-26 23:12:25 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34044: 535 Incorrect authentication data (set_id=info@mailXXX.com)
    
    
    with hundreds of attempts being made in a very short time.

    My CSF firewall is set to:
    LF_POP3D = 10
    LF_POP3D_PERM = 1
    LF_SMTPAUTH = 5
    LF_SMTPAUTH_PERM = 1

    Home » Service Configuration » Mailserver Configuration is:
    Maximum Number of Mail Processes = 512
    Maximum IMAP Connections Per IP Address = 20
    Maximum POP3 Connections per IP Address = 3
    Number of Spare Authentication Processes = 2
    Maximum Number of Authentication Processes = 50

    How can I stop this type of attack?
     
    #1 jlucho, Oct 26, 2017
    Last edited by a moderator: Oct 27, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The best approach to address this issue would be to block the offending IP addresses in your firewall, or ensure that your firewall is automatically blocking the IP addresses. Can you review your CSF Firewall logs to see if it's blocking them?

    Thank you.
     
  3. jlucho

    jlucho Active Member

    Hello,

    Yes, so far the firewall is blocking IPs.
    Every day between 2000 and 2500 new blocked IPs are added.

    I see that the flood connections are made every 4 seconds.

    Is there any option to prevent them from generating connection attempts every 4 seconds? If the connection interval were every 10 or 15 seconds, I think it could mitigate the attack.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I don't believe there are any mail server settings that will help, as nothing will really prevent the connection request itself besides blocking the IP address in your firewall. You could check with the CSF support forums to see if there are any options within CSF that you could alter to help detect the attack more efficiently.

    Thank you.
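
The log lines in the first post are Exim SMTP AUTH failures (dovecot_login is an Exim authenticator), so LF_SMTPAUTH is the CSF limit that applies to them rather than LF_POP3D. The following is an added example, not part of the original thread and not CSF's own code: it replays those lines against a limit of 5 and lists accounts attacked from more than one address. The one-hour counting window and all function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim mainlog entry for a failed SMTP AUTH through the dovecot_login authenticator.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) dovecot_login authenticator failed for "
    r"[^\[]*\[(?P<ip>[^\]]+)\](?::\d+)?: 535 .*\(set_id=(?P<user>[^)]*)\)")

# Sample input: log lines copied from the first post of this thread.
SAMPLE = """\
2017-10-26 23:08:58 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51955: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:09:04 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51964: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:09:06 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51971: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:09:08 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51977: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:09:10 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51984: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:09:12 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51985: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:11:57 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34001: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:12:08 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34006: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:12:14 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34029: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:12:19 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34042: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:12:25 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34044: 535 Incorrect authentication data (set_id=info@mailXXX.com)
"""

def parse(lines):
    """Return [(timestamp, ip, account)] for failed-auth lines; other lines are skipped."""
    hits = (FAIL_RE.match(line.strip()) for line in lines)
    return [(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"])
            for m in hits if m]

def ips_over_threshold(events, limit=5, window=timedelta(hours=1)):
    """Return {ip: time of the failure that reached `limit` inside `window`}."""
    recent, tripped = defaultdict(list), {}
    for ts, ip, _ in sorted(events):
        recent[ip] = [t for t in recent[ip] if ts - t < window] + [ts]
        if len(recent[ip]) >= limit:
            tripped.setdefault(ip, ts)
    return tripped

def distributed_targets(events, min_ips=2):
    """Return {account: sorted IPs} for accounts attacked from >= min_ips addresses."""
    seen = defaultdict(set)
    for _, ip, user in events:
        seen[user].add(ip)
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    events = parse(SAMPLE.splitlines())
    print(ips_over_threshold(events))   # IPs a limit of 5 should have caught
    print(distributed_targets(events))  # accounts hit from several IPs
```

Comparing the returned trip times with the block times in the CSF log shows how many further attempts each address made before it was blocked. When `distributed_targets` lists an account, per-IP limits alone will lag behind; CSF's LF_DISTATTACK option tracks failures per account across addresses.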
     