Strange E-Mail Logins from non-existent account

jasgot

Well-Known Member
Please know, this account does NOT exist! Yet it can log in!!!!!

I have found an account that is successfully logging in to IMAP from one IP and failing to log in from another IP. The strange thing is, the account doesn't exist!

Have a look at these two log entries and also at the Remote IP:

Code:
Mar  1 15:08:17 64 dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=[Removed IP], lip=MYSERVERIP, mpid=60339, TLS, session=<ubq/9w2DxIVENzdf>

Mar  1 18:08:26 64 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=[Removed IP], lip=MYSERVERIP, TLS, session=<9bfhexCDNMpEPEey>

The rub is that the remote IPs are both end-user locations, neither is listed in CFS Allow lists, and when the customer gets to the failed IP location, everyone behind that IP gets blocked and it is creating a problem.

What do you make of this?
 

cPanelLauren

Forums Analyst II
Staff member
That account isn't actually logging in though, the next line clearly states that the login failed:

Code:
Mar  1 18:08:26 64 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=[Removed IP], lip=MYSERVERIP, TLS, session=<9bfhexCDNMpEPEey>
This is just a failed auth attempt based on the log excerpt you're showing here.
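
As an added example (not code from the thread, cPanel or Dovecot), the Python below parses lines in the Dovecot `imap-login` format quoted above and lists users that authenticated successfully from one remote IP while only failing from another. The sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's log format; user and IPs are placeholders.
SAMPLE_LOG = """\
Mar  1 15:08:17 64 dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, mpid=60339, TLS, session=<constructedAAAA>
Mar  1 18:08:26 64 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<user@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS, session=<constructedBBBB>
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ dovecot: \w+-login: "
    r"(?P<event>[^:(]+?)(?: \((?P<reason>[^)]*)\))?: "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,]+)"
)

def parse_line(line):
    """Return user, rip and outcome for one *-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    reason = m.group("reason") or ""
    if m.group("event") == "Login":
        outcome = "success"          # "Login:" is logged when auth succeeded
    elif "auth failed" in reason:
        outcome = "auth_failed"      # Aborted/Disconnected with failed auth
    else:
        outcome = "other"            # e.g. disconnect with no auth attempt
    return {"user": m.group("user"), "rip": m.group("rip"), "outcome": outcome}

def outcomes_by_user(log_text):
    """Map user -> outcome -> set of remote IPs seen with that outcome."""
    table = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            table[rec["user"]][rec["outcome"]].add(rec["rip"])
    return table

def mixed_outcome_users(log_text):
    """Users with a success from one IP and failures only from another."""
    result = {}
    for user, seen in outcomes_by_user(log_text).items():
        failing_only = seen["auth_failed"] - seen["success"]
        if seen["success"] and failing_only:
            result[user] = (sorted(seen["success"]), sorted(failing_only))
    return result

if __name__ == "__main__":
    print(mixed_outcome_users(SAMPLE_LOG))
```
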