Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

User being blocked because of repeated email login attempts

Discussion in 'E-mail Discussion' started by 1968gtcs, Jun 18, 2018.

  1. 1968gtcs

    1968gtcs Registered

    Joined:
    Jun 18, 2018
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    US
    cPanel Access Level:
    Website Owner
    I have a user who used to host his web site on my server. Several months ago he moved to a different server.

    The problem is that his IP keeps getting automatically blocked on my server because of repeated failed login attempts. I believe what's going on is his email software is still constantly trying to access his email from my server even though he's moved to another server.

    I get several email notices a day saying that his IP has been blocked with log entries like the following:
    Code:
    Jun 17 21:43:39 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<hisname@example.com>, method=PLAIN, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx, TLS, session=<CX25seBuXsNFBDxA>
    
    What I'm trying to figure out is how to explain to him what setting changes to make in his email so it will stop attempting to connect to my server.

    Part of the problem is that I don't really understand how his email software could still be pinging my server instead of his new server. His domain name is definitely pointed to his new server and has been for months. I completely removed his account from my server when he moved hosts. When he goes to check email is should be using his domain, so it should be checking his new server, not mine, correct? Unless maybe his email is set to check my server IP address instead of his domain name.

    Any help understanding what's going on would be much appreciated.
     
    #1 1968gtcs, Jun 18, 2018
    Last edited by a moderator: Jun 18, 2018
  2. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    992
    Likes Received:
    41
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I could only suggest that maybe he has some manual DNS entries in a registrar control panel maybe.
    Possible manual entries in his hosts file or an IP address in his email client software, but I'm not even sure if that would work ??

    MXToolBox.com has all sorts of free tools that may help trace the issue, see if mail.whateverdomain.com resolves to you or his new server, if it resolves to his new server then you know the issue must be on his computer somewhere.
     
  3. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,341
    Likes Received:
    57
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Well, with AutoSSL these days, people can use SSL on their own mail.theirdomain.com. But what if this person had configured their email client to use SSL before autoSSL was available -- they probably would have set it up so that their email application is connecting to your hosting server's primary hostname (to avoid certificate warnings) rather than mail.theirdomain.com. And if they did that, then when they moved to another provider naturally they would still be connecting to your server unless they bothered to change their email settings.

    Mike
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. Tearabite

    Tearabite Well-Known Member

    Joined:
    Nov 28, 2010
    Messages:
    76
    Likes Received:
    11
    Trophy Points:
    58
    Location:
    Southern California
    cPanel Access Level:
    Root Administrator
    I had this same issue with someone useing mail.myservername just as @mtindor mentioned.. The culprit turned out to be an iphone that they rarely use so never changed/updated - every time they turned it on I started getting these warnings.

    But, if he's no longer on your server, why not just put in a permanent block on his IP and be done with it?
     
  5. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,814
    Likes Received:
    133
    Trophy Points:
    118
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @1968gtcs

    Having the IP rather than the domain name is a possibility, or he might have mail.yourhostname.tld set or he might have mail.hisdomain.tld set but mail.hisdomain.tld is still pointing to your server.

    What @Tearabite is saying here is most likely the cause of the issue - if this is someone you want to have access to your server you may need to explain to him that any email client he may have set up needs to be changed, it could be a phone, a laptop anything he'd set up before and possibly doesn't use often.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  6. 1968gtcs

    1968gtcs Registered

    Joined:
    Jun 18, 2018
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    US
    cPanel Access Level:
    Website Owner
    Thank you everyone for the suggestions.

    I definitely want this person to still access my server. He's a customer of one of my other sites. So just blocking him isn't an option.

    I will try to walk him through checking his phone and email settings. The problem is he's not very savvy with technology so it may be hard.
     
  7. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,814
    Likes Received:
    133
    Trophy Points:
    118
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @1968gtcs

    You might be able to find a walkthrough tutorial online that will help him depending on the mail client/phone he has. Let us know if the issue continues after you help him.

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice