User being blocked because of repeated email login attempts

1968gtcs

I have a user who used to host his web site on my server. Several months ago he moved to a different server.

The problem is that his IP keeps getting automatically blocked on my server because of repeated failed login attempts. I believe what's going on is his email software is still constantly trying to access his email from my server even though he's moved to another server.

I get several email notices a day saying that his IP has been blocked with log entries like the following:
Code:
Jun 17 21:43:39 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx, TLS, session=<CX25seBuXsNFBDxA>
What I'm trying to figure out is how to explain to him what setting changes to make in his email so it will stop attempting to connect to my server.

Part of the problem is that I don't really understand how his email software could still be pinging my server instead of his new server. His domain name is definitely pointed to his new server and has been for months. I completely removed his account from my server when he moved hosts. When he goes to check email it should be using his domain, so it should be checking his new server, not mine, correct? Unless maybe his email is set to check my server IP address instead of his domain name.

Any help understanding what's going on would be much appreciated.
 

keat63

I could only suggest that maybe he has some manual DNS entries in a registrar control panel maybe.
Possible manual entries in his hosts file or an IP address in his email client software, but I'm not even sure if that would work ??

MXToolBox.com has all sorts of free tools that may help trace the issue, see if mail.whateverdomain.com resolves to you or his new server, if it resolves to his new server then you know the issue must be on his computer somewhere.
 

mtindor

> Part of the problem is that I don't really understand how his email software could still be pinging my server instead of his new server. His domain name is definitely pointed to his new server and has been for months. I completely removed his account from my server when he moved hosts. When he goes to check email it should be using his domain, so it should be checking his new server, not mine, correct? Unless maybe his email is set to check my server IP address instead of his domain name.
>
> Any help understanding what's going on would be much appreciated.

Well, with AutoSSL these days, people can use SSL on their own mail.theirdomain.com. But what if this person had configured their email client to use SSL before AutoSSL was available -- they probably would have set it up so that their email application is connecting to your hosting server's primary hostname (to avoid certificate warnings) rather than mail.theirdomain.com. And if they did that, then when they moved to another provider naturally they would still be connecting to your server unless they bothered to change their email settings.

Mike
 

Tearabite

I had this same issue with someone using mail.myservername just as @mtindor mentioned. The culprit turned out to be an iPhone that they rarely use so never changed/updated - every time they turned it on I started getting these warnings.

But, if he's no longer on your server, why not just put in a permanent block on his IP and be done with it?
 

cPanelLauren

Product Owner
Staff member
Hi @1968gtcs

> Part of the problem is that I don't really understand how his email software could still be pinging my server instead of his new server. His domain name is definitely pointed to his new server and has been for months. I completely removed his account from my server when he moved hosts. When he goes to check email it should be using his domain, so it should be checking his new server, not mine, correct? Unless maybe his email is set to check my server IP address instead of his domain name.

Having the IP rather than the domain name is a possibility, or he might have mail.yourhostname.tld set or he might have mail.hisdomain.tld set but mail.hisdomain.tld is still pointing to your server.

> I had this same issue with someone using mail.myservername just as @mtindor mentioned. The culprit turned out to be an iPhone that they rarely use so never changed/updated - every time they turned it on I started getting these warnings.
>
> But, if he's no longer on your server, why not just put in a permanent block on his IP and be done with it?

What @Tearabite is saying here is most likely the cause of the issue - if this is someone you want to have access to your server you may need to explain to him that any email client he may have set up needs to be changed. It could be a phone, a laptop, anything he'd set up before and possibly doesn't use often.
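
Added example, not part of any post in this thread: a short Python summary of Dovecot failed-login lines like the one quoted in the first post, grouped by remote IP and mailbox, so the server owner can tell the customer which account, protocol (IMAP or POP3) and TLS setting the forgotten device is using. The sample log lines, mailbox names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log entry quoted in the thread.
# Addresses are documentation ranges; mailbox names are made up.
SAMPLE_LOG = """\
Jun 17 21:43:39 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10, TLS, session=<aaaa>
Jun 17 21:58:41 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10, TLS, session=<bbbb>
Jun 17 22:01:02 server dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<sales@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10, session=<cccc>
Jun 17 22:05:10 server dovecot: imap-login: Login: user=<alice@example.net>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.10, mpid=4242, TLS, session=<dddd>
"""

# Matches only imap-login/pop3-login lines that report "auth failed".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sdovecot:\s"
    r"(?P<service>imap|pop3)-login:\s.*?"
    r"\(auth failed,\s(?P<attempts>\d+)\sattempts.*?\):\s"
    r"user=<(?P<user>[^>]*)>,.*?\brip=(?P<rip>[^,\s]+)(?P<rest>.*)$"
)

def summarize_failures(log_text):
    """Group failed logins by (remote IP, mailbox)."""
    stats = defaultdict(lambda: {"attempts": 0, "services": set(),
                                 "tls": False, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        entry = stats[(m["rip"], m["user"])]
        entry["attempts"] += int(m["attempts"])
        entry["services"].add(m["service"])
        entry["tls"] = entry["tls"] or ", TLS" in m["rest"]
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(stats)

if __name__ == "__main__":
    for (rip, user), e in sorted(summarize_failures(SAMPLE_LOG).items()):
        proto = "/".join(sorted(e["services"])).upper()
        print(f"{rip} -> {user}: {e['attempts']} failed attempts via {proto}, "
              f"TLS={'yes' if e['tls'] else 'no'}, {e['first']} to {e['last']}")
```

A mailbox that appears here but no longer exists on the server points to a device still configured with the old server's hostname or IP, which is the case described in the replies above.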
 

1968gtcs

Thank you everyone for the suggestions.

I definitely want this person to still access my server. He's a customer of one of my other sites. So just blocking him isn't an option.

I will try to walk him through checking his phone and email settings. The problem is he's not very savvy with technology so it may be hard.
 

cPanelLauren

Product Owner
Staff member
Hi @1968gtcs

You might be able to find a walkthrough tutorial online that will help him depending on the mail client/phone he has. Let us know if the issue continues after you help him.

Thanks!