ub
 New Member
 Posts:13
 | | 06 Dec 2011 10:06 PM |
| So people try to attack my mail server pretty frequently, but it hasn't really been a problem in the past. Just recently it seems like they have started locking up/taking down the POP3 connection. A simple service restart resolves the problem but the outage is egg on my face. I just recently upgraded to 1.0.8.3 but that might have been coincidence.

The logs look like this:

They try to log in three times and get locked out (note these are not real users):

[POP3 000277 05-12-11 01:19:02] Received POP3 connection from 173.10.65.2
[POP3 000277 05-12-11 01:19:02] Number of current POP3 connections: 2
[POP3 000277 05-12-11 01:19:02] +OK ArGoSoft Mail Server POP3 Module v.1.0.8.3 at Mon, 05 Dec 2011 07:19:02 GMT
[POP3 000277 05-12-11 01:19:02] USER aaron
[POP3 000277 05-12-11 01:19:02] +OK Send password...
[POP3 000278 05-12-11 01:19:02] Received POP3 connection from 173.10.65.2
[POP3 000277 05-12-11 01:19:02] PASS XXXXXXXX
[POP3 000278 05-12-11 01:19:02] Number of current POP3 connections: 3
[POP3 000278 05-12-11 01:19:02] +OK ArGoSoft Mail Server POP3 Module v.1.0.8.3 at Mon, 05 Dec 2011 07:19:02 GMT
[POP3 000278 05-12-11 01:19:02] USER abigail
[POP3 000278 05-12-11 01:19:02] +OK Send password...
[POP3 000277 05-12-11 01:19:02] Incrementing the counter for IP address 173.10.65.2 in lockout manager: Current=3, Allowed=3
[POP3 000277 05-12-11 01:19:02] -ERR Invalid credentials
[POP3 000278 05-12-11 01:19:02] PASS XXXXXXXX
[POP3 000277 05-12-11 01:19:02] QUIT
[POP3 000277 05-12-11 01:19:02] +OK Goodbye

Then they hammer the crap out of the server to no avail:

[POP3 000283 05-12-11 01:19:04] Number of current POP3 connections: 1
[POP3 000285 05-12-11 01:19:04] Received POP3 connection from 173.10.65.2
[POP3 000284 05-12-11 01:19:04] -ERR Sorry, your IP address has been locked out...
[POP3 000284 05-12-11 01:19:04] POP3 Connection with 173.10.65.2 ended
[POP3 000284 05-12-11 01:19:04] Number of current POP3 connections: 1
[POP3 000285 05-12-11 01:19:04] -ERR Sorry, your IP address has been locked out...
[POP3 000285 05-12-11 01:19:04] POP3 Connection with 173.10.65.2 ended
[POP3 000285 05-12-11 01:19:04] Number of current POP3 connections: 1
[POP3 000286 05-12-11 01:19:04] Received POP3 connection from 173.10.65.2
[POP3 000286 05-12-11 01:19:04] -ERR Sorry, your IP address has been locked out...
[POP3 000286 05-12-11 01:19:04] POP3 Connection with 173.10.65.2 ended
[POP3 000286 05-12-11 01:19:04] Number of current POP3 connections: 1
[POP3 000287 05-12-11 01:19:04] Received POP3 connection from 173.10.65.2
[POP3 000287 05-12-11 01:19:04] -ERR Sorry, your IP address has been locked out...
[POP3 000287 05-12-11 01:19:04] POP3 Connection with 173.10.65.2 ended
[POP3 000287 05-12-11 01:19:04] Number of current POP3 connections: 1
[POP3 000288 05-12-11 01:19:05] Received POP3 connection from 173.10.65.2
[POP3 000288 05-12-11 01:19:05] -ERR Sorry, your IP address has been locked out...

Then these errors start to occur with greater and greater frequency:

[POP3 001483 05-12-11 01:25:26] -ERR Sorry, your IP address has been locked out...
[POP3 000945 05-12-11 01:25:26] POP3 Connection with 173.10.65.2 ended
[POP3 000945 05-12-11 01:25:26] Number of current POP3 connections: 1
[POP3 003433 05-12-11 01:25:27] Received POP3 connection from 173.10.65.2
[POP3 001484 05-12-11 01:25:27] POP3 Connection with 173.10.65.2 ended
[POP3 001484 05-12-11 01:25:27] Number of current POP3 connections: 1
[POP3 001484 05-12-11 01:25:27] ERROR: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.
[POP3 003434 05-12-11 01:25:27] Received POP3 connection from 173.10.65.2
[POP3 003435 05-12-11 01:25:27] Received POP3 connection from 173.10.65.2
[POP3 001485 05-12-11 01:25:27] -ERR Sorry, your IP address has been locked out...

Until they are returned on every call:

[POP3 005945 05-12-11 03:16:10] ERROR: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.
[POP3 005944 05-12-11 03:16:12] POP3 Connection with 173.10.65.2 ended
[POP3 005944 05-12-11 03:16:12] Number of current POP3 connections: 0
[POP3 005944 05-12-11 03:16:12] ERROR: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.
[POP3 005946 05-12-11 03:16:13] -ERR Sorry, your IP address has been locked out...
[POP3 005947 05-12-11 03:16:15] POP3 Connection with 173.10.65.2 ended
[POP3 005947 05-12-11 03:16:15] Number of current POP3 connections: 0
[POP3 005947 05-12-11 03:16:15] ERROR: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.
[POP3 005948 05-12-11 03:16:17] POP3 Connection with 173.10.65.2 ended
[POP3 005948 05-12-11 03:16:17] Number of current POP3 connections: 0
[POP3 005948 05-12-11 03:16:17] ERROR: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.

At this point, no users are able to use POP3 until the service is restarted. This is true even after the hack attempts stop. It's just out to lunch after that, which is a pretty effective DoS attack. (SMTP seems to still work, as does the web interface.) I unfortunately don't really know how to repro this without getting attacked. Any advice or hope for me? Thanks, Uriah | | |
|
|
ub
 New Member
 Posts:13
 | | 24 Jan 2012 08:26 PM |
| still happening... bump | | | |
|
TheOtherBob
 New Member
 Posts:1

 | | 25 Jan 2012 03:01 PM |
| How about denying that ip address at your firewall? | | | |
|
ub
 New Member
 Posts:13
 | | 25 Jan 2012 07:56 PM |
| I wish it was that easy but unfortunately the attacks seem to be coming from different addresses every time and they are from completely different subnets (I assume some botnet). | | | |
|
ub
 New Member
 Posts:13
 | | 04 Feb 2012 04:52 PM |
| Still happening. Every week or two these attacks take out my POP3 connection. Any ideas? It would be nice if auto lockout could be configured to just deny connections from the address at all rather than accepting the connection and providing a response. | | | |
|
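An added example, not part of the thread and not ArGoSoft code: one way to turn a POP3 log in the format quoted in the first post into a list of addresses that keep reconnecting after lockout, as candidates for a firewall drop rule. It assumes one log entry per line and session numbers that are unique within the text analysed; `summarize`, `SAMPLE` and the threshold are hypothetical names and values.

```python
import re
from collections import Counter

# Line layout as quoted in the first post: [POP3 <session> <dd-mm-yy> <hh:mm:ss>] <message>
LINE = re.compile(r"\[POP3 (\d+) [\d-]+ [\d:]+\] (.*)")
PEER = re.compile(r"(?:Received POP3 connection from|POP3 Connection with) "
                  r"(\d{1,3}(?:\.\d{1,3}){3})")
LOCKED = "-ERR Sorry, your IP address has been locked out"
WRITE_ERR = "ERROR: Unable to write data to the transport connection"

# Constructed sample (not the poster's log); addresses are documentation ranges.
SAMPLE = """\
[POP3 000284 05-12-11 01:19:04] Received POP3 connection from 192.0.2.10
[POP3 000284 05-12-11 01:19:04] -ERR Sorry, your IP address has been locked out...
[POP3 000285 05-12-11 01:19:04] -ERR Sorry, your IP address has been locked out...
[POP3 000285 05-12-11 01:19:04] POP3 Connection with 192.0.2.10 ended
[POP3 000286 05-12-11 01:19:05] Received POP3 connection from 192.0.2.10
[POP3 000286 05-12-11 01:19:05] -ERR Sorry, your IP address has been locked out...
[POP3 000287 05-12-11 01:19:05] Received POP3 connection from 198.51.100.7
[POP3 000288 05-12-11 01:25:27] POP3 Connection with 192.0.2.10 ended
[POP3 000288 05-12-11 01:25:27] ERROR: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.
"""

def summarize(log_text, threshold=3):
    """Count post-lockout rejections and transport write errors per peer IP."""
    rows = [m.groups() for m in map(LINE.match, log_text.splitlines()) if m]
    # Pass 1: the lockout and error lines carry no address, so learn
    # session -> IP from the connect/disconnect lines of the same session.
    peer = {}
    for sid, msg in rows:
        found = PEER.search(msg)
        if found:
            peer[sid] = found.group(1)
    # Pass 2: attribute each rejection or write error to the session's peer.
    rejected, write_errors = Counter(), Counter()
    for sid, msg in rows:
        ip = peer.get(sid, "unknown")
        if msg.startswith(LOCKED):
            rejected[ip] += 1
        elif msg.startswith(WRITE_ERR):
            write_errors[ip] += 1
    # Addresses still connecting after lockout: candidates for a firewall drop.
    block = sorted(ip for ip, n in rejected.items()
                   if n >= threshold and ip != "unknown")
    return {"rejected": dict(rejected), "write_errors": dict(write_errors),
            "block": block}
```

Run over each day's log, a rising `write_errors` count alongside `rejected` matches the progression shown in the first post, and the `block` list can feed whatever firewall sits in front of the server.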
Steve Topilnycky Forum Administrator
 Veteran Member
 Posts:1300

 | | 05 Feb 2012 11:46 AM |
| I have already reported this to Archie and he is looking into it. I actually experienced this on Friday. First time ever. | | - - - - - - -
Regards, Steve Topilnycky Top Cat Computing http://www.topcatcomputing.com/ | |
|
ub
 New Member
 Posts:13
 | | 23 Feb 2012 08:49 AM |
| Happened again today. Still hopeful that there will be some resolution, my business depends a lot on regular email though. I'm going to have to switch platforms soon, which bums me out because I have been a loyal supporter of ArGoSoft for years. | | | |
|
Steve Topilnycky Forum Administrator
 Veteran Member
 Posts:1300

 | | 11 Mar 2012 04:06 PM |
| This issue has happened with me also. I have been in contact with Archie. He had me turn off POP3 Logging, however, it happened again. I have followed up with him on this and I am awaiting an answer. | | - - - - - - -
Regards, Steve Topilnycky Top Cat Computing http://www.topcatcomputing.com/ | |
|
ub
 New Member
 Posts:13
 | | 11 Mar 2012 06:11 PM |
| I think the ideal fix would be to have it not accept the connections from the banned IP at all or at least have a configuration option for that. I'm still holding out hope for a fix, it is just infrequent enough to be survivable but losing a lot of face with my users. | | | |
|
Steve Topilnycky Forum Administrator
 Veteran Member
 Posts:1300

 | | 12 Mar 2012 12:03 PM |
| If you can set aside logs of the days when this happens, and after March 20th we can submit them to Archie. Also try with POP3 logging enabled and disabled. | | - - - - - - -
Regards, Steve Topilnycky Top Cat Computing http://www.topcatcomputing.com/ | |
|
Steve Topilnycky Forum Administrator
 Veteran Member
 Posts:1300

 | | 21 Mar 2012 09:55 AM |
| Ub, can you send me your logs of the attacks? I will forward them on to Archie for analysis. Email me at stevet at argostuff.com | | - - - - - - -
Regards, Steve Topilnycky Top Cat Computing http://www.topcatcomputing.com/ | |
|
ub
 New Member
 Posts:13
 | | 21 Mar 2012 09:05 PM |
| It's pretty labor intensive to redact them. I think the above is a pretty good representation. They've been hammering me every couple days but I haven't locked up recently (nothing changed really so just luck of the draw I think). If you really think it will help, I can go through them and trim important information. | | | |
|
Steve Topilnycky Forum Administrator
 Veteran Member
 Posts:1300

 | | 22 Mar 2012 07:13 AM |
| If you could provide them as I will be forwarding them on to Archie, so he can try to figure out how to correct this issue. Thanks. | | - - - - - - -
Regards, Steve Topilnycky Top Cat Computing http://www.topcatcomputing.com/ | |
|
Michael -
 New Member
 Posts:4
 | | 23 Mar 2012 02:39 PM |
| The original poster indicated that his problem started somewhat around the same time he upgraded to 1.0.8.3. I also had some similar problems requiring multiple reboots per day after I upgraded to 1.0.8.3 running on Windows XP. It got to be so much of a problem that I went back to 1.0.8.2. The problems went away and I've stayed on that level ever since. We have both internal and external POP3 access available via two different NICs, if that helps diagnose the issue. Mike in Ohio | | | |
|
emkry
 New Member
 Posts:4
 | | 22 Apr 2012 11:14 AM |
| Hello, I have 1.0.8.3 on (Windows Server 2003) and the same problem with POP3. I didn't write anything before because I thought this problem occurs only on my server. With version 1.0.8.1 and 1.0.8.2 the same error occurred; I have logs from my server. Best regards, Marek. | | | |
|
ub
 New Member
 Posts:13
 | | 23 Apr 2012 09:14 PM |
| I'm still waiting for it to happen again. I couldn't isolate which logs were the pertinent ones. I'll send them as soon as it happens, but thankfully it's been pretty smooth recently. | | | |
|
emkry
 New Member
 Posts:4
 | | 09 May 2012 01:18 PM |
| Problem occurred 1st, 3rd and 9th of May. In the log it looks like auto lockout doesn't work; after a longer attack it blocks the attacker's IP and simultaneously it's locking the POP3 connection (auto lockout doesn't delete blocked IPs after the set time). | | | |
|
Steve Topilnycky Forum Administrator
 Veteran Member
 Posts:1300

 | | 09 May 2012 02:03 PM |
| If you can send me the Argo logs from the affected dates, I will forward them to Archie. | | - - - - - - -
Regards, Steve Topilnycky Top Cat Computing http://www.topcatcomputing.com/ | |
|
emkry
 New Member
 Posts:4
 | | 09 May 2012 02:09 PM |
| Where do you want me to upload the Argo logs? | | | |
|
Steve Topilnycky Forum Administrator
 Veteran Member
 Posts:1300

 | | 09 May 2012 02:36 PM |
| Email them to me at stevet@argostuff.com. 10 MB max per email. | | - - - - - - -
Regards, Steve Topilnycky Top Cat Computing http://www.topcatcomputing.com/ | |
|