| ArGoStuff User to User Support Forums |
Hack attempts seem to be taking down POP3 | Last Post 05 Feb 2012 11:46 AM by Steve Topilnycky. 5 Replies. |
| Author | Messages |  |
ub
 New Member
 Posts:8
 | | 06 Dec 2011 10:06 PM |
| So people try to attack my mail server pretty frequently, but it hasn't really been a problem in the past. Just recently it seems like they have started locking up/taking down the POP3 connection. A simple service restart resolves the problem but the outage is egg on my face. I just recently upgraded to 1.0.8.3 but that might have been coincidence.

The logs look like this:

They try to log in three times and get locked out (note these are not real users)

[POP3 000277 05-12-11 01:19:02] Received POP3 connection from 173.10.65.2
[POP3 000277 05-12-11 01:19:02] Number of current POP3 connections: 2
[POP3 000277 05-12-11 01:19:02] +OK ArGoSoft Mail Server POP3 Module v.1.0.8.3 at Mon, 05 Dec 2011 07:19:02 GMT
[POP3 000277 05-12-11 01:19:02] USER aaron
[POP3 000277 05-12-11 01:19:02] +OK Send password...
[POP3 000278 05-12-11 01:19:02] Received POP3 connection from 173.10.65.2
[POP3 000277 05-12-11 01:19:02] PASS XXXXXXXX
[POP3 000278 05-12-11 01:19:02] Number of current POP3 connections: 3
[POP3 000278 05-12-11 01:19:02] +OK ArGoSoft Mail Server POP3 Module v.1.0.8.3 at Mon, 05 Dec 2011 07:19:02 GMT
[POP3 000278 05-12-11 01:19:02] USER abigail
[POP3 000278 05-12-11 01:19:02] +OK Send password...
[POP3 000277 05-12-11 01:19:02] Incrementing the counter for IP address 173.10.65.2 in lockout manager: Current=3, Allowed=3
[POP3 000277 05-12-11 01:19:02] -ERR Invalid credentials
[POP3 000278 05-12-11 01:19:02] PASS XXXXXXXX
[POP3 000277 05-12-11 01:19:02] QUIT
[POP3 000277 05-12-11 01:19:02] +OK Goodbye

Then they hammer the crap out of the server to no avail:

[POP3 000283 05-12-11 01:19:04] Number of current POP3 connections: 1
[POP3 000285 05-12-11 01:19:04] Received POP3 connection from 173.10.65.2
[POP3 000284 05-12-11 01:19:04] -ERR Sorry, your IP address has been locked out...
[POP3 000284 05-12-11 01:19:04] POP3 Connection with 173.10.65.2 ended
[POP3 000284 05-12-11 01:19:04] Number of current POP3 connections: 1
[POP3 000285 05-12-11 01:19:04] -ERR Sorry, your IP address has been locked out...
[POP3 000285 05-12-11 01:19:04] POP3 Connection with 173.10.65.2 ended
[POP3 000285 05-12-11 01:19:04] Number of current POP3 connections: 1
[POP3 000286 05-12-11 01:19:04] Received POP3 connection from 173.10.65.2
[POP3 000286 05-12-11 01:19:04] -ERR Sorry, your IP address has been locked out...
[POP3 000286 05-12-11 01:19:04] POP3 Connection with 173.10.65.2 ended
[POP3 000286 05-12-11 01:19:04] Number of current POP3 connections: 1
[POP3 000287 05-12-11 01:19:04] Received POP3 connection from 173.10.65.2
[POP3 000287 05-12-11 01:19:04] -ERR Sorry, your IP address has been locked out...
[POP3 000287 05-12-11 01:19:04] POP3 Connection with 173.10.65.2 ended
[POP3 000287 05-12-11 01:19:04] Number of current POP3 connections: 1
[POP3 000288 05-12-11 01:19:05] Received POP3 connection from 173.10.65.2
[POP3 000288 05-12-11 01:19:05] -ERR Sorry, your IP address has been locked out...

Then these errors start to occur with greater and greater frequency

[POP3 001483 05-12-11 01:25:26] -ERR Sorry, your IP address has been locked out...
[POP3 000945 05-12-11 01:25:26] POP3 Connection with 173.10.65.2 ended
[POP3 000945 05-12-11 01:25:26] Number of current POP3 connections: 1
[POP3 003433 05-12-11 01:25:27] Received POP3 connection from 173.10.65.2
[POP3 001484 05-12-11 01:25:27] POP3 Connection with 173.10.65.2 ended
[POP3 001484 05-12-11 01:25:27] Number of current POP3 connections: 1
[POP3 001484 05-12-11 01:25:27] ERROR: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.
[POP3 003434 05-12-11 01:25:27] Received POP3 connection from 173.10.65.2
[POP3 003435 05-12-11 01:25:27] Received POP3 connection from 173.10.65.2
[POP3 001485 05-12-11 01:25:27] -ERR Sorry, your IP address has been locked out...

Until they are returned on every call

[POP3 005945 05-12-11 03:16:10] ERROR: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.
[POP3 005944 05-12-11 03:16:12] POP3 Connection with 173.10.65.2 ended
[POP3 005944 05-12-11 03:16:12] Number of current POP3 connections: 0
[POP3 005944 05-12-11 03:16:12] ERROR: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.
[POP3 005946 05-12-11 03:16:13] -ERR Sorry, your IP address has been locked out...
[POP3 005947 05-12-11 03:16:15] POP3 Connection with 173.10.65.2 ended
[POP3 005947 05-12-11 03:16:15] Number of current POP3 connections: 0
[POP3 005947 05-12-11 03:16:15] ERROR: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.
[POP3 005948 05-12-11 03:16:17] POP3 Connection with 173.10.65.2 ended
[POP3 005948 05-12-11 03:16:17] Number of current POP3 connections: 0
[POP3 005948 05-12-11 03:16:17] ERROR: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.

At this point, no users are able to use POP3 until the service is restarted. This is true even after the hack attempts stop. It's just out to lunch after that, which is a pretty effective DoS attack. (SMTP seems to still work as does the web interface)

I unfortunately don't really know how to repro this without getting attacked. Any advice or hope for me?

Thanks, Uriah | | |
ub
 New Member
 Posts:8
 | | 24 Jan 2012 08:26 PM |
| still happening... bump | | | |
| TheOtherBob
 New Member
 Posts:1

 | | 25 Jan 2012 03:01 PM |
| How about denying that ip address at your firewall? | | | |
| ub
 New Member
 Posts:8
 | | 25 Jan 2012 07:56 PM |
| I wish it was that easy but unfortunately the attacks seem to be coming from different addresses every time and they are from completely different subnets (I assume some botnet). | | | |
| ub
 New Member
 Posts:8
 | | 04 Feb 2012 04:52 PM |
| Still happening. Every week or two these attacks take out my POP3 connection. Any ideas? It would be nice if auto lockout could be configured to just deny connections from the address at all rather than accepting the connection and providing a response. | | | |
| Steve Topilnycky Forum Administrator
 Veteran Member
 Posts:1278

 | | 05 Feb 2012 11:46 AM |
| I have already reported this to Archie and he is looking into it. I actually experienced this on Friday. First time ever. | | - - - - - - -
Regards, Steve Topilnycky Top Cat Computing http://www.topcatcomputing.com/ | |
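
An added example, not part of the original thread and not ArGoSoft code: a log triage script for the pattern quoted in the first post. It counts "locked out" replies per source address and reports when the transport write errors first appear, so addresses that keep reconnecting after lockout can be handed to a firewall. The function name `analyze`, the `min_rejects` threshold, the dd-mm-yy reading of the timestamp, and treating the bracketed number as a connection id are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the quoted log format (documentation IP addresses).
SAMPLE_LOG = """\
[POP3 000277 05-12-11 01:19:02] Received POP3 connection from 192.0.2.10
[POP3 000277 05-12-11 01:19:02] Incrementing the counter for IP address 192.0.2.10 in lockout manager: Current=3, Allowed=3
[POP3 000284 05-12-11 01:19:04] -ERR Sorry, your IP address has been locked out...
[POP3 000284 05-12-11 01:19:04] POP3 Connection with 192.0.2.10 ended
[POP3 000285 05-12-11 01:19:04] Received POP3 connection from 192.0.2.10
[POP3 000285 05-12-11 01:19:04] -ERR Sorry, your IP address has been locked out...
[POP3 000290 05-12-11 01:20:00] Received POP3 connection from 198.51.100.7
[POP3 001484 05-12-11 01:25:27] POP3 Connection with 192.0.2.10 ended
[POP3 001484 05-12-11 01:25:27] ERROR: Unable to write data to the transport connection: An established connection was aborted by the software in your host machine.
"""

LINE = re.compile(r"\[POP3 (\d+) (\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\] (.*)")
PEER = re.compile(r"(?:connection from|Connection with) (\d+\.\d+\.\d+\.\d+)")
LOCKED = "-ERR Sorry, your IP address has been locked out"
WRITE_ERR = "ERROR: Unable to write data to the transport connection"

def analyze(log_text, min_rejects=2):
    """Return per-IP lockout-reply counts, block candidates, first write error."""
    conn_ip = {}               # connection id -> peer IP (assumed mapping)
    rejects = Counter()        # connection id -> "locked out" replies sent
    first_write_error = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        cid, stamp, msg = m.groups()
        peer = PEER.search(msg)
        if peer:
            conn_ip[cid] = peer.group(1)
        elif msg.startswith(LOCKED):
            rejects[cid] += 1
        elif msg.startswith(WRITE_ERR) and first_write_error is None:
            # Timestamp assumed to be dd-mm-yy, matching the banner date
            first_write_error = datetime.strptime(stamp, "%d-%m-%y %H:%M:%S")
    per_ip = Counter()
    for cid, n in rejects.items():
        per_ip[conn_ip.get(cid, "unknown")] += n
    block = sorted(ip for ip, n in per_ip.items() if n >= min_rejects and ip != "unknown")
    return {"rejects_per_ip": dict(per_ip), "block_candidates": block,
            "first_write_error": first_write_error}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Replies whose connection id never appears next to an address are counted under "unknown" rather than guessed, which matters for excerpts like the later part of the quoted log where the ids interleave.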
|  | | Mail Server v1.0.8.3 |
- Added support of STARTTLS (STLS) command for SMTP, POP3, IMAP, and SMTP relay and delivery, which will
allow secure, fully encrypted connections, when possible;
| | 11/6/2011 1:10:34 PM |
| Mail Server v1.0.8.2 |
- Optimized delivery speed. In earlier versions each "tick" which was checking whether messages were
in the outbox queue, was picking up only one message at a time. Now it will attempt to pick MaximumAllowedThreads-ActiveDelivery threads
messages, which should considerably increase delivery speed;
- Optimized SEARCH and STATUS IMAP commands. They appear to be used very extensively by Android, and (not that extensively, but still) by
iPhone. Now users who use mobile phones to access their IMAP accounts will see considerable improvement;
- Optimized STORE IMAP command. Before, storing of IMAP flags was occurring one message at a time, which seemed to be fine
with SQL server, but proved to be slow for SQLite... Now it happens with single SQL call.
| | 10/8/2011 7:59:35 PM |
| ArGoSoft Mail Server v1.0.8.1 |
- Fixed a bug: when using IMAP via Firefox with "When I delete a message, move it
to Trash folder" option, marking messages in the trash folder was causing high CPU usage,
and was taking some time, making the server pretty much non-responsive. The problem was
happening only when using SQLite.
| | 6/6/2011 9:33:36 PM |
| ArGoSoft Mail Server v1.0.8.0 |
- Fixed a problem with web interface - was showing only first page of messages, and would not
switch to other pages; In order to fix the web interface, mail server itself has to be updated;
- When installing initially, was still using SQLite, even when SQL was requested;
- There was a problem with switching from SQLite database engine to SQL server database engine:
the SQL database was not being created;
| | 5/23/2011 5:53:55 PM |
| ArGoSoft Mail Server .NET v1.0.7.9 |
- The server no longer requires Microsoft SQL Server. If SQL server is not found, it will use
SQLite engine, which does not require separate installation. If SQL server is found, then user will be
prompted whether he wants to use it;
- Made other improvements, such as, now mailbox rebuild indexes orphaned records, rather than deleting them,
also added an option to increment UIDL validity of folder (both on the Mailbox viewer box);
- Made minor improvements on web interface;
| | 4/26/2011 9:47:25 PM |