Pop service stops after invalid logins were used

leks · Post by **leks** » Tue Jan 09, 2007 11:05 am

Since last week I've noticed messages not being delivered to our clients or myself.

After checking the server, turns out the pop service has stopped serving.

For all these cases I can trace the following line in POP-debug-ddmmyy.log, just before the service stops...

mm/dd/yy hh:mm:ss User tried to log in, but not a valid username/password combination

The next entry is me restarting the service. This happens about once every day now.

The event viewer registers an application error in mepops.exe... faulting application.

What can I do to avoid the service stopping?

Any help is appreciated.

Post by **MailEnable-Ian** » Tue Jan 09, 2007 11:33 pm

Hi,

Ensure that you are running the latest version of MailEnable professional as there has been fixes in regards to the POP service.

Do you have POP before SMTP authentication enabled?

If you are unable to determine the cause of the service stopping then then best way to get a managed response is by submitting a support ticket with MailEnable and providing the relevant logs and details so a technician can diagnose the fault.

You can lodge the call here: https://www.mailenablecorp.com/support/step1.asp

regards,

MailEnable Support.

davex2cms · Post by **davex2cms** » Wed Jan 10, 2007 10:10 pm

Any update on this?

Having the exact same issue which started on the 7th.

It looks like a dictionary attack as they are trying to login with an account that doesnt exist, several failed login then the POP service crashes.

Restarted the service and next time the same IP tried to login and it crashed first time.

Ive been banning the IP's in the POP service which is working at the moment.

labsy · Post by **labsy** » Mon Jan 15, 2007 4:07 pm

Same issue here on ME PRO 2.36!

I think there are some issues related:
- other users are also reporting POP3 service stopping unexpectedly
- I noticed multiple failed logons to POP3 service
Seems related.

And the most weird thing is this:
in POP3 LOG file each connection has client IP logged. But only ONE user, which has regular failed logons exactly every 10 minutes non-stop, logfile says it is comming from MY SERVER!
But not from my WEB server IP, but from IP of my MAIL server! But my users do not have access to my MAIL server, except via POP3, SMTP and IMAP service. All other ports are blocked.

So, the questions are:
- How is it possible that, regarding to POP3 logs, somebody is checking exact ONE mail account FROM MY SERVER's IP?
- is this multiple POP3 logon failure somehow related to POP3 service crashing?

davex2cms · Post by **davex2cms** » Mon Jan 15, 2007 4:12 pm

I think this is caused by a dictionary / mail server attack.

You should block the IP address of the user which is causing it to crash in the pop service settings.

Update to the latest patch of ME too, december 18th. This fixed the problem for me.

labsy · Post by **labsy** » Mon Jan 15, 2007 5:03 pm

davex2cms wrote:You should block the IP address of the user which is causing it to crash in the pop service settings.

The IP address is the IP of mail server itself.

In ME Pro MMC console under
LOCALHOST -> SERVICES -> POP -> Log -> Activity Log
it looks like this:

01/15/07 00:19:04 POPS 608 193.95.219.119 +OK+Welcome+to+MailEnable+POP3+Server 39 0
01/15/07 00:19:04 POPS 608 193.95.219.119 CAPA CAPA +OK+Capability+list+follows 0 6
01/15/07 00:19:04 POPS 608 193.95.219.119 USER USER+user@domain.com +OK 0 30
01/15/07 00:19:04 POPS 608 193.95.219.119 PASS PASS+* +OK 0 14
01/15/07 00:19:04 POPS 608 193.95.219.119 STAT STAT +OK+0+0 0 6
01/15/07 00:19:04 POPS 608 193.95.219.119 QUIT QUIT +OK+Goodbye 0 6
01/15/07 00:19:32 POPS 632 193.77.89.2 +OK+Welcome+to+MailEnable+POP3+Server 39 0
01/15/07 00:19:32 POPS 632 193.77.89.2 CAPA CAPA +OK+Capability+list+follows 0 6
01/15/07 00:19:32 POPS 632 193.77.89.2 USER USER+user@domain.com +OK 0 20
01/15/07 00:19:33 POPS 632 193.77.89.2 PASS PASS+* +OK 0 14
01/15/07 00:19:33 POPS 632 193.77.89.2 STAT STAT +OK+0+0 0 6
01/15/07 00:19:33 POPS 632 193.77.89.2 QUIT QUIT +OK+Goodbye 0 6
01/15/07 00:19:53 POPS 620 89.212.29.49 +OK+Welcome+to+MailEnable+POP3+Server 39 0
01/15/07 00:19:54 POPS 620 89.212.29.49 USER USER+user@domain.com +OK 0 22
01/15/07 00:19:54 POPS 620 89.212.29.49 PASS PASS+* +OK 0 15
01/15/07 00:19:55 POPS 620 89.212.29.49 STAT STAT +OK+0+0 0 6
01/15/07 00:19:55 POPS 620 89.212.29.49 QUIT QUIT +OK+Goodbye 0 6
01/15/07 00:19:59 POPS 600 123.123.123.123 +OK+Welcome+to+MailEnable+POP3+Server 39 0
01/15/07 00:19:59 POPS 600 123.123.123.123 USER USER+the.user +OK 0 16
01/15/07 00:19:59 POPS 600 123.123.123.123 PASS PASS+* -ERR+Unable+to+log+on 0 14
01/15/07 00:19:59 POPS 600 123.123.123.123 QUIT QUIT +OK+Goodbye 0 6

As you see:
- problematic user the.user ALWAYS logs from MAIL server's IP (which is here listed as 123.123.123.123)
- problematic user ALWAYS logs in at exactly xx:x9:59 hours (every 10 minutes)
- all users login with FULL username, while problematic one ALWAYS logs only with the part before @, without domain part of email
- and my WEB server is on different IP, so users cannot put a script there to check email, because if that would be true, request would come from WEB server's IP

What do I think?
Since on this IP there is ONLY MAIL server, and this problematic user the.user has a mailbox + redirect to gmail.com, I think there must be something within MailEnable itself, which causes all those troubles.
And finally, after so many failed logins, POP3 service dies every day at least once.

Anyone any idea?

labsy · Post by **labsy** » Mon Jan 15, 2007 5:38 pm

Sjit!
I just resolved this issue!

Somehow user did setup POP retreival info for the.user account to check itself (the.user again)! ME then checked every 10 minutes itself, and seems this broke down POP3 service after a while.