Community Discussions and Support
43925 password failures

[quote user="Sr. Grumpy Bear"]Thanks for the  suggestion of Petr's daemon.  Will check into that.   Still thought though that Mercury has (had) something built into it.  

[/quote]

I think all Mercury server modules do have limits built in - but they only auto blacklist on multiple failures during the same connection.  It doesn't count attempts made on new connections.


I am wondering if I should stop looking at the logs. 

My mail statistics report showed that I had 43925 password failures on my POP3 Server. I am going to go out on a limb here and think that is a bit excessive. In reading the release notes, starting in v4.73 there is an "Extended POP3 lockout detection". I am using v4.80 and I sure cannot find anywhere for this setting. The statistics report shows a couple of entries for Multiple password failures, Short-term blacklist - current, and peak. Which leads me to believe that there is something that I should be able to configure. Yup, the more I think about it, 44 thousand password failures is a bit much.

Is there somebody that can point me in the proper direction?

 

Thanks

 


We normally have quite few POP3 password failures in our logs. When there is an excessive number it's usually because of some misconfigured client (most often on a mobile device) trying to download messages very frequently, maybe every minute.

In case of an ongoing attack you could consider using Petr Jaklin's POPWatch daemon: http://community.pmail.com/files/folders/community_add-ons_for_mercury/entry39303.aspx  


From Jan7 21:05:00 to Jan8 00:09:24, there were over 44 thousand, all from the same IP. Was it an attack? Will never know, as I placed that IP on the refuse connection on the connection control for POP. I know, it is shutting the door after the horses are out, but hey, I feel better about it.

 

Thanks for the  suggestion of Petr's daemon.  Will check into that.   Still thought though that Mercury has (had) something built into it.  

 

Thanks again!
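
Added example, not part of the original thread and not Mercury or POPWatch code: a log check that counts POP3 password failures per source IP across connections, next to the same-connection counting described above, to show why one failure per new connection slips past the latter. The log layout, field names, thresholds and sample lines are all constructed assumptions; adapt the regex to the real log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log layout for illustration; NOT Mercury's real log format.
LINE = re.compile(r"(?P<ts>\S+ \S+) conn=(?P<conn>\d+) ip=(?P<ip>\S+) "
                  r"user=(?P<user>\S+) result=(?P<res>OK|FAIL)")

def make_sample():
    """Constructed sample: one IP failing once per new connection, one user typo."""
    start = datetime(2024, 1, 7, 21, 5, 0)
    lines = []
    for i in range(40):  # 40 separate connections, one failure each, 5 s apart
        ts = start + timedelta(seconds=5 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} conn={100 + i} ip=203.0.113.7 "
                     f"user=user{i % 8} result=FAIL")
    lines.append("2024-01-07 21:06:00 conn=500 ip=198.51.100.4 user=alice result=FAIL")
    lines.append("2024-01-07 21:06:05 conn=500 ip=198.51.100.4 user=alice result=OK")
    return lines

def per_connection_hits(lines, limit=3):
    """Same-connection counting: flags an IP only if one connection has >= limit failures."""
    fails = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if m and m["res"] == "FAIL":
            fails[(m["ip"], m["conn"])] += 1
    return {ip for (ip, _conn), n in fails.items() if n >= limit}

def per_ip_hits(lines, limit=10, window=timedelta(minutes=5)):
    """Cross-connection counting: failures per source IP inside a sliding time window.
    Returns {ip: (time the threshold was first reached, distinct usernames tried)}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames seen in failures (triage hint)
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["res"] != "FAIL":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        users[m["ip"]].add(m["user"])
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= limit:
            flagged.setdefault(m["ip"], m["ts"])
    return {ip: (first, len(users[ip])) for ip, first in flagged.items()}
```

The distinct-username count is only a triage hint: a single account retried over and over fits the misconfigured-client case mentioned in the thread, while many different usernames from one IP looks more like guessing.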

 

 
