On Friday 08 August 2014 14:11:21 Alex did opine And Gene did reply:
Hi,
I have a fedora20 system with dovecot-2.2.13 running various services, including pop3. I'm noticing some users are frequently hamming pop3, and wondered if this was normal, or something I should be investigating?
Aug 8 14:05:20 email dovecot: pop3-login: Login: user=<user1>, method=PLAIN, rip=97.77.115.121, lip=192.168.1.1, mpid=30509, session=<DnRtDCIAUQBhTXN5> Aug 8 14:05:21 email dovecot: pop3(user1): Disconnected: Logged out top=0/0, retr=0/0, del=0/15, size=5693601
So it is immediately followed by a logout, but when there are 50 of them successively in a five minute period, I wondered if it is creating unnecessary overhead on the system?
I suppose this most likely is how they have their email client configured, but wondered if some throttling would be necessary?
Any advice would be most appreciated. Thanks, Alex
Depends on how they are accessing it. I use fetchmail here, without any working imap (so I am still a lurker trying to figure out this imap thing), and I have fetchmail set to scan each of 3 ISP accounts, sleeping 3 minutes after the scan is complete before starting the next scan. No ISP has complained in the about 8 years I have been doing it 24/7/365.25
Anybody hitting it at a noticeably higher rate should be encouraged to reconfigure their agent for a friendlier scan interval. If that doesn't work, I'd study up on tar pitting. Many email agents are essentially locked for the user while they scan for new mail, so I'm reasonably sure that would "get their attention".
I just noticed the rip address and the local address aren't even in the same network block, that would make me check your network as NO 192.168.xx.xx address is supposed to be accessible from a world wide address beyond your router unless you've enabled a port forward rule in the router.
That would make me get out the scanner (I use the clamav kit here) looking for evidence of a "powned" machine.
Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS