Throttling pop3-login connections
Hi,
I have a fedora20 system with dovecot-2.2.13 running various services, including pop3. I'm noticing some users are frequently hamming pop3, and wondered if this was normal, or something I should be investigating?
Aug 8 14:05:20 email dovecot: pop3-login: Login: user=<user1>, method=PLAIN, rip=97.77.115.121, lip=192.168.1.1, mpid=30509, session=<DnRtDCIAUQBhTXN5> Aug 8 14:05:21 email dovecot: pop3(user1): Disconnected: Logged out top=0/0, retr=0/0, del=0/15, size=5693601
So it is immediately followed by a logout, but when there are 50 of them successively in a five minute period, I wondered if it is creating unnecessary overhead on the system?
I suppose this most likely is how they have their email client configured, but wondered if some throttling would be necessary?
Any advice would be most appreciated. Thanks, Alex
On Friday 08 August 2014 14:11:21 Alex did opine And Gene did reply:
Hi,
I have a fedora20 system with dovecot-2.2.13 running various services, including pop3. I'm noticing some users are frequently hamming pop3, and wondered if this was normal, or something I should be investigating?
Aug 8 14:05:20 email dovecot: pop3-login: Login: user=<user1>, method=PLAIN, rip=97.77.115.121, lip=192.168.1.1, mpid=30509, session=<DnRtDCIAUQBhTXN5> Aug 8 14:05:21 email dovecot: pop3(user1): Disconnected: Logged out top=0/0, retr=0/0, del=0/15, size=5693601
So it is immediately followed by a logout, but when there are 50 of them successively in a five minute period, I wondered if it is creating unnecessary overhead on the system?
I suppose this most likely is how they have their email client configured, but wondered if some throttling would be necessary?
Any advice would be most appreciated. Thanks, Alex
Depends on how they are accessing it. I use fetchmail here, without any working imap (so I am still a lurker trying to figure out this imap thing), and I have fetchmail set to scan each of 3 ISP accounts, sleeping 3 minutes after the scan is complete before starting the next scan. No ISP has complained in the about 8 years I have been doing it 24/7/365.25
Anybody hitting it at a noticeably higher rate should be encouraged to reconfigure their agent for a friendlier scan interval. If that doesn't work, I'd study up on tar pitting. Many email agents are essentially locked for the user while they scan for new mail, so I'm reasonably sure that would "get their attention".
I just noticed the rip address and the local address aren't even in the same network block, that would make me check your network as NO 192.168.xx.xx address is supposed to be accessible from a world wide address beyond your router unless you've enabled a port forward rule in the router.
That would make me get out the scanner (I use the clamav kit here) looking for evidence of a "powned" machine.
Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
Am 08.08.2014 um 22:40 schrieb Gene Heskett:
On Friday 08 August 2014 14:11:21 Alex did opine
I have a fedora20 system with dovecot-2.2.13 running various services, including pop3. I'm noticing some users are frequently hamming pop3, and wondered if this was normal, or something I should be investigating?
Aug 8 14:05:20 email dovecot: pop3-login: Login: user=<user1>, method=PLAIN, rip=97.77.115.121, lip=192.168.1.1, mpid=30509, session=<DnRtDCIAUQBhTXN5> Aug 8 14:05:21 email dovecot: pop3(user1): Disconnected: Logged out top=0/0, retr=0/0, del=0/15, size=5693601
i would ask the user to change at least to 3 minutes instead 1 44000 loglines per month and user is a lot if everybody would do that
I just noticed the rip address and the local address aren't even in the same network block, that would make me check your network as NO 192.168.xx.xx address is supposed to be accessible from a world wide address beyond your router unless you've enabled a port forward rule in the router
that's why it is the *local* IP just normal in any case of proxying
Hi,
Depends on how they are accessing it. I use fetchmail here, without any working imap (so I am still a lurker trying to figure out this imap thing), and I have fetchmail set to scan each of 3 ISP accounts, sleeping 3 minutes after the scan is complete before starting the next scan. No ISP has complained in the about 8 years I have been doing it 24/7/365.25
Anybody hitting it at a noticeably higher rate should be encouraged to reconfigure their agent for a friendlier scan interval. If that doesn't work, I'd study up on tar pitting. Many email agents are essentially locked for the user while they scan for new mail, so I'm reasonably sure that would "get their attention".
Okay, that makes sense, and is in line with what I was also thinking. This is like 30 concurrent requests, then nothing for a minute or two, then another 30 concurrent requests.
I just noticed the rip address and the local address aren't even in the same network block, that would make me check your network as NO 192.168.xx.xx address is supposed to be accessible from a world wide address beyond your router unless you've enabled a port forward rule in the router.
My apologies; this was my attempt at not disclosing the network range. It's a public range, with legitimate users accessing it from around the world.
Reindl Harald wrote:
i would ask the user to change at least to 3 minutes instead 1 44000 loglines per month and user is a lot if everybody would do that
We're in the process of updating the user docs, so we'll add this to it.
Thanks so much. Alex
Am 08.08.2014 um 20:11 schrieb Alex:
Hi,
I have a fedora20 system with dovecot-2.2.13 running various services, including pop3. I'm noticing some users are frequently hamming pop3, and wondered if this was normal, or something I should be investigating?
Aug 8 14:05:20 email dovecot: pop3-login: Login: user=<user1>, method=PLAIN, rip=97.77.115.121, lip=192.168.1.1, mpid=30509, session=<DnRtDCIAUQBhTXN5> Aug 8 14:05:21 email dovecot: pop3(user1): Disconnected: Logged out top=0/0, retr=0/0, del=0/15, size=5693601
So it is immediately followed by a logout, but when there are 50 of them successively in a five minute period, I wondered if it is creating unnecessary overhead on the system?
I suppose this most likely is how they have their email client configured, but wondered if some throttling would be necessary?
Any advice would be most appreciated. Thanks, Alex
depends if this are your users, or if its brute force pop3 has not much overhead, to fight brute force use fail2ban
or you may have a look here
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
but be aware with NAT by blocking ips
Best Regards MfG Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Hi,
I have a fedora20 system with dovecot-2.2.13 running various services, including pop3. I'm noticing some users are frequently hamming pop3, and wondered if this was normal, or something I should be investigating?
Aug 8 14:05:20 email dovecot: pop3-login: Login: user=<user1>, method=PLAIN, rip=97.77.115.121, lip=192.168.1.1, mpid=30509, session=<DnRtDCIAUQBhTXN5> Aug 8 14:05:21 email dovecot: pop3(user1): Disconnected: Logged out top=0/0, retr=0/0, del=0/15, size=5693601
So it is immediately followed by a logout, but when there are 50 of them successively in a five minute period, I wondered if it is creating unnecessary overhead on the system?
I suppose this most likely is how they have their email client configured, but wondered if some throttling would be necessary?
Any advice would be most appreciated. Thanks, Alex
depends if this are your users, or if its brute force pop3 has not much overhead, to fight brute force use fail2ban
Yes, I've implemented fail2ban, and it's working pretty well. It does now look like brute force.
When/if they complain to the helpdesk, we'll deal with it then.
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
This is also helpful, thanks.
Thanks, Alex
participants (4)
-
Alex
-
Gene Heskett
-
Reindl Harald
-
Robert Schetterer