ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

Disable notification for a specific mail box or better solution?

https://mail.forum.configserver.com/viewtopic.php?t=11812

Page 1 of 1

Disable notification for a specific mail box or better solution?

Posted: 07 Jun 2020, 22:59
by diegoweb
Hey guys!

I'm hosting a domain for a friend who used to use other hosting provider.
One of his employee is not longer working for him, but this person still have in her smartphone (Actually not her anymore, since she sold it to someone else, but didn't factory reset the smartphone) her old old mail account "connected". But this mail box no longer exist, so lfd treats this as a imapd attack.
This mean that everyday I receive tons of mails alerting from imapd attack, since her smartphone get new ip every now and then from the isp.

My question is: Is it possible to disable specific mail accounts to not count as imapd attack? So I could disable notification for this type of situation. Or perhaps there's a better solution for this type of case, is there?

The messages I receive is pretty much like this:
Mail title: lfd on ns1.myserver.tld: blocked distributed imapd attack on account [usermailbox@domain.tld]
Time: Sun Jun 7 18:18:38 2020 -0300
IP: distributed imapd attack on account [usermailbox@domain.tld]
Failures: 5
Interval: 3600 seconds
Blocked: Temporary Block for 3600 seconds [LF_DISTATTACK]

Log entries:

Jun 7 18:18:36 ns1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<usermailbox@domain.tld>, method=PLAIN, rip=user-ip, lip=my-server-ip, TLS, session=<RKo9CYWn5q29KEyi>
Jun 7 18:18:14 ns1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<usermailbox@domain.tld>, method=PLAIN, rip=user-ip, lip=my-server-ip, TLS: Disconnected, session=<mYrZB4WnLFS9KEyi>
Jun 7 18:00:15 ns1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<usermailbox@domain.tld>, method=PLAIN, rip=189.40.76.66, lip=my-server-ip, TLS: Disconnected, session=<XbTyxoSnAv69KExC>
Jun 7 18:00:15 ns1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<usermailbox@domain.tld>, method=PLAIN, rip=189.40.76.66, lip=my-server-ip, TLS: Disconnected, session=<vEBqx4SnA/69KExC>
Jun 7 18:00:22 ns1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<usermailbox@domain.tld>, method=PLAIN, rip=189.40.76.66, lip=my-server-ip, TLS, session=<MaMLyISnBf69KExC>

IP Addresses Blocked:

user-ip (XX/Country/user-ip.reverse-dns.isp.tld)
user-ip2 (XX/Country/user-ip2.reverse-dns.isp.tld)
And the other mail alert I get is this:
Mail title: lfd on ns1.myserver.tld: blocked user-ip (XX/Country/user-ip.reverse-dns.isp.tld)
Time: Sun Jun 7 12:16:27 2020 -0300
IP: user-ip (XX/Country/user-ip.reverse-dns.isp.tld)
Failures: 5 (imapd)
Interval: 3600 seconds
Blocked: Temporary Block for 3600 seconds [LF_IMAPD]

Log entries:

Jun 7 12:01:19 ns1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<usermailbox@domain.tld>, method=PLAIN, rip=user-ip, lip=my-server-ip, TLS: Disconnected, session=<1dvdw3+n7fC9KE2F>
Jun 7 12:01:34 ns1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<usermailbox@domain.tld>, method=PLAIN, rip=user-ip, lip=my-server-ip, TLS, session=<MPXxxH+n4fC9KE2F>
Jun 7 12:04:17 ns1 dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=<usermailbox@domain.tld>, method=PLAIN, rip=user-ip, lip=my-server-ip, TLS, session=<UVFHxH+n6PC9KE2F>
Jun 7 12:16:07 ns1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<usermailbox@domain.tld>, method=PLAIN, rip=user-ip, lip=my-server-ip, TLS: Disconnected, session=<z1zU+H+n6vC9KE2F>
Jun 7 12:16:25 ns1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<usermailbox@domain.tld>, method=PLAIN, rip=user-ip, lip=my-server-ip, TLS, session=<i7L++X+n5/C9KE2F>
Thanks!

Re: Disable notification for a specific mail box or better solution?

Posted: 08 Jun 2020, 02:51
by Sergio
If you still have the password for that email, go to cPanel recreate the account with the old password.
Then access the "Manage an Email Account" for that specific account and set the following:

Restrictions
Receiving Incoming Mail: Suspend
Sending Outgoing Email: Suspend
Logging In: Allow

So, the account will connect to your server but the account will not be able to send or receive emails from that account.
Or you can enable receiving emails and send an email to the account asking to delete the email account.

Sergio

Re: Disable notification for a specific mail box or better solution?

Posted: 10 Jun 2020, 04:10
by diegoweb
Sergio wrote: 08 Jun 2020, 02:51 If you still have the password for that email, go to cPanel recreate the account with the old password.
Then access the "Manage an Email Account" for that specific account and set the following:

Restrictions
Receiving Incoming Mail: Suspend
Sending Outgoing Email: Suspend
Logging In: Allow

So, the account will connect to your server but the account will not be able to send or receive emails from that account.
Or you can enable receiving emails and send an email to the account asking to delete the email account.

Sergio
Sorry for the delay in this reply.

Well.... I don't have the password because the user doesn't want to disclosure it to me (it seems the password is used in other accounts aswell).
I forgot to say but I use Virtualmin + CSF, not cPanel, but that will not help anyway in this case (since I don't have her old mail password).

But thanks anyway. I think I get what you say, I could just create a new mail box using the same credentials but disable sending and receiving mail, so her old smartphone would connect just fine without reporting attack to CSF. :)

Thanks for your help, but unfortunately I won't be able to do that :(

Re: Disable notification for a specific mail box or better solution?

Posted: 10 Jun 2020, 05:11
by Sergio
Ok, another way to handel this.
If what you want is just not to receive the tons of emails of the account being blocked, enter webmail for the account that is receiving this notifications.
On the main page of the webmail (don't enter into the mail manager) in there could be an option to create "mail filters".

Open that option and create a filter to discard those emails, from the moment that you save the filter you will no longer receive anymore emails for this account.

Sergio
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited