Too many brute force attacks from Google IPs

lonerunner

I have a lot of brute force attack reports in my message system. Lately, in the last 3-4 weeks, I have had a lot more brute force attacks, and many of them are coming from Google IPs.

Currently I have over 700 messages about brute force attacks from the last 4 days. When I take a look, over 500 of them are from Google IPs 209.85..... When I trace the IPs, they all come from various Google mail servers.

These are just the messages about attacks; when I open a message, each of them reports from 500 to 900 attacks.

Example
IP 209.85.215.12 has 782 failed login attempts: dovecot1=782

When I look at the detailed brute force attack, I see the attacks are failed login attempts through POP3:
hosting dovecot[5451]: pop3-login: Disconnected (auth failed, 1 attempts): user=<tbn>, method=PLAIN, rip=209.85.215.13

I don't get any complaints about spamming others, and as far as I can see my server is not sending mass mail or spam.

How dangerous are these attacks, and how do I get rid of them? Should I block the whole range of IPs, or do some more security checks, or what?
 
Hello,

My guess would be somebody is trying to fetch emails from your server using Google Apps. I don't know how dangerous it is for you, as I don't know how strong a password you are using there.

By the way, do they try only one specific email account? Or do they try a random set?
 
Well, this admin account, where the website of the hosting company is, has more than 500 email accounts, and the attacks are random but on active usernames. I set a strong password requirement, and all new passwords require a combination of capital letters, small letters and numbers. But all the old passwords are easy ones.
 
There is a similar discussion somewhere here... and I wrote there that I faced the same issue and wrote an abuse report to the Google team, but did not receive a reply. So I don't know what to suggest, as I did not go into details and did not investigate what IPs Google Apps has and what it has for MX/SMTP servers. If @gmail.com and other SMTP servers of Google have different IPs from those in your alerts, then I guess you can easily blacklist them, as emails from Google will still arrive at your server, otherwise... you should decide.
 
Google offers account holders the ability to download email from other accounts to put it into your gmail account. While helpful to many, of course this can be misused, and if Google won't help you, then you need to do what you need to do if bad actors are attempting to use Google to gather email or logins maliciously. However, blocking them would result in no-one being able to consolidate email from your server into his/her email account.

Jeff
 
and if Google won't help you
That's the big problem. Google indeed won't help; they don't even react to emails about it.

We have a couple of users who let Google fetch their email from the server.
They moved from the server, but Google is still trying to fetch the mail. We called both users, but they say they don't have those accounts active anymore. We do not believe them, because Google keeps trying to get mail for their accounts on a regular basis. Like an email program which fetches every 15 minutes.

Users don't always know if it's active, or lie about it because they don't know how to deactivate, or they think it's deactivated but it isn't.

So there is only the choice to ban the Google IPs which are fetching the mail, or to not ban those IPs.

Banning those IPs will result in other customers being annoyed that they can't let Gmail fetch their mail anymore. So both are bad choices.
Solely for the fact that Google won't budge, react, do anything. Google sux for this part of their (not) actions.
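
An added triage example, not part of any post in this thread: it tallies dovecot auth-failure lines per source IP and per username, which answers the "one account or a random set?" question and shows whether an account is retried on a fixed schedule, as a mail fetcher holding a stale password would. The sample lines, the usernames, the syslog timestamp prefix, the year and the 2-minute tolerance are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Line layout follows the dovecot entry quoted in the thread; the leading
# syslog timestamp is an assumption (the quoted entry has none).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot(?:\[\d+\])?: "
    r"(?:pop3|imap)-login: .*?\(auth failed, (?P<n>\d+) attempts?.*?\): "
    r"user=<(?P<user>[^>]*)>,.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample log lines; the usernames are made up.
PREFIX = "hosting dovecot[5451]: pop3-login: Disconnected (auth failed, 1 attempts): "
SAMPLE = [
    f"Mar  3 10:00:01 {PREFIX}user=<olduser>, method=PLAIN, rip=209.85.215.12",
    f"Mar  3 10:15:02 {PREFIX}user=<olduser>, method=PLAIN, rip=209.85.215.13",
    f"Mar  3 10:30:01 {PREFIX}user=<olduser>, method=PLAIN, rip=209.85.215.12",
    f"Mar  3 10:30:40 {PREFIX}user=<info>, method=PLAIN, rip=209.85.215.13",
    f"Mar  3 10:30:44 {PREFIX}user=<sales>, method=PLAIN, rip=209.85.215.13",
    f"Mar  3 10:31:30 {PREFIX}user=<info>, method=PLAIN, rip=209.85.215.13",
]

def summarize(lines, year=2024, tolerance_min=2):
    """Return (by_ip, by_user) summaries of failed logins."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    times = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an auth-failure line
        by_ip[m["rip"]]["attempts"] += int(m["n"])
        by_ip[m["rip"]]["users"].add(m["user"])
        # syslog omits the year, so one is supplied (assumed) for parsing
        times[m["user"]].append(
            datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    by_user = {}
    for user, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]
        by_user[user] = {
            "failures": len(ts),
            "median_gap_min": round(median(gaps), 1) if gaps else None,
            # steady spacing suggests a scheduled fetcher, not guessing
            "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_min,
        }
    return dict(by_ip), by_user

if __name__ == "__main__":
    for part in summarize(SAMPLE):
        print(part)
```

An account flagged as periodic is a candidate for a password reset and a call to its owner before any range-wide block; many distinct usernames from one address is the pattern worth banning.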
 