Server is brute forced by itself

[Active8]

Hi we have issue with on of our servers, when we check the log from the brute force page we see lot of this:

Jan 20 18:04:38 srv1 dovecot[5721]: imap-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<[email protected]>, method=PLAIN, rip=11.x.x.x, lip=11.x.x.x, secured, session=

11.x.x.x is the server his main ip address !

This goes on and on for this domain and email address, I have checked roundcube logs but there is not any data there, strange thing is this only happens for the email account on this domain.com, other customers dont have this problem, any idea?

 

[Richard G]

Does this domein have a forum or website (like Wordpress) where the customer can enter smtp information to send mail? This could also be cause of such notices. Or another script (maybe malicious) which is trying to send mail via smtp using that e-mail address and smtp.

 

[Active8]

Hi Richard, thanks for replying

Meanwhile I have located the trouble maker
customer had a CRM system wich also has an email client build in but customer has changed his password for the mail account so CRM system was hammering on dovecot because the passwords where changed, fixed this and the trouble went away