Server is brute forced by itself

Active8

Verified User
Joined
Jul 13, 2013
Messages
290
Hi, we have an issue with one of our servers. When we check the log from the brute force page we see a lot of this:
Code:
Jan 20 18:04:38 srv1 dovecot[5721]: imap-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<name@domain.com>, method=PLAIN, rip=11.x.x.x, lip=11.x.x.x, secured, session=
11.x.x.x is the server's main IP address!

This goes on and on for this domain and email address. I have checked the Roundcube logs but there is not any data there. The strange thing is this only happens for the email account on this domain.com, other customers don't have this problem. Any idea?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,534
Location
Maastricht
Does this domain have a forum or website (like WordPress) where the customer can enter SMTP information to send mail? This could also be the cause of such notices. Or another script (maybe malicious) which is trying to send mail via SMTP using that e-mail address and SMTP.
 

Active8

Verified User
Joined
Jul 13, 2013
Messages
290
Hi Richard, thanks for replying

Meanwhile I have located the troublemaker :)
The customer had a CRM system which also has an email client built in, but the customer has changed his password for the mail account, so the CRM system was hammering on Dovecot because the passwords were changed. Fixed this and the trouble went away :)
 
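To spot this pattern quickly, the following added example (not code from the thread or from DirectAdmin/Dovecot) parses Dovecot login-failure lines in the format quoted above and counts failed attempts per account where the client address (`rip`) is the server itself (`lip`). The sample log lines, addresses and account names are constructed, and treating loopback as "self" is an assumption for locally hosted webmail or scripts.

```python
import re
from collections import Counter

# Matches Dovecot "auth failed" lines as quoted in the thread, e.g.
# "... dovecot[5721]: imap-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<...>, ... rip=..., lip=..., ..."
LINE_RE = re.compile(
    r"dovecot\[\d+\]: (?P<svc>\w+)-login: .*?\(auth failed, (?P<n>\d+) attempts"
    r".*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+)"
)
LOOPBACK = {"127.0.0.1", "::1"}  # assumption: local clients may also connect via loopback


def self_originated_failures(lines):
    """Return failed-attempt counts per (service, user) where the client is the server itself."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        if m["rip"] == m["lip"] or m["rip"] in LOOPBACK:
            counts[(m["svc"], m["user"])] += int(m["n"])
    return counts


# Constructed sample input (documentation IP ranges, made-up accounts).
SAMPLE_LOG = [
    "Jan 20 18:04:38 srv1 dovecot[5721]: imap-login: Aborted login (auth failed, 1 attempts in 17 secs): "
    "user=<crm@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.10, secured, session=<a1>",
    "Jan 20 18:05:02 srv1 dovecot[5721]: imap-login: Disconnected (auth failed, 2 attempts in 9 secs): "
    "user=<crm@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.10, secured, session=<a2>",
    "Jan 20 18:05:40 srv1 dovecot[5721]: imap-login: Aborted login (auth failed, 1 attempts in 4 secs): "
    "user=<other@example.com>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10, TLS, session=<b1>",
    "Jan 20 18:06:11 srv1 dovecot[5721]: imap-login: Login: user=<crm@example.com>, method=PLAIN, "
    "rip=192.0.2.10, lip=192.0.2.10, mpid=6001, secured, session=<a3>",
]

if __name__ == "__main__":
    for (svc, user), n in self_originated_failures(SAMPLE_LOG).most_common():
        print(f"{n:4d} failed {svc} attempts from this server for {user}")
```

A single account dominating this output points to a local application with a stale stored password, as in this thread, rather than an external brute-force source.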