Mailing List CGatePro@mail.stalker.com Message #105721
From: James Roman <james.roman@ssaihq.com>
Subject: Re: IP blocking
Date: Thu, 16 Jul 2015 11:38:54 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Apple Mail (2.2098)


20:24:00.938 1 POP-232729([122.155.16.155]:53698) failed to open ACCOUNT(littleannie) for [122.155.16.155]:53698->[myip]:110. Error Code=account is routed to NULL
20:24:01.605 1 POP-232730([122.155.16.155]:54214) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54214->[myip]:110. Error Code=account is routed to NULL
20:24:02.280 1 POP-232731([122.155.16.155]:54307) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54307->[myip]:110. Error Code=account is routed to NULL
20:24:02.965 1 POP-232732([122.155.16.155]:54409) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54409->[myip]:110. Error Code=account is routed to NULL
20:24:03.685 1 POP-232733([122.155.16.155]:54499) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54499->[myip]:110. Error Code=account is routed to NULL
20:24:04.448 1 POP-232734([122.155.16.155]:54604) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54604->[myip]:110. Error Code=account is routed to NULL
20:24:05.206 1 POP-232735([122.155.16.155]:54720) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54720->[myip]:110. Error Code=account is routed to NULL

From RFC 1939 a typical POP3 session might look like:
 S: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
 C: USER mrose
 S: +OK mrose is a real hoopy frood
 C: PASS secret
 S: +OK mrose's maildrop has 2 messages (320 octets)

Most likely the one here looks like:

 S: +OK POP3 server ready <mailsessionid@your.mail.dom>
 C: USER littleannie
 S: < You've been bit bucketed so I'm not responding >
 C: USER littleannie
 S: < You've been bit bucketed so I'm not responding >
(Rinse and Repeat)

I think what is happening here is that it is never getting to the password phase, so there is no protocol error or failed password to trigger the blacklist. There are only two acceptable protocol responses to the USER command: +OK or -ERR. If the server responds with an error, it confirms that the user is invalid; if it delays, it could just mean the server is busy (unless someone is paying attention to the valid response times by sending a simultaneous valid login from a different IP). The deck is stacked in favor of the attacker.

I don't quite understand the implications, but you may want to review https://www.communigate.com/communigatepro/Listener.html#Restrictions. The part at the bottom about the behavior when a connection is not from a Client IP Address may be the opposite of what you expect. You could configure the POP3 listener to restrict access to only your client IP addresses. Otherwise, you might consider firewalling POP3 to only be used by your client IP addresses at the server or network level. Also, you might want to consider the effects
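As an added example (not from the thread and not CommuniGate's own code), here is a defender-side check that parses the log format quoted above and flags a source address that repeatedly fails to open accounts, which is the pattern the built-in blacklist misses when the account is routed to NULL. The regex, the threshold and window defaults, and the 192.0.2.10 sample line are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One CommuniGate Pro POP failed-open log line, in the shape quoted in the thread above.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \d+ POP-\d+\(\[(?P<ip>[^\]]+)\]:\d+\) "
    r"failed to open ACCOUNT\((?P<account>[^)]+)\) for .*Error Code=(?P<error>.+)$"
)

def parse_line(line):
    """Return (timestamp, ip, account, error) or None for lines that are not failed opens."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%H:%M:%S.%f")
    return ts, m.group("ip"), m.group("account"), m.group("error")

def find_enumerating_ips(lines, threshold=5, window_seconds=10):
    """Flag IPs with at least `threshold` failed opens in any `window_seconds` span.
    Returns {ip: (total_failures, set_of_accounts_tried)}."""
    events = defaultdict(list)  # ip -> list of (timestamp, account)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, account, _error = parsed
            events[ip].append((ts, account))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the left edge until every hit in [start, end] fits inside the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(hits), {acct for _, acct in hits})
                break
    return flagged

# Constructed sample: five lines from the thread plus one unrelated failure from a test-net IP.
SAMPLE_LOG = [
    "20:24:00.938 1 POP-232729([122.155.16.155]:53698) failed to open ACCOUNT(littleannie) for [122.155.16.155]:53698->[myip]:110. Error Code=account is routed to NULL",
    "20:24:01.605 1 POP-232730([122.155.16.155]:54214) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54214->[myip]:110. Error Code=account is routed to NULL",
    "20:24:02.280 1 POP-232731([122.155.16.155]:54307) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54307->[myip]:110. Error Code=account is routed to NULL",
    "20:24:02.965 1 POP-232732([122.155.16.155]:54409) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54409->[myip]:110. Error Code=account is routed to NULL",
    "20:24:03.685 1 POP-232733([122.155.16.155]:54499) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54499->[myip]:110. Error Code=account is routed to NULL",
    "20:30:12.001 1 POP-232800([192.0.2.10]:40001) failed to open ACCOUNT(bob) for [192.0.2.10]:40001->[myip]:110. Error Code=account is routed to NULL",
]
```

Feeding the flagged addresses into a firewall or the listener's restriction list is the follow-up step; the script itself only reports.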