Mailing List CGatePro@mail.stalker.com Message #105723
From: Shaun Gamble <listrdr@redco.com.au>
Subject: Re: IP blocking
Date: Fri, 17 Jul 2015 15:14:43 +1000
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Thanks James. I went down this path to give the server a "rest" from it. I simply changed the POP listener to only grant access to my clients' static IP addresses. Unfortunately I have one client who is dynamic IP and insists on still using POP3. So I had to remove the restrictions after a day.

On 17/07/2015 1:38 AM, James Roman wrote:

20:24:00.938 1 POP-232729([122.155.16.155]:53698) failed to open ACCOUNT(littleannie) for [122.155.16.155]:53698->[myip]:110. Error Code=account is routed to NULL
20:24:01.605 1 POP-232730([122.155.16.155]:54214) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54214->[myip]:110. Error Code=account is routed to NULL
20:24:02.280 1 POP-232731([122.155.16.155]:54307) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54307->[myip]:110. Error Code=account is routed to NULL
20:24:02.965 1 POP-232732([122.155.16.155]:54409) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54409->[myip]:110. Error Code=account is routed to NULL
20:24:03.685 1 POP-232733([122.155.16.155]:54499) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54499->[myip]:110. Error Code=account is routed to NULL
20:24:04.448 1 POP-232734([122.155.16.155]:54604) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54604->[myip]:110. Error Code=account is routed to NULL
20:24:05.206 1 POP-232735([122.155.16.155]:54720) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54720->[myip]:110. Error Code=account is routed to NULL

From RFC 1939 a typical POP3 session might look like:
 S: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
 C: USER mrose
 S: +OK mrose is a real hoopy frood
 C: PASS secret
 S: +OK mrose's maildrop has 2 messages (320 octets)

Most likely the one here looks like:

 S: +OK POP3 server ready <mailsessionid@your.mail.dom>
 C: USER littleannie
 S: < You’ve been bit bucketed so I’m not responding >
 C: USER littleannie
 S: < You’ve been bit bucketed so I’m not responding >
(Rinse and Repeat)

I think what is happening here is that it is never getting to the password phase, so there is no protocol error or failed password to trigger the blacklist. The only two acceptable protocol responses to the USER command are “+OK” or “-ERR”. If the server responds with an error, it confirms that the user is invalid; if it delays, it could just mean the server is busy (unless someone is paying attention to the valid response times by sending a simultaneous valid login from a different IP). The deck is stacked in favor of the attacker.

I don’t quite understand the implications, but you may want to review https://www.communigate.com/communigatepro/Listener.html#Restrictions. The part at the bottom about the behavior when a connection is not from a Client IP Address may be the opposite of what you expect. You could configure the POP3 listener to restrict access to only your client IP addresses. Otherwise, you might consider firewalling POP3 to only be used by your client IP addresses at the server or network level. Also, you might want to consider the effects 

-- 

Shaun
Fitzroy Island <http://www.fitzroyisland.com>
Destination Darwin NT <http://www.destinationnt.com>
MOM Backpackers <http://www.momdarwin.com>
Value Inn Hotel <http://www.valueinn.com.au>
Please do not send any unsolicited email. It is not wanted. 
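An added example (not code from the thread or from CommuniGate) of the detection logic a defender would want for the pattern James describes: it parses the log format quoted above and flags any source IP that piles up account-open failures at the USER stage, which the password-failure blacklist never sees. The 203.0.113.7 line and the timestamps are constructed sample data; the 10-second window and threshold of 5 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the CommuniGate Pro log format quoted in the thread:
# one IP hammering USER for a NULL-routed account, plus one unrelated failure.
SAMPLE_LOG = """\
20:24:00.938 1 POP-232729([122.155.16.155]:53698) failed to open ACCOUNT(littleannie) for [122.155.16.155]:53698->[myip]:110. Error Code=account is routed to NULL
20:24:01.605 1 POP-232730([122.155.16.155]:54214) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54214->[myip]:110. Error Code=account is routed to NULL
20:24:02.280 1 POP-232731([122.155.16.155]:54307) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54307->[myip]:110. Error Code=account is routed to NULL
20:24:02.965 1 POP-232732([122.155.16.155]:54409) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54409->[myip]:110. Error Code=account is routed to NULL
20:24:03.685 1 POP-232733([122.155.16.155]:54499) failed to open ACCOUNT(littleannie) for [122.155.16.155]:54499->[myip]:110. Error Code=account is routed to NULL
20:25:10.001 1 POP-232801([203.0.113.7]:40001) failed to open ACCOUNT(bob) for [203.0.113.7]:40001->[myip]:110. Error Code=account is routed to NULL
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \d+ POP-\d+\(\[(?P<ip>[^\]]+)\]:\d+\) "
    r"failed to open ACCOUNT\((?P<account>[^)]+)\) .*Error Code=(?P<code>.+)$"
)


def parse_failures(log_text):
    """Return (time, ip, account, error_code) for each account-open failure.
    Assumption: lines carry no date, so a window spanning midnight is not handled."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t = datetime.strptime(m["time"], "%H:%M:%S.%f")
            out.append((t, m["ip"], m["account"], m["code"]))
    return out


def find_user_stage_bursts(log_text, threshold=5, window=timedelta(seconds=10)):
    """Return {ip: total_failures} for IPs with >= threshold account-open
    failures inside any sliding window. These happen before PASS is ever sent,
    so a blacklist keyed on failed passwords does not count them."""
    by_ip = defaultdict(list)
    for t, ip, _account, _code in parse_failures(log_text):
        by_ip[ip].append(t)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Feed it a tail of the POP log and the flagged IPs are candidates for the listener or firewall restriction discussed in the thread.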