Re: [mailop] Microsoft POP3 Troubles

[Michael Peddemors]

Generally an increase in POP is only related to two things:

* Email Client has short time out's and long query times.

Seems some* email clients will attempt to download messages, but if the 
re-query time comes around, it will terminate the first connection and 
then restart from the beginning.


* Unique identifier related to the message keeps changing.

The email client trusts that the server ID for the message is correct, 
so if it changes, the email client will consider this as new.


This occurs usually when migrating data stores.



On 16-05-05 06:40 AM, Joseph B wrote:

I was reviewing my flow records and I can see in the last 24h we have
started doing a much larger amount of POP3 traffic to Microsoft than
usual. As an example, some of the IP's that are making the POP3
connections are:


Yes, we started seeing these logins from around April 18th.

Some users have gone from 5MB a day of POP traffic to 25GB per day :-\

May  5 17:31:52 server dovecot: pop3-login: Login:
user=, method=PLAIN, rip=40.100.16.125,
lip=45.xx.xx.xx, mpid=294947, session=<7VRKwRMytG4oZBB9>
May  5 17:31:52 server dovecot: pop3(u...@domain.com): Disconnected:
Logged out top=0/0, retr=0/0, del=0/512, size=223773360, bytes=24/12306

May  5 17:32:17 server dovecot: pop3-login: Login:
user=, method=PLAIN, rip=40.100.16.125,
lip=45.xx.xx.xx, mpid=295053, session=
May  5 17:40:34 server dovecot: pop3(u...@domain.com): Disconnected:
Logged out top=2/3772, retr=1024/447566492, del=0/512, size=223773360,
bytes=10074/447591247

Cheers,

Joseph


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Microsoft POP3 Troubles

[Joseph B]

> I was reviewing my flow records and I can see in the last 24h we have 
> started doing a much larger amount of POP3 traffic to Microsoft than 
> usual. As an example, some of the IP's that are making the POP3 
> connections are:

Yes, we started seeing these logins from around April 18th.

Some users have gone from 5MB a day of POP traffic to 25GB per day :-\

May  5 17:31:52 server dovecot: pop3-login: Login:
user=, method=PLAIN, rip=40.100.16.125,
lip=45.xx.xx.xx, mpid=294947, session=<7VRKwRMytG4oZBB9>
May  5 17:31:52 server dovecot: pop3(u...@domain.com): Disconnected:
Logged out top=0/0, retr=0/0, del=0/512, size=223773360, bytes=24/12306

May  5 17:32:17 server dovecot: pop3-login: Login:
user=, method=PLAIN, rip=40.100.16.125,
lip=45.xx.xx.xx, mpid=295053, session=
May  5 17:40:34 server dovecot: pop3(u...@domain.com): Disconnected:
Logged out top=2/3772, retr=1024/447566492, del=0/512, size=223773360,
bytes=10074/447591247

Cheers,

Joseph


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Microsoft POP3 Troubles

[Michael Wise]

I don't know who would be responsible for this, but will ask around in the 
morning. 3am here currently. :(

Aloha,
Michael.
--
Sent from my Windows Phone

From: Chris via mailop<mailto:mailop@mailop.org>
Sent: ‎5/‎5/‎2016 2:37 AM
To: mailop@mailop.org<mailto:mailop@mailop.org>
Subject: Re: [mailop] Microsoft POP3 Troubles


On 05/05/2016 5:16 PM, Michael Wise wrote:

But by virtue of the, "admin" I'd want whomever owns that domain to be advised?

It might be some Dev doing something with their own mailbox, or ... I have no 
idea, sorry.

Hi Michael,

The issue is its not just this one particular mailbox, this just happened to 
the first one I checked. This is happening for about 15 different domains we 
host, all with different mailboxes and they are all different customers. The 
issue started happening about the same time (+- 30 minutes from each other) on 
all of them as well - I don't think this is anything to do with what the 
customers have setup. I have tried contacting a couple of the customers but 
they have no clue what they have setup, they will check in with their tech to 
see.

It's not really a big problem it just appears to be wasting a fair bit of 
bandwidth, it would be nice if it stopped though. The other option I have is 
firewalling these off and see what breaks but that's a last resort...

As we are not a MS customer, is there any way I can get in contact with someone 
at MS who would be able to follow this up?
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Microsoft POP3 Troubles

[Michael Wise]

You'd think some rDNS, but...
It's not Azure.

I have no idea, sorry.

But by virtue of the, "admin" I'd want whomever owns that domain to be advised?

It might be some Dev doing something with their own mailbox, or ... I have no 
idea, sorry.

Aloha,
Michael.
--
Sent from my Windows Phone

From: Chris via mailop<mailto:mailop@mailop.org>
Sent: ‎5/‎4/‎2016 10:53 PM
To: mailop@mailop.org<mailto:mailop@mailop.org>
Subject: [mailop] Microsoft POP3 Troubles

Hi all,

Not sure if this is the right list to post this to.

I was reviewing my flow records and I can see in the last 24h we have
started doing a much larger amount of POP3 traffic to Microsoft than
usual. As an example, some of the IP's that are making the POP3
connections are:

40.96.25.117
40.100.0.132
40.100.1.237
40.96.18.165
40.96.47.101
40.96.2.53
40.96.15.165
40.100.2.29

I have reviewed the mail server logs on my end and found that it looks
like these IP's are grabbing complete copies of the same mailbox over
and over again. I have put an example of the pop3 logs from dovecot
below from one of our servers which show the repeated downloads. For
this particular domain the user has 1.7GB of emails total in all
mailboxes but I can see in the last 24H Microsoft has downloaded the
mailbox multiple times totalling over 180GB...

I am not exactly sure what on the MS end these IP's belong to and I am
not sure what the customers have setup, I am waiting to hear back from a
few. This is happening across a bunch of different servers on different
mailboxes.

I would be interested to hear if anyone else has experienced this
recently, it appears to still be happening now.

May  5 04:31:36 server47 dovecot: pop3(admin@X): Disconnected:
Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339,
bytes=22081/957917270
May  5 04:56:21 server47 dovecot: pop3-login: Login: user=<admin@X>,
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=442,
session=<4FwzdQoylAkoYBKl>
May  5 04:56:21 server47 dovecot: pop3(admin@X): Disconnected:
Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May  5 04:56:25 server47 dovecot: pop3-login: Login: user=<admin@X>,
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=475,
session=
May  5 05:03:29 server47 dovecot: pop3(admin@X): Disconnected:
Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339,
bytes=22081/957917270
May  5 05:20:03 server47 dovecot: pop3-login: Login: user=<admin@X>,
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=37159,
session=
May  5 05:20:03 server47 dovecot: pop3(admin@X): Disconnected:
Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May  5 05:20:06 server47 dovecot: pop3-login: Login: user=<admin@X>,
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=37344,
session=
May  5 05:25:53 server47 dovecot: pop3(admin@X): Disconnected:
Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339,
bytes=22081/957917270
May  5 05:47:11 server47 dovecot: pop3-login: Login: user=<admin@X>,
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=89853,
session=
May  5 05:47:12 server47 dovecot: pop3(admin@X): Disconnected:
Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May  5 05:47:15 server47 dovecot: pop3-login: Login: user=<admin@X>,
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=89886,
session=
May  5 05:54:00 server47 dovecot: pop3(admin@X): Disconnected:
Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339,
bytes=22081/957917270
May  5 06:16:53 server47 dovecot: pop3-login: Login: user=<admin@X>,
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=127954,
session=<Poc+lQsyWj8oYBKl>
May  5 06:16:54 server47 dovecot: pop3(admin@X): Disconnected:
Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May  5 06:16:58 server47 dovecot: pop3-login: Login: user=<admin@X>,
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=128036,
session=
May  5 06:22:31 server47 dovecot: pop3(admin@X): Disconnected:
Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339,
bytes=22081/957917270
May  5 06:51:20 server47 dovecot: pop3-login: Login: user=<admin@X>,
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=170010,
session=
May  5 06:51:20 server47 dovecot: pop3(admin@X): Disconnected:
Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May  5 06:51:29 server47 dovecot: pop3-login: Login: user=<admin@X>,
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=170137,
session=
May  5 06:58:51 server47 dovecot: pop3(admin@X): Disconnected:
Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339,
bytes=22081/957917270
May  5 07:24:25 server47 dovecot: pop3-login: Login: user=<admin

[mailop] Microsoft POP3 Troubles

[Chris via mailop]

Hi all,

Not sure if this is the right list to post this to.

I was reviewing my flow records and I can see in the last 24h we have 
started doing a much larger amount of POP3 traffic to Microsoft than 
usual. As an example, some of the IP's that are making the POP3 
connections are:


40.96.25.117
40.100.0.132
40.100.1.237
40.96.18.165
40.96.47.101
40.96.2.53
40.96.15.165
40.100.2.29

I have reviewed the mail server logs on my end and found that it looks 
like these IP's are grabbing complete copies of the same mailbox over 
and over again. I have put an example of the pop3 logs from dovecot 
below from one of our servers which show the repeated downloads. For 
this particular domain the user has 1.7GB of emails total in all 
mailboxes but I can see in the last 24H Microsoft has downloaded the 
mailbox multiple times totalling over 180GB...


I am not exactly sure what on the MS end these IP's belong to and I am 
not sure what the customers have setup, I am waiting to hear back from a 
few. This is happening across a bunch of different servers on different 
mailboxes.


I would be interested to hear if anyone else has experienced this 
recently, it appears to still be happening now.


May  5 04:31:36 server47 dovecot: pop3(admin@X): Disconnected: 
Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, 
bytes=22081/957917270
May  5 04:56:21 server47 dovecot: pop3-login: Login: user=, 
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=442, 
session=<4FwzdQoylAkoYBKl>
May  5 04:56:21 server47 dovecot: pop3(admin@X): Disconnected: 
Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May  5 04:56:25 server47 dovecot: pop3-login: Login: user=, 
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=475, 
session=
May  5 05:03:29 server47 dovecot: pop3(admin@X): Disconnected: 
Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, 
bytes=22081/957917270
May  5 05:20:03 server47 dovecot: pop3-login: Login: user=, 
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=37159, 
session=
May  5 05:20:03 server47 dovecot: pop3(admin@X): Disconnected: 
Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May  5 05:20:06 server47 dovecot: pop3-login: Login: user=, 
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=37344, 
session=
May  5 05:25:53 server47 dovecot: pop3(admin@X): Disconnected: 
Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, 
bytes=22081/957917270
May  5 05:47:11 server47 dovecot: pop3-login: Login: user=, 
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=89853, 
session=
May  5 05:47:12 server47 dovecot: pop3(admin@X): Disconnected: 
Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May  5 05:47:15 server47 dovecot: pop3-login: Login: user=, 
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=89886, 
session=
May  5 05:54:00 server47 dovecot: pop3(admin@X): Disconnected: 
Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, 
bytes=22081/957917270
May  5 06:16:53 server47 dovecot: pop3-login: Login: user=, 
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=127954, 
session=
May  5 06:16:54 server47 dovecot: pop3(admin@X): Disconnected: 
Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May  5 06:16:58 server47 dovecot: pop3-login: Login: user=, 
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=128036, 
session=
May  5 06:22:31 server47 dovecot: pop3(admin@X): Disconnected: 
Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, 
bytes=22081/957917270
May  5 06:51:20 server47 dovecot: pop3-login: Login: user=, 
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=170010, 
session=
May  5 06:51:20 server47 dovecot: pop3(admin@X): Disconnected: 
Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May  5 06:51:29 server47 dovecot: pop3-login: Login: user=, 
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=170137, 
session=
May  5 06:58:51 server47 dovecot: pop3(admin@X): Disconnected: 
Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, 
bytes=22081/957917270
May  5 07:24:25 server47 dovecot: pop3-login: Login: user=, 
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=211166, 
session=
May  5 07:24:25 server47 dovecot: pop3(admin@X): Disconnected: 
Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May  5 07:24:39 server47 dovecot: pop3-login: Login: user=, 
method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=211461, 
session=
May  5 07:32:22 server47 dovecot: pop3(admin@X): Disconnected: 
Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, 
bytes=22081/957917270
May