Failed POP3 login attempts from

While checking the mail log file, /var/log/maillog, on an email server today, I noticed an attempted login from an IP address in an address range I didn't recognize. The entry in the log file contained the following text:

dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=

I checked the country associated with the IP address ( with geoiplookup (you can install the GeoIP package on a CentOS Linux system with yum install GeoIP) and found it was an address assigned to an entity in Great Britain.

$ geoiplookup
GeoIP Country Edition: GB, United Kingdom

When I checked the DShield page for the IP address at IP Info:, I found that others had also reported similar attempts at unauthorized access on the POP3 port, port 110.

External Threat Feeds

This data was retrieved from various external threat feeds

First Seen   Last Seen    Feed
2017-09-15   2017-09-22   Port 110 Scanner
2017-09-15   2017-09-22   Port 143 Scanner
2017-09-15   2017-09-21   Port 25 Scanner
2017-09-15   2017-09-22   Port 993 Scanner
2017-09-15   2017-09-22   courier imap attacker

I also found that espMail was listing the IP address at their espMail Banned IPs webpage for failed SMTP logins where they note:

These IPs are banned because they have been used in brute force attacks against us.

The most common type of brute force attack is an attempt to login via SSH. The second most common brute force attack is to login to a POP3 mail account.

espMail is a "small business that specialises in Internet mail solutions for other small businesses."

I checked the fail2ban log on the system, but didn't see any entries for the IP address there, but I did see 47 failed login attempts in today's /var/log/maillog file.

# grep /var/log/fail2ban.log
# grep '' /var/log/maillog | grep -c 'Login failed'

All of the login failures were for "Plaintext authentication disabled" entries.
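The per-address check above can be generalized to every source in the log. The following is an added example, not part of the original post: it counts dovecot pop3-login "disallowed plaintext auth" disconnects per rip= address and lists the sources at or above a threshold. The function names, the host name "mail", the lip= field and the documentation-range addresses in the sample lines are constructed for illustration.

```shell
# Count pop3-login "disallowed plaintext auth" disconnects per remote IP.
# Usage: plaintext_auth_sources THRESHOLD [LOGFILE...]  (reads stdin if no file)
plaintext_auth_sources() {
    min=$1
    shift
    awk -v min="$min" '
        /dovecot: pop3-login:/ && /disallowed plaintext auth/ {
            # Take the address from the rip= field; a line whose rip= value
            # is empty or missing is skipped rather than counted.
            if (match($0, /rip=[0-9A-Fa-f:.]+/)) {
                ip = substr($0, RSTART + 4, RLENGTH - 4)
                count[ip]++
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    printf "%d %s\n", count[ip], ip
        }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample lines in the maillog format quoted in the post.
sample_maillog() {
    cat <<'EOF'
Sep 22 10:01:02 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Sep 22 10:01:09 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Sep 22 10:02:30 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Sep 22 10:03:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
Sep 22 10:04:11 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=203.0.113.99, lip=198.51.100.5
Sep 22 10:05:00 mail dovecot: pop3-login: Disconnected (no auth attempts): rip=192.0.2.10, lip=198.51.100.5
EOF
}

# Demo: sources with at least 2 matching disconnects in the sample.
sample_maillog | plaintext_auth_sources 2
```

Pass one or more log files after the threshold, such as /var/log/maillog, to read them instead of standard input.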
