Deleted mail box issue?

Hi,
Just wondered if anyone has any ideas on this issue?
One of my users has deleted a mailbox but the email address is still active on one of their devices and keeps trying to connect to the server. They cannot find the device that is trying to connect (cannot be that hard, I know!!); the device tries every minute.
The server has BFD and APF firewall and the user's IP gets banned due to vpopmail user not found rules. I have whitelisted their IP address but as soon as their IP changes they are obviously banned again.
Can the email address be whitelisted or blocked in some way so the IP address is not affected?

Thank you
Gary

Hi Bear

Hope you're well

I do not believe there is an easy answer to this, and guess they are dynamic on their broadband for external IP

Can you see the requests in the logs?

Do you know the full email address used, and if so, do you know the password which was used for the email account?

Is their MX pointed at another server or your server?

My thinking is that it is on a mobile device, with it being every minute, but it should not be hard to find the email client with it set up on and delete it, as the email client must be showing an error screen/message, so the user must know but is just ignoring it

I do not believe you can whitelist an email address, so if they cannot find the device, your only option is to carry on as you are or create the email address, but if you do not know the exact password, you will be in the same position

Good luck

Many thanks

John

Good morning

The device is on their home network; I have traced the IP address.
I know the full email address but do not know the password, and the MX is pointed at my server.

Logs are showing, for example (removed domain & IP):
Nov 17 09:11:26 serv vpopmail[29520]: vchkpw-smtp: vpopmail user not found camera@removed.com:#.#.#.#

At a guess I feel it's on a home security device, going by the email address.

Just thought I would ask if there was a way to put a stop to it; more of an inconvenience to them than me.

Thank you for your reply

Gary
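
Added example, not part of the thread: a Python summary of vchkpw "user not found" lines in the format quoted above. It groups failures by address and flags fixed-interval retries, which point to a forgotten device even when the source IP changes. The `year` argument, the thresholds and the sample lines (documentation IPs and domains) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches the vchkpw line format quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\svpopmail\[\d+\]:\s"
    r"vchkpw-(?P<svc>\w+):\svpopmail user not found\s"
    r"(?P<addr>[^\s:]+):(?P<ip>\S+)$"
)

def summarize(lines, year=2024, min_hits=3, jitter=5):
    """Group 'user not found' failures by address and flag steady retry loops."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            # Syslog timestamps carry no year, so one is assumed (default above).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["addr"]].append((ts, m["ip"], m["svc"]))
    report = {}
    for addr, events in hits.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        period = median(gaps) if gaps else None
        # A forgotten client retries on a fixed timer, so require near-constant gaps.
        steady = len(events) >= min_hits and all(abs(g - period) <= jitter for g in gaps)
        report[addr] = {
            "attempts": len(events),
            "ips": sorted({ip for _, ip, _ in events}),
            "services": sorted({svc for _, _, svc in events}),
            "period_s": period,
            "looks_like_forgotten_device": steady,
        }
    return report

# Constructed sample in the thread's log format (documentation IPs/domains).
SAMPLE = """\
Nov 17 09:11:26 serv vpopmail[29520]: vchkpw-smtp: vpopmail user not found camera@example.com:203.0.113.7
Nov 17 09:12:26 serv vpopmail[29533]: vchkpw-smtp: vpopmail user not found camera@example.com:203.0.113.7
Nov 17 09:12:40 serv vpopmail[29540]: vchkpw-pop3: vpopmail user not found info@example.net:198.51.100.9
Nov 17 09:13:27 serv vpopmail[29551]: vchkpw-smtp: vpopmail user not found camera@example.com:203.0.113.7
Nov 17 09:14:26 serv vpopmail[29570]: vchkpw-smtp: vpopmail user not found camera@example.com:203.0.113.44
""".splitlines()

if __name__ == "__main__":
    for addr, info in summarize(SAMPLE).items():
        print(addr, info)
```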

Hi bear

Yes, I concur it’s a security device now you shared the first part of the email address

The only thing I could think of, but not ideal if they use email on your server, would be to null the MX record

This would only stop the device if the server address was using the MX record

If set to server IP or server MX record it would not stop it, and of course if the client uses email facilities on your server, you could not null the domain MX

Caught between a rock and a hard place but good luck, and please make sure client knows it is not your fault or that of your servers

Many thanks

John

Hi

They have other emails in use so cannot null the MX record, but thank you for the idea.
Will contact them again and get them to find the device.

Have a good day

I had the same problem with a client. He swore up and down he didn’t have any other devices set up to access his email, yet his IP was blocked again and again by POP3 failed logins with his old password each time I unblocked him in CSF.

The way I finally got him to find the device was to have him access his router via his browser and look at all the connected devices, turning off each device until only one was listed on the router. It turned out a tablet he gave to his kids to play games was set up to access his email using his old password.

I don’t know if he ever would have figured it out if he hadn’t used the router trick. It’s worth a try.

Yeah, unfortunately, this is one of those cases that all service providers go through where it is 100% a customer’s issue, but you can’t really come out and blame the customer directly (though it is their fault). Unfortunately, outside of @linux4me’s suggestion, there isn’t much you can do at the server level.

Additionally, stress to the customer that allowing them to circumvent/backdoor the server’s protections for such a ridiculous reason is going to lower security for everyone on the server. I can think of a few ways to allow the customer to update their IP on another server (that they won’t be locked out of) and then run a cron to grab that IP from another server and whitelist that IP on a regular basis, but that’s not safe and it would be really annoying to manage. Overall, it’s a ton of work for something that only affects one customer who is technically causing the problem themselves.

As John said, you’re stuck between a rock and a hard place. Sorry about that.

He found the device causing the issue !!! :smiley: :smiley:

I don’t usually bother too much but this one was trying to connect every minute.

It’s not too difficult to explain to people that have some understanding why they are getting blocked, but trying to explain to people with little or no knowledge is harder; the first response is to blame the hosting service :innocent:

Thanks for all the replies