Re: [mailop] Microsoft POP3 Troubles
We see the same, adding ~150Mbps of POP3 traffic on just one cluster. It started on 2016-04-18, but took about two weeks to grow, levelling off as of about 2016-05-01.

Probably a code update broke POP3 UIDL caching or the don't-redownload decision. I can't imagine it is entirely broken, or we'd see reports of duplication.

Would it help for us to collect login sources or timestamps? It's not really hurting, but would be nice to fix...or auto-punt to IMAP.

Simon-

On Fri, May 27, 2016 at 06:56:08PM +, Kirk MacDonald wrote:
> Sorry to drag up an older thread. Have there been any further discoveries on
> this front? Based on our message store interface bps records I'd say this
> behavior looks to have started April 17 or 18 2016.
>
> Kirk MacDonald
> System Administrator
> Internet
> Eastlink
>
> -Original Message-
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michael Wise
> Sent: Thursday, May 05, 2016 3:13 PM
> To: mailop@mailop.org
> Subject: Re: [mailop] Microsoft POP3 Troubles
>
> Well, I got an answer, but am no further ahead as such.
> I'd suggest treating them as a malfunctioning POP3 client and suggest ...
> that they upgrade to IMAP4 instead? :)
> It doesn't seem to be coming from an area that would suggest it's a rogue
> tenant, but that cannot be completely ruled out.
>
> Please let me know if it turns out to be in any way actually malicious
> instead of a misconfigure or timeout.
>
> Aloha,
> Michael.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Microsoft POP3 Troubles
Sorry to drag up an older thread. Have there been any further discoveries on this front? Based on our message store interface bps records I'd say this behavior looks to have started April 17 or 18 2016.

Kirk MacDonald
System Administrator
Internet
Eastlink

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michael Wise
Sent: Thursday, May 05, 2016 3:13 PM
To: mailop@mailop.org
Subject: Re: [mailop] Microsoft POP3 Troubles

Well, I got an answer, but am no further ahead as such.
I'd suggest treating them as a malfunctioning POP3 client and suggest ... that they upgrade to IMAP4 instead? :)
It doesn't seem to be coming from an area that would suggest it's a rogue tenant, but that cannot be completely ruled out.

Please let me know if it turns out to be in any way actually malicious instead of a misconfigure or timeout.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michael Peddemors
Sent: Thursday, May 5, 2016 7:15 AM
To: mailop@mailop.org
Subject: Re: [mailop] Microsoft POP3 Troubles

Generally an increase in POP is only related to two things:

* Email Client has short timeouts and long query times. Seems some* email clients will attempt to download messages, but if the re-query time comes around, it will terminate the first connection and then restart from the beginning.

* Unique identifier related to the message keeps changing. The email client trusts that the server ID for the message is correct, so if it changes, the email client will consider this as new. This occurs usually when migrating data stores.

On 16-05-05 06:40 AM, Joseph B wrote:
>> I was reviewing my flow records and I can see in the last 24h we have
>> started doing a much larger amount of POP3 traffic to Microsoft than
>> usual.
Re: [mailop] Microsoft POP3 Troubles
On 09/05/2016 7:22 PM, Joseph B wrote:
> Hi Chris,
>
> I've followed up with my customers who had this issue. It seems they had
> Outlook.com checking their email accounts via POP3, this had been set up for
> some time (years) and they hadn't touched or changed it recently.
>
> As the customers had since migrated to using IMAP and a local client, they
> disabled this in the Outlook web interface and normal bandwidth consumption
> resumed [0] with no issues of POP3 bandwidth usage since.

Hi Joseph,

Thanks for the info - I had a better look into my netflow records today and it's even more customers than I thought on our end who have this setup - I am guessing something changed at the Outlook end which has broken it (unlikely a bunch of different servers on our end, not even running the same POP3 server software, all broke at the same time).

Just for today we are over 2.8TB and counting. I guess I'll have to get the support team to start calling customers...
Re: [mailop] Microsoft POP3 Troubles
Hi Chris,

> The issue is it's not just this one particular mailbox, this just
> happened to the first one I checked. This is happening for about 15
> different domains we host, all with different mailboxes and they are
> all different customers. The issue started happening about the same
> time (+- 30 minutes from each other) on all of them as well - I
> don't think this is anything to do with what the customers have
> set up. I have tried contacting a couple of the customers but they
> have no clue what they have set up, they will check in with their
> tech to see.

I've followed up with my customers who had this issue. It seems they had Outlook.com checking their email accounts via POP3, this had been set up for some time (years) and they hadn't touched or changed it recently.

As the customers had since migrated to using IMAP and a local client, they disabled this in the Outlook web interface and normal bandwidth consumption resumed [0] with no issues of POP3 bandwidth usage since.

HTH.

Joseph

[0] https://www.dropbox.com/s/vl9kct0l744hlei/Screenshot%202016-05-09%2020.45.42.png?dl=0
Re: [mailop] Microsoft POP3 Troubles
Well, I got an answer, but am no further ahead as such.
I'd suggest treating them as a malfunctioning POP3 client and suggest ... that they upgrade to IMAP4 instead? :)
It doesn't seem to be coming from an area that would suggest it's a rogue tenant, but that cannot be completely ruled out.

Please let me know if it turns out to be in any way actually malicious instead of a misconfigure or timeout.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michael Peddemors
Sent: Thursday, May 5, 2016 7:15 AM
To: mailop@mailop.org
Subject: Re: [mailop] Microsoft POP3 Troubles

Generally an increase in POP is only related to two things:

* Email Client has short timeouts and long query times. Seems some* email clients will attempt to download messages, but if the re-query time comes around, it will terminate the first connection and then restart from the beginning.

* Unique identifier related to the message keeps changing. The email client trusts that the server ID for the message is correct, so if it changes, the email client will consider this as new. This occurs usually when migrating data stores.

On 16-05-05 06:40 AM, Joseph B wrote:
>> I was reviewing my flow records and I can see in the last 24h we have
>> started doing a much larger amount of POP3 traffic to Microsoft than
>> usual. As an example, some of the IP's that are making the POP3
>> connections are:
>
> Yes, we started seeing these logins from around April 18th.
Re: [mailop] Microsoft POP3 Troubles
Generally an increase in POP is only related to two things:

* Email Client has short timeouts and long query times. Seems some* email clients will attempt to download messages, but if the re-query time comes around, it will terminate the first connection and then restart from the beginning.

* Unique identifier related to the message keeps changing. The email client trusts that the server ID for the message is correct, so if it changes, the email client will consider this as new. This occurs usually when migrating data stores.

On 16-05-05 06:40 AM, Joseph B wrote:
>> I was reviewing my flow records and I can see in the last 24h we have
>> started doing a much larger amount of POP3 traffic to Microsoft than
>> usual. As an example, some of the IP's that are making the POP3
>> connections are:
>
> Yes, we started seeing these logins from around April 18th.
>
> Some users have gone from 5MB a day of POP traffic to 25GB per day :-\
>
> May 5 17:31:52 server dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.100.16.125, lip=45.xx.xx.xx, mpid=294947, session=<7VRKwRMytG4oZBB9>
> May 5 17:31:52 server dovecot: pop3(u...@domain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/512, size=223773360, bytes=24/12306
> May 5 17:32:17 server dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.100.16.125, lip=45.xx.xx.xx, mpid=295053, session=
> May 5 17:40:34 server dovecot: pop3(u...@domain.com): Disconnected: Logged out top=2/3772, retr=1024/447566492, del=0/512, size=223773360, bytes=10074/447591247
>
> Cheers,
>
> Joseph

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
Re: [mailop] Microsoft POP3 Troubles
> I was reviewing my flow records and I can see in the last 24h we have
> started doing a much larger amount of POP3 traffic to Microsoft than
> usual. As an example, some of the IP's that are making the POP3
> connections are:

Yes, we started seeing these logins from around April 18th.

Some users have gone from 5MB a day of POP traffic to 25GB per day :-\

May 5 17:31:52 server dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.100.16.125, lip=45.xx.xx.xx, mpid=294947, session=<7VRKwRMytG4oZBB9>
May 5 17:31:52 server dovecot: pop3(u...@domain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/512, size=223773360, bytes=24/12306
May 5 17:32:17 server dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.100.16.125, lip=45.xx.xx.xx, mpid=295053, session=
May 5 17:40:34 server dovecot: pop3(u...@domain.com): Disconnected: Logged out top=2/3772, retr=1024/447566492, del=0/512, size=223773360, bytes=10074/447591247

Cheers,

Joseph
Re: [mailop] Microsoft POP3 Troubles
I don't know who would be responsible for this, but will ask around in the morning.
3am here currently. :(

Aloha,
Michael.
--
Sent from my Windows Phone

From: Chris via mailop <mailop@mailop.org>
Sent: 5/5/2016 2:37 AM
To: mailop@mailop.org
Subject: Re: [mailop] Microsoft POP3 Troubles

On 05/05/2016 5:16 PM, Michael Wise wrote:
> But by virtue of the, "admin" I'd want whomever owns that domain to be advised?
> It might be some Dev doing something with their own mailbox, or ...
> I have no idea, sorry.

Hi Michael,

The issue is it's not just this one particular mailbox, this just happened to the first one I checked. This is happening for about 15 different domains we host, all with different mailboxes and they are all different customers. The issue started happening about the same time (+- 30 minutes from each other) on all of them as well - I don't think this is anything to do with what the customers have set up. I have tried contacting a couple of the customers but they have no clue what they have set up, they will check in with their tech to see.

It's not really a big problem it just appears to be wasting a fair bit of bandwidth, it would be nice if it stopped though. The other option I have is firewalling these off and see what breaks but that's a last resort...

As we are not a MS customer, is there any way I can get in contact with someone at MS who would be able to follow this up?
Re: [mailop] Microsoft POP3 Troubles
On 05/05/2016 5:16 PM, Michael Wise wrote:
> But by virtue of the, "admin" I'd want whomever owns that domain to be advised?
> It might be some Dev doing something with their own mailbox, or ...
> I have no idea, sorry.

Hi Michael,

The issue is it's not just this one particular mailbox, this just happened to the first one I checked. This is happening for about 15 different domains we host, all with different mailboxes and they are all different customers. The issue started happening about the same time (+- 30 minutes from each other) on all of them as well - I don't think this is anything to do with what the customers have set up. I have tried contacting a couple of the customers but they have no clue what they have set up, they will check in with their tech to see.

It's not really a big problem it just appears to be wasting a fair bit of bandwidth, it would be nice if it stopped though. The other option I have is firewalling these off and see what breaks but that's a last resort...

As we are not a MS customer, is there any way I can get in contact with someone at MS who would be able to follow this up?
Re: [mailop] Microsoft POP3 Troubles
You'd think some rDNS, but... It's not Azure. I have no idea, sorry.
But by virtue of the, "admin" I'd want whomever owns that domain to be advised?
It might be some Dev doing something with their own mailbox, or ...
I have no idea, sorry.

Aloha,
Michael.
--
Sent from my Windows Phone

From: Chris via mailop <mailop@mailop.org>
Sent: 5/4/2016 10:53 PM
To: mailop@mailop.org
Subject: [mailop] Microsoft POP3 Troubles

Hi all,

Not sure if this is the right list to post this to.

I was reviewing my flow records and I can see in the last 24h we have started doing a much larger amount of POP3 traffic to Microsoft than usual. As an example, some of the IP's that are making the POP3 connections are:

40.96.25.117 40.100.0.132 40.100.1.237 40.96.18.165 40.96.47.101 40.96.2.53 40.96.15.165 40.100.2.29

I have reviewed the mail server logs on my end and found that it looks like these IP's are grabbing complete copies of the same mailbox over and over again. I have put an example of the pop3 logs from dovecot below from one of our servers which show the repeated downloads. For this particular domain the user has 1.7GB of emails total in all mailboxes but I can see in the last 24H Microsoft has downloaded the mailbox multiple times totalling over 180GB...

I am not exactly sure what on the MS end these IP's belong to and I am not sure what the customers have set up, I am waiting to hear back from a few. This is happening across a bunch of different servers on different mailboxes.

I would be interested to hear if anyone else has experienced this recently, it appears to still be happening now.
[mailop] Microsoft POP3 Troubles
Hi all,

Not sure if this is the right list to post this to.

I was reviewing my flow records and I can see in the last 24h we have started doing a much larger amount of POP3 traffic to Microsoft than usual. As an example, some of the IP's that are making the POP3 connections are:

40.96.25.117 40.100.0.132 40.100.1.237 40.96.18.165 40.96.47.101 40.96.2.53 40.96.15.165 40.100.2.29

I have reviewed the mail server logs on my end and found that it looks like these IP's are grabbing complete copies of the same mailbox over and over again. I have put an example of the pop3 logs from dovecot below from one of our servers which show the repeated downloads. For this particular domain the user has 1.7GB of emails total in all mailboxes but I can see in the last 24H Microsoft has downloaded the mailbox multiple times totalling over 180GB...

I am not exactly sure what on the MS end these IP's belong to and I am not sure what the customers have set up, I am waiting to hear back from a few. This is happening across a bunch of different servers on different mailboxes.

I would be interested to hear if anyone else has experienced this recently, it appears to still be happening now.
May 5 04:31:36 server47 dovecot: pop3(admin@X): Disconnected: Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, bytes=22081/957917270
May 5 04:56:21 server47 dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=442, session=<4FwzdQoylAkoYBKl>
May 5 04:56:21 server47 dovecot: pop3(admin@X): Disconnected: Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May 5 04:56:25 server47 dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=475, session=
May 5 05:03:29 server47 dovecot: pop3(admin@X): Disconnected: Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, bytes=22081/957917270
May 5 05:20:03 server47 dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=37159, session=
May 5 05:20:03 server47 dovecot: pop3(admin@X): Disconnected: Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May 5 05:20:06 server47 dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=37344, session=
May 5 05:25:53 server47 dovecot: pop3(admin@X): Disconnected: Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, bytes=22081/957917270
May 5 05:47:11 server47 dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=89853, session=
May 5 05:47:12 server47 dovecot: pop3(admin@X): Disconnected: Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May 5 05:47:15 server47 dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=89886, session=
May 5 05:54:00 server47 dovecot: pop3(admin@X): Disconnected: Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, bytes=22081/957917270
May 5 06:16:53 server47 dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=127954, session=
May 5 06:16:54 server47 dovecot: pop3(admin@X): Disconnected: Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May 5 06:16:58 server47 dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=128036, session=
May 5 06:22:31 server47 dovecot: pop3(admin@X): Disconnected: Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, bytes=22081/957917270
May 5 06:51:20 server47 dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=170010, session=
May 5 06:51:20 server47 dovecot: pop3(admin@X): Disconnected: Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May 5 06:51:29 server47 dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=170137, session=
May 5 06:58:51 server47 dovecot: pop3(admin@X): Disconnected: Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, bytes=22081/957917270
May 5 07:24:25 server47 dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=211166, session=
May 5 07:24:25 server47 dovecot: pop3(admin@X): Disconnected: Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May 5 07:24:39 server47 dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=211461, session=
May 5 07:32:22 server47 dovecot: pop3(admin@X): Disconnected: Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, bytes=22081/957917270
May 5 07:55:49 server47 dovecot: pop3-login: Login: user=, method=PLAIN, rip=40.96.18.165, lip=27.124.XXX.XX, mpid=254377, session=
May 5 07:55:49 server47 dovecot: pop3(admi
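
The re-download pattern in the Dovecot logout lines above can be flagged automatically. The Python below is an added example, not part of the original post: it assumes Dovecot's default logout fields (retr= commands/bytes, del= deleted/total messages, size= mailbox bytes), and the function names, the threshold and the sample log (mailbox names, local IP, session ids) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Dovecot lines quoted in the thread.
# Mailbox names, local IP and session ids are placeholders; the counters on
# the admin mailbox mirror the values in the original post.
SAMPLE_LOG = """\
May  5 04:56:21 server47 dovecot: pop3-login: Login: user=<admin@example.test>, method=PLAIN, rip=40.96.18.165, lip=192.0.2.10, mpid=442, session=<s1>
May  5 04:56:21 server47 dovecot: pop3(admin@example.test): Disconnected: Logged out top=0/0, retr=0/0, del=0/1102, size=478908339, bytes=24/25908
May  5 04:56:25 server47 dovecot: pop3-login: Login: user=<admin@example.test>, method=PLAIN, rip=40.96.18.165, lip=192.0.2.10, mpid=475, session=<s2>
May  5 05:03:29 server47 dovecot: pop3(admin@example.test): Disconnected: Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, bytes=22081/957917270
May  5 05:20:06 server47 dovecot: pop3-login: Login: user=<admin@example.test>, method=PLAIN, rip=40.96.18.165, lip=192.0.2.10, mpid=37344, session=<s3>
May  5 05:25:53 server47 dovecot: pop3(admin@example.test): Disconnected: Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, bytes=22081/957917270
May  5 05:47:15 server47 dovecot: pop3-login: Login: user=<admin@example.test>, method=PLAIN, rip=40.96.18.165, lip=192.0.2.10, mpid=89886, session=<s4>
May  5 05:54:00 server47 dovecot: pop3(admin@example.test): Disconnected: Logged out top=2/2831, retr=2204/957869252, del=0/1102, size=478908339, bytes=22081/957917270
May  5 06:00:01 server47 dovecot: pop3-login: Login: user=<bob@example.test>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=90001, session=<s5>
May  5 06:00:09 server47 dovecot: pop3(bob@example.test): Disconnected: Logged out top=0/0, retr=3/41200, del=3/3, size=41200, bytes=60/41500
"""

LOGIN_RE = re.compile(
    r"pop3-login: Login: user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)
# Assumed default pop3_logout_format: retr=<RETR commands>/<bytes>,
# del=<deleted>/<messages in mailbox>, size=<mailbox bytes>.
LOGOUT_RE = re.compile(
    r"pop3\((?P<user>[^)]+)\)(?:<[^>]*>)*: Disconnected: .*?"
    r"retr=(?P<retr_n>\d+)/(?P<retr_bytes>\d+), "
    r"del=(?P<del_n>\d+)/(?P<msgs>\d+), size=(?P<size>\d+)"
)


def parse_sessions(log_text):
    """Return one dict per POP3 logout line, tagged with the user's last login IP."""
    last_rip, sessions = {}, []
    for line in log_text.splitlines():
        login = LOGIN_RE.search(line)
        if login:
            last_rip[login["user"]] = login["rip"]
            continue
        logout = LOGOUT_RE.search(line)
        if logout:
            s = {k: int(v) for k, v in logout.groupdict().items() if k != "user"}
            s["user"] = logout["user"]
            s["rip"] = last_rip.get(s["user"], "unknown")
            sessions.append(s)
    return sessions


def find_redownloaders(sessions, min_full_sessions=2):
    """Flag mailboxes fetched in full, repeatedly, with nothing deleted."""
    stats = defaultdict(lambda: {"full": 0, "retr_bytes": 0, "size": 0, "rips": set()})
    for s in sessions:
        u = stats[s["user"]]
        u["retr_bytes"] += s["retr_bytes"]
        u["size"] = max(u["size"], s["size"])
        # Full re-download: every message fetched at least once, none deleted.
        # A leave-on-server client with working UIDL state fetches only new
        # mail, and a download-and-delete client shows del_n > 0.
        if s["msgs"] > 0 and s["retr_n"] >= s["msgs"] and s["del_n"] == 0:
            u["full"] += 1
            u["rips"].add(s["rip"])
    report = {}
    for user, u in stats.items():
        if u["full"] >= min_full_sessions:
            report[user] = {
                "full_sessions": u["full"],
                "retr_bytes": u["retr_bytes"],
                # How many times over the mailbox was transferred.
                "amplification": round(u["retr_bytes"] / max(u["size"], 1), 2),
                "sources": sorted(u["rips"]),
            }
    return report


if __name__ == "__main__":
    for user, r in find_redownloaders(parse_sessions(SAMPLE_LOG)).items():
        print(user, r)
```

With those field meanings, each flagged session in the thread's logs issues 2204 RETR commands against a 1102-message mailbox, so the mailbox is fetched twice per session, which matches the retr byte count being roughly double the size value.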