Often a client will get their IP address blocked on CSF (http://configserver.com/cp/csf.html). The blocked messages will tell you why it was blocked, however it’s usually quite vague stating it was blocked for failed passwords to the POP3 server. What it doesn’t tell you however is which account caused the block.
Here is my cheat sheet for finding more detail as to why exactly it was blocked.
cPanel / WHM / Webmail
If you see an entry like this in CSF:
csf.deny: 188.8.131.52 # lfd: (cpanel) Failed cPanel login from 184.108.40.206 (US/United States/c-123-123-123-123.somedomain.net): 5 in the last 3600 secs – Wed Jun 11 15:55:47 2014
This could mean they failed to authenticate on cPanel, WHM, or Webmail. To check which it was, run the following command:
grep 220.127.116.11 /usr/local/cpanel/logs/login_log
When you run this, you’ll get output that looks like this:
18.104.22.168 – email@example.com [08/28/2013:12:56:02 -0000] “GET /cpsess8206284687/horde/index.php HTTP/1.1” DEFERRED LOGIN webmaild: security token incorrect
22.214.171.124 – someuser [01/14/2015:21:07:22 -0000] “POST /login/?login_only=1 HTTP/1.1” FAILED LOGIN cpaneld: invalid cpanel user someuser (loadcpdata failed)
126.96.36.199 – someuser [01/15/2015:03:54:34 -0000] “POST /login/?login_only=1 HTTP/1.1” FAILED LOGIN whostmgrd: user password incorrect
The first result mentions webmaild, so this means it was Webmail they tried to login to with the wrong password.
The second result specifically mentions cpanel, so this is cpanel they tried to login to with the wrong password
The third result says whostmgrd. whostmgrd is the only one that isn’t obvious. This is the WHM.
Pop3 or IMAP
If you see errors like this:
188.8.131.52 # lfd: (pop3d) Failed POP3 login from 184.108.40.206 (DE/Germany/some-reverse-dns-info-here): 10 in the last 3600 secs – Tue Jan 13 10:15:36 2015
220.127.116.11 # lfd: (imapd) Failed IMAP login from 18.104.22.168 (US/United States/some-reverse-dns-info-here): 10 in the last 3600 secs – Tue Jan 13 21:31:16 2015
Run this command:
grep 22.214.171.124 /var/log/maillog | grep -i fail
Jan 13 10:15:32 server1 pop3d: LOGIN FAILED, user=username, ip=[::ffff:126.96.36.199
Jan 13 07:04:00 server1 imapd-ssl: LOGIN FAILED, firstname.lastname@example.org, ip=[::ffff:188.8.131.52]
The first one shows the client tried to login as just “username” to the pop3 server and it failed.
The second shows that they tried to login as “email@example.com” to the IMAP server and it failed.
If you see this:
184.108.40.206 # lfd: (smtpauth) Failed SMTP AUTH login from 220.127.116.11 (US/United States/ some-reverse-dns.com): 5 in the last 3600 secs – Thu Jun 12 08:28:56 2014
Run this command:
grep 18.104.22.168 /var/log/exim_mainlog | grep set_id
You’ll see output like this:
2014-06-12 08:28:47 courier_plain authenticator failed for some-reverse-dns.com ([22.214.171.124]) [126.96.36.199]:4900: 535 Incorrect authentication data (firstname.lastname@example.org)
This shows that the user tried to authenticate to the SMTP server using the username email@example.com, but failed to authenticate
Now that you know what exactly the customer did wrong, you can let them know, so they do not keep doing it, and getting themselves re-blacklisted once you remove the block against their IP address.