
I just read a daily email from Logwatch to find some very strange messages…
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.208, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.210, lip=my.ip.ad.dr: 3 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.211, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.212, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.213, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.214, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.216, lip=my.ip.ad.dr: 2 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.217, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.218, lip=my.ip.ad.dr: 2 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.219, lip=my.ip.ad.dr: 2 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.220, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.221, lip=my.ip.ad.dr: 4 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.225, lip=my.ip.ad.dr: 3 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.227, lip=my.ip.ad.dr: 3 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.228, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.232, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.234, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.235, lip=my.ip.ad.dr: 2 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.236, lip=my.ip.ad.dr: 5 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.237, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.238, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.239, lip=my.ip.ad.dr: 2 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.240, lip=my.ip.ad.dr: 2 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.241, lip=my.ip.ad.dr: 2 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.244, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.245, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.246, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.248, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.249, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.251, lip=my.ip.ad.dr: 1 Time(s)
Okay, so let’s list the strange events here:
- A whole bunch of sequential IPs are connecting to my POP3 port (not necessarily in order; perhaps Logwatch is just picking them out that way)
- The remote machines are connecting, but not even attempting to authenticate (log in); they’re just disconnecting
- The IP range is apparently owned by Google
So… what’s going on here, exactly? Anyone able to shed some light onto this?
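One way to triage a report like this is to group the "no auth attempts" entries by source network and total the counts, so a cluster of neighbouring addresses shows up as a single finding. The following is an added example, not part of the original post; the /24 (IPv4) and /64 (IPv6) grouping, the `min_sources` threshold, and the sample addresses other than the 209.85.198.x ones are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the Logwatch summary format shown in the post.
# lip is a documentation address; 198.51.100.7 is a made-up extra source.
SAMPLE = """\
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.208, lip=192.0.2.10: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.210, lip=192.0.2.10: 3 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.236, lip=192.0.2.10: 5 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=198.51.100.7, lip=192.0.2.10: 2 Time(s)
dovecot: pop3-login: Login: user=<alice>, rip=198.51.100.7, lip=192.0.2.10: 1 Time(s)
"""

# Only the "no auth attempts" disconnects are matched; other dovecot lines are ignored.
LINE_RE = re.compile(
    r"dovecot: (?P<svc>[\w-]+): Disconnected \(no auth attempts\): "
    r"rip=(?P<rip>[0-9a-fA-F.:]+), lip=\S+?: (?P<count>\d+) Time\(s\)"
)


def summarize(text, prefix_v4=24, prefix_v6=64):
    """Return {network: {"sources": n, "events": n}} for no-auth disconnects."""
    stats = defaultdict(lambda: {"sources": set(), "events": 0})
    # finditer over the whole text also counts entries run together on one line.
    for m in LINE_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m["rip"])
        except ValueError:
            continue  # skip malformed addresses rather than abort the report
        prefix = prefix_v4 if ip.version == 4 else prefix_v6
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        stats[net]["sources"].add(str(ip))
        stats[net]["events"] += int(m["count"])
    return {n: {"sources": len(s["sources"]), "events": s["events"]}
            for n, s in stats.items()}


def clustered(summary, min_sources=3):
    """Networks where several distinct hosts connected without authenticating."""
    return sorted(n for n, s in summary.items() if s["sources"] >= min_sources)


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for net in clustered(report):
        print(net, report[net])
```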
See
http://www.projecthoneypot.org/ip_209.85.198.248
Looks like it’s attempting to send out spam.
I emailed Google Security about it, hopefully they’ll be able to figure out what’s going on.
That’s someone setting gmail to check their pop3 account.
That would make sense, but it’s strange that Google just hangs up before even trying to log in, thus the “no auth attempts” messages in the logs…