Strange POP3 traffic from Google?

Aaron B. Russell — Sun, 12 Apr 2009 09:07:35 +0000

I just read a daily email from Logwatch to find some very strange messages…

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.208, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.210, lip=my.ip.ad.dr: 3 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.211, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.212, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.213, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.214, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.216, lip=my.ip.ad.dr: 2 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.217, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.218, lip=my.ip.ad.dr: 2 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.219, lip=my.ip.ad.dr: 2 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.220, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.221, lip=my.ip.ad.dr: 4 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.225, lip=my.ip.ad.dr: 3 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.227, lip=my.ip.ad.dr: 3 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.228, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.232, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.234, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.235, lip=my.ip.ad.dr: 2 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.236, lip=my.ip.ad.dr: 5 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.237, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.238, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.239, lip=my.ip.ad.dr: 2 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.240, lip=my.ip.ad.dr: 2 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.241, lip=my.ip.ad.dr: 2 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.244, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.245, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.246, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.248, lip=my.ip.ad.dr: 1 Time(s) dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.249, lip=my.ip.ad.dr: 1 Time(s)
dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.251, lip=my.ip.ad.dr: 1 Time(s)

Okay, so let’s list the strange events here:

A whole bunch of sequential IPs are connecting to my POP3 port (not necessarily in order, perhaps Logwatch is just picking them out that way)
The remote machines are connecting, but not even attempting to authenticate (log in), they’re just disconnecting
The IP range is apparently owned by Google

So… what’s going on here, exactly? Anyone able to shed some light onto this?

Lost Entropy » internet

Strange POP3 traffic from Google?