Tag Archives: servers

Strange POP3 traffic from Google?

Posted on by
4


I just read a daily email from Logwatch to find some very strange messages…

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.208, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.210, lip=my.ip.ad.dr: 3 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.211, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.212, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.213, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.214, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.216, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.217, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.218, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.219, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.220, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.221, lip=my.ip.ad.dr: 4 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.225, lip=my.ip.ad.dr: 3 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.227, lip=my.ip.ad.dr: 3 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.228, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.232, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.234, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.235, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.236, lip=my.ip.ad.dr: 5 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.237, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.238, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.239, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.240, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.241, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.244, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.245, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.246, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.248, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.249, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.251, lip=my.ip.ad.dr: 1 Time(s)

Okay, so let’s list the strange events here:

  • A whole bunch of sequential IPs are connecting to my POP3 port (not necessarily in order, perhaps Logwatch is just picking them out that way)
  • The remote machines are connecting, but not even attempting to authenticate (log in), they’re just disconnecting
  • The IP range is apparently owned by Google

So… what’s going on here, exactly? Anyone able to shed some light onto this?