Email Account under attack (really) - anything I can do? The 2019 Stack Overflow Developer Survey Results Are InWhen secure email, is not really secureSpam Mail - have someone broke in to my shared hosting account?Could someone stop another from accessing their own online account?Can/do botnets brute force “high value” users of services like Gmail?Hijacked Aol Email Account - Lack of security?Sending password reset links in emailIs there more of a security risk by providing an email when creating a new account?How viable is MITM interception of email, really?Email really sent or not?A safer way to read emails on Android devices

What does ひと匙 mean in this manga and has it been used colloquially?

Shouldn't "much" here be used instead of "more"?

Can a rogue use sneak attack with weapons that have the thrown property even if they are not thrown?

Did Scotland spend $250,000 for the slogan "Welcome to Scotland"?

How come people say “Would of”?

Can we generate random numbers using irrational numbers like π and e?

Does a dangling wire really electrocute me if I'm standing in water?

How can I autofill dates in Excel excluding Sunday?

Falsification in Math vs Science

What are the motivations for publishing new editions of an existing textbook, beyond new discoveries in a field?

Why did Acorn's A3000 have red function keys?

Where to refill my bottle in India?

Can one be advised by a professor who is very far away?

Is "plugging out" electronic devices an American expression?

Protecting Dualbooting Windows from dangerous code (like rm -rf)

Am I thawing this London Broil safely?

Are children permitted to help build the Beis Hamikdash?

Loose spokes after only a few rides

If I score a critical hit on an 18 or higher, what are my chances of getting a critical hit if I roll 3d20?

Identify boardgame from Big movie

What does "fetching by region is not available for SAM files" means?

Is flight data recorder erased after every flight?

What could be the right powersource for 15 seconds lifespan disposable giant chainsaw?

What do the Banks children have against barley water?



Email Account under attack (really) - anything I can do?



The 2019 Stack Overflow Developer Survey Results Are InWhen secure email, is not really secureSpam Mail - have someone broke in to my shared hosting account?Could someone stop another from accessing their own online account?Can/do botnets brute force “high value” users of services like Gmail?Hijacked Aol Email Account - Lack of security?Sending password reset links in emailIs there more of a security risk by providing an email when creating a new account?How viable is MITM interception of email, really?Email really sent or not?A safer way to read emails on Android devices



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








78















Over the last week, there is a constant barrage of authentication failures to my email account from a variety of ip addresses - usually in blocks of exactly 575 attempts.



My password is as strong as a password can be so the chance of brute force winning is infinitesimal. However as a result of the authentication failures, my hosting provider keeps locking the email account.



Is there anything I can do (or that I can ask my hosting provider to do), or am I just screwed until the botnet moves on? Anyone with similar experience who can comment on whether I can expect this to ever end?










share|improve this question







New contributor




clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 41





    Ask your email provider to make a change, that's the only options. In the meantime, open a new account and forward all emails to your new account so that you are still functional?

    – schroeder
    Apr 6 at 15:04






  • 8





    Are you using one of the big email providers (Gmail, etc) or something smaller?

    – Anders
    Apr 6 at 17:20






  • 30





    Get a better provider that isn't so vulnerable to this kind of trivial DoS?

    – Nate Eldredge
    Apr 6 at 22:46






  • 23





    Maybe another account is under attack (Bank? Facebook? Income tax refund? Domain in your possession?), and they are taking out your email so you don't get notified.

    – jww
    Apr 6 at 23:57







  • 49





    I had a similar experience with my account: The culprit actually was my phone, that had an outdated password for the account and repeatedly tried to log into it unsuccessfully.

    – pat3d3r
    Apr 7 at 9:30

















78















Over the last week, there is a constant barrage of authentication failures to my email account from a variety of ip addresses - usually in blocks of exactly 575 attempts.



My password is as strong as a password can be so the chance of brute force winning is infinitesimal. However as a result of the authentication failures, my hosting provider keeps locking the email account.



Is there anything I can do (or that I can ask my hosting provider to do), or am I just screwed until the botnet moves on? Anyone with similar experience who can comment on whether I can expect this to ever end?










share|improve this question







New contributor




clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 41





    Ask your email provider to make a change, that's the only options. In the meantime, open a new account and forward all emails to your new account so that you are still functional?

    – schroeder
    Apr 6 at 15:04






  • 8





    Are you using one of the big email providers (Gmail, etc) or something smaller?

    – Anders
    Apr 6 at 17:20






  • 30





    Get a better provider that isn't so vulnerable to this kind of trivial DoS?

    – Nate Eldredge
    Apr 6 at 22:46






  • 23





    Maybe another account is under attack (Bank? Facebook? Income tax refund? Domain in your possession?), and they are taking out your email so you don't get notified.

    – jww
    Apr 6 at 23:57







  • 49





    I had a similar experience with my account: The culprit actually was my phone, that had an outdated password for the account and repeatedly tried to log into it unsuccessfully.

    – pat3d3r
    Apr 7 at 9:30













78












78








78


11






Over the last week, there is a constant barrage of authentication failures to my email account from a variety of ip addresses - usually in blocks of exactly 575 attempts.



My password is as strong as a password can be so the chance of brute force winning is infinitesimal. However as a result of the authentication failures, my hosting provider keeps locking the email account.



Is there anything I can do (or that I can ask my hosting provider to do), or am I just screwed until the botnet moves on? Anyone with similar experience who can comment on whether I can expect this to ever end?










share|improve this question







New contributor




clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












Over the last week, there is a constant barrage of authentication failures to my email account from a variety of ip addresses - usually in blocks of exactly 575 attempts.



My password is as strong as a password can be so the chance of brute force winning is infinitesimal. However as a result of the authentication failures, my hosting provider keeps locking the email account.



Is there anything I can do (or that I can ask my hosting provider to do), or am I just screwed until the botnet moves on? Anyone with similar experience who can comment on whether I can expect this to ever end?







email botnet






share|improve this question







New contributor




clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked Apr 6 at 14:51









clemdiaclemdia

491125




491125




New contributor




clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






clemdia is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







  • 41





    Ask your email provider to make a change, that's the only options. In the meantime, open a new account and forward all emails to your new account so that you are still functional?

    – schroeder
    Apr 6 at 15:04






  • 8





    Are you using one of the big email providers (Gmail, etc) or something smaller?

    – Anders
    Apr 6 at 17:20






  • 30





    Get a better provider that isn't so vulnerable to this kind of trivial DoS?

    – Nate Eldredge
    Apr 6 at 22:46






  • 23





    Maybe another account is under attack (Bank? Facebook? Income tax refund? Domain in your possession?), and they are taking out your email so you don't get notified.

    – jww
    Apr 6 at 23:57







  • 49





    I had a similar experience with my account: The culprit actually was my phone, that had an outdated password for the account and repeatedly tried to log into it unsuccessfully.

    – pat3d3r
    Apr 7 at 9:30












  • 41





    Ask your email provider to make a change, that's the only options. In the meantime, open a new account and forward all emails to your new account so that you are still functional?

    – schroeder
    Apr 6 at 15:04






  • 8





    Are you using one of the big email providers (Gmail, etc) or something smaller?

    – Anders
    Apr 6 at 17:20






  • 30





    Get a better provider that isn't so vulnerable to this kind of trivial DoS?

    – Nate Eldredge
    Apr 6 at 22:46






  • 23





    Maybe another account is under attack (Bank? Facebook? Income tax refund? Domain in your possession?), and they are taking out your email so you don't get notified.

    – jww
    Apr 6 at 23:57







  • 49





    I had a similar experience with my account: The culprit actually was my phone, that had an outdated password for the account and repeatedly tried to log into it unsuccessfully.

    – pat3d3r
    Apr 7 at 9:30







41




41





Ask your email provider to make a change, that's the only options. In the meantime, open a new account and forward all emails to your new account so that you are still functional?

– schroeder
Apr 6 at 15:04





Ask your email provider to make a change, that's the only options. In the meantime, open a new account and forward all emails to your new account so that you are still functional?

– schroeder
Apr 6 at 15:04




8




8





Are you using one of the big email providers (Gmail, etc) or something smaller?

– Anders
Apr 6 at 17:20





Are you using one of the big email providers (Gmail, etc) or something smaller?

– Anders
Apr 6 at 17:20




30




30





Get a better provider that isn't so vulnerable to this kind of trivial DoS?

– Nate Eldredge
Apr 6 at 22:46





Get a better provider that isn't so vulnerable to this kind of trivial DoS?

– Nate Eldredge
Apr 6 at 22:46




23




23





Maybe another account is under attack (Bank? Facebook? Income tax refund? Domain in your possession?), and they are taking out your email so you don't get notified.

– jww
Apr 6 at 23:57






Maybe another account is under attack (Bank? Facebook? Income tax refund? Domain in your possession?), and they are taking out your email so you don't get notified.

– jww
Apr 6 at 23:57





49




49





I had a similar experience with my account: The culprit actually was my phone, that had an outdated password for the account and repeatedly tried to log into it unsuccessfully.

– pat3d3r
Apr 7 at 9:30





I had a similar experience with my account: The culprit actually was my phone, that had an outdated password for the account and repeatedly tried to log into it unsuccessfully.

– pat3d3r
Apr 7 at 9:30










5 Answers
5






active

oldest

votes


















50














A few thoughts:



  • Usually my first recommendation would be to pick an extremely strong password. But you allready got that covered.

  • If there is two factor authentication available, turn it on. If you are lucky, it might make you an unattractive target and cause the attacker to move on.

  • If the account lock out doesn't affect other methods of reading your mail, like via IMAP, you could switch to that to maintain access. (To be honest, I don't know much about the security of IMAP, so you might want to consider that before turning it on.)

  • Forwarding the mail somewhere else will also ensure that you can read it even if your account is locked.

  • Finally, you can try contacting your email provider. I think your best bet here is to just describe the problem to them, and ask what they can do to help you.





share|improve this answer


















  • 20





    Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.

    – Barmar
    Apr 6 at 18:35






  • 3





    What makes you think he's not already using IMAP?

    – Barmar
    Apr 6 at 18:36






  • 2





    @Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.

    – jpmc26
    Apr 6 at 20:27







  • 7





    I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.

    – Barmar
    Apr 6 at 21:21






  • 15





    @Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.

    – Anders
    Apr 7 at 7:09


















33














No. That's pretty much the background noise of being on the internet.



From a random server I have with e-mail:



$ sudo grep -c "auth failed" /var/log/mail.log
1109


That's today. It's with fail2ban blocking more than five attempts from the same IP.






share|improve this answer


















  • 32





    This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.

    – John Keates
    Apr 6 at 21:27











  • True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...

    – clemdia
    Apr 7 at 3:53







  • 6





    I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.

    – aaaaaa
    2 days ago






  • 2





    @clemdia yeah, you might want to contact them then, and let them know that their "security" is turning a run-of-the-mill brute force drive-by into a DoS by locking the legitmate user (you) out of the account. They should be blocking authentication attempts by IP, not by account, that's terrible practice.

    – Doktor J
    yesterday


















24















tl/dr: This is your hosting company's problem, not yours. You'll have
to contact them to get it fixed. Their security policies shouldn't
lock you out of your own account. They need to do security better.




You already have some answers that I agree heartily with and which cover the technical aspects of this, but I'm throwing in another answer to cover a "business" item. Here you hit on the crux of the issue:




However as a result of the authentication failures, my hosting
provider keeps locking the email account.




In otherwords, the problem isn't your problem. You have done everything you can to secure your account on someone else's mail server - you are using a strong password that can't be brute forced. The underlying issue here is that your hosting provider has implemented a bad security policy. As @vidarlo mentioned, this is just the background noise of the internet. Your hosting provider should know this. Unfortunately their chosen response has the side effect of locking you out of your account.



In essence the combination of your hosting company's choice of security policies and the standard password scanning that happens to every server on the internet has resulted in a denial of service (DoS) of your email. If your email went down because someone attempted an actual DoS of your hosting provider and filled their networks with useless bandwidth, the solution would be quite simple. You wouldn't be here asking what you can do to fix the problem - you'd be talking to your provider and asking them to fix it. After all, the whole point of using a third party email service provider is for them to provide you with a service. If you are not being provided with that service, either because their servers went down, or because their network is crippled by a DoS, or because their security policy is overly zealous and locks you out of your account, then the only real solution is for your hosting provider to fix it and provide you with the service that you are paying them to give you.



Many questions we get here are the result of people ignoring security all together.. However, there are plenty more examples of people trying to do security but just doing it wrong. This is one of the latter. Therefore, you definitely need talk to your hosting provider and get them to fix it. If they can't provide you with the service you are paying for, then you need to switch to a provider that will (although hopefully it won't be the kind of provider that simply doesn't do security at all).






share|improve this answer




















  • 7





    Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...

    – Steve Shipway
    Apr 7 at 20:42






  • 3





    Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...

    – clemdia
    2 days ago






  • 2





    @clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.

    – Conor Mancone
    2 days ago






  • 2





    @clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.

    – Conor Mancone
    2 days ago






  • 1





    I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...

    – Conor Mancone
    2 days ago


















17














Yeah, it's pretty easy to have your official email address forward your emails to a new "burner" email account. Then in the new email account setup, you set your From: field to your official email address. That way mails go out like this.



 From: account-I-always-had@oldserver.com
Subject: Re: so-and-so
In-Reply-To: <4735813474834434634@theirmail.com>
Sender: burneraccount@newserver.com


Or something like that.



Anyway, that lets you keep your identity at the official email address. The attacks on the login server are irrelevant to receiving and forwarding email.



As is evident from the above, your new email address may be obvious from headers so don't set up an autoresponder. Only correspond with people you trust. If this burner email account comes under attack, trash this burner account, setup another one, and tell the official email server to forward to the new burner.



Then, research who you sent mail to in the last 2 days to the last burner account. One of them compromised it. Use one tactic or another to trick them into attacking this or another burner account, that lets you distinguish who exactly did it.






share|improve this answer


















  • 2





    Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.

    – Esa Jokinen
    Apr 7 at 4:05






  • 4





    THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.

    – clemdia
    Apr 7 at 4:36







  • 1





    you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain

    – sudo rm -rf slash
    Apr 7 at 7:31











  • @sudorm-rfslash - I think the the +suffix trick might be gmail specific.

    – Justin
    yesterday











  • @sudorm-rfslash yeah... I actually have my mail server configured to use _ as the "decorator" or "suffix" character. Since many (especially business) domains use a first_last@example.com format, even sites that reject emails with + in them will still happily accept an email with _ in it!

    – Doktor J
    yesterday


















0














This is dependent on your provider and what they are willing to do.



If you had a static IP you could ask them to whitelist your IP. Maybe even your CIDR, but if you do too many of those some of the bad traffic may start to come through.



After so many attempts your provider should temporarily ban the IP addresses attacking them. Now hackers have thousands even 10's of thousands of IP to choose from but eventually they might be able to block them all.



Obviously your provider needs better ddos protection.






share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );






    clemdia is a new contributor. Be nice, and check out our Code of Conduct.









    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206923%2femail-account-under-attack-really-anything-i-can-do%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    5 Answers
    5






    active

    oldest

    votes








    5 Answers
    5






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    50














    A few thoughts:



    • Usually my first recommendation would be to pick an extremely strong password. But you allready got that covered.

    • If there is two factor authentication available, turn it on. If you are lucky, it might make you an unattractive target and cause the attacker to move on.

    • If the account lock out doesn't affect other methods of reading your mail, like via IMAP, you could switch to that to maintain access. (To be honest, I don't know much about the security of IMAP, so you might want to consider that before turning it on.)

    • Forwarding the mail somewhere else will also ensure that you can read it even if your account is locked.

    • Finally, you can try contacting your email provider. I think your best bet here is to just describe the problem to them, and ask what they can do to help you.





    share|improve this answer


















    • 20





      Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.

      – Barmar
      Apr 6 at 18:35






    • 3





      What makes you think he's not already using IMAP?

      – Barmar
      Apr 6 at 18:36






    • 2





      @Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.

      – jpmc26
      Apr 6 at 20:27







    • 7





      I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.

      – Barmar
      Apr 6 at 21:21






    • 15





      @Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.

      – Anders
      Apr 7 at 7:09















    50














    A few thoughts:



    • Usually my first recommendation would be to pick an extremely strong password. But you allready got that covered.

    • If there is two factor authentication available, turn it on. If you are lucky, it might make you an unattractive target and cause the attacker to move on.

    • If the account lock out doesn't affect other methods of reading your mail, like via IMAP, you could switch to that to maintain access. (To be honest, I don't know much about the security of IMAP, so you might want to consider that before turning it on.)

    • Forwarding the mail somewhere else will also ensure that you can read it even if your account is locked.

    • Finally, you can try contacting your email provider. I think your best bet here is to just describe the problem to them, and ask what they can do to help you.





    share|improve this answer


















    • 20





      Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.

      – Barmar
      Apr 6 at 18:35






    • 3





      What makes you think he's not already using IMAP?

      – Barmar
      Apr 6 at 18:36






    • 2





      @Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.

      – jpmc26
      Apr 6 at 20:27







    • 7





      I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.

      – Barmar
      Apr 6 at 21:21






    • 15





      @Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.

      – Anders
      Apr 7 at 7:09













    50












    50








    50







    A few thoughts:



    • Usually my first recommendation would be to pick an extremely strong password. But you allready got that covered.

    • If there is two factor authentication available, turn it on. If you are lucky, it might make you an unattractive target and cause the attacker to move on.

    • If the account lock out doesn't affect other methods of reading your mail, like via IMAP, you could switch to that to maintain access. (To be honest, I don't know much about the security of IMAP, so you might want to consider that before turning it on.)

    • Forwarding the mail somewhere else will also ensure that you can read it even if your account is locked.

    • Finally, you can try contacting your email provider. I think your best bet here is to just describe the problem to them, and ask what they can do to help you.





    share|improve this answer













    A few thoughts:



    • Usually my first recommendation would be to pick an extremely strong password. But you allready got that covered.

    • If there is two factor authentication available, turn it on. If you are lucky, it might make you an unattractive target and cause the attacker to move on.

    • If the account lock out doesn't affect other methods of reading your mail, like via IMAP, you could switch to that to maintain access. (To be honest, I don't know much about the security of IMAP, so you might want to consider that before turning it on.)

    • Forwarding the mail somewhere else will also ensure that you can read it even if your account is locked.

    • Finally, you can try contacting your email provider. I think your best bet here is to just describe the problem to them, and ask what they can do to help you.






    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Apr 6 at 17:01









    AndersAnders

    50.4k22144167




    50.4k22144167







    • 20





      Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.

      – Barmar
      Apr 6 at 18:35






    • 3





      What makes you think he's not already using IMAP?

      – Barmar
      Apr 6 at 18:36






    • 2





      @Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.

      – jpmc26
      Apr 6 at 20:27







    • 7





      I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.

      – Barmar
      Apr 6 at 21:21






    • 15





      @Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.

      – Anders
      Apr 7 at 7:09












    • 20





      Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.

      – Barmar
      Apr 6 at 18:35






    • 3





      What makes you think he's not already using IMAP?

      – Barmar
      Apr 6 at 18:36






    • 2





      @Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.

      – jpmc26
      Apr 6 at 20:27







    • 7





      I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.

      – Barmar
      Apr 6 at 21:21






    • 15





      @Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.

      – Anders
      Apr 7 at 7:09







    20




    20





    Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.

    – Barmar
    Apr 6 at 18:35





    Would 2FA really help? The second factor isn't usually attemped until after a correct password is entered, and the attacker will never get that far.

    – Barmar
    Apr 6 at 18:35




    3




    3





    What makes you think he's not already using IMAP?

    – Barmar
    Apr 6 at 18:36





    What makes you think he's not already using IMAP?

    – Barmar
    Apr 6 at 18:36




    2




    2





    @Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.

    – jpmc26
    Apr 6 at 20:27






    @Barmar If the attacker's script isn't written to try to enter anything on the second factor, it might prevent the lock out. Worth a try at least.

    – jpmc26
    Apr 6 at 20:27





    7




    7





    I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.

    – Barmar
    Apr 6 at 21:21





    I think most 2FA systems don't prompt for the second factor until after you successfully pass the first.

    – Barmar
    Apr 6 at 21:21




    15




    15





    @Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.

    – Anders
    Apr 7 at 7:09





    @Barmar Yes, that is true, but my advice still stands. There is a non zero chance it helps, the effort is near zero, the risk is zero, and you should probably do it anyway. So even if it probably doesn't help, you should still do it.

    – Anders
    Apr 7 at 7:09













    33














    No. That's pretty much the background noise of being on the internet.



    From a random server I have with e-mail:



    $ sudo grep -c "auth failed" /var/log/mail.log
    1109


    That's today. It's with fail2ban blocking more than five attempts from the same IP.






    share|improve this answer


















    • 32





      This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.

      – John Keates
      Apr 6 at 21:27











    • True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...

      – clemdia
      Apr 7 at 3:53







    • 6





      I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.

      – aaaaaa
      2 days ago






    • 2





      @clemdia yeah, you might want to contact them then, and let them know that their "security" is turning a run-of-the-mill brute force drive-by into a DoS by locking the legitmate user (you) out of the account. They should be blocking authentication attempts by IP, not by account, that's terrible practice.

      – Doktor J
      yesterday















    33














    No. That's pretty much the background noise of being on the internet.



    From a random server I have with e-mail:



    $ sudo grep -c "auth failed" /var/log/mail.log
    1109


    That's today. It's with fail2ban blocking more than five attempts from the same IP.






    share|improve this answer


















    • 32





      This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.

      – John Keates
      Apr 6 at 21:27











    • True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...

      – clemdia
      Apr 7 at 3:53







    • 6





      I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.

      – aaaaaa
      2 days ago






    • 2





      @clemdia yeah, you might want to contact them then, and let them know that their "security" is turning a run-of-the-mill brute force drive-by into a DoS by locking the legitmate user (you) out of the account. They should be blocking authentication attempts by IP, not by account, that's terrible practice.

      – Doktor J
      yesterday













    33












    33








    33







    No. That's pretty much the background noise of being on the internet.



    From a random server I have with e-mail:



    $ sudo grep -c "auth failed" /var/log/mail.log
    1109


    That's today. It's with fail2ban blocking more than five attempts from the same IP.






    share|improve this answer













    No. That's pretty much the background noise of being on the internet.



    From a random server I have with e-mail:



    $ sudo grep -c "auth failed" /var/log/mail.log
    1109


    That's today. It's with fail2ban blocking more than five attempts from the same IP.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Apr 6 at 16:47









    vidarlovidarlo

    3,869823




    3,869823







    • 32





      This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.

      – John Keates
      Apr 6 at 21:27











    • True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...

      – clemdia
      Apr 7 at 3:53







    • 6





      I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.

      – aaaaaa
      2 days ago






    • 2





      @clemdia yeah, you might want to contact them then, and let them know that their "security" is turning a run-of-the-mill brute force drive-by into a DoS by locking the legitmate user (you) out of the account. They should be blocking authentication attempts by IP, not by account, that's terrible practice.

      – Doktor J
      yesterday












    • 32





      This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.

      – John Keates
      Apr 6 at 21:27











    • True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...

      – clemdia
      Apr 7 at 3:53







    • 6





      I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.

      – aaaaaa
      2 days ago






    • 2





      @clemdia yeah, you might want to contact them then, and let them know that their "security" is turning a run-of-the-mill brute force drive-by into a DoS by locking the legitmate user (you) out of the account. They should be blocking authentication attempts by IP, not by account, that's terrible practice.

      – Doktor J
      yesterday







    32




    32





    This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.

    – John Keates
    Apr 6 at 21:27





    This is not the same thing. He is referring to one specific account, not the complete authentication log for a mailserver. This is attempts at one specific user.

    – John Keates
    Apr 6 at 21:27













    True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...

    – clemdia
    Apr 7 at 3:53






    True it is my account specifically - but I think vidario has it right in a general sense. My hosting company recently updated their implementation of csf, and I wonder if it’s too strict - I’ve been wondering if the attacks are nothing new - just a new policy of locking account after “x failed attempts in y minutes”...

    – clemdia
    Apr 7 at 3:53





    6




    6





    I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.

    – aaaaaa
    2 days ago





    I understood this answer to show that even for some random server online, failed authentication attempts are plentiful and should be expected (which is true), not trying to equate the example to OP's use-case.

    – aaaaaa
    2 days ago




    2




    2





    @clemdia yeah, you might want to contact them then, and let them know that their "security" is turning a run-of-the-mill brute force drive-by into a DoS by locking the legitmate user (you) out of the account. They should be blocking authentication attempts by IP, not by account, that's terrible practice.

    – Doktor J
    yesterday





    @clemdia yeah, you might want to contact them then, and let them know that their "security" is turning a run-of-the-mill brute force drive-by into a DoS by locking the legitmate user (you) out of the account. They should be blocking authentication attempts by IP, not by account, that's terrible practice.

    – Doktor J
    yesterday











    24















    tl/dr: This is your hosting company's problem, not yours. You'll have
    to contact them to get it fixed. Their security policies shouldn't
    lock you out of your own account. They need to do security better.




    You already have some answers that I agree heartily with and which cover the technical aspects of this, but I'm throwing in another answer to cover a "business" item. Here you hit on the crux of the issue:




    However as a result of the authentication failures, my hosting
    provider keeps locking the email account.




    In otherwords, the problem isn't your problem. You have done everything you can to secure your account on someone else's mail server - you are using a strong password that can't be brute forced. The underlying issue here is that your hosting provider has implemented a bad security policy. As @vidarlo mentioned, this is just the background noise of the internet. Your hosting provider should know this. Unfortunately their chosen response has the side effect of locking you out of your account.



    In essence the combination of your hosting company's choice of security policies and the standard password scanning that happens to every server on the internet has resulted in a denial of service (DoS) of your email. If your email went down because someone attempted an actual DoS of your hosting provider and filled their networks with useless bandwidth, the solution would be quite simple. You wouldn't be here asking what you can do to fix the problem - you'd be talking to your provider and asking them to fix it. After all, the whole point of using a third party email service provider is for them to provide you with a service. If you are not being provided with that service, either because their servers went down, or because their network is crippled by a DoS, or because their security policy is overly zealous and locks you out of your account, then the only real solution is for your hosting provider to fix it and provide you with the service that you are paying them to give you.



    Many questions we get here are the result of people ignoring security all together.. However, there are plenty more examples of people trying to do security but just doing it wrong. This is one of the latter. Therefore, you definitely need talk to your hosting provider and get them to fix it. If they can't provide you with the service you are paying for, then you need to switch to a provider that will (although hopefully it won't be the kind of provider that simply doesn't do security at all).






    share|improve this answer




















    • 7





      Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...

      – Steve Shipway
      Apr 7 at 20:42






    • 3





      Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...

      – clemdia
      2 days ago






    • 2





      @clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.

      – Conor Mancone
      2 days ago






    • 2





      @clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.

      – Conor Mancone
      2 days ago






    • 1





      I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...

      – Conor Mancone
      2 days ago















    24















    tl/dr: This is your hosting company's problem, not yours. You'll have
    to contact them to get it fixed. Their security policies shouldn't
    lock you out of your own account. They need to do security better.




    You already have some answers that I agree heartily with and which cover the technical aspects of this, but I'm throwing in another answer to cover a "business" item. Here you hit on the crux of the issue:




    However as a result of the authentication failures, my hosting
    provider keeps locking the email account.




    In otherwords, the problem isn't your problem. You have done everything you can to secure your account on someone else's mail server - you are using a strong password that can't be brute forced. The underlying issue here is that your hosting provider has implemented a bad security policy. As @vidarlo mentioned, this is just the background noise of the internet. Your hosting provider should know this. Unfortunately their chosen response has the side effect of locking you out of your account.



    In essence the combination of your hosting company's choice of security policies and the standard password scanning that happens to every server on the internet has resulted in a denial of service (DoS) of your email. If your email went down because someone attempted an actual DoS of your hosting provider and filled their networks with useless bandwidth, the solution would be quite simple. You wouldn't be here asking what you can do to fix the problem - you'd be talking to your provider and asking them to fix it. After all, the whole point of using a third party email service provider is for them to provide you with a service. If you are not being provided with that service, either because their servers went down, or because their network is crippled by a DoS, or because their security policy is overly zealous and locks you out of your account, then the only real solution is for your hosting provider to fix it and provide you with the service that you are paying them to give you.



    Many questions we get here are the result of people ignoring security all together.. However, there are plenty more examples of people trying to do security but just doing it wrong. This is one of the latter. Therefore, you definitely need talk to your hosting provider and get them to fix it. If they can't provide you with the service you are paying for, then you need to switch to a provider that will (although hopefully it won't be the kind of provider that simply doesn't do security at all).






    share|improve this answer




















    • 7





      Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...

      – Steve Shipway
      Apr 7 at 20:42






    • 3





      Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...

      – clemdia
      2 days ago






    • 2





      @clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.

      – Conor Mancone
      2 days ago






    • 2





      @clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.

      – Conor Mancone
      2 days ago






    • 1





      I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...

      – Conor Mancone
      2 days ago













    24












    24








    24








    tl/dr: This is your hosting company's problem, not yours. You'll have
    to contact them to get it fixed. Their security policies shouldn't
    lock you out of your own account. They need to do security better.




    You already have some answers that I agree heartily with and which cover the technical aspects of this, but I'm throwing in another answer to cover a "business" item. Here you hit on the crux of the issue:




    However as a result of the authentication failures, my hosting
    provider keeps locking the email account.




    In otherwords, the problem isn't your problem. You have done everything you can to secure your account on someone else's mail server - you are using a strong password that can't be brute forced. The underlying issue here is that your hosting provider has implemented a bad security policy. As @vidarlo mentioned, this is just the background noise of the internet. Your hosting provider should know this. Unfortunately their chosen response has the side effect of locking you out of your account.



    In essence the combination of your hosting company's choice of security policies and the standard password scanning that happens to every server on the internet has resulted in a denial of service (DoS) of your email. If your email went down because someone attempted an actual DoS of your hosting provider and filled their networks with useless bandwidth, the solution would be quite simple. You wouldn't be here asking what you can do to fix the problem - you'd be talking to your provider and asking them to fix it. After all, the whole point of using a third party email service provider is for them to provide you with a service. If you are not being provided with that service, either because their servers went down, or because their network is crippled by a DoS, or because their security policy is overly zealous and locks you out of your account, then the only real solution is for your hosting provider to fix it and provide you with the service that you are paying them to give you.



    Many questions we get here are the result of people ignoring security all together.. However, there are plenty more examples of people trying to do security but just doing it wrong. This is one of the latter. Therefore, you definitely need talk to your hosting provider and get them to fix it. If they can't provide you with the service you are paying for, then you need to switch to a provider that will (although hopefully it won't be the kind of provider that simply doesn't do security at all).






    share|improve this answer
















    tl/dr: This is your hosting company's problem, not yours. You'll have
    to contact them to get it fixed. Their security policies shouldn't
    lock you out of your own account. They need to do security better.




    You already have some answers that I agree heartily with and which cover the technical aspects of this, but I'm throwing in another answer to cover a "business" item. Here you hit on the crux of the issue:




    However as a result of the authentication failures, my hosting
    provider keeps locking the email account.




    In otherwords, the problem isn't your problem. You have done everything you can to secure your account on someone else's mail server - you are using a strong password that can't be brute forced. The underlying issue here is that your hosting provider has implemented a bad security policy. As @vidarlo mentioned, this is just the background noise of the internet. Your hosting provider should know this. Unfortunately their chosen response has the side effect of locking you out of your account.



    In essence the combination of your hosting company's choice of security policies and the standard password scanning that happens to every server on the internet has resulted in a denial of service (DoS) of your email. If your email went down because someone attempted an actual DoS of your hosting provider and filled their networks with useless bandwidth, the solution would be quite simple. You wouldn't be here asking what you can do to fix the problem - you'd be talking to your provider and asking them to fix it. After all, the whole point of using a third party email service provider is for them to provide you with a service. If you are not being provided with that service, either because their servers went down, or because their network is crippled by a DoS, or because their security policy is overly zealous and locks you out of your account, then the only real solution is for your hosting provider to fix it and provide you with the service that you are paying them to give you.



    Many questions we get here are the result of people ignoring security all together.. However, there are plenty more examples of people trying to do security but just doing it wrong. This is one of the latter. Therefore, you definitely need talk to your hosting provider and get them to fix it. If they can't provide you with the service you are paying for, then you need to switch to a provider that will (although hopefully it won't be the kind of provider that simply doesn't do security at all).







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 2 days ago

























    answered Apr 7 at 17:46









    Conor ManconeConor Mancone

    10.6k32152




    10.6k32152







    • 7





      Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...

      – Steve Shipway
      Apr 7 at 20:42






    • 3





      Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...

      – clemdia
      2 days ago






    • 2





      @clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.

      – Conor Mancone
      2 days ago






    • 2





      @clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.

      – Conor Mancone
      2 days ago






    • 1





      I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...

      – Conor Mancone
      2 days ago












    • 7





      Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...

      – Steve Shipway
      Apr 7 at 20:42






    • 3





      Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...

      – clemdia
      2 days ago






    • 2





      @clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.

      – Conor Mancone
      2 days ago






    • 2





      @clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.

      – Conor Mancone
      2 days ago






    • 1





      I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...

      – Conor Mancone
      2 days ago







    7




    7





    Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...

    – Steve Shipway
    Apr 7 at 20:42





    Yes, +1 for this. I work for an email security company, and we have far more intelligent anti-bruteforce systems than the OP is experiencing. This sort of blunt-instrument protection is unnecessary - locking out the legitimate user because of a brute-force is just inviting denial-of-service. Consider changing your email provider if possible...

    – Steve Shipway
    Apr 7 at 20:42




    3




    3





    Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...

    – clemdia
    2 days ago





    Turns out they reimplemented CSF (and maybe some other things) just before this started happening. I suspect they've implemented a policy that deflects/denies all authentication requests (regardless of source IP) after "x attempts in n minutes" - I can watch myself connect to the server, get refused, submit the same credentials a few more times, get refused a few more times, and then suddenly the credentials work. I do this with them live on the phone. They agree it's odd, and then email me log files that show "authentication failures" from my IP address. Yeah, no kidding...

    – clemdia
    2 days ago




    2




    2





    @clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.

    – Conor Mancone
    2 days ago





    @clemdia hard to say with 100% certainty, but it definitely sounds like this is exclusively an issue on their end and (either way) can only be fixed on their end. To some extent they are also using you as a beta tester (intentionally or not). Just about all tech companies do that to some extent, so I give you props for your patience, but it also isn't something that you have to continue to do, especially if they continue to provide a broken service.

    – Conor Mancone
    2 days ago




    2




    2





    @clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.

    – Conor Mancone
    2 days ago





    @clemdia An example of a simple bug that could explain this: "Authentication failure" is a very broad error message. It could be that their system uses that for any broad class of authentication failures including, "Automatically blocked because of too many failed attempts". Therefore, botnets trigger the block on your account, then you try to login and get Authentication Failure - not because your credentials were wrong, but because you were auto banned. They see "Authentication failure" and therefore conclude you typed your password wrong, missing the larger issue.

    – Conor Mancone
    2 days ago




    1




    1





    I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...

    – Conor Mancone
    2 days ago





    I'm not claiming for sure that that is what happened, but stuff like that is easy to have happen and easy to miss. As a programmer on the other end, it is easy to put bugs in the most obvious box and sometimes miss the root cause, causing issues to take longer to resolve than necessary... of course I've never done that myself...

    – Conor Mancone
    2 days ago











    17














    Yeah, it's pretty easy to have your official email address forward your emails to a new "burner" email account. Then in the new email account setup, you set your From: field to your official email address. That way mails go out like this.



     From: account-I-always-had@oldserver.com
    Subject: Re: so-and-so
    In-Reply-To: <4735813474834434634@theirmail.com>
    Sender: burneraccount@newserver.com


    Or something like that.



    Anyway, that lets you keep your identity at the official email address. The attacks on the login server are irrelevant to receiving and forwarding email.



    As is evident from the above, your new email address may be obvious from headers so don't set up an autoresponder. Only correspond with people you trust. If this burner email account comes under attack, trash this burner account, setup another one, and tell the official email server to forward to the new burner.



    Then, research who you sent mail to in the last 2 days to the last burner account. One of them compromised it. Use one tactic or another to trick them into attacking this or another burner account, that lets you distinguish who exactly did it.






    share|improve this answer


















    • 2





      Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.

      – Esa Jokinen
      Apr 7 at 4:05






    • 4





      THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.

      – clemdia
      Apr 7 at 4:36







    • 1





      you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain

      – sudo rm -rf slash
      Apr 7 at 7:31











    • @sudorm-rfslash - I think the the +suffix trick might be gmail specific.

      – Justin
      yesterday











    • @sudorm-rfslash yeah... I actually have my mail server configured to use _ as the "decorator" or "suffix" character. Since many (especially business) domains use a first_last@example.com format, even sites that reject emails with + in them will still happily accept an email with _ in it!

      – Doktor J
      yesterday















    17














    Yeah, it's pretty easy to have your official email address forward your emails to a new "burner" email account. Then in the new email account setup, you set your From: field to your official email address. That way mails go out like this.



     From: account-I-always-had@oldserver.com
    Subject: Re: so-and-so
    In-Reply-To: <4735813474834434634@theirmail.com>
    Sender: burneraccount@newserver.com


    Or something like that.



    Anyway, that lets you keep your identity at the official email address. The attacks on the login server are irrelevant to receiving and forwarding email.



    As is evident from the above, your new email address may be obvious from headers so don't set up an autoresponder. Only correspond with people you trust. If this burner email account comes under attack, trash this burner account, setup another one, and tell the official email server to forward to the new burner.



    Then, research who you sent mail to in the last 2 days to the last burner account. One of them compromised it. Use one tactic or another to trick them into attacking this or another burner account, that lets you distinguish who exactly did it.






    share|improve this answer


















    • 2





      Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.

      – Esa Jokinen
      Apr 7 at 4:05






    • 4





      THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.

      – clemdia
      Apr 7 at 4:36







    • 1





      you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain

      – sudo rm -rf slash
      Apr 7 at 7:31











    • @sudorm-rfslash - I think the the +suffix trick might be gmail specific.

      – Justin
      yesterday











    • @sudorm-rfslash yeah... I actually have my mail server configured to use _ as the "decorator" or "suffix" character. Since many (especially business) domains use a first_last@example.com format, even sites that reject emails with + in them will still happily accept an email with _ in it!

      – Doktor J
      yesterday













    17












    17








    17







    Yeah, it's pretty easy to have your official email address forward your emails to a new "burner" email account. Then in the new email account setup, you set your From: field to your official email address. That way mails go out like this.



     From: account-I-always-had@oldserver.com
    Subject: Re: so-and-so
    In-Reply-To: <4735813474834434634@theirmail.com>
    Sender: burneraccount@newserver.com


    Or something like that.



    Anyway, that lets you keep your identity at the official email address. The attacks on the login server are irrelevant to receiving and forwarding email.



    As is evident from the above, your new email address may be obvious from headers so don't set up an autoresponder. Only correspond with people you trust. If this burner email account comes under attack, trash this burner account, setup another one, and tell the official email server to forward to the new burner.



    Then, research who you sent mail to in the last 2 days to the last burner account. One of them compromised it. Use one tactic or another to trick them into attacking this or another burner account, that lets you distinguish who exactly did it.






    share|improve this answer













    Yeah, it's pretty easy to have your official email address forward your emails to a new "burner" email account. Then in the new email account setup, you set your From: field to your official email address. That way mails go out like this.



     From: account-I-always-had@oldserver.com
    Subject: Re: so-and-so
    In-Reply-To: <4735813474834434634@theirmail.com>
    Sender: burneraccount@newserver.com


    Or something like that.



    Anyway, that lets you keep your identity at the official email address. The attacks on the login server are irrelevant to receiving and forwarding email.



    As is evident from the above, your new email address may be obvious from headers so don't set up an autoresponder. Only correspond with people you trust. If this burner email account comes under attack, trash this burner account, setup another one, and tell the official email server to forward to the new burner.



    Then, research who you sent mail to in the last 2 days to the last burner account. One of them compromised it. Use one tactic or another to trick them into attacking this or another burner account, that lets you distinguish who exactly did it.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Apr 6 at 19:02









    HarperHarper

    2,200414




    2,200414







    • 2





      Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.

      – Esa Jokinen
      Apr 7 at 4:05






    • 4





      THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.

      – clemdia
      Apr 7 at 4:36







    • 1





      you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain

      – sudo rm -rf slash
      Apr 7 at 7:31











    • @sudorm-rfslash - I think the the +suffix trick might be gmail specific.

      – Justin
      yesterday











    • @sudorm-rfslash yeah... I actually have my mail server configured to use _ as the "decorator" or "suffix" character. Since many (especially business) domains use a first_last@example.com format, even sites that reject emails with + in them will still happily accept an email with _ in it!

      – Doktor J
      yesterday












    • 2





      Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.

      – Esa Jokinen
      Apr 7 at 4:05






    • 4





      THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.

      – clemdia
      Apr 7 at 4:36







    • 1





      you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain

      – sudo rm -rf slash
      Apr 7 at 7:31











    • @sudorm-rfslash - I think the the +suffix trick might be gmail specific.

      – Justin
      yesterday











    • @sudorm-rfslash yeah... I actually have my mail server configured to use _ as the "decorator" or "suffix" character. Since many (especially business) domains use a first_last@example.com format, even sites that reject emails with + in them will still happily accept an email with _ in it!

      – Doktor J
      yesterday







    2




    2





    Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.

    – Esa Jokinen
    Apr 7 at 4:05





    Or if possible, change username to be different from the address. This way you reply from the same address and have the same mailbox, but prevent account lockout.

    – Esa Jokinen
    Apr 7 at 4:05




    4




    4





    THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.

    – clemdia
    Apr 7 at 4:36






    THIS (if only it were possible) - btw this experience has highlighted the lunacy of websites REQUIRING email address as username - just stupid.

    – clemdia
    Apr 7 at 4:36





    1




    1





    you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain

    – sudo rm -rf slash
    Apr 7 at 7:31





    you might try using + to add a per domain suffix. then when you get spam it will (most likely) include who leaked your email. plus it becomes easy to block all emails that came from the domain

    – sudo rm -rf slash
    Apr 7 at 7:31













    @sudorm-rfslash - I think the the +suffix trick might be gmail specific.

    – Justin
    yesterday





    @sudorm-rfslash - I think the the +suffix trick might be gmail specific.

    – Justin
    yesterday













    @sudorm-rfslash yeah... I actually have my mail server configured to use _ as the "decorator" or "suffix" character. Since many (especially business) domains use a first_last@example.com format, even sites that reject emails with + in them will still happily accept an email with _ in it!

    – Doktor J
    yesterday





    @sudorm-rfslash yeah... I actually have my mail server configured to use _ as the "decorator" or "suffix" character. Since many (especially business) domains use a first_last@example.com format, even sites that reject emails with + in them will still happily accept an email with _ in it!

    – Doktor J
    yesterday











    0














    This is dependent on your provider and what they are willing to do.



    If you had a static IP you could ask them to whitelist your IP. Maybe even your CIDR, but if you do too many of those some of the bad traffic may start to come through.



    After so many attempts your provider should temporarily ban the IP addresses attacking them. Now hackers have thousands even 10's of thousands of IP to choose from but eventually they might be able to block them all.



    Obviously your provider needs better ddos protection.






    share|improve this answer



























      0














      This is dependent on your provider and what they are willing to do.



      If you had a static IP you could ask them to whitelist your IP. Maybe even your CIDR, but if you do too many of those some of the bad traffic may start to come through.



      After so many attempts your provider should temporarily ban the IP addresses attacking them. Now hackers have thousands even 10's of thousands of IP to choose from but eventually they might be able to block them all.



      Obviously your provider needs better ddos protection.






      share|improve this answer

























        0












        0








        0







        This is dependent on your provider and what they are willing to do.



        If you had a static IP you could ask them to whitelist your IP. Maybe even your CIDR, but if you do too many of those some of the bad traffic may start to come through.



        After so many attempts your provider should temporarily ban the IP addresses attacking them. Now hackers have thousands even 10's of thousands of IP to choose from but eventually they might be able to block them all.



        Obviously your provider needs better ddos protection.






        share|improve this answer













        This is dependent on your provider and what they are willing to do.



        If you had a static IP you could ask them to whitelist your IP. Maybe even your CIDR, but if you do too many of those some of the bad traffic may start to come through.



        After so many attempts your provider should temporarily ban the IP addresses attacking them. Now hackers have thousands even 10's of thousands of IP to choose from but eventually they might be able to block them all.



        Obviously your provider needs better ddos protection.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered yesterday









        cybernardcybernard

        49528




        49528




















            clemdia is a new contributor. Be nice, and check out our Code of Conduct.









            draft saved

            draft discarded


















            clemdia is a new contributor. Be nice, and check out our Code of Conduct.












            clemdia is a new contributor. Be nice, and check out our Code of Conduct.











            clemdia is a new contributor. Be nice, and check out our Code of Conduct.














            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206923%2femail-account-under-attack-really-anything-i-can-do%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Club Baloncesto Breogán Índice Historia | Pavillón | Nome | O Breogán na cultura popular | Xogadores | Adestradores | Presidentes | Palmarés | Historial | Líderes | Notas | Véxase tamén | Menú de navegacióncbbreogan.galCadroGuía oficial da ACB 2009-10, páxina 201Guía oficial ACB 1992, páxina 183. Editorial DB.É de 6.500 espectadores sentados axeitándose á última normativa"Estudiantes Junior, entre as mellores canteiras"o orixinalHemeroteca El Mundo Deportivo, 16 setembro de 1970, páxina 12Historia do BreogánAlfredo Pérez, o último canoneiroHistoria C.B. BreogánHemeroteca de El Mundo DeportivoJimmy Wright, norteamericano do Breogán deixará Lugo por ameazas de morteResultados de Breogán en 1986-87Resultados de Breogán en 1990-91Ficha de Velimir Perasović en acb.comResultados de Breogán en 1994-95Breogán arrasa al Barça. "El Mundo Deportivo", 27 de setembro de 1999, páxina 58CB Breogán - FC BarcelonaA FEB invita a participar nunha nova Liga EuropeaCharlie Bell na prensa estatalMáximos anotadores 2005Tempada 2005-06 : Tódolos Xogadores da Xornada""Non quero pensar nunha man negra, mais pregúntome que está a pasar""o orixinalRaúl López, orgulloso dos xogadores, presume da boa saúde económica do BreogánJulio González confirma que cesa como presidente del BreogánHomenaxe a Lisardo GómezA tempada do rexurdimento celesteEntrevista a Lisardo GómezEl COB dinamita el Pazo para forzar el quinto (69-73)Cafés Candelas, patrocinador del CB Breogán"Suso Lázare, novo presidente do Breogán"o orixinalCafés Candelas Breogán firma el mayor triunfo de la historiaEl Breogán realizará 17 homenajes por su cincuenta aniversario"O Breogán honra ao seu fundador e primeiro presidente"o orixinalMiguel Giao recibiu a homenaxe do PazoHomenaxe aos primeiros gladiadores celestesO home que nos amosa como ver o Breo co corazónTita Franco será homenaxeada polos #50anosdeBreoJulio Vila recibirá unha homenaxe in memoriam polos #50anosdeBreo"O Breogán homenaxeará aos seus aboados máis veteráns"Pechada ovación a «Capi» Sanmartín e Ricardo «Corazón de González»Homenaxe por décadas de informaciónPaco García volve ao Pazo con motivo do 50 aniversario"Resultados y clasificaciones""O Cafés Candelas Breogán, campión da Copa Princesa""O Cafés Candelas Breogán, equipo ACB"C.B. Breogán"Proxecto social"o orixinal"Centros asociados"o orixinalFicha en imdb.comMario Camus trata la recuperación del amor en 'La vieja música', su última película"Páxina web oficial""Club Baloncesto Breogán""C. B. Breogán S.A.D."eehttp://www.fegaba.com

            Vilaño, A Laracha Índice Patrimonio | Lugares e parroquias | Véxase tamén | Menú de navegación43°14′52″N 8°36′03″O / 43.24775, -8.60070

            Cegueira Índice Epidemioloxía | Deficiencia visual | Tipos de cegueira | Principais causas de cegueira | Tratamento | Técnicas de adaptación e axudas | Vida dos cegos | Primeiros auxilios | Crenzas respecto das persoas cegas | Crenzas das persoas cegas | O neno deficiente visual | Aspectos psicolóxicos da cegueira | Notas | Véxase tamén | Menú de navegación54.054.154.436928256blindnessDicionario da Real Academia GalegaPortal das Palabras"International Standards: Visual Standards — Aspects and Ranges of Vision Loss with Emphasis on Population Surveys.""Visual impairment and blindness""Presentan un plan para previr a cegueira"o orixinalACCDV Associació Catalana de Cecs i Disminuïts Visuals - PMFTrachoma"Effect of gene therapy on visual function in Leber's congenital amaurosis"1844137110.1056/NEJMoa0802268Cans guía - os mellores amigos dos cegosArquivadoEscola de cans guía para cegos en Mortágua, PortugalArquivado"Tecnología para ciegos y deficientes visuales. Recopilación de recursos gratuitos en la Red""Colorino""‘COL.diesis’, escuchar los sonidos del color""COL.diesis: Transforming Colour into Melody and Implementing the Result in a Colour Sensor Device"o orixinal"Sistema de desarrollo de sinestesia color-sonido para invidentes utilizando un protocolo de audio""Enseñanza táctil - geometría y color. Juegos didácticos para niños ciegos y videntes""Sistema Constanz"L'ocupació laboral dels cecs a l'Estat espanyol està pràcticament equiparada a la de les persones amb visió, entrevista amb Pedro ZuritaONCE (Organización Nacional de Cegos de España)Prevención da cegueiraDescrición de deficiencias visuais (Disc@pnet)Braillín, un boneco atractivo para calquera neno, con ou sen discapacidade, que permite familiarizarse co sistema de escritura e lectura brailleAxudas Técnicas36838ID00897494007150-90057129528256DOID:1432HP:0000618D001766C10.597.751.941.162C97109C0155020