Is this a small scale spam/hack attempt?


I'm sure that like everyone else running WHM I get a cPHulk email every day or so informing me that an IP address has been blocked due to too many failed SMTP login attempts. But today these emails are arriving about every 10 minutes, each time originating from a different IP range/country:

Here's what one of these notices looks like:
5 failed login attempts to account lib (smtp) -- Large number of attempts from this IP:

Reverse DNS:

Origin Country: Morocco (MA)

I can only assume that this is a spammer running a distributed attempt to compromise an email account on my server. Has anyone else experienced a coordinated attack like this, and is it anything for me to be concerned about?

Also, I'm a little confused as to exactly _which_ account the hacker is trying to target. Wouldn't an email account name usually be a full email address such as, whereas cPHulk always reports that the login attempts are directed against an account like 'admin' or 'robert' or 'sales', or something of that nature. In the example above it's 'lib'. None of these accounts actually exists, since there are no email accounts set up at any of my domains currently. Is the hacker just doing a dictionary attack against common usernames?

Sadly those are very commonplace in this day and age on the internet. From what you've posted it appears they are trying common username combinations in an attempt to find one that is open or does not require a password.

This is why CSF, LFD and cPHulk earn their keep. Even though chances are they may never guess a correct password, it's better to ban them temporarily to keep them from trying as often.

Thanks, Daniel. It sounds like it's nothing to be overly concerned about. One thing I am curious to know:

If a hacker was to compromise an smtp account, is there any way of me knowing? I guess I'm thinking of some sort of warning when too many emails are sent per hour or something? (Knowing WHM this is probably already built in. They seem to think of everything!)

The closest cPanel feature for this would be the email rate limit setting: 4: Configure the max hourly

This allows you to determine X number of emails per hour per domain.

With this set, CSF/LFD will then email you if a domain hits or tries to surpass that limit.

Your mileage may vary of course depending upon your setup but 9 times out of 10 if this is set it will do the trick for letting you know if an email account is compromised. You can also look in your Mail Queue Manager from within WHM to see if there are a lot of emails piling up, as this can also be a sign of a spammer since they try to send to a bunch of bogus email addresses which cannot be delivered to.
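
As an added illustration (not part of the original posts, and not cPanel or CSF code), the per-domain hourly check described above can be reproduced offline from the mail log by counting authenticated submissions per hour. The log lines are constructed in the style of Exim's main log, and the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on Exim's main log (not taken from the thread).
# Six submissions authenticate as sales@shop.example while using forged senders.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01 14:{m:02d}:07 1rfB{m:02d}-0001aB-1x <= promo{m}@forged.example "
     f"H=(pc) [203.0.113.9]:40000 P=esmtpsa A=dovecot_login:sales@shop.example S=1830"
     for m in range(6)]
    + ["2024-03-01 14:20:00 1rfC01-0001aB-1x <= bob@example.com H=(lt) "
       "[198.51.100.7]:51000 P=esmtpsa A=dovecot_login:bob@example.com S=900",
       "2024-03-01 14:40:00 1rfC02-0001aB-1x <= bob@example.com H=(lt) "
       "[198.51.100.7]:51002 P=esmtpsa A=dovecot_login:bob@example.com S=912",
       # Delivery line (=>) and unauthenticated inbound mail: both must be ignored.
       "2024-03-01 14:41:00 1rfC02-0001aB-1x => alice@example.org R=lookuphost T=remote_smtp",
       "2024-03-01 14:50:00 1rfC03-0001aB-1x <= news@list.example "
       "H=mx.list.example [192.0.2.1]:25 P=esmtps S=4000"]
)

# "<=" marks a message arriving; "A=<authenticator>:<login>" is present only
# when the client authenticated, which is what a stolen SMTP password produces.
ARRIVAL = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ <= \S+ "
    r".*?\bA=\w+:(?P<login>\S+)"
)

def hourly_counts(log_text):
    """Count authenticated submissions per (domain, day, hour)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue
        # Key on the authenticated login, not the envelope sender, which a
        # spammer can forge. A login without "@" is kept as its own key.
        domain = m.group("login").rpartition("@")[2].lower()
        counts[(domain, m.group("day"), m.group("hour"))] += 1
    return counts

def over_limit(log_text, max_per_hour):
    """Return the (domain, day, hour) buckets that exceed the hourly limit."""
    return sorted(k for k, n in hourly_counts(log_text).items() if n > max_per_hour)

if __name__ == "__main__":
    for domain, day, hour in over_limit(SAMPLE_LOG, max_per_hour=5):
        print(f"{domain} exceeded the limit on {day} during hour {hour}")
```
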
Daniel - that's really great information to have. The setting you've described is exactly what I was looking for!
I have received the same hack attempts multiple times and, like you, I was concerned, so I contacted helpdesk and was told the same as you, that they are trying random account names to see if they can find one to log in to.
As long as you receive these reports you are OK. The firewall is doing what it is supposed to do.
It's when the reports stop that you need to worry...