BAN IP by POP3 attempt, and is there a way to disable POP3 server-wide?
Problem reported by Curtis Kropar www.HawaiianHope.org - Today at 3:43 AM
Submitted
In looking at all of our users and knowing how they access email, not a single one of the hundreds legitimately uses POP3.
BUT, in looking at POP3, I see hundreds of attempts to authenticate from all over the planet.

Also, as of January, Google has apparently ended POP3 access.

I would like to see a way to prevent POP3 access server-wide, and in addition BAN any IP address that attempts to use POP3 to get to email, because NONE of our users do; it's all hack attempts.
SmarterPeeps - help a brother out!

www.HawaiianHope.org - Providing technology services to non-profit organizations, low-income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, we have refurbished over 11,000 computers!

Sébastien Riccio Replied
You can disable POP3 service from Manage > Troubleshooting > Services. I did this for XMPP that we don't use at all.

The stopped services stay stopped even after a full service restart. You have to enable them again manually if you want them to be up again.
Sébastien Riccio System & Network Admin https://swisscenter.com
Sébastien Riccio Replied
If you want to auto-ban IPs that try to connect to the POP3 ports (110 and 995), you could probably do something like firewalling these ports in Windows Firewall and enabling logs for firewall rejections.

Some PowerShell script could check the event log to get the IPs that attempted connections to these firewalled ports and add them to a global ban firewall rule.

```powershell
# Enable logging of dropped packets on all firewall profiles
Set-NetFirewallProfile -All -LogBlocked True -LogFileName "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -LogMaxSizeKilobytes 4096
```

An example PowerShell script that would do the check:

```powershell
$logFile    = "C:\Windows\System32\LogFiles\Firewall\pfirewall.log"
$banLogFile = "C:\Scripts\banned_ips.txt"
$targetPort = "110"
$threshold  = 3   # number of attempts before ban

# Nothing to do until the firewall has written its first log
if (-not (Test-Path $logFile)) { return }

# Read already banned IPs (@() keeps a one-line file from becoming a plain string)
$alreadyBanned = @()
if (Test-Path $banLogFile) {
    $alreadyBanned = @(Get-Content $banLogFile)
}

# Parse firewall log for DROP entries targeting port 110.
# Field layout (from the "#Fields:" header of pfirewall.log):
#   date time action protocol src-ip dst-ip src-port dst-port ...
$hits = Get-Content $logFile |
    Where-Object { $_ -match "^20" } |       # skip "#..." header lines; data lines start with the year
    ForEach-Object {
        $fields = $_ -split " "
        [PSCustomObject]@{
            Action  = $fields[2]
            SrcIP   = $fields[4]
            DstPort = $fields[7]
        }
    } |
    Where-Object { $_.Action -eq "DROP" -and $_.DstPort -eq $targetPort }

# Group by source IP and apply threshold
$candidates = $hits |
    Group-Object SrcIP |
    Where-Object { $_.Count -ge $threshold } |
    Select-Object -ExpandProperty Name

foreach ($ip in $candidates) {
    if ($alreadyBanned -contains $ip) { continue }

    # Validate it looks like an IPv4 address
    if ($ip -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }

    Write-Output "$(Get-Date) - Banning $ip"

    # Add firewall block rule (blocks all inbound TCP from this IP, not just port 110)
    New-NetFirewallRule `
        -DisplayName "AutoBan $ip (port $targetPort)" `
        -Direction Inbound `
        -Action Block `
        -Protocol TCP `
        -RemoteAddress $ip `
        -Enabled True | Out-Null

    # Record the ban so the next run skips this IP
    Add-Content $banLogFile $ip
}
```
Add a scheduled task to run the script:

```powershell
# Run the script every 5 minutes as SYSTEM
$action  = New-ScheduledTaskAction -Execute "powershell.exe" `
             -Argument "-NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\AutoBan-Port110.ps1"

$trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 5) -Once -At (Get-Date)

$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 2)

Register-ScheduledTask `
    -TaskName "AutoBan Port 110 Scanners" `
    -Action $action `
    -Trigger $trigger `
    -RunLevel Highest `
    -User "SYSTEM" `
    -Settings $settings
```

How It Works

```text
Port 110 connection attempt
        │
        ▼
Windows Firewall DROPs it  ──▶  logs to pfirewall.log
        │
        ▼
Script runs every 5 min
        │
        ▼
Parses log, counts hits per IP
        │
        ▼
IP hits threshold (≥3)?  ──▶  New-NetFirewallRule blocks IP entirely
        │
        ▼
IP recorded in banned_ips.txt (skip on next run)
```

DISCLAIMER: example scripts generated by Claude, because, well, I'm lazy.
Sébastien Riccio System & Network Admin https://swisscenter.com
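As an added example (not from Sébastien's reply and not SmarterTools code), here is a dry-run variant of the same log parsing that covers both POP3 ports mentioned above (110 and 995), reports candidate IPs without creating any firewall rule, and shows how to undo the AutoBan rules. The log lines are constructed samples in the real pfirewall.log field layout, and `Get-PopProbeReport` is a name chosen here.

```powershell
# Constructed sample in the layout of a real pfirewall.log (header lines + data lines)
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-02-10 10:00:01 DROP TCP 203.0.113.5 192.0.2.10 51234 110 52 S 1 0 8192 - - - RECEIVE
2024-02-10 10:00:04 DROP TCP 203.0.113.5 192.0.2.10 51235 110 52 S 1 0 8192 - - - RECEIVE
2024-02-10 10:00:09 DROP TCP 203.0.113.5 192.0.2.10 51236 995 52 S 1 0 8192 - - - RECEIVE
2024-02-10 10:01:00 DROP TCP 198.51.100.7 192.0.2.10 40001 995 52 S 1 0 8192 - - - RECEIVE
2024-02-10 10:02:00 ALLOW TCP 198.51.100.8 192.0.2.10 40002 443 52 S 1 0 8192 - - - RECEIVE
2024-02-10 10:03:00 DROP UDP 203.0.113.9 192.0.2.10 5000 110 78 - - - - - - - RECEIVE
'@
$sampleLines = $sampleLog -split "`r?`n"

# Count TCP DROP entries per source IP on the given ports; report those at or above the threshold
function Get-PopProbeReport {
    param(
        [string[]]$LogLines,
        [string[]]$Ports = @('110', '995'),
        [int]$Threshold = 3
    )
    $LogLines |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } |   # data lines only, skip "#..." headers
        ForEach-Object {
            $f = $_ -split ' '
            [PSCustomObject]@{ Action = $f[2]; Proto = $f[3]; SrcIP = $f[4]; DstPort = $f[7] }
        } |
        Where-Object { $_.Action -eq 'DROP' -and $_.Proto -eq 'TCP' -and $Ports -contains $_.DstPort } |
        Group-Object SrcIP |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SrcIP'; e = { $_.Name } },
                      Count,
                      @{ n = 'Ports'; e = { ($_.Group.DstPort | Sort-Object -Unique) -join ',' } }
}

# Dry run on the sample: only 203.0.113.5 (3 TCP drops across 110 and 995) is reported;
# 198.51.100.7 is below the threshold and the UDP line is ignored
Get-PopProbeReport -LogLines $sampleLines | Format-Table -AutoSize

# Same report against the live log, threshold 1 to see everything that probed the POP3 ports
Get-PopProbeReport -LogLines (Get-Content 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log') -Threshold 1

# Undo every rule the auto-ban script created (e.g. before tuning the threshold)
Get-NetFirewallRule -DisplayName 'AutoBan *' | Remove-NetFirewallRule
```

Run the report for a few days before enabling the scheduled task so the threshold is tuned against real traffic rather than the sample.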
