The Post Office Protocol (POP) is an application-layer protocol used by e-mail clients to retrieve e-mail from a server.
The first version of the protocol (POP1) was described in RFC 918 in 1984. One year later, in 1985, the second version
of the protocol (POP2) was introduced by RFC 937. POP version 3 (POP3), the most recent version of the protocol,
originated with RFC 1081 in 1988.
During the last 10 years POP3 has been superseded by the Internet Message Access Protocol (IMAP). Yet 30 years after its
introduction, POP3 is still used on many servers around the globe.
The protocol has attracted the interest of hackers and security experts many times. As a result, multiple tools for
POP3 brute-forcing are freely available on the Internet.
If POP3 ports are open on your server, you may notice repeating entries in your logs like those below:
"POP3D" "SENT: +OK POP3"
"POP3D" "RECEIVED: CAPA"
"POP3D" "SENT: +OK CAPA list follows[nl]USER[nl]UIDL[nl]TOP[nl]."
"POP3D" "RECEIVED: USER bob"
"POP3D" "SENT: +OK Send your password"
"POP3D" "RECEIVED: PASS ***"
"POP3D" "SENT: -ERR Invalid user name or password."
"POP3D" "RECEIVED: USER alice"
"POP3D" "SENT: +OK Send your password"
"POP3D" "RECEIVED: PASS ***"
"POP3D" "SENT: -ERR Invalid user name or password."
"POP3D" "RECEIVED: USER joe"
"POP3D" "SENT: +OK Send your password"
"POP3D" "RECEIVED: PASS ***"
"POP3D" "SENT: -ERR Invalid user name or password."
"POP3D" "SENT: +OK POP3"
"POP3D" "RECEIVED: CAPA"
"POP3D" "SENT: +OK CAPA list follows[nl]USER[nl]UIDL[nl]TOP[nl]."
"POP3D" "RECEIVED: USER office"
"POP3D" "SENT: +OK Send your password"
"POP3D" "RECEIVED: PASS ***"
"POP3D" "SENT: -ERR Invalid user name or password."
"POP3D" "RECEIVED: USER fax"
"POP3D" "SENT: +OK Send your password"
"POP3D" "RECEIVED: PASS ***"
"POP3D" "SENT: -ERR Invalid user name or password."
"POP3D" "RECEIVED: USER reception"
"POP3D" "SENT: +OK Send your password"
"POP3D" "RECEIVED: PASS ***"
"POP3D" "SENT: -ERR Invalid user name or password."
These attempts usually mean a brute-force attack on your POP3 server. They waste your server's resources: bandwidth, RAM, CPU and free disk space.
If some of your POP3 users have weak passwords, attackers may succeed and get access to those users' mailboxes.
RdpGuard effectively protects your POP3 server from brute-force attacks.
RdpGuard works with POP3 ports or logs on your server to detect failed login attempts.
If the number of failed login attempts from a single IP address reaches a set limit,
the attacker's IP address will be blocked.
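The counting rule described above (failed logins per source IP, flagged at a set limit) looks like this in Python. This is an added example, not RdpGuard's code; the client-IP field in each log line, the sample addresses, the `+OK` success reply and the names `exchange` and `find_offenders` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed line shape: the excerpt's two quoted fields plus a client-IP field (the IP column is an assumption).
LINE_RE = re.compile(r'^"POP3D"\s+"(?P<ip>[^"]+)"\s+"(?P<dir>SENT|RECEIVED): (?P<msg>.*)"$')


def exchange(ip, user, reply):
    """Build the log lines of one constructed USER/PASS exchange."""
    msgs = [f"RECEIVED: USER {user}", "SENT: +OK Send your password",
            "RECEIVED: PASS ***", f"SENT: {reply}"]
    return [f'"POP3D" "{ip}" "{m}"' for m in msgs]

FAIL = "-ERR Invalid user name or password."
# Constructed sample: one source cycles through usernames, another mistypes once.
SAMPLE_LOG = []
for name in ("bob", "alice", "joe"):
    SAMPLE_LOG += exchange("203.0.113.7", name, FAIL)
SAMPLE_LOG += exchange("198.51.100.20", "carol", FAIL)
SAMPLE_LOG += exchange("198.51.100.20", "carol", "+OK")  # constructed success reply
for name in ("office", "fax", "reception"):
    SAMPLE_LOG += exchange("203.0.113.7", name, FAIL)
SAMPLE_LOG.append('"POP3D" "SENT: -ERR Invalid user name or password.')  # malformed, skipped


def find_offenders(lines, limit=3):
    """Return {ip: (failed_count, usernames_tried)} for IPs at or over the limit."""
    pending_user, awaiting_reply = {}, set()
    failures, users = defaultdict(int), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # truncated or foreign line: ignore rather than crash
        ip, direction, msg = m["ip"], m["dir"], m["msg"]
        if direction == "RECEIVED" and msg.upper().startswith("USER "):
            pending_user[ip] = msg[5:].strip()
        elif direction == "RECEIVED" and msg.upper().startswith("PASS"):
            awaiting_reply.add(ip)
        elif direction == "SENT" and ip in awaiting_reply:
            awaiting_reply.discard(ip)  # this reply answers the PASS command
            if msg.startswith("-ERR"):
                failures[ip] += 1
                users[ip].add(pending_user.get(ip, "?"))
    return {ip: (n, sorted(users[ip])) for ip, n in failures.items() if n >= limit}


if __name__ == "__main__":
    for ip, (count, names) in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins, users tried: {', '.join(names)}")
```

State is keyed by IP address, so concurrent sessions from one address are counted together; a single mistyped password followed by a successful login stays under the limit and is not flagged.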
For Windows Vista/7/8/8.1/10/11 and Windows Server 2008/2012/2016/2019/2022