Strange logins from Microsoft

mschumann
New user
Posts: 12
Joined: 2020-05-06 16:08

Strange logins from Microsoft

Post by mschumann » 2020-06-16 10:13

In my hMailServer logs I regularly see IMAP logins from 52.125.138.86 (that belongs to Microsoft) with the user I use on my devices, but I only use Thunderbird on the desktop and FairEmail on my phone. I do have a Microsoft account for Office but do not use Outlook, neither the app nor the web functionality. Am I hacked, or is anyone aware of what's going on here? This is part of the log:

"DEBUG" 3380 "2020-06-16 09:49:34.456" "Creating session 9194"
"TCPIP" 3380 "2020-06-16 09:49:34.456" "TCP - 52.125.138.86 connected to xxx.xxx.xxx.xxx:993."
"DEBUG" 3380 "2020-06-16 09:49:34.456" "TCP connection started for session 9193"
"DEBUG" 3380 "2020-06-16 09:49:34.472" "Performing SSL/TLS handshake for session 9193. Verify certificate: False"
"TCPIP" 3368 "2020-06-16 09:49:34.738" "TCPConnection - TLS/SSL handshake completed. Session Id: 9193, Remote IP: 52.125.138.86, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384, Bits: 256"
"IMAPD" 3368 9193 "2020-06-16 09:49:34.738" "52.125.138.86" "SENT: * OK IMAPrev1"
"IMAPD" 3368 9193 "2020-06-16 09:49:34.831" "52.125.138.86" "RECEIVED: TKW0 CAPABILITY"
"IMAPD" 3368 9193 "2020-06-16 09:49:34.847" "52.125.138.86" "SENT: * CAPABILITY IMAP4 IMAP4rev1 CHILDREN IDLE QUOTA SORT ACL NAMESPACE RIGHTS=texk[nl]TKW0 OK CAPABILITY completed"
"IMAPD" 3380 9193 "2020-06-16 09:49:34.878" "52.125.138.86" "RECEIVED: TKW1 LOGIN xxx@xxx.xxx ***"
"IMAPD" 3380 9193 "2020-06-16 09:49:34.878" "52.125.138.86" "SENT: TKW1 OK LOGIN completed"
"IMAPD" 3356 9193 "2020-06-16 09:49:34.910" "52.125.138.86" "RECEIVED: TKW2 CAPABILITY"
"IMAPD" 3356 9193 "2020-06-16 09:49:34.910" "52.125.138.86" "SENT: * CAPABILITY IMAP4 IMAP4rev1 CHILDREN IDLE QUOTA SORT ACL NAMESPACE RIGHTS=texk[nl]TKW2 OK CAPABILITY completed"
"IMAPD" 3368 9193 "2020-06-16 09:49:34.941" "52.125.138.86" "RECEIVED: TKW3 NOOP"
"IMAPD" 3368 9193 "2020-06-16 09:49:34.941" "52.125.138.86" "SENT: TKW3 OK NOOP completed"
"IMAPD" 3380 9185 "2020-06-16 09:49:34.988" "52.125.138.86" "RECEIVED: TKD9 UID FETCH 1 (UID)"
"IMAPD" 3380 9185 "2020-06-16 09:49:34.988" "52.125.138.86" "SENT: TKD9 OK UID completed"
"IMAPD" 3356 9185 "2020-06-16 09:49:35.019" "52.125.138.86" "RECEIVED: TKD10 UID SEARCH UID 1275:1275"
"IMAPD" 3356 9185 "2020-06-16 09:49:35.019" "52.125.138.86" "SENT: * SEARCH 1275"
"IMAPD" 3356 9185 "2020-06-16 09:49:35.019" "52.125.138.86" "SENT: TKD10 OK UID completed"
"IMAPD" 3368 9185 "2020-06-16 09:49:35.113" "52.125.138.86" "RECEIVED: TKD11 UID FETCH 1 (UID)"
"IMAPD" 3368 9185 "2020-06-16 09:49:35.113" "52.125.138.86" "SENT: TKD11 OK UID completed"
"IMAPD" 3380 9185 "2020-06-16 09:49:35.144" "52.125.138.86" "RECEIVED: TKD12 UID SEARCH UID 1275:1275"
"IMAPD" 3380 9185 "2020-06-16 09:49:35.144" "52.125.138.86" "SENT: * SEARCH 1275"
"IMAPD" 3380 9185 "2020-06-16 09:49:35.160" "52.125.138.86" "SENT: TKD12 OK UID completed"
"IMAPD" 3356 9185 "2020-06-16 09:49:35.253" "52.125.138.86" "RECEIVED: TKD13 UID FETCH 1:1275 (UID FLAGS)"
"IMAPD" 3356 9185 "2020-06-16 09:49:35.253" "52.125.138.86" "SENT: * 1 FETCH (UID 1275 FLAGS ())"
"IMAPD" 3356 9185 "2020-06-16 09:49:35.253" "52.125.138.86" "SENT: TKD13 OK UID completed"
...
"IMAPD" 3368 9193 "2020-06-16 09:49:35.582" "52.125.138.86" "SENT: * 1 FETCH (UID 4)"
"IMAPD" 3368 9193 "2020-06-16 09:49:35.582" "52.125.138.86" "SENT: * 2 FETCH (UID 5)"
"IMAPD" 3368 9193 "2020-06-16 09:49:35.582" "52.125.138.86" "SENT: * 3 FETCH (UID 6)"
"IMAPD" 3368 9193 "2020-06-16 09:49:35.582" "52.125.138.86" "SENT: * 4 FETCH (UID 8)"
"IMAPD" 3368 9193 "2020-06-16 09:49:35.582" "52.125.138.86" "SENT: * 5 FETCH (UID 9)"
"IMAPD" 3368 9193 "2020-06-16 09:49:35.582" "52.125.138.86" "SENT: * 6 FETCH (UID 11)"
"IMAPD" 3368 9193 "2020-06-16 09:49:35.582" "52.125.138.86" "SENT: * 7 FETCH (UID 13)"
"IMAPD" 3368 9193 "2020-06-16 09:49:35.582" "52.125.138.86" "SENT: * 8 FETCH (UID 14)"
"IMAPD" 3368 9193 "2020-06-16 09:49:35.597" "52.125.138.86" "SENT: * 9 FETCH (UID 15)"
"IMAPD" 3368 9193 "2020-06-16 09:49:35.597" "52.125.138.86" "SENT: * 10 FETCH (UID 16)"
"IMAPD" 3368 9193 "2020-06-16 09:49:35.597" "52.125.138.86" "SENT: * 11 FETCH (UID 17)"
"IMAPD" 3368 9193 "2020-06-16 09:49:35.597" "52.125.138.86" "SENT: * 12 FETCH (UID 18)"
"IMAPD" 3368 9193 "2020-06-16 09:49:35.597" "52.125.138.86" "SENT: * 13 FETCH (UID 19)"
"IMAPD" 3368 9193 "2020-06-16 09:49:35.597" "52.125.138.86" "SENT: * 14 FETCH (UID 20)"
...

I created an IP range for now that does not allow logins.

Thanks for any help!

RvdH
Senior user
Posts: 1105
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Strange logins from Microsoft

Post by RvdH » 2020-06-16 11:17

Check the default Windows 10 Mail app, does this list the account in question?

[EDIT] Don't know what I was thinking, ignore this comment :oops:
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

mattg
Moderator
Posts: 21036
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Strange logins from Microsoft

Post by mattg » 2020-06-16 12:09

I'd change the password for that account too...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

johang
Senior user
Posts: 320
Joined: 2008-09-01 09:20

Re: Strange logins from Microsoft

Post by johang » 2020-06-16 17:41

Perhaps someone has linked their account to outlook.com..?

https://support.microsoft.com/en-us/off ... n-us&ad=us
___________________________________________________________end of the line
spam filter appliance gateway: www.mailcleaner.org

mschumann
New user
Posts: 12
Joined: 2020-05-06 16:08

Re: Strange logins from Microsoft

Post by mschumann » 2020-06-17 21:01

Thanks, I blocked that IP for login. I remember that I tried the Outlook app once on my mobile but deleted it; that's the only source where the MS server could have gotten my login credentials. This is really strange, I usually trust Microsoft a lot.

Virinum
Normal user
Posts: 110
Joined: 2018-11-23 14:42
Location: Germany

Re: Strange logins from Microsoft

Post by Virinum » 2020-06-18 12:12

I've once installed the iOS version of the outlook app, too.

This app doesn't connect directly to the mail server. Instead your credentials are sent to Microsoft, and Microsoft's server connects to your mail server.

This way Microsoft is able to send push notifications nearly instantly when a mail arrives, because Microsoft's server holds the connection open all the time.

To stop Microsoft's server from connecting to your mail server, you have to remove your account from the app before you remove the app. If you already removed the app, install it again. Then add your account and remove it again. When removing, there is an option you have to select which says something like "Remove account from all devices".
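The practical question raised by the first post (which IPs are successfully logging in as my account?) and by the explanation above (a cloud relay logging in with your credentials looks exactly like a client login in the server log) can be answered from the hMailServer log itself. The script below is an added example, not code from hMailServer or from anyone in this thread. It parses IMAPD lines in the format shown in the log excerpt above, pairs each `LOGIN` command with the `OK LOGIN completed` reply of the same session and tag, and flags successful logins from addresses outside a per-account list of trusted networks that you supply. The sample lines are constructed for the example: the first session copies the format of the post, the LAN address, the TEST-NET address and the `NO` reply text are made up.

```python
import ipaddress
import re
from collections import Counter

# hMailServer IMAPD log line, as in the excerpt above:
#   "IMAPD" <thread> <session> "<timestamp>" "<remote ip>" "<message>"
# TCPIP/DEBUG lines have no session column and therefore do not match.
IMAPD_RE = re.compile(
    r'^"IMAPD"\s+(?P<thread>\d+)\s+(?P<session>\d+)\s+'
    r'"(?P<ts>[^"]+)"\s+"(?P<ip>[^"]+)"\s+"(?P<msg>.*)"$'
)
# Client command: RECEIVED: <tag> LOGIN <user> <password, masked as *** by the server>
LOGIN_RE = re.compile(r'^RECEIVED:\s+(?P<tag>\S+)\s+LOGIN\s+(?P<user>\S+)\s+\S+', re.I)
# Server reply for a successful login: SENT: <tag> OK LOGIN completed
LOGIN_OK_RE = re.compile(r'^SENT:\s+(?P<tag>\S+)\s+OK\s+LOGIN\b', re.I)

# Constructed sample input (not a real capture). 52.125.138.86 is the address
# from the post; 192.168.1.20 and 203.0.113.7 are made up for the example.
SAMPLE_LINES = [
    '"IMAPD" 3380 9193 "2020-06-16 09:49:34.878" "52.125.138.86" "RECEIVED: TKW1 LOGIN xxx@xxx.xxx ***"',
    '"IMAPD" 3380 9193 "2020-06-16 09:49:34.878" "52.125.138.86" "SENT: TKW1 OK LOGIN completed"',
    '"IMAPD" 3356 9193 "2020-06-16 09:49:34.910" "52.125.138.86" "RECEIVED: TKW2 CAPABILITY"',
    '"IMAPD" 3368 9201 "2020-06-16 09:51:02.001" "192.168.1.20" "RECEIVED: A001 LOGIN xxx@xxx.xxx ***"',
    '"IMAPD" 3368 9201 "2020-06-16 09:51:02.003" "192.168.1.20" "SENT: A001 OK LOGIN completed"',
    '"IMAPD" 3368 9202 "2020-06-16 09:52:10.500" "203.0.113.7" "RECEIVED: B001 LOGIN xxx@xxx.xxx ***"',
    '"IMAPD" 3368 9202 "2020-06-16 09:52:10.600" "203.0.113.7" "SENT: B001 NO Login failed"',
]


def parse_logins(lines):
    """Return (timestamp, session, user, ip) for every successful IMAP LOGIN.

    A LOGIN is only counted when the server answers the same session and tag
    with OK; failed attempts (NO/BAD) never leave the pending table.
    """
    pending = {}   # (session, tag) -> (ts, user, ip)
    logins = []
    for line in lines:
        m = IMAPD_RE.match(line.strip())
        if not m:
            continue
        session, msg = m["session"], m["msg"]
        lm = LOGIN_RE.match(msg)
        if lm:
            user = lm["user"].strip('"').lower()
            pending[(session, lm["tag"])] = (m["ts"], user, m["ip"])
            continue
        om = LOGIN_OK_RE.match(msg)
        if om:
            rec = pending.pop((session, om["tag"]), None)
            if rec is not None:
                ts, user, ip = rec
                logins.append((ts, session, user, ip))
    return logins


def summarize(lines):
    """Count successful logins per (user, remote ip)."""
    return Counter((user, ip) for _, _, user, ip in parse_logins(lines))


def unexpected_logins(lines, trusted):
    """Flag successful logins from outside the account's trusted networks.

    trusted: {user: [CIDR, ...]} supplied by the administrator (assumption:
    you know which networks your own clients connect from). An account with
    no entry has no trusted networks, so all of its logins are flagged.
    """
    nets = {u.lower(): [ipaddress.ip_network(c, strict=False) for c in cidrs]
            for u, cidrs in trusted.items()}
    flagged = []
    for ts, session, user, ip in parse_logins(lines):
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets.get(user, [])):
            flagged.append((ts, session, user, ip))
    return flagged


if __name__ == "__main__":
    import sys
    # Usage: python imap_logins.py hmailserver_2020-06-16.log  (or no argument for the sample)
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LINES
    trusted = {"xxx@xxx.xxx": ["192.168.1.0/24"]}   # hypothetical: your LAN
    for (user, ip), n in summarize(lines).items():
        print(f"{user} from {ip}: {n} successful login(s)")
    for ts, session, user, ip in unexpected_logins(lines, trusted):
        print(f"UNEXPECTED {ts} session {session}: {user} from {ip}")
```

Run it against a day's log and every address that successfully authenticated as you is listed; anything not in your trusted networks, such as the relay address in the post, stands out immediately. If the relay is legitimate (the app described above), the fix is removing the account from the app as described, then changing the password, since the relay still holds the old credentials until that is done.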

palinka
Senior user
Posts: 2078
Joined: 2017-09-12 17:57

Re: Strange logins from Microsoft

Post by palinka » 2020-06-19 20:56

Virinum wrote:
2020-06-18 12:12
This app doesn't connect directly to the mail server. Instead your credentials are sent to Microsoft, and Microsoft's server connects to your mail server.

This way microsoft is able to send push notifications nearly instantly when a mail arrives. Because microsofts server holds the connection up all the time.
That's mighty helpful of them. :roll:
