Strange POP3 traffic from Google?


I just read a daily email from Logwatch to find some very strange messages…

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.208, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.210, lip=my.ip.ad.dr: 3 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.211, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.212, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.213, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.214, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.216, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.217, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.218, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.219, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.220, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.221, lip=my.ip.ad.dr: 4 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.225, lip=my.ip.ad.dr: 3 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.227, lip=my.ip.ad.dr: 3 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.228, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.232, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.234, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.235, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.236, lip=my.ip.ad.dr: 5 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.237, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.238, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.239, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.240, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.241, lip=my.ip.ad.dr: 2 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.244, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.245, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.246, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.248, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.249, lip=my.ip.ad.dr: 1 Time(s)

dovecot: pop3-login: Disconnected (no auth attempts): rip=209.85.198.251, lip=my.ip.ad.dr: 1 Time(s)

Okay, so let’s list the strange events here:

  • A whole bunch of sequential IPs are connecting to my POP3 port (not necessarily in order, perhaps Logwatch is just picking them out that way)
  • The remote machines are connecting, but not even attempting to authenticate (log in), they’re just disconnecting
  • The IP range is apparently owned by Google

So… what’s going on here, exactly? Anyone able to shed some light onto this?

4 thoughts on “Strange POP3 traffic from Google?

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>