# Strange mail logs

## hellochaps

Hi there,

I was recently going over some old mail logs, and I came across this:

```
Jun 12 14:51:56 hostname imapd: LOGIN FAILED, user=Purple, ip=[::ffff:127.0.0.1]
Jun 12 14:51:56 hostname postfix/smtpd[21538]: disconnect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:51:58 hostname postfix/smtpd[21536]: connect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:52:02 hostname postfix/smtpd[21537]: disconnect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:52:03 hostname imapd: LOGIN FAILED, user=Sports, ip=[::ffff:127.0.0.1]
Jun 12 14:52:07 hostname postfix/smtpd[21559]: connect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:52:09 hostname postfix/smtpd[21536]: disconnect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:52:11 hostname imapd: LOGIN FAILED, user=dragon, ip=[::ffff:127.0.0.1]
Jun 12 14:52:14 hostname postfix/smtpd[21562]: connect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:52:17 hostname postfix/smtpd[21559]: disconnect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:52:18 hostname imapd: LOGIN FAILED, user=michael, ip=[::ffff:127.0.0.1]
```

Why would imapd be reporting login failures coming from 127.0.0.1?

Cheers,

Eric

----------

## Hu

The local user probably submitted a bad password, or may have tried to use an account name that did not exist.  If you want to know why the connection is coming from localhost, I would guess that some other program on the system is making a connection over loopback, possibly on behalf of a remote user.  This can happen when ssh port forwardings are used.

----------

## hellochaps

I am the only user of the system, and the only application I can think of that might access over loopback is SquirrelMail - but Apache logs say nobody accessed it.

----------
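Added example, not part of the thread: one way to check Hu's guess that a local program is connecting over loopback on behalf of a remote client is to see which remote smtpd sessions were open at the moment of each loopback IMAP failure. The function name `correlate` and the regexes are illustrative and assume the syslog format in the excerpt above; an overlap shows timing only, not which process made the loopback connection.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log excerpt copied from the first post of this thread (blank lines dropped).
LOG = """\
Jun 12 14:51:56 hostname imapd: LOGIN FAILED, user=Purple, ip=[::ffff:127.0.0.1]
Jun 12 14:51:56 hostname postfix/smtpd[21538]: disconnect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:51:58 hostname postfix/smtpd[21536]: connect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:52:02 hostname postfix/smtpd[21537]: disconnect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:52:03 hostname imapd: LOGIN FAILED, user=Sports, ip=[::ffff:127.0.0.1]
Jun 12 14:52:07 hostname postfix/smtpd[21559]: connect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:52:09 hostname postfix/smtpd[21536]: disconnect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:52:11 hostname imapd: LOGIN FAILED, user=dragon, ip=[::ffff:127.0.0.1]
Jun 12 14:52:14 hostname postfix/smtpd[21562]: connect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:52:17 hostname postfix/smtpd[21559]: disconnect from 75-145-26-162-Washington.hfc.comcastbusiness.net[75.145.26.162]
Jun 12 14:52:18 hostname imapd: LOGIN FAILED, user=michael, ip=[::ffff:127.0.0.1]
"""
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (\S+?)(?:\[(\d+)\])?: (.*)$")
SMTPD = re.compile(r"^(connect|disconnect) from \S*\[([^\]]+)\]")
IMAP_FAIL = re.compile(r"^LOGIN FAILED, user=([^,\s]+), ip=\[(?:::ffff:)?(?:127\.[\d.]+|::1)\]")  # loopback only

def correlate(log_text):
    """Map remote smtpd client IP -> users whose loopback IMAP login failed during its session."""
    sessions, open_by_pid, failures = [], {}, []  # [ip, start, end]; pid -> session; (time, user)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed one is enough for ordering.
        ts = datetime.strptime("2000 " + m[1], "%Y %b %d %H:%M:%S")
        if m[2] == "postfix/smtpd" and (s := SMTPD.match(m[4])):
            if s[1] == "connect":
                open_by_pid[m[3]] = [s[2], ts, None]
                sessions.append(open_by_pid[m[3]])
            else:
                # No logged connect: the session was already open before the excerpt began.
                sess = open_by_pid.pop(m[3], None)
                if sess is None:
                    sessions.append(sess := [s[2], None, None])
                sess[2] = ts
        elif m[2] == "imapd" and (f := IMAP_FAIL.match(m[4])):
            failures.append((ts, f[1]))
    hits = defaultdict(list)
    for ts, user in failures:
        for ip, start, end in sessions:
            was_open = (start is None or start <= ts) and (end is None or ts <= end)
            if was_open and user not in hits[ip]:
                hits[ip].append(user)
    return dict(hits)
```

Calling `correlate(LOG)` on the excerpt returns a single remote address with all four attempted user names, which is the overlap worth following up in the full logs.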

