Macbook - Mac Mail - IP gets blocked - is there a virus / Malware?

I have a case of a client based in France who is having a problem with their IMAP email account provided by a UK webhost.

Summarised story is

When they turn on their Mac Book, their IP address at home gets blocked by the email provider and they justify this because they say their logs show many invalid credential checks when the Mac is turned on.

If we take the Mac to an internet café it works fine.

They have an iPad and iPhone. When the laptop is turned off for a long while, they work; when the laptop is on, they stop (so they have to switch to the cellular network to get email from this account).

Much obvious investigation has been done, but the fact the laptop works at an internet café, suggests the settings are correct.

This leaves me thinking there is some virus on the laptop or something. However, I have run Malwarebytes AND I have also monitored the network traffic from the Mac and can’t see anything.
Screen shot below with username blurred for privacy.

[Screenshot: Network Monitor (NetworkMonitor-screen-shot.png)]

Any insights into what could be causing this are welcome. Can it be the ISP in France has some issue? But then why only when the laptop is on, and why does the email provider / webhost show a log of invalid login attempts?

Suggestions welcome
IT Man200 Asked:
Eoin OSullivan (Consultant) Commented:
Doesn't sound like a virus .. sounds like the UK ISP has their home IP on a greylist and it is easily blacklisted.

When at home they have iPad, iPhone and MacBook .. all on the WiFi and all probably regularly checking email from the one IP address.

It could be that there is an incorrect account setup on the MacBook in Mac Mail or even another email client which is causing the UK email host to blacklist them.

Options are:
1. Change the iPad and iPhone to check emails manually and disable the FETCH to reduce requests from their home IP to the UK mail host.
2. Check Mac Mail and see that there are no duplicate accounts which are sending invalid authentication details.
3. Quit Apple Mail and open Keychain Access and DELETE any keychain entries relating to the UK Mail servers .. then in Apple Mail you will have to re-enter the passwords for the mail accounts, but at least there will be no legacy incorrect passwords stored in the keychain.
IT Man200 (Author) Commented:
I should also add, this all started, after an upgrade to El Capitan.
Eoin OSullivan (Consultant) Commented:
Could well be a corrupted or incorrect password in a keychain file .. if you open the Activity window and Connection Doctor in Mac Mail you can also see the various accounts as they connect and get responses from the IMAP server .. you might spot failed connections and narrow down the source.
Eoin OSullivan (Consultant) Commented:
Clearly there is a chance that some other application or process on the MacBook is attempting to check or send emails using an incorrect password .. to get to the bottom of it the UK ISP may need to provide more detail of when it received requests .. are they IMAP or SMTP requests? Is there any header information that might give a clue as to the source?

You can use lsof and netstat to see what services are listening or communicating on port 143 for IMAP or 993 for secure IMAP.
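Eoin's lsof suggestion turned into a small script, added here as an example and not code from the thread: it parses the output of `lsof -nP -iTCP -sTCP:ESTABLISHED` and counts, per process, the established connections to the mail ports 143, 993, 465 and 587, so a second mail client or a stale process repeatedly talking to the IMAP server stands out. The sample lsof output, process names and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): find which processes on the Mac hold
# connections to mail ports, from `lsof -nP -iTCP -sTCP:ESTABLISHED` output.
# Ports: IMAP 143, IMAPS 993, SMTPS 465, SMTP submission 587.
MAIL_PORTS='143|993|465|587'

# Constructed sample of lsof output (process names and addresses are made up).
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Mail       1234 user   22u  IPv4 0x1        0t0  TCP 192.168.1.10:52001->203.0.113.5:993 (ESTABLISHED)
Mail       1234 user   23u  IPv4 0x2        0t0  TCP 192.168.1.10:52002->203.0.113.5:993 (ESTABLISHED)
Safari     2222 user   10u  IPv4 0x3        0t0  TCP 192.168.1.10:52003->198.51.100.7:443 (ESTABLISHED)
OldClient  3333 user    9u  IPv4 0x4        0t0  TCP 192.168.1.10:52004->203.0.113.5:143 (ESTABLISHED)
OldClient  3333 user   11u  IPv4 0x5        0t0  TCP 192.168.1.10:52005->203.0.113.5:143 (ESTABLISHED)
OldClient  3333 user   12u  IPv6 0x6        0t0  TCP [2001:db8::10]:52006->[2001:db8::5]:993 (ESTABLISHED)'

# Read lsof output on stdin; print "count command pid remote" for every
# process/remote pair whose remote port is a mail port, busiest first.
mail_connections() {
  awk -v ports="$MAIL_PORTS" '
    NR > 1 && $9 ~ /->/ {
      split($9, ep, "->")               # ep[2] = remote host:port
      n = split(ep[2], r, ":")          # port follows the last colon (IPv6 safe)
      if (r[n] ~ "^(" ports ")$") seen[$1 " " $2 " " ep[2]]++
    }
    END { for (k in seen) print seen[k], k }' | sort -rn
}

# Total mail-port connections held by one process name in the sample data.
mail_connections_for() {
  printf '%s\n' "$SAMPLE_LSOF" | mail_connections |
    awk -v cmd="$1" '$2 == cmd { s += $1 } END { print s + 0 }'
}

# On the affected Mac, run this instead of the sample (no sudo needed for
# the logged-in user's own processes).
live_mail_connections() {
  lsof -nP -iTCP -sTCP:ESTABLISHED | mail_connections
}

printf '%s\n' "$SAMPLE_LSOF" | mail_connections
```

In the sample, the forgotten `OldClient` process shows three IMAP connections next to Mail's two, which is the kind of extra client the thread is hunting for.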

IT Man200 (Author) Commented:
OK eoinosullivan. Sounds like a great idea with the spotting failed connections.

Next access to laptop might not be until Monday, but will keep you posted. Additional suggestions to try when I get a chance on it next are welcome.

Thanks so far!
strung Commented:
I agree with everything Eoin says (as always).

If your client does not see extra e-mail accounts in his sidebar, the most likely culprit is an extra SMTP account. These are better hidden. You have to go to Mail > Preferences > Accounts (not to Mail > Accounts), then click on an account. Then in the right hand window, click on the SMTP server and choose "Edit SMTP Server List". Delete any unknown or unused SMTP servers.

Another alternative is to go to Mail and drag down the Window menu to "Connection Doctor". Check the "Log Activities" checkbox, then hit the "Check Again" box, then "Show Logs". From the logs you should be able to tell which connection is being rejected. (Do this at an internet cafe rather than at home so that blocked IPs do not muddy the water.)
IT Man200 (Author) Commented:
We've kind of got this working. Basically the provider is rubbish and blocks anything very easily. Even when we changed the password, we got blocked as some devices were still trying to log in with the old password. So it leads you to think something is wrong when really the server is being over-sensitive and blocking the user.

Will wait a day or two and see, but we recommended user change provider.
IT Man200 (Author) Commented:
Thanks for all the great input on this. In the end, we moved provider and all worked well. We can only conclude that the host had a very sensitive blocking system or some other issue that caused the email to be blocked so easily.

Since on the new server, there have been no problems whatsoever so far (A few weeks in).

Many thanks for input