Standard User trolleybus
(fountain of knowledge) Thu 20-Feb-25 11:27:01
Mail Alert Received from router
 
Would appreciate it if someone could explain what this error message is all about. Where xx is shown is my WAN address.

2025/02/20 10:58:22 -- [DOS][Block][unassigned_numbers][14.187.104.0->xx.xx.xx.xx][143][HLen=20, TLen=149]

The message arrives almost every minute and could easily fill my inbox by the end of the day!
Standard User Pheasant
(eat-sleep-adslguide) Thu 20-Feb-25 11:36:27
Re: Mail Alert Received from router

[re: trolleybus]
 
What router is it?
Standard User trolleybus
(fountain of knowledge) Thu 20-Feb-25 11:44:41
Re: Mail Alert Received from router

[re: Pheasant]
 
Draytek Vigor2865

The Firewall rules for DOS Defence are all ticked.



Standard User trolleybus
(fountain of knowledge) Thu 20-Feb-25 11:52:22
Re: Mail Alert Received from router

[re: trolleybus]
 
Very sorry, wrong info supplied in my earlier message. It is:

Model Name: Vigor2860Vac
System Up Time: 327:11:25
Router Name: xxxx
Current Time: Thu Feb 20 2025 11:48:30
Firmware Version: 3.9.8.2_BT
Build Date/Time: Sep 13 2024 19:37:52
DSL Version: 576D17_A/B/C HW: A
LAN MAC Address: 00-xxxxxxxxx-68

Sensitive information replaced with xxxxx
Standard User Pheasant
(eat-sleep-adslguide) Thu 20-Feb-25 11:56:26
Re: Mail Alert Received from router

[re: trolleybus]
 
Then looks like the firewall is detecting what it thinks is a DOS (denial of service) exploit from what looks to be a host in Vietnam. If I’m reading the log correctly the incoming packets to port 143 (email IMAP port) are being blocked by the firewall.

Can you disable the logging notifications from the router sent to your email?
Standard User Pheasant
(eat-sleep-adslguide) Thu 20-Feb-25 12:08:56
Re: Mail Alert Received from router

[re: trolleybus]
 
The router is doing its job…

https://www.draytek.co.uk/support/guides/kb-denial-o...

As said, you may want to switch off the syslog function that sends you these alerts to your email. You can continue to monitor the syslog entries directly on the router, without having your inbox fill up.

https://www.draytek.co.uk/support/guides/kb-vigor-sy...
Standard User PCJM40
(experienced) Thu 20-Feb-25 12:31:29
Re: Mail Alert Received from router

[re: Pheasant]
 
In reply to a post by Pheasant:
looks to be a host in Vietnam.
I've never seen a useable IP address ending in .0 so could it be incoming DOS from more than one address in that range??
Standard User trolleybus
(fountain of knowledge) Thu 20-Feb-25 12:36:14
Re: Mail Alert Received from router

[re: Pheasant]
 
Notifications can indeed be turned off at the loss of any other useful information. The firewall DOS defence has the ability to block IP addresses. That seems a better solution and I will try that solution first.

But the black list has a limit of 16 entries now populated with these IP addresses:

Doing this seems to have slowed down the number of reports received. Maybe country blocking would be better.
Standard User prlzx
(experienced) Thu 20-Feb-25 12:43:20
Re: Mail Alert Received from router

[re: PCJM40]
 
There's nothing inherently invalid in a public IP ending in .0; for example, any kind of /32 or /31 PPP connection (including PPPoE customers of an ISP) can be allocated that.

Technically the loopback interface of a router can also be allocated a /32 but that's unlikely to be acting as an IMAP client.

However if it were a regular routed network range the smallest subnet that could contain a host address of 14.187.104.0
would be 14.187.96.0/20 (since for smaller subnets this would otherwise be the reserved network address).



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Thu 20-Feb-25 12:46:42)
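
An added example, not part of any post in the thread: it parses the alert line quoted in the first post and checks the subnet arithmetic in the reply above, by finding the longest-prefix subnet in which an address is neither the network nor the broadcast address. The field names are this example's own labels, not DrayTek's, and the search starts at /30, so the /31 and /32 point-to-point cases are deliberately left out.

```python
import ipaddress
import re

# Alert line as quoted in the thread; the poster redacted the WAN address.
ALERT = ("2025/02/20 10:58:22 -- [DOS][Block][unassigned_numbers]"
         "[14.187.104.0->xx.xx.xx.xx][143][HLen=20, TLen=149]")

# Group names are labels chosen for this example (assumption), not vendor names.
ALERT_RE = re.compile(
    r"^(?P<time>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) -- "
    r"\[DOS\]\[(?P<action>\w+)\]\[(?P<rule>\w+)\]"
    r"\[(?P<src>[\d.]+)->(?P<dst>[^\]]+)\]"
    r"\[(?P<number>\d+)\]"          # read as port 143 in the thread
    r"\[HLen=(?P<hlen>\d+), TLen=(?P<tlen>\d+)\]$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    try:
        fields["src"] = ipaddress.IPv4Address(fields["src"])
    except ipaddress.AddressValueError:
        return None                  # e.g. an octet above 255
    for key in ("number", "hlen", "tlen"):
        fields[key] = int(fields[key])
    return fields

def smallest_subnet_as_host(addr):
    """Longest-prefix conventional subnet in which addr is a usable host,
    i.e. neither the network address nor the broadcast address."""
    addr = ipaddress.IPv4Address(addr)
    for prefix in range(30, -1, -1):
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if addr not in (net.network_address, net.broadcast_address):
            return net
    return None                      # 0.0.0.0 and 255.255.255.255

if __name__ == "__main__":
    alert = parse_alert(ALERT)
    print(alert["src"], "->", smallest_subnet_as_host(alert["src"]))
```
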

Standard User PCJM40
(experienced) Thu 20-Feb-25 13:04:21
Re: Mail Alert Received from router

[re: prlzx]
 
Thanks for explaining :)