[SOLVED] Strange connections from unknown source

I have a couple of accounts which have a connection to an IP address assigned to Google.

sander@domain1.nl 1 imap (3910) (34.73.79.137)
sander@domain2.eu 1 imap (4891) (35.237.234.196)

When I run ‘sudo doveadm who’, I see these two connections remaining when all the mail clients are disconnected.

I changed the passwords for the accounts and reset the mail server; after entering the account in my mail software (Apple Mail, Spark for Apple (alternative)), these two connections popped up (within 2 seconds).

Are these push notifications from Apple? Or do I have to look somewhere else?

By the way, I’m the only user for whom this occurs, even after changing all the passwords.
Regards,

Sander
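A defender-side check for the ‘doveadm who’ output quoted above, added here as an example and not code from the thread or from Dovecot: it parses the table (username, connection count, protocol, (pids), (client IPs)) and reports every client IP that falls outside a list of networks the mailbox owner expects to log in from. The sample output is constructed from the lines quoted in the post; the alice entry, the 192.0.2.0/24 network and the EXPECTED_NETWORKS allowlist are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Sample `doveadm who` output, constructed from the lines quoted in the post above
# (the alice line is made up). Columns: username, count, proto, (pids), (ips).
SAMPLE_DOVEADM_WHO = """\
username                 # proto (pids) (ips)
sander@domain1.nl        1 imap (3910) (34.73.79.137)
sander@domain2.eu        1 imap (4891) (35.237.234.196)
alice@domain1.nl         2 imap (4102 4103) (192.0.2.10 192.0.2.10)
"""

# Hypothetical list of networks the mailbox owners are expected to connect from
# (home/office ranges). Any client address outside these is reported.
EXPECTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+\(([^)]*)\)\s+\(([^)]*)\)\s*$")

def parse_doveadm_who(text):
    """Parse `doveadm who` table output into one dict per user line; skips the header."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header line, blank line or anything not in table format
            continue
        user, count, proto, pids, ips = m.groups()
        sessions.append({
            "user": user,
            "count": int(count),
            "proto": proto,
            "pids": [int(p) for p in pids.split()],
            "ips": [ipaddress.ip_address(ip) for ip in ips.split()],
        })
    return sessions

def unexpected_sessions(sessions, expected_networks):
    """Return {user: [ip, ...]} for every client IP outside the expected networks."""
    findings = defaultdict(list)
    for s in sessions:
        for ip in s["ips"]:
            if not any(ip in net for net in expected_networks):
                findings[s["user"]].append(str(ip))
    return dict(findings)

if __name__ == "__main__":
    report = unexpected_sessions(parse_doveadm_who(SAMPLE_DOVEADM_WHO), EXPECTED_NETWORKS)
    for user, ips in report.items():
        print(f"{user}: session(s) from unexpected address(es): {', '.join(ips)}")
```

On a live server, pipe the real output in instead of the sample (`sudo doveadm who | python3 check.py`) after changing the script to read stdin.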

Probably someone trying to brute-force their way in. Is there any indication of incorrect passwords being input?

Also, some apps (in order to use push notifications) will periodically have a remote server check for email; maybe that’s what this is?

That’s the only option I could verify, but I’m using Apple products, so I would expect a connection from some Apple domain if it were push notifications.

But I can’t configure it.

Certainly no brute-force attacks. It’s just 2 open connections from my 4 mailboxes to strange IP addresses. After changing passwords and even force-restarting the server, the connections reappear when I start email for the first time.

But I don’t see push notifications, so sending an email with the mail app closed doesn’t give any result.

Not always. The push notifications on iOS will always come from Apple, but where did Apple get the notification? From the email app’s developer. The developer’s server will check your inbox for new email, then tell Apple to send a push notification when required. I could almost guarantee that is the issue you are seeing.

It could be a logical explanation, but I don’t understand why only my accounts are involved. There are only a few users not using Apple stuff, and most of them don’t know how to configure it, so all the configurations are almost the same.

Can you PM what email app you use? I can test it with you further but might need more sensitive details.

Hello Murgero,

I think I found it. I used the email client “Spark”.

After enabling a login with this application, a strange connection from a Google-hosted server comes in. The account details seem to be shared through “Accounts” on my Mac.

I explicitly reset the Spark settings; within a couple of minutes, the connections disappeared.

I removed Spark from my computer after this incident.

Thanks for the support.

The most important part for me was to find out if my Mac was compromised by some strange thing. But no proof yet :)

By the way, I ran an strace on the strange processes and it was only monitoring for changes to the inbox data.

Case closed.


Just an observation here. It sounds very much like Spark works in a similar manner to Acompli, which was bought by Microsoft and rebranded as the Outlook Mobile app.

Although you set it up in a way similar to any other email client, the app doesn’t communicate directly with your email servers; rather, it sends traffic to servers run by the app maker, which act as a MITM and pass the message on to your mail servers. (I remember scratching my head when looking at the SMTP headers on mail sent using the app.)

More information on Outlook Mobile can be found here.

I think I might have a play with Spark and confirm what they do.

I assume that’s the situation, but I run my private mail server to prevent storage of data on strange servers. So, for me, the investigation stopped and I stopped using Spark ;)

Problem solved
