In which I discuss Fastmail, rate limits, iOS' Mail.app and the looming possibility of being pwnd...

This is a somewhat more technical post than you'll often see here. If the title didn't clue you in to that, let this be your final warning: Here There Be Dragons!

What Happened:

Wednesday night, I attempted to log in to my Fastmail-hosted domain mail account, but was greeted with this message: '451 Already reached per-hour limit for logins by "me@mydomain.com" of 1000, try again later.'

After a few other attempts, I checked my iPhone's Mail.app, which reported "bad username or password". [I'd like to take this opportunity to thank Cupertino for that really helpful error message.] I checked Fastmail's documentation and found that they do, indeed, block access after > 1000 IMAP connections in an hour, and that they generally attribute such behavior to an IMAP client gone haywire.

I only use webmail and iOS 7's stock Mail.app, and I was aware of issues they'd had with OS X's Mail.app, so I fired off a support request. I asked if there were similar known issues with Apple's mobile mail client.

We use Fastmail's family email level, so Kristina and I both have accounts, and there's an admin-level account for administering everything. I was able to log in to that account and use it to disable logins to the problem account, change the password to both the problem account and the admin account. I'd just changed both passwords a few days before, after getting the email from Fastmail support saying their servers were patched and certs were up to date after the Heartbleed vulnerability had been made public. I use LastPass to generate complex, unique passwords.

I killed all the apps on my phone, shutdown for about 10 minutes, then restarted. Within a few minutes, I was again able to log in to both the web client and Mail.app on my phone.

About 10 hours after logging the support request, I received a response from Fastmail, which included two IP addresses from which my client was accessed. Whois told me that one of those IPs is in Durham, NC. An nslookup told me that it's not owned by my ISP. Since I live in Bentonville, AR, that set off a lot of internal alarms. I relayed this information to Fastmail, and reiterated my question about whether the iOS Mail.app has similar issues to the one they experienced around the OS X client. The case got bumped to "developers/admins", who again responded relatively quickly. Fastmail isn't aware of any problems with iOS 7's mail client, it seems.

What I Think About It All:

I have to consider the possibility that my account was compromised somehow, but I don't know how that could have come about. My password is strong and unique; it would take a lot of computing power to brute-force it. I changed my account passwords shortly after Fastmail patched their servers/certs post-Heartbleed, so that particular vulnerability can't have leaked my new credentials. I just don't get much spam (maybe 1 or 2 a month), and I haven't viewed any of that, so I'm ruling out phishing and social engineering. I haven't logged in to a public wireless network since the post-Heartbleed password update, either, and my home wireless network is reasonably secure, so straightforward packet capture also seems unlikely.

Given all that, I'd think account compromise unlikely...but for the other IP address. A full third of the IMAP sessions were from an IP address in another state, owned by a different ISP. That means two-thirds were right here at home, and can have been originating nowhere else but from iOS' Mail.app on my 5S. My iPhone has been remarkably unstable in the few weeks I've owned it, crashing often, requiring daily restarts; it wouldn't surprise me in the slightest to find that Mail.app was buggy.

I've had relatively timely contact with Fastmail support, and they've so far been graciously helpful, even though this doesn't appear to be an issue with their service. I'm continuing to try to break this down so I can figure out better what further actions I need to take. The more I think about it, the more likely it seems that Mail.app is the culprit, but it bothers me badly that I still don't know for sure what happened.