I can tell you with absolute certainty that the emails are sent without looking at the log entries. Moreover, I'm an engineer (Mechanical Engineer by field of study, Software Engineer by profession). I don't make assumptions, I look at the code :)
Speaking of code, please open wp-content/plugins/admintoolswp/app/plugins/waf/util/exceptionshandler.php around line 167. As you can see the email is part of the security exceptions logging process. The email is sent based on the information sent into the logBreaches() method which as you can trace yourself is only called when a security exception is triggered for the current request.
The fact that you are on a private network does not necessarily mean that nothing else on your internal network is compromised and trying to brute force the login. Moreover, it's possible that you have some other automation going on which might be trying to perform a login. In fact, you can see in wp-content/plugins/admintoolswp/app/plugins/waf/admintools/main.php, method registerFeatures(), that we are merely telling WordPress to register our onUserLoginFailure method to the wp_login_failed handler. If your site is built in a way that triggers WordPress' wp_login_failed continuously then yes, you will get thousands of emails.
For what it's worth, we didn't change anything regarding tracking failed logins as security exceptions in the past 11 months and that was simply removing the ability to log the failed login's password. The implementation of that feature dates back to 2017.
I don't see any other change which could be relevant to your issue either. Maybe if I had the Target URL of the exception I could help you better.
Regarding some other points I asked you about.
Setting the limits in each email template is necessary but not enough to set email limits. You have to go to Configure WAF, Logging and Reporting and set Enable security exception email throttling to Yes. Do note that if you have dozens of malicious requests hitting your site at the same time the limit might be exceeded.
Regarding IP blocking, I was not asking you about your server configuration. I was asking you about your Admin Tools configuration. This is in the Configure WAF page under Auto-ban. If it's enabled as you say and the offending IP is the same it should be blocked. But hold your thought on that because I found more clues.
The very fact that your security exceptions log doesn't list the security exceptions you are being emailed about shoots down your suspicion about the log being parsed to send out emails – even if you don't look at the code like I did.
Moreover, your log states that the IP address that causes the security exception (at least the one you screenshotted for me) is 17.58.101.202. This IP address belongs to Apple. Namely, it's part of AppleBot. It is normally used by things like Siri and Spotlight Suggestions. This could be a clue as to what is going on. Furthermore, if it's AppleBot hitting your server it would explain why it doesn't get blocked; it uses a lot of different IP addresses. Each request comes from a different IP address, therefore a single IP address wouldn't be blocked as it would individually not trigger enough exceptions.
I can't tell you WHY AppleBot is hitting your server, I cannot tell you why that comes through to your internal network and I cannot tell you why WordPress believes that there is a failed login when this happens. I can only tell you that based on the one email you shared with me it's AppleBot hitting your site that triggers the security exceptions.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
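
The point in the reply above about a crawler spreading its requests over many addresses can be checked against an exported exceptions list. This is an added example, not part of the original reply and not Admin Tools code; the record layout, the threshold value and the sample addresses (documentation ranges) are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed sample records (time, source IP, reason); not real Admin Tools output.
SAMPLE_LOG = [
    ("10:00:01", "192.0.2.11", "Login failure"),
    ("10:00:02", "192.0.2.27", "Login failure"),
    ("10:00:03", "198.51.100.7", "Login failure"),
    ("10:00:04", "192.0.2.43", "Login failure"),
    ("10:00:05", "198.51.100.7", "Login failure"),
    ("10:00:06", "192.0.2.58", "Login failure"),
    ("10:00:07", "203.0.113.9", "Login failure"),
    ("10:00:08", "198.51.100.7", "Login failure"),
    ("10:00:09", "192.0.2.102", "Login failure"),
]

BAN_THRESHOLD = 3  # assumed: exceptions from one IP before a per-IP auto-ban fires


def network_of(ip, prefix=24):
    """Return the enclosing network of an address as a string, e.g. '192.0.2.0/24'."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def triage(records, threshold=BAN_THRESHOLD, prefix=24):
    """Split sources into IPs a per-IP rule would ban and networks it would miss.

    Returns (banned_ips, distributed): 'distributed' maps a network to its total
    exception count when the network reaches the threshold but no single address
    inside it does, which is the pattern described for a multi-address crawler.
    """
    per_ip = Counter(ip for _, ip, _ in records)
    per_net = Counter(network_of(ip, prefix) for _, ip, _ in records)
    banned_ips = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    distributed = {}
    for net, total in per_net.items():
        worst = max(n for ip, n in per_ip.items() if network_of(ip, prefix) == net)
        if total >= threshold and worst < threshold:
            distributed[net] = total
    return banned_ips, distributed


if __name__ == "__main__":
    banned, distributed = triage(SAMPLE_LOG)
    print("per-IP rule would ban:", banned)
    print("reaches threshold only as a network:", distributed)
```

A network that shows up only in the second result is a candidate for checking ownership (as was done for the AppleBot address above) before deciding whether to allow or block the whole range.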