The Community Forums

Domain has exceeded the max emails per hour

Discussion in 'E-mail Discussion' started by Maning, May 24, 2018.

  1. Maning

    Maning Member

    Joined:
    Jun 29, 2017
    Messages:
    12
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Bulgaria
    cPanel Access Level:
    Root Administrator
    Hello,
    I am experiencing a problem with a specific email address. It sends mass spam mails; CSF notified me:
    Code:
    Time:  Tue May 22 07:32:25 2018 +0300
    Type:  LOCALHOSTRELAY, IPv6 localhost - ::1
    Count: 355 emails relayed
    Blocked: No
    
    Sample of the first 10 emails:
    
    - Removed -

    In the mail delivery reports I saw differences between mail sent by the spammer and mail sent by the user:

    User mail:
    Code:
    Authentication:    dovecot_login
    Delivery User:    -remote-
    Router:    dkim_lookuphost
    Transport:    dkim_remote_smtp
    Spam mail:
    Code:
    Authentication:    dovecot_login
    Delivery User:    -system-
    Router:    enforce_mail_permissions
    Transport:    fail (because domain has exceeded the max emails per hour)
    I am wondering:
    Is this a normal login (the spammer has the email password), or is something else going wrong?
    Why is the delivery user on spam mails -system-?
    Why is the router on spam mail enforce_mail_permissions? (Because the domain exceeded the max emails per hour?)
     
    #1 Maning, May 24, 2018
    Last edited by a moderator: May 24, 2018
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,838
    Likes Received:
    275
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Maning

    With this amount of information I would lean towards a PHP script sending the mail, but with some more information we can find out for sure. Please run the following via SSH and reply with the output:

    Code:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
    Code:
    grep -oP "(?<=A=dovecot_(login|plain):)\S+|(?<= U=)\S+" /var/log/exim_mainlog | sort | uniq -c|awk '{print $2,$1}'|sort -k2n|column -t
    Thanks!
     
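    The two pipelines above, reimplemented as an added Python example (not cPanel's code and not from this thread) over a constructed exim_mainlog excerpt. It goes one step further than the shell commands by also splitting each sender by Exim protocol (P=local versus P=esmtpa/esmtpsa), which separates "a script on disk is calling sendmail" from "a mailbox password is being used over authenticated SMTP".

```python
import re
from collections import Counter

# Constructed exim_mainlog excerpt (not from the thread's server); names follow the thread.
SAMPLE_LOG = """\
2018-05-22 07:32:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fKxYz-0001aB-3C
2018-05-22 07:32:25 cwd=/home/user15/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2018-05-22 07:32:25 1fKxYz-0001aB-3C <= bounce@domain15.com U=user15 P=local S=1234
2018-05-22 07:32:26 cwd=/home/user15/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2018-05-22 07:32:26 1fKxYz-0001aC-4D <= bounce@domain15.com U=user15 P=local S=1234
2018-05-22 07:32:27 1fKxYz-0001aD-5E <= info@domain15.com H=localhost [::1]:51234 P=esmtpa A=dovecot_login:info@domain15.com S=2345
2018-05-22 07:32:28 cwd=/home/user14/public_html 3 args: /usr/sbin/sendmail -t -i
2018-05-22 07:32:28 1fKxYz-0001aE-6F <= noreply@domain14.com U=user14 P=local S=999
2018-05-22 07:32:29 1fKxYz-0001aF-7G <= elen@domain10.com H=(client) [203.0.113.5]:4455 P=esmtpsa A=dovecot_plain:elen@domain10.com S=3210
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")                        # working dir of the process that invoked exim/sendmail
AUTH_RE = re.compile(r"A=dovecot_(?:login|plain):(\S+)")   # SMTP-authenticated mailbox
LOCAL_RE = re.compile(r" U=(\S+)")                         # local system user that submitted the message
PROTO_RE = re.compile(r" P=(\S+)")                         # local, esmtpa, esmtpsa, ...

def count_cwd(log_text):
    """Same as the first pipeline: directories mail originated from, minus Exim's own spool."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m and not m.group(1).startswith("/var/spool"):
            counts[m.group(1)] += 1
    return counts

def count_senders(log_text):
    """Same as the second pipeline: messages per authenticated mailbox or local user."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line) or LOCAL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def sender_protocols(log_text):
    """Extra breakdown: (sender, protocol) pairs. Many P=local entries from one user point at a
    script under that account's home; P=esmtpa/esmtpsa entries mean a mailbox password is in use."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line) or LOCAL_RE.search(line)
        p = PROTO_RE.search(line)
        if m and p:
            counts[(m.group(1), p.group(1))] += 1
    return counts

if __name__ == "__main__":
    print(count_cwd(SAMPLE_LOG).most_common(), sender_protocols(SAMPLE_LOG).most_common())
```

    Point the functions at the real file (e.g. `open("/var/log/exim_mainlog").read()`) to get the same tables the grep pipelines produce, plus the per-protocol split.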
  3. Maning

    Maning Member

    Code:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
    Code:
          1 /home/user1/public_html/mail
          1 /home/user2/public_html
          1 /home/user3/public_html/test
          1 /home/user4/public_html/site
          1 /home/user5/public_html
          1 /home/user6/public_html/en
          1 /home/user7/public_html
          1 /home/user8/public_html
          2 /home/user9/public_html
          2 /home/user10/public_html/wp-admin
          7 /home/user11
         15 /root
         25 /home/user12/public_html
        184 /home/user13/public_html
        311 /home/user14/public_html
       2138 /etc/csf
       2265 /
    Code:
    grep -oP "(?<=A=dovecot_(login|plain):)\S+|(?<= U=)\S+" /var/log/exim_mainlog | sort | uniq -c|awk '{print $2,$1}'|sort -k2n|column -t
    Code:
    info@domain15.com              60
    elen@domain10.com              77
    user13                        186
    root                          359
    user16                        397
    user17                        622
    mailnull                      965
    user15                        95251
    user15 owns domain15.
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hi @Maning

    And to confirm the first command I had you run, user15 didn't show up at all?
     
  5. Maning

    Maning Member

    That's right, user15 didn't show up at all in the first command.
     
  6. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    That wasn't quite what I was expecting! I was hoping to see an account or, if it's the user, a path where the mail originated from. The following is something we use internally to identify the origin of spam really quickly. In this case, we know the user15 account is to blame, but not specifically who or what.

    Code:
    perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
    
    Let me know what it reports for "Emails by user" and "Directories mail is originating from" please
     
  7. Maning

    Maning Member

    Nothing unusual in the report.
    But does the command check 5 days back? (exim_mainlog was already renamed from that date.)

     
  8. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hi @Maning

    Yeah, none of these will be really effective if the user15 account is not still sending spam; in fact, it would be almost impossible to determine this without the issue occurring or access to the logs. Can you go ahead and open a ticket so we can take a closer look if the issue is persisting?


    Thanks!
     
  9. Maning

    Maning Member

    According to the ticket:

    Code:
    I was able to find a number of spamd log entries for localhost connections that were considered spam. Some of them were from user15 who owns domain15:
    [00:20:09 hostname root@9656309 /var/log]cPs# grep user15 /root/May24spamassassin
    May 24 08:56:05 hostname spamd[10280]: spamd: setuid to user15 succeeded
    May 24 08:56:05 hostname spamd[10280]: spamd: checking message <3d1181987f3b43986d6bedf46ae2ef2f@pomagri.com.br> for user15:1011
    May 24 08:56:07 hostname spamd[10280]: spamd: identified spam (6.0/5.0) for user15:1011 in 2.3 seconds, 43303 bytes.
    May 24 08:56:07 hostname spamd[10280]: spamd: result: Y 6 - DKIM_SIGNED,DKIM_VALID,HTML_MESSAGE,RDNS_NONE,SPF_FAIL scantime=2.3,size=43303,user=user15,uid=1011,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=46106,mid=<3d1181987f3b43986d6bedf46ae2ef2f@pomagri.com.br>,autolearn=no autolearn_force=no,shortcircuit=no
    May 24 22:13:10 hostname spamd[29702]: spamd: setuid to user15 succeeded
    May 24 22:13:10 hostname spamd[29702]: spamd: checking message <upxuvds81186123.12473752@mail.bestwill.eu> for user15:1011
    May 24 22:13:12 hostname spamd[29702]: spamd: identified spam (15.6/5.0) for user15:1011 in 1.5 seconds, 174004 bytes.
    May 24 22:13:12 hostname spamd[29702]: spamd: result: Y 15 - HTML_IMAGE_ONLY_16,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,KAM_VERY_BLACK_DBL,MAILING_LIST_MULTI,SPF_PASS,URIBL_BLACK,URIBL_DBL_SPAM scantime=1.5,size=174004,user=user15,uid=1011,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=57486,mid=<upxuvds81186123.12473752@mail.bestwill.eu>,autolearn=spam autolearn_force=no,shortcircuit=no
    =-=
    This happened to some other users as well, but there is nothing in the current maillog.
    So I am confused about where the problem is located.
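    Added example (not from the ticket or from cPanel): a Python parser for spamd `result:` lines like those quoted above, rolled up per user so the accounts spamd keeps flagging and the rules they trip are visible at a glance. The log lines are constructed in the same format with placeholder message ids.

```python
import re

# Constructed spamd log lines in the format of the ticket excerpt above (message ids are placeholders).
SAMPLE_SPAMD = """\
May 24 08:56:07 hostname spamd[10280]: spamd: result: Y 6 - DKIM_SIGNED,HTML_MESSAGE,SPF_FAIL scantime=2.3,size=43303,user=user15,uid=1011,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=46106,mid=<c1@example.invalid>,autolearn=no autolearn_force=no,shortcircuit=no
May 24 09:10:00 hostname spamd[10280]: spamd: result: . 1 - HTML_MESSAGE,SPF_PASS scantime=0.8,size=2100,user=user15,uid=1011,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=46110,mid=<c2@example.invalid>,autolearn=no autolearn_force=no,shortcircuit=no
May 24 22:13:12 hostname spamd[29702]: spamd: result: Y 15 - HTML_IMAGE_ONLY_16,URIBL_BLACK,URIBL_DBL_SPAM scantime=1.5,size=174004,user=user15,uid=1011,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=57486,mid=<c3@example.invalid>,autolearn=spam autolearn_force=no,shortcircuit=no
May 24 22:30:41 hostname spamd[29702]: spamd: result: Y 7 - URIBL_BLACK scantime=1.1,size=5000,user=user13,uid=1009,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=57490,mid=<c4@example.invalid>,autolearn=no autolearn_force=no,shortcircuit=no
"""

# "Y" means spamd called the message spam, "." means ham; the integer is the rounded score.
RESULT_RE = re.compile(r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - (?P<tests>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")

def parse_result(line):
    """Return a dict for a spamd 'result:' line, or None for any other line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("rest")))
    return {
        "spam": m.group("verdict") == "Y",
        "score": int(m.group("score")),
        "tests": m.group("tests").split(","),
        "user": kv.get("user"),
        "uid": kv.get("uid"),
        "mid": kv.get("mid"),
        "raddr": kv.get("raddr"),
    }

def spam_by_user(log_text):
    """Per-user roll-up of messages spamd flagged: count, highest score, rules hit."""
    summary = {}
    for line in log_text.splitlines():
        r = parse_result(line)
        if not r or not r["spam"]:
            continue
        s = summary.setdefault(r["user"], {"count": 0, "max_score": 0, "tests": set()})
        s["count"] += 1
        s["max_score"] = max(s["max_score"], r["score"])
        s["tests"].update(r["tests"])
    return summary

if __name__ == "__main__":
    for user, s in sorted(spam_by_user(SAMPLE_SPAMD).items(), key=lambda kv: -kv[1]["count"]):
        print(user, s["count"], s["max_score"], ",".join(sorted(s["tests"])))
```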
     
  10. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hi @Maning


    Can you please reply with the ticket ID? I'd like to take a look at what was investigated in the ticket as well as the notes.


    Thanks!
     