Domain has exceeded the max emails per hour

Hi @4est

Based on what you're providing in the screenshot my assumption is the user is spamming (more than likely unbeknownst to them) and it looks like several of those messages have the same message ID which would indicate they're sending mail with a bunch of CC's. There's not a way by looking at the report to tell which one of the emails triggered the protection but it does appear that the account is deferring or failing more than 88% of the mail they're sending out.

 

Hi @4est

It's difficult to tell from what you're showing where the emailing starts as the screenshot isn't showing the entire screen, it's also only showing one user and this includes protection for the entire domain. You've set the protections to trigger at 8 failed or deferred emails, once that's reached they are banned from sending for an hour until the protection is cleared. What's possible is other failed/deferred messages that user didn't send but were sent from the same domain are assisting with triggering the protection so yes based on what you've shown it is possible other mail isn't being shown.

This is pretty inconsequential in terms of an email compromise - no one needs to be working if their email account has been used for sending spam, furthermore it is possible that there's a script sending which wouldn't have mail originating from any of the email users on the account. This is why identifying the source of the mail is the most important thing

This could also be an issue as a result of the autoresponder issue, if mail continues to be returned as failed or deferred even after you remove the autoresponder - these can sometimes (though not often) be delayed.

Can you show me the output of the following (just remove the domain name from the output):

Code:

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

Thanks!

 

Hi @4est

I see, thank you for the clarification. Though if the account itself is sending mail using a script I don't believe it's going to show up in the mail delivery reports as such

I believe this explains why the mail delivery reports/mail tracker didn't see the emails when you looked for that user. I would look in /home/minus22/ more than likely there's a script or a cron that is sending mail (spam or misbehaving).

Perfect!
Thanks!

 

Hi @4est

The exim_mainlog should have all transactions like this but if you want to see the actual email you might look to see if any are in the queue you can do this through the mail queue manager in WHM or you can do it over CLI.

To print a list of what's in the mail queue:

Code:

exim -bp

To view the headers of a specific message in the mail queue:

Code:

exim -Mvh <messagid>

To view the body of a specific message in the mail queue:

Code:

exim -Mvb <messageid> 

Thanks!

 

Hello @4est

This indicates that the domain has reached the percentage of failed or deferred messages which is set in WHM>>Server Configuration>>Tweak Settings. The 8/8 indicates "Number of failed or deferred messages a domain may send before protections can be triggered" as is indicated in Tweak Settings as well.

As I indicated previously - to resolve this you need to resolve the mail sending issues with the account or modify the protections in place.


Thanks!

 

Hello @4est

Can you run the same command I asked you to run originally?

Code:

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

And let me know what the output is for the account in question?


Thanks!

 

Hi @4est

What do you have the max emails per hour and max deferred/failed email per hour set to for the account?

Furthermore you can see all sent messages from the account in the logs by running something like:

Code:

exigrep '<= .*domain.tld' /var/log/exim_mainlog

 

Hi @4est

My assumption is that 20% of the messages that domain sent in one hour were failures as it doesn't appear they hit the 250/hr mark. There needed to be at least 8 but if they only sent 40 emails that'd be enough to cause them to be failed.

 

HI @4est

If it does happen again please let us know - it might be best ultimately to open a ticket so that we can have access to the logs as well.

Thanks!