Domain has exceeded the max emails per hour

[4est]

Hello

I have a user that keeps getting Domain - Removed - has exceeded the max defers and failures per hour (8/8 (88%)) allowed. Message discarded

I am looking at sent summary, but I can't find the source of the problems:





So from 9.36 onward I do not see any mail that caused it to his the deferals limit at 9.39

Do incoming emails count too?
I ran

grep -oP "(?<=A=dovecot_(login|plain):)\S+|(?<= U=)\S+" /var/log/exim_mainlog | sort | uniq -c|awk '{print $2,$1}'|sort -k2n|column -t  | grep minus

and I do see the main user with a lot of emails: 988


I'm not sure what does this mean, and why can't I see them in the summary logs

Thanks

here is a screenshot with only failures.
All because of max deferals and failures
But I can see no other email that caused the failures in the first place

 

[cPanelLauren]

Hi @4est

Based on what you're providing in the screenshot my assumption is the user is spamming (more than likely unbeknownst to them) and it looks like several of those messages have the same message ID which would indicate they're sending mail with a bunch of CC's. There's not a way by looking at the report to tell which one of the emails triggered the protection but it does appear that the account is deferring or failing more than 88% of the mail they're sending out.

 

[4est]

yes, but usually there are a few emails that failed to be delivered (for whatever reason) that trigger the protection

but in this case there were no emails sent from the day before until the morning, and even so, the first mail was refused because of max deferals

so my question: are there other mails being sent that do not appear on this log?
Because the protection is /h, so since no email was sent, there should have been no protection active when first email was sent

my customer's company are all on vacation, there is only one man working (the one who was unable to send).
there were some problems with the workers who did set up autoresponders that triggered the protection (since the autoresponder replied to spam emails also), but we disabled the autoresponse on the existing email accounts

 

[cPanelLauren]

Hi @4est

so my question: are there other mails being sent that do not appear on this log?

It's difficult to tell from what you're showing where the emailing starts as the screenshot isn't showing the entire screen, it's also only showing one user and this includes protection for the entire domain. You've set the protections to trigger at 8 failed or deferred emails, once that's reached they are banned from sending for an hour until the protection is cleared. What's possible is other failed/deferred messages that user didn't send but were sent from the same domain are assisting with triggering the protection so yes based on what you've shown it is possible other mail isn't being shown.

my customer's company are all on vacation, there is only one man working (the one who was unable to send).

This is pretty inconsequential in terms of an email compromise - no one needs to be working if their email account has been used for sending spam, furthermore it is possible that there's a script sending which wouldn't have mail originating from any of the email users on the account. This is why identifying the source of the mail is the most important thing

There were some problems with the workers who did set up autoresponders that triggered the protection (since the autoresponder replied to spam emails also), but we disabled the autoresponse on the existing email accounts

This could also be an issue as a result of the autoresponder issue, if mail continues to be returned as failed or deferred even after you remove the autoresponder - these can sometimes (though not often) be delayed.

Can you show me the output of the following (just remove the domain name from the output):

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

Thanks!

 

[4est]

I was filtering by the main domain user, not by email. But there was just one email sending as only one person was working.


Emails by user:

632 : mailnull
520 : root
436 : gpsro
281 : minus22
181 : editstr
61 : cabinetu
48 : marmura
............

Directories mail is originating from:
280 : /home/minus22
.........

But email account sending out emails ( I did grep minus):
69 : [email protected]
5 : [email protected]
3 : [email protected]
2 : [email protected]
2 : [email protected]
2 : [email protected]
1 : [email protected]
(I did cut the domain name so crawlers won't pick them up for spam)

Weird that 280 emails are originating from their home, but I can't pinpoint the address

 

[cPanelLauren]

Hi @4est

I was filtering by the main domain user, not by email. But there was just one email sending as only one person was working.

I see, thank you for the clarification. Though if the account itself is sending mail using a script I don't believe it's going to show up in the mail delivery reports as such

Directories mail is originating from:
280 : /home/minus22

I believe this explains why the mail delivery reports/mail tracker didn't see the emails when you looked for that user. I would look in /home/minus22/ more than likely there's a script or a cron that is sending mail (spam or misbehaving).

(I did cut the domain name so crawlers won't pick them up for spam)

Perfect!
Thanks!

 

[4est]

where should I look to see at least the email sent by the script? (if not the process/file itself)

 

[cPanelLauren]

Hi @4est

The exim_mainlog should have all transactions like this but if you want to see the actual email you might look to see if any are in the queue you can do this through the mail queue manager in WHM or you can do it over CLI.

To print a list of what's in the mail queue:

exim -bp

To view the headers of a specific message in the mail queue:

exim -Mvh <messagid>

To view the body of a specific message in the mail queue:

exim -Mvb <messageid>

Thanks!

 

[4est]

Hello

I am back with the same issue, the same customer. The problem never went away, but this time let's try to identify the cause



Here is a grep minus22 exim_mainlog
There are really very few emails sent this morning, none with any problems. However, at 8:55 we get Domain - Removed - has exceeded the max defers and failures per hour (8/8 (72%)) allowed. Message discarded.

Where are the other 8/8 failed emails?


- Removed -

 

[cPanelLauren]

Hello @4est

This indicates that the domain has reached the percentage of failed or deferred messages which is set in WHM>>Server Configuration>>Tweak Settings. The 8/8 indicates "Number of failed or deferred messages a domain may send before protections can be triggered" as is indicated in Tweak Settings as well.

As I indicated previously - to resolve this you need to resolve the mail sending issues with the account or modify the protections in place.


Thanks!

 

[4est]

what should I do, I found no emails sent in the logs....

 

[cPanelLauren]

Hello @4est

Can you run the same command I asked you to run originally?

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

And let me know what the output is for the account in question?


Thanks!

 

[4est]

I replaced other accounts with "****"
Emails by user:
266 : root
256 : ********
228 : mailnull
100 : *******
16 : ******
12 : *******
7 : *******
4 : ******
.......others have just 1
Total: 976

Email accounts sending out mail:
17 : [email protected]
16 : [email protected]
13 : [email protected]
10 : [email protected]
9 : [email protected]
5 : [email protected]
3 : [email protected]
2 : [email protected]
1 : [email protected]
1 : [email protected]
1 : [email protected]

===================
Total: 2092
===================

Directories mail is originating from:
other accounts +
9 : /root
4 : /usr/local/cpanel/cgi-sys

===================
Total: 171
===================

 

[cPanelLauren]

Hi @4est

What do you have the max emails per hour and max deferred/failed email per hour set to for the account?

Furthermore you can see all sent messages from the account in the logs by running something like:

exigrep '<= .*domain.tld' /var/log/exim_mainlog

 

[4est]

250/h
Maximum percentage of failed or deferred messages a domain may send per hour: now 35 (was 20)

 

[cPanelLauren]

Hi @4est

My assumption is that 20% of the messages that domain sent in one hour were failures as it doesn't appear they hit the 250/hr mark. There needed to be at least 8 but if they only sent 40 emails that'd be enough to cause them to be failed.

 

[4est]

I know, but when it happen I found no failures in the logs.
I will check again if/when it happens again

Thanks

 

[cPanelLauren]

HI @4est

If it does happen again please let us know - it might be best ultimately to open a ticket so that we can have access to the logs as well.

Thanks!