Domain has exceeded the max emails per hour

Discussion in 'E-mail Discussion' started by 4est, Jul 18, 2018.

  1. 4est

    4est Member

    Joined:
    Jul 13, 2017
    Messages:
    17
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Brasov, RO
    cPanel Access Level:
    Root Administrator
    Hello

    I have a user that keeps getting Domain - Removed - has exceeded the max defers and failures per hour (8/8 (88%)) allowed. Message discarded

    I am looking at sent summary, but I can't find the source of the problems:


    upload_2018-7-18_10-34-42.png


    So from 9.36 onward I do not see any mail that caused it to hit the deferrals limit at 9.39

    Do incoming emails count too?
    I ran
    Code:
    grep -oP "(?<=A=dovecot_(login|plain):)\S+|(?<= U=)\S+" /var/log/exim_mainlog | sort | uniq -c|awk '{print $2,$1}'|sort -k2n|column -t  | grep minus
    and I do see the main user with a lot of emails: 988


    I'm not sure what this means, and why I can't see them in the summary logs

    Thanks

    here is a screenshot with only failures.
    All because of max deferrals and failures
    But I can see no other email that caused the failures in the first place

    upload_2018-7-18_12-23-6.png
     
    #1 4est, Jul 18, 2018
    Last edited by a moderator: Jul 18, 2018
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,163
    Likes Received:
    224
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @4est

    Based on what you're providing in the screenshot my assumption is the user is spamming (more than likely unbeknownst to them) and it looks like several of those messages have the same message ID which would indicate they're sending mail with a bunch of CC's. There's not a way by looking at the report to tell which one of the emails triggered the protection but it does appear that the account is deferring or failing more than 88% of the mail they're sending out.
     
  3. 4est

    yes, but usually there are a few emails that failed to be delivered (for whatever reason) that trigger the protection

    but in this case there were no emails sent from the day before until the morning, and even so, the first mail was refused because of max deferrals

    so my question: are there other mails being sent that do not appear on this log?
    Because the protection is /h, so since no email was sent, there should have been no protection active when first email was sent

    my customer's company are all on vacation, there is only one man working (the one who was unable to send).
    there were some problems with the workers who did set up autoresponders that triggered the protection (since the autoresponder replied to spam emails also), but we disabled the autoresponse on the existing email accounts
     
  4. cPanelLauren

    Hi @4est

    It's difficult to tell from what you're showing where the emailing starts as the screenshot isn't showing the entire screen, it's also only showing one user and this includes protection for the entire domain. You've set the protections to trigger at 8 failed or deferred emails, once that's reached they are banned from sending for an hour until the protection is cleared. What's possible is other failed/deferred messages that user didn't send but were sent from the same domain are assisting with triggering the protection so yes based on what you've shown it is possible other mail isn't being shown.

    This is pretty inconsequential in terms of an email compromise - no one needs to be working if their email account has been used for sending spam, furthermore it is possible that there's a script sending which wouldn't have mail originating from any of the email users on the account. This is why identifying the source of the mail is the most important thing

    This could also be an issue as a result of the autoresponder issue, if mail continues to be returned as failed or deferred even after you remove the autoresponder - these can sometimes (though not often) be delayed.

    Can you show me the output of the following (just remove the domain name from the output):

    Code:
    perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
    Thanks!
     
  5. 4est

    I was filtering by the main domain user, not by email. But there was just one email sending as only one person was working.
    upload_2018-7-19_10-25-37.png

    Emails by user:

    632 : mailnull
    520 : root
    436 : gpsro
    281 : minus22
    181 : editstr
    61 : cabinetu
    48 : marmura
    ............

    Directories mail is originating from:
    280 : /home/minus22
    .........

    But email account sending out emails ( I did grep minus):
    69 : alin@min......
    5 : office@min....
    3 : gabriel@mi...
    2 : daniel@min.....
    2 : octavian@mi......
    2 : arpad@min....
    1 : ambalare@mi.....
    (I did cut the domain name so crawlers won't pick them up for spam)

    Weird that 280 emails are originating from their home, but I can't pinpoint the address
     
  6. cPanelLauren

    Hi @4est

    I see, thank you for the clarification. Though if the account itself is sending mail using a script I don't believe it's going to show up in the mail delivery reports as such

    I believe this explains why the mail delivery reports/mail tracker didn't see the emails when you looked for that user. I would look in /home/minus22/ more than likely there's a script or a cron that is sending mail (spam or misbehaving).
    Perfect!
    Thanks!
     
  7. 4est

    where should I look to see at least the email sent by the script? (if not the process/file itself)
     
  8. cPanelLauren

    Hi @4est

    The exim_mainlog should have all transactions like this but if you want to see the actual email you might look to see if any are in the queue you can do this through the mail queue manager in WHM or you can do it over CLI.

    To print a list of what's in the mail queue:
    Code:
    exim -bp
    To view the headers of a specific message in the mail queue:
    Code:
    exim -Mvh <messageid>
    To view the body of a specific message in the mail queue:
    Code:
    exim -Mvb <messageid> 
    Thanks!
     
  9. 4est

    Hello

    I am back with the same issue, the same customer. The problem never went away, but this time let's try to identify the cause

    upload_2018-9-13_9-13-6.png

    Here is a grep minus22 exim_mainlog
    There are really very few emails sent this morning, none with any problems. However, at 8:55 we get Domain - Removed - has exceeded the max defers and failures per hour (8/8 (72%)) allowed. Message discarded.

    Where are the other 8/8 failed emails?


    - Removed -
     
    #9 4est, Sep 13, 2018
    Last edited by a moderator: Sep 13, 2018
  10. cPanelLauren

    Hello @4est

    This indicates that the domain has reached the percentage of failed or deferred messages which is set in WHM>>Server Configuration>>Tweak Settings. The 8/8 indicates "Number of failed or deferred messages a domain may send before protections can be triggered" as is indicated in Tweak Settings as well.

    As I indicated previously - to resolve this you need to resolve the mail sending issues with the account or modify the protections in place.


    Thanks!
     
  11. 4est

    what should I do, I found no emails sent in the logs....
     
  12. cPanelLauren

    Hello @4est

    Can you run the same command I asked you to run originally?
    Code:
    perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
    And let me know what the output is for the account in question?


    Thanks!
     
  13. 4est

    I replaced other accounts with "****"
    Emails by user:
    266 : root
    256 : ********
    228 : mailnull
    100 : *******
    16 : ******
    12 : *******
    7 : *******
    4 : ******
    .......others have just 1
    Total: 976

    Email accounts sending out mail:
    17 : office@DOMAINREMOVED.ro
    16 : alin@DOMAINREMOVED.ro
    13 : gabriel@DOMAINREMOVED.ro
    10 : contabilitate@DOMAINREMOVED.ro
    9 : marketing@DOMAINREMOVED.ro
    5 : daniel@DOMAINREMOVED.ro
    3 : cristina@DOMAINREMOVED.ro
    2 : depozit@DOMAINREMOVED.ro
    1 : laurentiu@DOMAINREMOVED.ro
    1 : arpad@DOMAINREMOVED.ro
    1 : ambalare@DOMAINREMOVED.ro

    ===================
    Total: 2092
    ===================

    Directories mail is originating from:
    other accounts +
    9 : /root
    4 : /usr/local/cpanel/cgi-sys

    ===================
    Total: 171
    ===================
     
    #13 4est, Sep 18, 2018
    Last edited by a moderator: Sep 18, 2018
  14. cPanelLauren

    Hi @4est

    What do you have the max emails per hour and max deferred/failed email per hour set to for the account?

    Furthermore you can see all sent messages from the account in the logs by running something like:
    Code:
    exigrep '<= .*domain.tld' /var/log/exim_mainlog
     
  15. 4est

    250/h
    Maximum percentage of failed or deferred messages a domain may send per hour: now 35 (was 20)
     
  16. cPanelLauren

    Hi @4est

    My assumption is that 20% of the messages that domain sent in one hour were failures as it doesn't appear they hit the 250/hr mark. There needed to be at least 8 but if they only sent 40 emails that'd be enough to cause them to be failed.
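
Added example, not part of the original thread and not cPanel's own tooling: the thread turns on how many of a domain's messages deferred or failed within an hour, and on script-sent mail showing up under the system user instead of a mailbox, so this tallies both from exim_mainlog lines. The function names, the `user:` and `unknown` labels, the `pct` figure (share of that hour's delivery attempts that deferred or failed) and the sample log are assumptions for illustration; it does not reproduce cPanel's counting.

```sh
#!/bin/sh
# Added example: hourly tally of Exim defer (==) and failure (**) events per sending identity.
# Assumes the default main-log layout: date, time, message ID, flag (no PID field).
tally_failures() {  # usage: tally_failures MIN_BAD < /var/log/exim_mainlog
    awk -v min="${1:-8}" '
    $3 !~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ { next }   # no message ID (cwd= lines)
    { hour = $1 "T" substr($2, 1, 2) }
    $4 == "<=" {
        who = $5                                  # fallback: envelope sender
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^T=/) break                 # subject is sender-controlled: stop here
            if ($i ~ /^U=/) who = "user:" substr($i, 3)   # local submission (script, cron)
            if ($i ~ /^A=dovecot_(login|plain):/) {       # authenticated mailbox
                who = $i; sub(/^A=[^:]*:/, "", who); break
            }
        }
        owner[$3] = who; seen[hour, who] = 1; acc[hour, who]++
        next
    }
    $4 == "=>" || $4 == "->" || $4 == "==" || $4 == "**" {
        # Retries of queued mail log == in later hours, with no new <= line.
        who = ($3 in owner) ? owner[$3] : "unknown"
        seen[hour, who] = 1
        if ($4 == "==" || $4 == "**") bad[hour, who]++; else ok[hour, who]++
    }
    END {
        for (k in seen) {
            split(k, p, SUBSEP); b = bad[k] + 0; o = ok[k] + 0
            pct = (b + o) ? int(100 * b / (b + o)) : 0
            printf "%s %s accepted=%d delivered=%d defer_fail=%d pct=%d%s\n",
                p[1], p[2], acc[k] + 0, o, b, pct, (b >= min ? " OVER" : "")
        }
    }' | LC_ALL=C sort
}

sample_log() {  # constructed log lines; every name, address and ID here is made up
cat <<'EOF'
2018-09-13 06:50:01 cwd=/home/acct1/public_html 3 args: /usr/sbin/sendmail -t -i
2018-09-13 06:50:01 1g0AAA-0000aa-01 <= acct1@host.example.tld U=acct1 P=local S=900 T="hi A=dovecot_login:ceo@example.tld"
2018-09-13 06:50:02 1g0AAA-0000aa-01 == a@remote.test R=lookuphost T=remote_smtp defer (-44): rate limited
2018-09-13 07:58:10 1g0BBB-0000bb-02 <= alin@example.tld H=(pc) [192.0.2.10]:50000 P=esmtpsa A=dovecot_login:alin@example.tld S=2100 T="Invoice"
2018-09-13 07:58:11 1g0BBB-0000bb-02 => client@remote.test R=lookuphost T=remote_smtp
2018-09-13 08:20:00 1g0AAA-0000aa-01 == a@remote.test R=lookuphost T=remote_smtp defer (-44): rate limited
2018-09-13 08:40:00 1g0AAA-0000aa-01 == a@remote.test R=lookuphost T=remote_smtp defer (-44): rate limited
2018-09-13 08:50:00 1g0ZZZ-0000zz-09 ** b@remote.test R=lookuphost T=remote_smtp: 550 no such user
2018-09-13 08:55:00 1g0AAA-0000aa-01 ** a@remote.test: retry timeout exceeded
EOF
}
sample_log | tally_failures 3
```

Run it against a real log as `tally_failures 8 < /var/log/exim_mainlog`. Rows with `accepted=0` and a non-zero `defer_fail` are retries of mail queued in an earlier hour, and `unknown` rows belong to messages whose `<=` line is not in the log being read (for example after rotation).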
     
  17. 4est

    I know, but when it happened I found no failures in the logs.
    I will check again if/when it happens again

    Thanks
     
  18. cPanelLauren

    Hi @4est

    If it does happen again please let us know - it might be best ultimately to open a ticket so that we can have access to the logs as well.

    Thanks!
     