Domain has exceeded the max emails per hour

Hi @4est

Based on what you're providing in the screenshot my assumption is the user is spamming (more than likely unbeknownst to them) and it looks like several of those messages have the same message ID which would indicate they're sending mail with a bunch of CC's. There's not a way by looking at the report to tell which one of the emails triggered the protection but it does appear that the account is deferring or failing more than 88% of the mail they're sending out.

 

Hi @4est

It's difficult to tell from what you're showing where the emailing starts as the screenshot isn't showing the entire screen, it's also only showing one user and this includes protection for the entire domain. You've set the protections to trigger at 8 failed or deferred emails, once that's reached they are banned from sending for an hour until the protection is cleared. What's possible is other failed/deferred messages that user didn't send but were sent from the same domain are assisting with triggering the protection so yes based on what you've shown it is possible other mail isn't being shown.

This is pretty inconsequential in terms of an email compromise - no one needs to be working if their email account has been used for sending spam, furthermore it is possible that there's a script sending which wouldn't have mail originating from any of the email users on the account. This is why identifying the source of the mail is the most important thing

This could also be an issue as a result of the autoresponder issue, if mail continues to be returned as failed or deferred even after you remove the autoresponder - these can sometimes (though not often) be delayed.

Can you show me the output of the following (just remove the domain name from the output):

Code:

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

Thanks!

 

Hi @4est

I see, thank you for the clarification. Though if the account itself is sending mail using a script I don't believe it's going to show up in the mail delivery reports as such

I believe this explains why the mail delivery reports/mail tracker didn't see the emails when you looked for that user. I would look in /home/minus22/ more than likely there's a script or a cron that is sending mail (spam or misbehaving).

Perfect!
Thanks!

 

Hi @4est

The exim_mainlog should have all transactions like this but if you want to see the actual email you might look to see if any are in the queue you can do this through the mail queue manager in WHM or you can do it over CLI.

To print a list of what's in the mail queue:

Code:

exim -bp

To view the headers of a specific message in the mail queue:

Code:

exim -Mvh <messagid>

To view the body of a specific message in the mail queue:

Code:

exim -Mvb <messageid> 

Thanks!