Mail domain with "Maximum Hourly Email by Domain Relayed" value of 50 000 keeps on getting spammed

[eugenevdm.host]

We are the network and email administrators for an ISP domain. The email domain which is a paid service. It hosts around 3000 mailboxes, is always under attack.

Quite frankly when you have 3000 consumer mailboxes on your system the chances of dictionary attacks and spyware and so on is very large.

In order to "get the mail out" the value for "Maximum Hourly Email by Domain Relayed" has been set to 50 000.

The "Maximum percentage of failed or deferred messages a domain may send per hour" has been set to the smallest value, 1%. For conniving spammers even 500 failures be hour doesn't matter because they use legitimate email addresses.

That typically means by the time the spammer has sent email there could be 1000s of messages in the queue and major repercussions for real time blocklist blocks. We change IPs, but sometimes it takes massive effort to combat the problem.

I've thoroughly read the WHM/cPanel documentation here:

How to Prevent Spam with Mail Limiting Features | cPanel & WHM Documentation

The Mail section of WHM's Tweak Settings interface contains five options that allow you to limit outgoing mail.

docs.cpanel.net

I read it a few times. I don't see how I can limit *individual* accounts. I need something like limiting (BLOCKING) individual accounts after 100 messages per hour. I think with Postfix this technology is called "Anvil", not too sure.

On that documentation it refers to the warning that is sent, and we react on those, but imagine 3AM in the morning when everything runs slightly slower. After 10 minutes we easily end up with 2000+ messages in the queue.

What can I do? I am at wits end here. Please help.

 

[cPRex]

Hey there! The limits you are referring to apply to the entire cPanel account, and not to individual email accounts. I'm not aware of any built-in tools that would offer that level of control, so it may be best to submit a feature request using the link in my signature if you'd like to see that added to a future version of the product.

 

[Handssler Lopez]

Have you already tried configuring that the server every time it detects a possible spammer, it retains the emails sent? for example.

The server detects a possible spammer once it sends 50 or 100 emails per hour to different recipients that immediately retain all the outgoing mail from that account?

** important ** I can't quite remember whether it only holds outgoing mail from the [email protected] account or the entire account. it would be good to do the test maybe @cPRex can confirm us!

===
WHM» Server Configuration» Tweak Settings» Mail

Select the action for the system to take on an email account when it detects a potential spammer. [?]
-> Hold outgoing mail

Number of unique recipients per hour to trigger potential spammer notification. [?]
-> 50 - 100 or more?
===

 

[eugenevdm.host]

@Handssler Lopez

> it retains the emails sent?

No, I have not tried that! I didn't know such a setting existed. I have enabled "holding the email" and reduced the default from 500 to 100.

I wonder what precisely happens when 100 is reached?

@cPRex

> Hey there! The limits you are referring to apply to the entire cPanel account, and not to individual email accounts. I'm not aware of any built-in tools that would offer that level of control, so it may be best to submit a feature request

I appreciate your politeness but sending someone to "submit a feature request" is not a positive experience at all. I'm dealing with something fundamentally broken here and / or lack of scalability in WHM/cPanel. Thank goodness for the user reply which makes me feel like I have half a chance next time this happens.

 

[Handssler Lopez]

@Handssler Lopez

> it retains the emails sent?

No, I have not tried that! I didn't know such a setting existed. I have enabled "holding the email" and reduced the default from 500 to 100.

I wonder what precisely happens when 100 is reached?

When the user reaches the established email limit and is considered a possible spammer, it retains all the outgoing emails from the account, placing them in a queue, so you can enter WHM or cPanel and:

- Eliminate queued emails as they are Spam and change passwords or
- remove the retention and Send them as they are valid emails

I hope I've helped!

 

[eugenevdm.host]

@Handssler Lopez thanks man you've been incredible.

> remove the retention and Send them as they are valid emails

Just curious where to "remove the retention" but will go and look in Mail Queues

 

[Handssler Lopez]

@Handssler Lopez thanks man you've been incredible.

> remove the retention and Send them as they are valid emails

Just curious where to "remove the retention" but will go and look in Mail Queues

Queued mail can be found at
WHM »Email» Mail Queue Manager

You can also access through
Cpanel »Email accounts» [email protected]

Click on the "Manage" button in "Restrictions" you will see the option "HOLD" marked or selected and the number of emails or queued recipients (I can't remember correctly) and from there you can send queued emails among other options

 

[eugenevdm.host]

Excuse my total ignorance but this "holding" of email is as clear as mud.

> Queued mail can be found at
> WHM »Email» Mail Queue Manager

This I use every second day, but the only Statuses I've ever seen there is:

- Queued
- Frozen

However, after having implemented the Tweak setting to hold after 100 messages, I have queued messages, and then when I try to send them there is a very clear indication that they are being held. For example:

LOG: MAIN
  cwd=/usr/local/cpanel/whostmgr/docroot 4 args: /usr/sbin/exim -v -M 1l7DD3-000361-Oh
delivering 1l7DD3-000361-Oh
LOG: MAIN
  Sender identification U=domain D=domain.co.za [email protected]
LOG: MAIN
  == [email protected] R=enforce_mail_permissions defer (-1): "Sender [email protected] has an outgoing mail hold.  Message will be reattempted later"
LOG: MAIN PANIC
  Failed to get write lock for /var/spool/exim/db/retry.lockfile: timed out

As far as I know, the only possible action on individual "stuck" items in the queue is to select them, and then pressed "Deliver Selected" or "Delete Selected".

Moving on to the cPanel interface and to the user's mailbox.

There is very clear that message that the message configuration is "Hold". I can even Delete them.



But the question remains, how do I "unhold" them? What am I missing??

 

[eugenevdm.host]

Well after tearing my hair out to find a user interface function to "unhold" someone's email address that has been "held", I googled and found that there is none

You have to manually remove the user using root on the command from a file called `/etc/outgoing_mail_hold_users` and then restart Exim.

Reference: Email Suspensions - Manage?

I'm going to file that in the category of `sad`, and no, I won't be submitting a feature request.