Spammers are bypassing the max emails per hour setting

hostultra · Apr 29, 2010

The max email per hour setting in tweak settings does not work properly.

It seems its counting the number of email messages, not the number of recipients.
Thus spammers are sending one email with hundreds of BCC's.

Here is one entry from the mail queue

Code:

1O7Huj-000Dxa-2i-H
mailnull 26 6
<[email protected]>
1272502057 0
-helo_name braswell.fu8.com
-host_address 127.0.0.1.49479
-host_name localhost
-host_auth fixed_login
-interface_address 127.0.0.1.25
-received_protocol esmtpa
-body_linecount 78
-max_received_linelength 74
-auth_id [email][email protected][/email]
YY [email][email protected][/email]
YY [email][email protected][/email]
*SNIP* continues for 500 addresses
500
[email][email protected][/email]
[email][email protected][/email]
*SNIP* continues for 500 addresses


217P Received: from localhost ([127.0.0.1] helo=braswell.fu8.com)
	by server4.hostultra.com with esmtpa (Exim 4.71 (FreeBSD))
	(envelope-from <[email protected]>)
	id 1O7Huj-000Dxa-2i; Thu, 29 Apr 2010 00:47:37 +0000
194P Received: from 172.191.235.239 ([172.191.235.239])
        (SquirrelMail authenticated user [email][email protected][/email])
        by braswell.fu8.com with HTTP;
        Thu, 29 Apr 2010 00:47:37 -0000
073I Message-ID: <[email protected]>
038  Date: Thu, 29 Apr 2010 00:47:37 -0000
022  Subject: Job Position
050F From: "Jack V. Braswell" <[email protected]>
033R Reply-To: [email][email protected][/email]
032  User-Agent: SquirrelMail/1.4.20
018  MIME-Version: 1.0
044  Content-Type: text/plain;charset=iso-8859-1
032  Content-Transfer-Encoding: 8bit
023  X-Priority: 3 (Normal)
019  Importance: Normal

In the users file in /var/cpanel/maxemailstracker
1.29.3.110=38

Would indicate the user sent 38 messages, but actually he sent thousands, apparently using BCC's in squirrelmail.

Also. why is squirrel sending via SMTP now.
It was much easier when it used sendmail and i could replace the sendmail binary with one that does additional checks.

cPanelDon · Apr 29, 2010

hostultra said:
The max email per hour setting in tweak settings does not work properly.

It seems its counting the number of email messages, not the number of recipients.
Thus spammers are sending one email with hundreds of BCC's.

Here is one entry from the mail queue

Code:

1O7Huj-000Dxa-2i-H mailnull 26 6 <[email protected]> 1272502057 0 -helo_name braswell.fu8.com -host_address 127.0.0.1.49479 -host_name localhost -host_auth fixed_login -interface_address 127.0.0.1.25 -received_protocol esmtpa -body_linecount 78 -max_received_linelength 74 -auth_id [email][email protected][/email] YY [email][email protected][/email] YY [email][email protected][/email] *SNIP* continues for 500 addresses 500 [email][email protected][/email] [email][email protected][/email] *SNIP* continues for 500 addresses 217P Received: from localhost ([127.0.0.1] helo=braswell.fu8.com) by server4.hostultra.com with esmtpa (Exim 4.71 (FreeBSD)) (envelope-from <[email protected]>) id 1O7Huj-000Dxa-2i; Thu, 29 Apr 2010 00:47:37 +0000 194P Received: from 172.191.235.239 ([172.191.235.239]) (SquirrelMail authenticated user [email][email protected][/email]) by braswell.fu8.com with HTTP; Thu, 29 Apr 2010 00:47:37 -0000 073I Message-ID: <[email protected]> 038 Date: Thu, 29 Apr 2010 00:47:37 -0000 022 Subject: Job Position 050F From: "Jack V. Braswell" <[email protected]> 033R Reply-To: [email][email protected][/email] 032 User-Agent: SquirrelMail/1.4.20 018 MIME-Version: 1.0 044 Content-Type: text/plain;charset=iso-8859-1 032 Content-Transfer-Encoding: 8bit 023 X-Priority: 3 (Normal) 019 Importance: Normal

In the users file in /var/cpanel/maxemailstracker
1.29.3.110=38

Would indicate the user sent 38 messages, but actually he sent thousands, apparently using BCC's in squirrelmail.

Also. why is squirrel sending via SMTP now.
It was much easier when it used sendmail and i could replace the sendmail binary with one that does additional checks.

Please be aware that suspected bugs should be reported via our ticket system to ensure proper attention, investigation, and progress tracking; please see the link in the upper-right-corner of forums, labeled Bugs. Thank you for your understanding.

Spiral · Apr 30, 2010

hostultra said:
It seems its counting the number of email messages, not the number of recipients.
Thus spammers are sending one email with hundreds of BCC's.

There is separate options for this explicitly under "Tweak Settings" as well a few additional recipient limiting you items can do in Exim as well so these are a few areas you may want to go take a closer look.

Incidentally, a properly configured server it would be very difficult if not close to impossible for a spammer to send out any effective spam while still allowing your legitimate user scripts and programs go untouched.

(And yes I setup and deal with those configurations every single day .... )

hostultra · May 1, 2010

Theres nothing else in tweak settings or exim config relating to sending rate limiting.

If you mean custom rules in the advanced editor I know I can do that.
My point is that cpanel already supposedly this feature without resorting to custom modifications, but it doesn't work properly.

Thread starter	Similar threads	Forum	Replies	Date
E	Under attack by spammers - need more than only limits returned in Exim Mail Queue on forwarder only messages	Email	1	Dec 3, 2019
	Spammers send emails from our Server with nonexistent email accounts	Email	1	Aug 10, 2015
B	Preventing Boxtrapper backscatter - one weird little trick that spammers HATE!	Email	3	Feb 17, 2015
D	Spammers Hijacking Email Accounts	Email	32	Feb 22, 2014
D	SpamHaus RBL --- as bad as the spammers?	Email	3	May 17, 2012

Search

Search

Spammers are bypassing the max emails per hour setting

hostultra

Well-Known Member

cPanelDon

cPanel Quality Assurance Analyst

Spiral

BANNED

hostultra

Well-Known Member