Spammers are bypassing the max emails per hour setting

hostultra

Well-Known Member
The max email per hour setting in tweak settings does not work properly.

It seems it's counting the number of email messages, not the number of recipients.
Thus spammers are sending one email with hundreds of BCCs.

Here is one entry from the mail queue

Code:
1O7Huj-000Dxa-2i-H
mailnull 26 6
<[email protected]>
1272502057 0
-helo_name braswell.fu8.com
-host_address 127.0.0.1.49479
-host_name localhost
-host_auth fixed_login
-interface_address 127.0.0.1.25
-received_protocol esmtpa
-body_linecount 78
-max_received_linelength 74
-auth_id [email protected]
YY [email protected]
YY [email protected]
*SNIP* continues for 500 addresses
500
[email protected]
[email protected]
*SNIP* continues for 500 addresses


217P Received: from localhost ([127.0.0.1] helo=braswell.fu8.com)
	by server4.hostultra.com with esmtpa (Exim 4.71 (FreeBSD))
	(envelope-from <[email protected]>)
	id 1O7Huj-000Dxa-2i; Thu, 29 Apr 2010 00:47:37 +0000
194P Received: from 172.191.235.239 ([172.191.235.239])
        (SquirrelMail authenticated user [email protected])
        by braswell.fu8.com with HTTP;
        Thu, 29 Apr 2010 00:47:37 -0000
073I Message-ID: <[email protected]>
038  Date: Thu, 29 Apr 2010 00:47:37 -0000
022  Subject: Job Position
050F From: "Jack V. Braswell" <[email protected]>
033R Reply-To: [email protected]
032  User-Agent: SquirrelMail/1.4.20
018  MIME-Version: 1.0
044  Content-Type: text/plain;charset=iso-8859-1
032  Content-Transfer-Encoding: 8bit
023  X-Priority: 3 (Normal)
019  Importance: Normal
In the users file in /var/cpanel/maxemailstracker
1.29.3.110=38

This would indicate the user sent 38 messages, but actually he sent thousands, apparently using BCCs in SquirrelMail.

Also, why is Squirrel sending via SMTP now?
It was much easier when it used sendmail and I could replace the sendmail binary with one that does additional checks.
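The gap described in the post above, as an added example that is not part of the original post and is not cPanel's or Exim's code: it reads Exim `-H` spool files in the layout of the queue entry shown and tallies envelope recipients per `-auth_id` alongside the message count. The function names, the `example.com`/`example.net` addresses and the limit of 100 are hypothetical, and the parser assumes spool files without multi-line `-acl` options.

```python
import re
from collections import defaultdict

TREE = re.compile(r"^(XX|[YN][YN] \S+)$")  # non-recipient tree lines ("XX" = empty)

def make_sample(msg_id, auth_id, n_rcpts):
    """Constructed -H file in the layout of the queue entry shown above."""
    head = [f"{msg_id}-H", "mailnull 26 6", f"<{auth_id}>", "1272502057 0",
            "-host_auth fixed_login", "-received_protocol esmtpa",
            f"-auth_id {auth_id}", "XX", str(n_rcpts)]
    rcpts = [f"rcpt{k}@example.net" for k in range(n_rcpts)]
    return "\n".join(head + rcpts + ["", "022  Subject: Job Position", ""])

def parse_spool_header(text):
    """Return (auth_id, recipients) from one Exim -H spool file."""
    lines = text.splitlines()
    auth_id, i = None, 4        # skip id, user/uid/gid, sender, timestamp
    while i < len(lines) and lines[i].startswith("-"):
        if lines[i].startswith("-auth_id "):
            auth_id = lines[i].split(" ", 1)[1]
        i += 1
    while i < len(lines) and TREE.match(lines[i]):
        i += 1                  # addresses in the tree are not counted here
    count = int(lines[i])       # declared number of envelope recipients
    rcpts = lines[i + 1 : i + 1 + count]
    if len(rcpts) != count or "" in rcpts:
        raise ValueError("recipient list shorter than declared count")
    return auth_id, rcpts

def hourly_usage(spool_texts):
    """Per authenticated sender: messages seen vs. envelope recipients."""
    usage = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for text in spool_texts:
        auth_id, rcpts = parse_spool_header(text)
        usage[auth_id]["messages"] += 1
        usage[auth_id]["recipients"] += len(rcpts)
    return dict(usage)

def over_limit(usage, limit, by="recipients"):
    """Senders whose chosen counter exceeds the hourly limit."""
    return sorted(u for u, c in usage.items() if c[by] > limit)

if __name__ == "__main__":
    # Constructed queue: 38 messages with 500 recipients each, plus one normal mail.
    queue = [make_sample(f"m{k}", "bulk@example.com", 500) for k in range(38)]
    queue.append(make_sample("n1", "user@example.com", 1))
    usage = hourly_usage(queue)
    print("by messages:  ", over_limit(usage, 100, by="messages"))
    print("by recipients:", over_limit(usage, 100, by="recipients"))
```

Counting by message leaves the bulk sender under a limit of 100, while counting by recipient flags it.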
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Please be aware that suspected bugs should be reported via our ticket system to ensure proper attention, investigation, and progress tracking; please see the link in the upper-right corner of the forums, labeled Bugs. Thank you for your understanding.
 

Spiral

BANNED
> It seems it's counting the number of email messages, not the number of recipients.
> Thus spammers are sending one email with hundreds of BCCs.

There are separate options for this explicitly under "Tweak Settings", as well as a few additional recipient-limiting items you can do in Exim, so these are a few areas you may want to take a closer look at.

Incidentally, on a properly configured server it would be very difficult, if not close to impossible, for a spammer to send out any effective spam while still allowing your legitimate user scripts and programs to go untouched.

(And yes, I set up and deal with those configurations every single day ....)
 

hostultra

Well-Known Member
There's nothing else in Tweak Settings or the Exim config relating to sending rate limiting.

If you mean custom rules in the advanced editor, I know I can do that.
My point is that cPanel already supposedly has this feature without resorting to custom modifications, but it doesn't work properly.