
Domain has exceeded the max emails per hour

Comments

17 comments

  • cPanelLauren
    Hi @4est Based on what you're providing in the screenshot my assumption is the user is spamming (more than likely unbeknownst to them) and it looks like several of those messages have the same message ID which would indicate they're sending mail with a bunch of CC's. There's not a way by looking at the report to tell which one of the emails triggered the protection but it does appear that the account is deferring or failing more than 88% of the mail they're sending out.
    0
  • 4est
    Yes, but usually there are a few emails that failed to be delivered (for whatever reason) that trigger the protection. But in this case there were no emails sent from the day before until the morning, and even so, the first mail was refused because of max deferrals. So my question: are there other mails being sent that do not appear on this log? Because the protection is /h, so since no email was sent, there should have been no protection active when the first email was sent. My customer's company are all on vacation; there is only one man working (the one who was unable to send). There were some problems with the workers who did set up autoresponders that triggered the protection (since the autoresponder replied to spam emails also), but we disabled the autoresponse on the existing email accounts.
    0
  • cPanelLauren
    Hi @4est
    so my question: are there other mails being sent that do not appear on this log?

    It's difficult to tell from what you're showing where the emailing starts as the screenshot isn't showing the entire screen, it's also only showing one user and this includes protection for the entire domain. You've set the protections to trigger at 8 failed or deferred emails, once that's reached they are banned from sending for an hour until the protection is cleared. What's possible is other failed/deferred messages that user didn't send but were sent from the same domain are assisting with triggering the protection so yes based on what you've shown it is possible other mail isn't being shown.
    my customer's company are all on vacation, there is only one man working (the one who was unable to send).

    This is pretty inconsequential in terms of an email compromise - no one needs to be working if their email account has been used for sending spam, furthermore it is possible that there's a script sending which wouldn't have mail originating from any of the email users on the account. This is why identifying the source of the mail is the most important thing
    There were some problems with the workers who did set up autoresponders that triggered the protection (since the autoresponder replied to spam emails also), but we disabled the autoresponse on the existing email accounts

    This could also be an issue as a result of the autoresponder issue, if mail continues to be returned as failed or deferred even after you remove the autoresponder - these can sometimes (though not often) be delayed. Can you show me the output of the following (just remove the domain name from the output): perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
    Thanks!
    0
  • 4est
    I was filtering by the main domain user, not by email. But there was just one email sending as only one person was working.

    53385 Emails by user:
    632 : mailnull
    520 : root
    436 : gpsro
    281 : minus22
    181 : editstr
    61 : cabinetu
    48 : marmura
    ............

    Directories mail is originating from:
    280 : /home/minus22
    .........

    But email account sending out emails (I did grep minus):
    69 : alin@min......
    5 : office@min....
    3 : gabriel@mi...
    2 : daniel@min.....
    2 : octavian@mi......
    2 : arpad@min....
    1 : ambalare@mi.....
    (I did cut the domain name so crawlers won't pick them up for spam)

    Weird that 280 emails are originating from their home, but I can't pinpoint the address.
    0
  • cPanelLauren
    Hi @4est
    I was filtering by the main domain user, not by email. But there was just one email sending as only one person was working.

    I see, thank you for the clarification. Though if the account itself is sending mail using a script I don't believe it's going to show up in the mail delivery reports as such
    Directories mail is originating from: 280 : /home/minus22

    I believe this explains why the mail delivery reports/mail tracker didn't see the emails when you looked for that user. I would look in /home/minus22/ more than likely there's a script or a cron that is sending mail (spam or misbehaving).
    (I did cut the domain name so crawlers won't pick them up for spam)

    Perfect! Thanks!
    0
  • 4est
    where should I look to see at least the email sent by the script? (if not the process/file itself)
    0
  • cPanelLauren
    Hi @4est The exim_mainlog should have all transactions like this, but if you want to see the actual email you might look to see if any are in the queue. You can do this through the mail queue manager in WHM or you can do it over CLI. To print a list of what's in the mail queue (each entry shows the message ID): exim -bp
    To view the headers of a specific message in the mail queue: exim -Mvh <message-id>
    To view the body of a specific message in the mail queue: exim -Mvb <message-id>
    Thanks!
    0
  • 4est
    Hello I am back with the same issue, the same customer. The problem never went away, but this time let's try to identify the cause Here is a grep minus22 exim_mainlog There are really very few emails sent this morning, none with any problems. However, at 8:55 we get Domain - Removed - has exceeded the max defers and failures per hour (8/8 (72%)) allowed. Message discarded. Where are the other 8/8 failed emails? - Removed -
    0
  • cPanelLauren
    Hello @4est This indicates that the domain has reached the percentage of failed or deferred messages which is set in WHM>>Server Configuration>>Tweak Settings. The 8/8 indicates "Number of failed or deferred messages a domain may send before protections can be triggered" as is indicated in Tweak Settings as well. As I indicated previously - to resolve this you need to resolve the mail sending issues with the account or modify the protections in place. Thanks!
    0
  • 4est
    what should I do, I found no emails sent in the logs....
    0
  • cPanelLauren
    Hello @4est Can you run the same command I asked you to run originally? perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
    And let me know what the output is for the account in question? Thanks!
    0
  • 4est
    I replaced other accounts with "****"

    Emails by user:
    266 : root
    256 : ********
    228 : mailnull
    100 : *******
    16 : ******
    12 : *******
    7 : *******
    4 : ******
    .......others have just 1
    Total: 976

    Email accounts sending out mail:
    17 : office@DOMAINREMOVED.ro
    16 : alin@DOMAINREMOVED.ro
    13 : gabriel@DOMAINREMOVED.ro
    10 : contabilitate@DOMAINREMOVED.ro
    9 : marketing@DOMAINREMOVED.ro
    5 : daniel@DOMAINREMOVED.ro
    3 : cristina@DOMAINREMOVED.ro
    2 : depozit@DOMAINREMOVED.ro
    1 : laurentiu@DOMAINREMOVED.ro
    1 : arpad@DOMAINREMOVED.ro
    1 : ambalare@DOMAINREMOVED.ro
    ===================
    Total: 2092
    ===================

    Directories mail is originating from:
    other accounts +
    9 : /root
    4 : /usr/local/cpanel/cgi-sys
    ===================
    Total: 171
    ===================
    0
  • cPanelLauren
    Hi @4est What do you have the max emails per hour and max deferred/failed email per hour set to for the account? Furthermore you can see all sent messages from the account in the logs by running something like: exigrep '<= .*domain.tld' /var/log/exim_mainlog
    0
  • 4est
    250/h Maximum percentage of failed or deferred messages a domain may send per hour: now 35 (was 20)
    0
  • cPanelLauren
    Hi @4est My assumption is that 20% of the messages that domain sent in one hour were failures as it doesn't appear they hit the 250/hr mark. There needed to be at least 8 but if they only sent 40 emails that'd be enough to cause them to be failed.
    0
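The thread explains the protection two ways: a count of failed or deferred messages per domain per hour (8 here) and a percentage of that domain's sends in the same hour (20%, later 35%), and it traces script-originated mail through the "Directories mail is originating from" report. The script below is an added example, not cPanel's code and not the SSE tool from the thread: it replays constructed exim_mainlog lines, pairs Exim's `cwd=` log line with the following local `<=` submission to count origin directories, and flags a domain the first time both thresholds are met inside a one-hour window. The exact field layout of the sample lines, the `**` (failed) and `==` (deferred) flags, and the simplified "count AND percentage" trigger rule are assumptions drawn from the thread and Exim's main log format, not from cPanel documentation.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Values named in the thread's WHM >> Tweak Settings discussion.
MAX_DEFER_FAIL = 8   # failed/deferred messages a domain may send per hour before protection
MAX_PERCENT = 20     # maximum percentage of a domain's hourly sends that may fail/defer

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
MSG_RE = re.compile(r"^(\S{6}-\S{6}-\S{2}) (<=|=>|\*\*|==) (\S+)")
CWD_RE = re.compile(r"^cwd=(\S+) \d+ args: ")   # assumed shape of the cwd line Exim logs before <=


def build_sample_log():
    """Constructed exim_mainlog excerpt (not taken from the thread): example.test submits
    11 messages from a script in /home/minus22, then 8 of them bounce; other.test sends one
    authenticated message that is only deferred, which stays under the count threshold."""
    lines = []
    for i in range(11):
        ts = f"2019-08-01 08:{10 + i:02d}:00"
        mid = f"1hsAAA-00{i:02d}aa-01"
        lines.append(f"{ts} cwd=/home/minus22 3 args: /usr/sbin/sendmail -t -i")
        lines.append(f'{ts} {mid} <= alin@example.test U=minus22 P=local S=1120 '
                     f'T="Offer" for rcpt{i}@example.net')
    for i in range(11):
        ts = f"2019-08-01 08:{30 + i:02d}:00"
        mid = f"1hsAAA-00{i:02d}aa-01"
        if i < 8:   # ** = delivery failed
            lines.append(f"{ts} {mid} ** rcpt{i}@example.net R=lookuphost T=remote_smtp: "
                         f"SMTP error from remote mail server after RCPT TO: 550 no such user")
        else:       # => = delivered
            lines.append(f"{ts} {mid} => rcpt{i}@example.net R=lookuphost T=remote_smtp "
                         f"H=mx.example.net [203.0.113.7]")
    lines.append("2019-08-01 08:50:00 1hsBBB-0001bb-01 <= office@other.test H=(pc) [198.51.100.9] "
                 "P=esmtpa A=dovecot_login:office@other.test S=900 for x@example.org")
    lines.append("2019-08-01 08:50:01 1hsBBB-0001bb-01 == x@example.org R=lookuphost "
                 "T=remote_smtp defer (-53): retry time not reached")
    return "\n".join(lines)


def replay(log_text, max_count=MAX_DEFER_FAIL, max_percent=MAX_PERCENT, window=timedelta(hours=1)):
    """Walk the log in order and return which domains tripped the (assumed) protection rule
    and which directories their locally submitted mail came from."""
    domain_of = {}                   # Exim message id -> sender domain (learned from the <= line)
    events = defaultdict(list)       # domain -> [(timestamp, "sent" | "fail" | "defer")]
    origins = defaultdict(Counter)   # domain -> Counter of cwd for P=local submissions
    triggered = {}                   # domain -> (stamp, failed_or_deferred, sent, percent)
    pending_cwd = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp, body = m.groups()
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        cwd = CWD_RE.match(body)
        if cwd:
            pending_cwd = cwd.group(1)   # remember it for the <= line that follows
            continue
        mm = MSG_RE.match(body)
        if not mm:
            continue
        msgid, flag, addr = mm.groups()
        if flag == "<=":
            if "@" not in addr:          # "<>" null sender (bounce): no domain to protect
                pending_cwd = None
                continue
            domain = addr.rsplit("@", 1)[1].lower()
            domain_of[msgid] = domain
            events[domain].append((ts, "sent"))
            if " P=local" in body and pending_cwd:
                origins[domain][pending_cwd] += 1
            pending_cwd = None
        elif flag in ("**", "=="):
            domain = domain_of.get(msgid)
            if domain is None:
                continue
            events[domain].append((ts, "fail" if flag == "**" else "defer"))
            recent = [kind for t, kind in events[domain] if ts - t <= window]
            sent = recent.count("sent")
            bad = len(recent) - sent
            percent = int(bad * 100 / sent) if sent else 0
            if domain not in triggered and bad >= max_count and percent >= max_percent:
                triggered[domain] = (stamp, bad, sent, percent)
    return {"triggered": triggered, "origins": {d: dict(c) for d, c in origins.items()}}


if __name__ == "__main__":
    result = replay(build_sample_log())
    for domain, (stamp, bad, sent, pct) in result["triggered"].items():
        print(f"{stamp} {domain} exceeded max defers/failures ({bad}/{MAX_DEFER_FAIL} ({pct}%))")
    for domain, dirs in result["origins"].items():
        print(domain, "local submissions by directory:", dirs)
```

Run against a real /var/log/exim_mainlog the tripping domain shows up with the same "8/8 (72%)" shape the thread quotes, and the `origins` map is the per-domain version of the SSE "Directories mail is originating from" count, which is where to start looking for a cron job or script under that home directory; the one-hour window is why a clean morning can still be blocked by failures from the previous hour.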
  • 4est
    I know, but when it happened I found no failures in the logs. I will check again if/when it happens again. Thanks
    0
  • cPanelLauren
    Hi @4est If it does happen again please let us know - it might be best ultimately to open a ticket so that we can have access to the logs as well. Thanks!
    0
