Notify admin and user if user exceeds the email limit

OK, this should be a stupid question but... is there a way to set up option 1 but let it try the notification email (for example spam detected, mail does not exist, etc.) a maximum of 3 times and then remove those emails from the queue? And another to automatically remove the frozen ones?

Because putting a limit will just let it send response emails for, for example, 1000 tries and stop the 1001st, that should be a real user who will not be notified of a wrong email address, and that would not be good, I suppose...

Btw, regarding the email I posted, I've created another alias as well, so now the sequence is like this:
[email protected] --> [email protected]
[email protected] --> [email protected]

Let's see how much damage it will do... ([email protected] exists)

Thanks and regards
 
Is there no way to differentiate between spoofed senders and bounces? Although I think option 2 would be the better option, it's still a strange idea to have your number of bounces limited, they should always be delivered I would suppose.

But maybe best to be 100% sure it's really just the bounces that account for these unknown counts first? We'll update exim.pl over here as well, maybe we'll get some other interesting information out of it.
 
OK, still having unknown (noticed because 1000 emails were sent and the limit was touched..)

Here is a piece of unknown.bytes:

Code:
12500=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=174.143.153.161&log_time=1300798768&path=/etc
7061=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=88.32.40.93&log_time=1300798802&path=/etc
7047=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=88.32.40.93&log_time=1300798802&path=/etc
73624=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=195.149.138.30&log_time=1300798876&path=/etc
11660=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=192.107.51.3&log_time=1300798894&path=/etc
1996=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=62.48.54.80&log_time=1300798996&path=/etc
1865=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=208.180.143.11&log_time=1300799069&path=/etc
2335=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=208.181.181.112&log_time=1300799293&path=/etc
1262=type=email&email=&method=outgoing&id=1Q1cVy-0006dC-M8&authenticated_id=&sender_host_address=&log_time=1300799386&path=/etc
6054=type=email&email=&method=outgoing&id=1Q1RDq-000088-Ae&authenticated_id=&sender_host_address=&log_time=1300799387&path=/etc
6125=type=email&email=&method=outgoing&id=1Q1ih6-0004y4-Om&authenticated_id=&sender_host_address=&log_time=1300799394&path=/etc
7790=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300799397&path=/etc
9019=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300799397&path=/etc
10088=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300799398&path=/etc
9551=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300799541&path=/etc
4716=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=216.194.67.119&log_time=1300799697&path=/etc
3478=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300799942&path=/etc
18412=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=213.215.223.64&log_time=1300800029&path=/etc
12832=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300800067&path=/etc
2845=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=74.53.54.66&log_time=1300800177&path=/etc
3652=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300800281&path=/etc
6125=type=email&email=&method=outgoing&id=1Q1ih6-0004y4-Om&authenticated_id=&sender_host_address=&log_time=1300800286&path=/etc
1262=type=email&email=&method=outgoing&id=1Q1cVy-0006dC-M8&authenticated_id=&sender_host_address=&log_time=1300800287&path=/etc
6054=type=email&email=&method=outgoing&id=1Q1RDq-000088-Ae&authenticated_id=&sender_host_address=&log_time=1300800300&path=/etc
4414=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=88.41.60.75&log_time=1300800632&path=/etc
1838=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=203.126.216.22&log_time=1300800690&path=/etc
2779=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=216.194.67.119&log_time=1300800733&path=/etc
1838=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=203.126.216.22&log_time=1300800806&path=/etc
1513=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=207.145.109.66&log_time=1300800956&path=/etc
3137=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300801068&path=/etc
1262=type=email&email=&method=outgoing&id=1Q1cVy-0006dC-M8&authenticated_id=&sender_host_address=&log_time=1300801186&path=/etc
2559=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300801192&path=/etc
6054=type=email&email=&method=outgoing&id=1Q1RDq-000088-Ae&authenticated_id=&sender_host_address=&log_time=1300801195&path=/etc
6125=type=email&email=&method=outgoing&id=1Q1ih6-0004y4-Om&authenticated_id=&sender_host_address=&log_time=1300801196&path=/etc
4082=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300801212&path=/etc
2602=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=72.16.198.70&log_time=1300801221&path=/etc
1838=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=203.126.216.22&log_time=1300801324&path=/etc
1391=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=212.249.50.133&log_time=1300801690&path=/etc
3288=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300801743&path=/etc
83954=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=151.1.140.156&log_time=1300801820&path=/etc
5880=type=email&[email protected]&method=outgoing&id=1Q21yS-0004AH-AV&authenticated_id=&sender_host_address=&log_time=1300801821&path=
6884=type=email&email=&method=outgoing&id=1Q21yY-0004Ak-2z&authenticated_id=&sender_host_address=&log_time=1300801822&path=
5252=type=email&[email protected]&method=outgoing&id=1Q21z8-0004CX-H3&authenticated_id=&sender_host_address=&log_time=1300801869&path=
5740=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300801970&path=/etc
62632=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=62.149.210.233&log_time=1300801982&path=/etc
1537=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=210.54.239.21&log_time=1300802065&path=/etc
1262=type=email&email=&method=outgoing&id=1Q1cVy-0006dC-M8&authenticated_id=&sender_host_address=&log_time=1300802086&path=/etc
6054=type=email&email=&method=outgoing&id=1Q1RDq-000088-Ae&authenticated_id=&sender_host_address=&log_time=1300802093&path=/etc
17472=type=email&email=&method=outgoing&id=1Q222w-0004QE-Df&authenticated_id=&sender_host_address=&log_time=1300802094&path=/etc
6125=type=email&email=&method=outgoing&id=1Q1ih6-0004y4-Om&authenticated_id=&sender_host_address=&log_time=1300802097&path=/etc
6884=type=email&email=&method=outgoing&id=1Q21yY-0004Ak-2z&authenticated_id=&sender_host_address=&log_time=1300802098&path=/etc
15275=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300802249&path=/etc
479448=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=85.18.244.21&log_time=1300802252&path=/etc
4448=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=94.32.66.129&log_time=1300802305&path=/etc

What should I do to help you and give more information?

Regards
 
Same here, most of the log files are like this:

Code:
108126=type=email&email=&method=outgoing&id=1Q1325-0003TT-EI&authenticated_id=&sender_host_address=&log_time=1300743192&path=/etc/virtual/usage

All the authenticated_id & sender_host_address fields are empty. If I look up the IDs in the exim log, sometimes I don't find anything, sometimes I get these kinds of 110 errors:

Code:
2011-03-22 04:03:05 1Q1325-0003TT-EI mx106.remotedomain.info [216.221.170.83] Connection timed out
2011-03-22 04:03:05 1Q1325-0003TT-EI == *******@remotedomain.info R=lookuphost T=remote_smtp defer (110): Connection timed out

or 111 errors like these:

Code:
2011-03-22 02:53:38 1Q1NdV-0007v9-Gf *****.remotedomain.co.uk [62.128.157.76] Connection refused
2011-03-22 02:53:38 1Q1NdV-0007v9-Gf == apache@*****.**.remotedomain.co.uk R=lookuphost T=remote_smtp defer (111): Connection refused

Also a lot of them are "Mail delivery failed" messages:

Code:
2011-03-21 13:37:54 1Q1eMs-0001bU-En <= <> R=1Q0COj-0007TI-5o U=mail P=local S=108136 T="Mail delivery failed: returning message to sender" from <> for ********@remotedomain.it

If you need me to dig some more, these are just a couple of random samples I took from the unknown.bytes file.
 
Hello,

We're fairly sure they're bounces of some sort. Basically, messages generated by exim due to failure to deliver.. usually while sending to an external host via a local forwarder. In any case, as mentioned previously, we have 2 options:

1) Set the exim.pl to ignore the unknown case, which allows for all bounces to be sent without a limit.

2) Leave it as is if you don't want to be backscattering all over, since exim would block an excessive number of bounces once the limit is hit.


You can control this with the limit files, eg:
Solution 1:
Code:
echo 0 > /etc/virtual/limit_unknown
Solution 2:
leave it as is, or if you want a different limit for bounces, set the number, eg
Code:
echo 1000 > /etc/virtual/limit_unknown
John
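Added example, not part of the thread and not DirectAdmin's own exim.pl code: a small Python summary of unknown.bytes entries in the layout quoted above, grouping them by exim message id or by sender_host_address and showing ids that were logged more than once. It assumes the number before the first "=" is the message size in bytes; the sample lines, IP addresses and message ids are constructed.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in the unknown.bytes layout quoted in this thread
# (documentation-range IPs and made-up message ids, not real log data).
SAMPLE = """\
12500=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=192.0.2.10&log_time=1300798768&path=/etc
7061=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=192.0.2.10&log_time=1300798802&path=/etc
1262=type=email&email=&method=outgoing&id=1AAAAA-000001-AA&authenticated_id=&sender_host_address=&log_time=1300799386&path=/etc
1262=type=email&email=&method=outgoing&id=1AAAAA-000001-AA&authenticated_id=&sender_host_address=&log_time=1300800287&path=/etc
6054=type=email&email=&method=outgoing&id=1BBBBB-000002-BB&authenticated_id=&sender_host_address=&log_time=1300799387&path=/etc
1838=type=email&email=&method=outgoing&id=&authenticated_id=&sender_host_address=198.51.100.7&log_time=1300800690&path=/etc
"""


def parse_line(line):
    """Split '<size>=<key=value&...>' into (size, fields).
    Assumption: the leading number is the message size in bytes."""
    size, _, query = line.partition("=")
    pairs = parse_qs(query, keep_blank_values=True)
    return int(size), {k: v[0] for k, v in pairs.items()}


def summarize(text):
    """Group entries by which identifying field is filled in."""
    by_id, by_host = Counter(), Counter()
    entries = total_bytes = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            size, fields = parse_line(line)
        except ValueError:
            continue  # leading field is not a number: skip the line
        entries += 1
        total_bytes += size
        if fields.get("id"):
            by_id[fields["id"]] += 1
        elif fields.get("sender_host_address"):
            by_host[fields["sender_host_address"]] += 1
    return {
        "entries": entries,
        "bytes": total_bytes,
        "distinct_ids": len(by_id),
        "repeated_ids": {i: n for i, n in by_id.items() if n > 1},
        "by_host": dict(by_host),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Pass the contents of a real unknown.bytes file to summarize() to see how many entries are repeats of the same queued message id and which remote hosts account for the rest.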
 
As I see it,
1) Spammer sends emails from [email protected] to non-existing accounts on my server ([email protected]).
2) Exim sends it back with "Can not deliver your message".
3) Over time, antispam software at @microsoft.com began to mark all messages from myserver.com as spam (now myserver.com is in the blacklist).

I think there are 2 ways.
1) Set the global option or set options for every account
Ignore: The email is dropped and completely ignored (not recommended)
in CMD_EMAIL_CATCH_ALL?domain=...
2) Scan all emails for non-existent accounts with SpamAssassin to verify the remote server and sender; if the email is spam - drop it... If not - notify the sender with "Mail delivery fail."

How do I set up way 1 or 2?
 
Hello,

Close, but not exactly. If the account doesn't exist on your server, exim will deny the message at smtp time, it won't be accepted in the first place. The bounce only happens if you have a forwarder on your server, which is set up to deliver to an external box.. and the external box blocks the forwarded message from exim. That's when exim decides it must generate the bounce email.

To block all bounces from leaving your server, try this:
http://help.directadmin.com/item.php?id=357

I recommend leaving the catch-all to "fail" and not "blackhole". The fail denies the message at smtp time, and is never accepted (for non-existent accounts).

Again, the message will not be accepted in the first place if the account/forwarder doesn't exist. The issue is only for when a message arrives to a forwarder that does exist (exim accepts the message), and then that forwarder value is set to an external address which refuses the message. Exim is now left with the message that can't be forwarded to the external box, but has already accepted the message, so must generate a bounce.


Using SpamAssassin to delete the spam is recommended in all cases.
It's simple with the "delete high scoring spam" option, which still lets you accept low scoring spam, in case it's a false positive. We set the "delete high scoring spam" option to about 7, and set the actual spam threshold to 5.

In any case, the issue at hand has less to do with spam (although spam may generate it).. it's an issue with your own forwarders being set to locations that refuse the messages. If you use a forwarder, always ensure your destination address exists and will accept the message. Of course, if it's spam, you don't want to be forwarding it to the external box (may be blocked), hence deleting it right away is a good idea.

John
 
I've a question about catch-all, so...

Fail: The sender is notified that the address doesn't exist (recommended)
Ignore: The email is dropped and completely ignored (not recommended)

The Fail option generates the bounce and the Ignore option drops the email at smtp?

Because now I've set it to Fail, but maybe I have the wrong option (that is the recommended one)

Regards
 
No, "fail" does not bounce a message. It denies it before it's accepted.
When the sender tries to send a message to an account that doesn't exist, exim won't accept it in the first place. There won't be a message to bounce.

Exim will only accept messages for accounts/forwarders (or catch-alls) that exist. (catch must be set to an email value, or "ignore" in order to accept).

Only after failure to deliver after a message has been accepted, would a bounce message be generated.

John
 
Regarding the labels for these numbers, I think they should be renamed to "Incoming emails" and "Outgoing emails" because a pretty large part of the number of "Received emails" is just spam being blocked within Exim, so users do find it confusing.

Any incoming email without an id could be removed to make the "incoming" number more accurate, but I think it's not a bad idea after all to keep the whole number in DA as it causes no harm.
 
Hello,

Emails that are dropped because of spam are not counted in the bytes file. The incoming count is only the emails that actually end up in the mailboxes (at least, that's what's intended).

The exim.conf virtual_user: director has a condition:
Code:
condition = ${perl{save_virtual_user}}
which is where the incoming count comes from. If the account does not exist in /etc/virtual/domain.com/passwd, the incoming count does not go up and save_virtual_user returns false, so the message isn't saved by that director.

Let me know if you're noticing otherwise and we can investigate. Basically, we'd need to see the ID of the "method=incoming", and check the mainlog to see if the message got saved.

John
 
I see 2 issues:

1) There are lots of duplicates. Exact same line, including log_time.
2) There are all those lines with empty IDs. It only affects incoming messages.

What shows up with no ID is never delivered. I suspect it's some kind of stuttering, but I'm not sure.
It could be that without the duplication, there are 2 calls being logged, once without the ID and the next one with the proper ID. The size of the lines without ID and the one that actually has one are very similar.

If I'm the only one seeing this it could be due to the fact that I'm not using virtual_localdelivery as the next step, but I don't think it plays a role, since it's the next step.
 
Exim will only accept messages for accounts/forwarders (or catch-alls) that exist. (catch must be set to an email value, or "ignore" in order to accept).
I just thought I'd add that if by chance you're running a version of exim.conf from before DirectAdmin started using my SpamBlocker code (some point in 2004 if I recall correctly), then exim will accept email to non-existent recipients and then try to send it back. That was because exim version 3.x worked that way, and when exim version 4.x first came out, the software used to translate the exim.conf file didn't include the new options. That's one of the main reasons I started working on my SpamBlocker file in the first place.

Jeff
 
Since it's been found that the sender-verify cases do use the lookuphost and are counting against the "unknown" sends, for the next release of DA, if the file /etc/virtual/limit_unknown does not exist, DA will create it with a 0 value (via update.sh script). If you wish to have some other limit, feel free to set it as such (DA will not touch it if it already exists). This will also apply for new installs. This may change in the future if more information is found, but for now, this will be the plan.

John
 