User blocked by blockcracking!

Richard G

Today I got a very important customer blocked by blockcracking.
He sends out a lot of mails to a lot of systems, some of which have the same email address but on more domains (like .com and .org and .ch).

Now the user got blocked with this notice:
The address [email protected] has just finished sending 100 non-existant emails within a 1h period, and has been blocked.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

To unblock this account, the password must be changed by a DirectAdmin User.
Changing the password through the E-Mail self-serve options will not work, as the password is likely compromised.

The last IP to send an email was xx.xx.xx.xx.

This warning was triggered by the BlockCracking monitoring tool in exim.
The E-Mail account is managed under the username User account.

Where can I find these 100 non-existent emails in the logs? This happened a few minutes ago and I instantly checked the mailqueue, which had a lot of emails with a D in front of them, since they were delivered. But they were still visible because in the batch there were email addresses without the D in front of them.

Those might be non-existent, so I counted them, and there were only 5 email addresses.

So how come this user got blocked? This should not be happening with only 5 non-existing email addresses.

How can this be fixed? Because this is not good.
 
Addition: Why is it that only the customer gets this warning by email and not me as his provider?
> *From:* Message System <<[email protected]>>
> *Date:* 1 maart 2016 15:58:02 CET
> *To:* useraccount <<[email protected]>>
> *Subject:* *New Message: Warning: 100 non-existant E-Mails have just been sent by
> <[email protected]>*
> *Reply-To:* Message System <<[email protected]>>

But I never got a notification about this at [email protected], which should in fact be a lot better. Can this be configured somewhere?
 
The mailqueue only contains the ones that have not been sent yet, so probably he did send 105, and at 100 it got blocked.

It may happen (it happened to a customer of mine) that Outlook goes crazy with his address book and, instead of taking the email from a contact, takes the email formatted in this way: <email>, and of course the system doesn't accept that. Somehow there should be something in his distribution list/address book where some contacts are messed up, or the software/mail client he was using has gone crazy somehow. You should check the exim mainlog at /var/log/exim/mainlog for all his outgoing e-mail, filtering with something like "<D" (considering the wrong emails start with a D).

This may help you dig a little bit, but for now to me it looks like a software-side problem, not your server side.

Regards
 
> considering the wrong emails starting with a D)
I'm afraid you misunderstood. The wrong emails did not start with a D. The D in front of emails in the mailqueue is for Delivered. So those are the emails that did get delivered when looking at the mailqueue.

If you send 10 emails at once from a contact list, and 1 of them is incorrect, then all 10 emails will remain in the mailqueue, except that the 9 addresses that did get delivered get a D in front of them, like this if you do an exim -bp:
In this list, it shows everything is delivered except for the [email protected] email address, which is non-existent or whose email server is unreachable at the moment. That is what I intended to explain.

So I can't easily find the wrong emails by doing a search for "<D" because they are not listed that way in mainlog. It's an output of exim -bp.

And in that exim -bp mailqueue list I could only find 5 non existing emails.
Because non existing emails will get on hold in the queue, and only 5 emails are on hold.
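To make the D-flag reading above concrete, here is an added Python example (not code from this thread or from DirectAdmin/exim) that parses `exim -bp` output, splits each message's recipients into delivered (D) and still-pending, and flags quoted, comma-containing local parts like the odd addresses that turn up later in the thread. The queue listing is constructed sample data; the message IDs, senders and recipients are made up.

```python
import re
from typing import Dict, List

# Constructed sample of `exim -bp` output (not from the thread): one message with
# a mix of delivered (D) and pending recipients, and one frozen message.
SAMPLE_QUEUE = """\
25m  1.2K 1aB2cD-000123-Xy <sender@example.com>
          D alice@example.org
          D bob@example.ch
            nobody@unreachable.example
          D ",info.something"@example.net
            ",,info"@example.com

 3m  4.5K 1aB2cE-000124-Zz <sender@example.com> *** frozen ***
            typo@nosuchdomain.example
"""

# Message header: <age> <size> <id> <sender> [*** frozen ***]
HEADER_RE = re.compile(r'^\s*\S+\s+\S+\s+(\w{6}-\w{6}-\w{2})\s+<([^>]*)>(.*)$')
# Recipient line: indented, optional "D " (delivered) flag, then the address.
RCPT_RE = re.compile(r'^\s+(?:(D)\s+)?(\S+)\s*$')
# A quoted local part containing a comma or whitespace: legal per RFC 5322,
# but typical of a mangled address-book export rather than a real mailbox.
SUSPECT_LOCAL_RE = re.compile(r'^"[^"]*[,\s][^"]*"@')

def parse_queue(text: str) -> Dict[str, dict]:
    """Return {message_id: {sender, frozen, delivered: [...], pending: [...]}}."""
    messages: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None            # blank line ends a message block
            continue
        h = HEADER_RE.match(line)
        if h:
            current = {"sender": h.group(2), "frozen": "frozen" in h.group(3),
                       "delivered": [], "pending": []}
            messages[h.group(1)] = current
            continue
        r = RCPT_RE.match(line)
        if r and current is not None:
            current["delivered" if r.group(1) else "pending"].append(r.group(2))
    return messages

def pending_recipients(messages: Dict[str, dict]) -> List[str]:
    """Addresses still on hold, i.e. what the thread counted as 'non-existing'."""
    return [a for m in messages.values() for a in m["pending"]]

def suspect_addresses(messages: Dict[str, dict]) -> List[str]:
    """Any recipient (delivered or not) with a quoted, comma-containing local part."""
    return [a for m in messages.values() for a in m["delivered"] + m["pending"]
            if SUSPECT_LOCAL_RE.match(a)]

if __name__ == "__main__":
    q = parse_queue(SAMPLE_QUEUE)
    print("pending:", pending_recipients(q))
    print("suspect:", suspect_addresses(q))
```

Pipe real output in with `exim -bp | python3 thisscript.py` after replacing `SAMPLE_QUEUE` with `sys.stdin.read()`; a D flag only means exim recorded a delivery attempt as complete, so the mainlog is still the place to confirm the remote 550s the thread mentions.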
 
Please check /home/user/.php/php-mail.log file if the emails were sent using PHP.
 
Thank you, but they were all sent via authenticated email.
If there were 100 non-existing emails, I should have 100 email addresses in the mailqueue, correct? Because they would get neither delivered nor deleted.
 
I'll ask the customer to check his send list, I just discovered some delivered emails, but the email addresses are very odd. Like this:

Code:
",info.something"@domain.com
",,info"@otherdomain.com

So that is including the " and ,, characters which is strange. They were delivered though, but maybe the receiving domain has catchall enabled?
 
Yep, problem solved, that must have been the case.

Very odd though that exim -bp says that those were Delivered, while mainlog says:
550 Requested action not taken: mailbox unavailable

So those got the Delivered flag, but they were not delivered. So maybe there is a bug which sets the D flag incorrectly.
The other D flags I checked (with normal email addresses) were all delivered.
 
Ok, I misunderstood the D part :)

But actually I was right about the software-side issue :p

Or did I misunderstand again? xD

Regards
 
No, you were correct. You were indeed right about the software-side issue on the customer's side, not a server issue.

Except for the Delivered flag, which should not have been given to those email addresses in the queue. And it was not 100. :)
 