Account send limit exceeded but no email accounts have sent more than 30

pcjunky

This has happened several times now. One of our accounts with about 50 email accounts exceeds its limit (1800). Looking at all the email accounts, none has sent more than 30 (their limit). How can we find which account is responsible for sending these emails? More importantly, how can we prevent this from happening in the future?
 
Message system message

The cyberst account has just finished sending 1800 emails.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

After some processing of the /etc/virtual/usage/cyberst.bytes file, it was found that the highest sender was [email protected], at 28 emails.

([email protected] isn't an account on this server)





This warning was generated because the 1800 email threshold was hit.
 
You can check if they are sending using some script in the website looking at the logs in:
/home/USER/.php/php-mail.log

Regards
 
All the PHP logs are zero bytes. This account has no webpages associated with it, just the placeholder DirectAdmin has.

You can check if they are sending using some script in the website looking at the logs in:
/home/USER/.php/php-mail.log

Regards
 
So you need to find (hopefully in the mail queue) one of those outgoing e-mails and look into the headers for this line:
X-Authenticated-Id:

If you have that line, you will know which user is being authenticated for those emails and can change his password or suspend it.

It may be a virus on a customer computer where the password has been found.

Regards
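
An added example, not part of the original thread: a Python script that tallies the `X-Authenticated-Id` header across message header blocks and flags IDs that exceed the per-mailbox limit of 30 quoted above or that are not mailboxes on the account. The function names, the sample messages and the example.com addresses are constructed, and it assumes each queued message's raw headers have already been exported as text.

```python
import re
from collections import Counter

PER_MAILBOX_LIMIT = 30  # per-mailbox limit quoted in the thread
AUTH_ID = re.compile(r"^X-Authenticated-Id:[ \t]*(\S+)", re.I | re.M)

def tally_senders(messages):
    """Count messages per authenticated ID; key None means the header is absent."""
    counts = Counter()
    for raw in messages:
        # Only search the header section, never the body.
        headers = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
        m = AUTH_ID.search(headers)
        counts[m.group(1).lower() if m else None] += 1
    return counts

def triage(counts, known_mailboxes, limit=PER_MAILBOX_LIMIT):
    """Return (id, count, flags) rows, highest sender first."""
    known = {m.lower() for m in known_mailboxes}
    report = []
    for ident, n in counts.most_common():
        flags = []
        if ident is None:
            flags.append("no-auth-header")       # nothing to attribute the mail to
        else:
            if ident not in known:
                flags.append("unknown-mailbox")  # ID is not a mailbox on this account
            if n > limit:
                flags.append("over-limit")
        report.append((ident, n, flags))
    return report

def _msg(auth_id=None, n=1):
    """Build n constructed sample messages (not real traffic)."""
    head = "From: x@example.com\nSubject: constructed sample\n"
    if auth_id:
        head += f"X-Authenticated-Id: {auth_id}\n"
    return [head + "\nbody\n"] * n

# Constructed sample input.
SAMPLE = (_msg("alice@example.com", 31) + _msg("bob@example.com", 3)
          + _msg("Ghost@example.net", 2) + _msg(None, 1))
KNOWN = {"alice@example.com", "bob@example.com"}

if __name__ == "__main__":
    for ident, n, flags in triage(tally_senders(SAMPLE), KNOWN):
        print(f"{n:5d}  {ident or '(none)'}  {','.join(flags) or 'ok'}")
```
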
 
I have the same issue. I have five DirectAdmin servers running and since a couple of days I already had three customers with this message. When I look at the logfiles, there are just a few mails sent:

2016-08-03 17:00:50 1bUxf4-0003Mr-Jo => prive <[email protected]> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=13262
2016-08-04 11:55:13 1bVFMv-0005x9-1A => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=684 H=gate2.mxlab.eu [141.138.198.241] C="250 2.6.0 679 bytes received in 00:00:00; Message id 201608041155113663 accepted for delivery"
2016-08-04 15:08:21 1bVINl-0002iN-T7 => prive <[email protected]> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=48835

Also running eximstat doesn't show any excessive usage for these mail accounts. The php-mail.log files are empty. I'm running DirectAdmin 1.50.1 and yesterday I updated both the server OS and the DirectAdmin build so all packages are up-to-date, but still this problem.

Any clues?
 
Could it be that the counters aren't reset daily? When are they cleared, and how can that be checked?
 