System messages 4000 times

roadit (New member; joined Feb 20, 2017; messages: 2)

Hi,

my first thread on this forum.
We've been using DirectAdmin for a while now and I often use the forums for research.
Now I've got a problem but I'm unable to find it anywhere on the forum, so I hope someone can help me.

A user is frequently receiving system messages, but last week DirectAdmin started to multiply them by thousands.
The message system shows the same message like 4000 times.
That's not the big issue though, the issue is that we receive those messages by e-mail on 2 e-mail addresses.
So that creates a lot of outgoing email which might be bad for our IP reputation since we're using e-mail on another e-mail server.

What could be the problem or where should I start looking?
I appreciate any help!

Thank you.
 
Hello, welcome to the forums.

The best way to be able to help you is to start telling us exactly what messages are being sent by the system. And the content of it.
Good chance you can find something in the logs, but I can't tell you which logs to look at without knowing anything about the messages sent.

If it's that much, it could be anything, maybe a corrupted or wrongly working or configured script on his site.
 
Thank you for the reply.

I have been thinking about it some more and I think it all started with the latest DA update.
It seems that something with the system messages has changed since the messages are actually different.
There's a file in the user account that sends out e-mail but it exceeds the 1 threshold. I think every time it hits the threshold it sends out a system message.
Before the latest update it just sent out once when the threshold was exceeded.

The system message contains this:
The [user] account has just finished sending 1 emails.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

After some processing of the /etc/virtual/usage/[user].bytes file, it was found that the highest sender was jadwiga_lewandowski@[user.nl, at 1 emails.

The top authenticated user was [user], at 1 emails.
This accounts for 100% of the emails. The higher the value, the more likely this is the source of the emails.
An authenticated username is the user and password value used at smtp time to authenticate with exim for delivery.


The most common path that the messages were sent from is [path-to-folder], at 1 emails (100%).
The path value may only be of use if it's pointing to that of a User's home directory.
If the path is a system path, it likely means the email was sent through smtp rather than using a script.

The top sending script was [path-to-file] at 930 emails, (93000%).
Because the bulk of the emails have been sent by the script, please check it to confirm it has not been compromised.


This warning was generated because the 1 email threshold was hit.
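
Added example, not part of the original posts and not DirectAdmin code: a small triage script that collapses thousands of identical notices like the one quoted above into one row per account, script and threshold, and flags the values to check first. The regular expressions assume the exact wording quoted in this thread; the function names, field names and flag names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the notice quoted in the thread,
# with the poster's bracketed placeholders left as they were.
SAMPLE = """The [user] account has just finished sending 1 emails.
The top authenticated user was [user], at 1 emails.
The top sending script was [path-to-file] at 930 emails, (93000%).
This warning was generated because the 1 email threshold was hit.
"""

ACCOUNT = re.compile(r"^The (\S+) account has just finished sending (\d+) emails", re.M)
SCRIPT = re.compile(r"^The top sending script was (\S+) at (\d+) emails", re.M)
THRESHOLD = re.compile(r"because the (\d+) email threshold was hit")

def parse_notice(text):
    """Return the fields of one send-limit notice, or None for other messages."""
    a, s, t = ACCOUNT.search(text), SCRIPT.search(text), THRESHOLD.search(text)
    if not (a and t):
        return None
    return {
        "account": a.group(1),
        "sent": int(a.group(2)),
        "script": s.group(1) if s else None,
        "script_sent": int(s.group(2)) if s else 0,
        "threshold": int(t.group(1)),
    }

def triage(notices):
    """Collapse repeated notices and flag what to look at first."""
    parsed = [p for p in map(parse_notice, notices) if p]
    key = lambda p: (p["account"], p["script"], p["threshold"])
    copies = Counter(key(p) for p in parsed)
    peak = {}
    for p in parsed:
        peak[key(p)] = max(peak.get(key(p), 0), p["script_sent"])
    report = []
    for (account, script, threshold), n in copies.most_common():
        flags = []
        if threshold <= 1:
            flags.append("threshold-of-1")         # any single e-mail hits the limit
        if peak[(account, script, threshold)] > threshold:
            flags.append("script-over-threshold")  # review this script first
        if n > 1:
            flags.append("duplicate-notices")
        report.append({"account": account, "script": script, "threshold": threshold,
                       "copies": n, "script_sent": peak[(account, script, threshold)],
                       "flags": flags})
    return report
```

Feed `triage()` the message bodies exported from the notification mailbox; the flags are heuristics for ordering the investigation, not a verdict on whether the script is compromised.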
 