Task "action=block_cracking&type=smtp" the email account was not blocked.

mean

Hello DA Team

At present, DirectAdmin cannot effectively prevent outgoing spam, aside from limiting the number of emails per account or per domain. Problematic email accounts can still continue sending spam for several consecutive days, eventually causing the server’s IP address to be blacklisted.

I am trying to find a faster and more efficient way to monitor and suspend outgoing email activities. For example, I'm writing a script that monitors email accounts: if an account continuously sends emails over the allowed limit for more than 2 consecutive days, the system will then restrict its outgoing volume or completely block that email account.


Task command: is this feature working properly?
echo "action=block_cracking&type=smtp&authenticated_id=[email protected]&sender_host_address=1.2.3.4&log_time=1741640695" >> /etc/virtual/mail_task.queue
da taskq

# Problem
  • A notification ticket was successfully created: "Warning: 100 non-existent emails have just been sent by [email protected]."
  • However, the SMTP access for the email account was not blocked as expected.

# Questions
  • Do you have any method or API to block an outgoing email account and automatically unblock it once the hosting user resets their password?
  • I tried manually adding the email to /var/spool/exim/blocked_authenticated_users or on "Administrator Settings", but after the password is changed, the email account does not automatically get unblocked.

Reference

Directadmin Version
  • version: 1.682
  • build: a96573edc6aa43ea1753ca4694779a3ac5254598
  • arch: amd64
  • os: linux
  • package: directadmin_a96573edc6aa43ea1753ca4694779a3ac5254598_linux_amd64.tar.gz
  • distro: debian11
  • eol: 2026-11-01 00:00:00
  • eol timestamp: 1793491200

  • Exim Config : v4.5.59
  • Exim: v4.98.2
 
However, the email account was not suspended as expected.
But did you set a limit of lower than 100?
Just to be sure, also double-check the /etc/virtual/limit and user_limit files.

For PHP scripts you might also want to investigate these settings for directadmin.conf which can block some things:
disable_php_script_at_limit_minimum=
disable_php_script_at_limit_threshold=
 
Currently, DirectAdmin provides two types of email sending limits:
  1. Daily sending limit per domain
  2. Daily sending limit per email account

Example of the problem:

If an email account like [email protected] has a compromised password and the domain owner does not take action, the account could send out 100 spam emails per day for 3–5 consecutive days via SMTP.

This would likely result in the IP getting blacklisted and the IP reputation (population score) deteriorating — especially with Hotmail, which frequently blocks IPs in such cases.

Proposed solution:


I’m looking for a way to automatically restrict or block email accounts that cause such issues.
For example, if an email account sends more than 100 spam emails for 2 consecutive days, I would like to:
  • Limit that account to sending 1 outgoing email per day, or
  • Completely block SMTP access for that email account (/etc/virtual/blacklist_smtp_usernames).

  • After a hosting user resets the password of the affected email account,
    the system should automatically remove that email from /etc/virtual/blacklist_smtp_usernames

  • Suspending the email account is not an ideal solution, because it causes auth_failed attempts, which will then be blocked by the Brute Force Monitor.
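
The rule proposed in this post (block after 2 consecutive over-limit days, release after a password reset) can be sketched as follows; this is an added example, not part of the thread and not DirectAdmin code. It assumes Exim main-log arrival lines carry the `A=<authenticator>:<id>` field, that the caller records each account's stored password hash at block time, and that the caller writes the result to /etc/virtual/blacklist_smtp_usernames; all function names and log lines are hypothetical.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Exim arrival line: "<date> <time> <msg-id> <= <sender> ... A=<authenticator>:<auth id> ..."
ARRIVAL = re.compile(r"^(\d{4}-\d{2}-\d{2}) .*? <= .*? A=[^:\s]+:(\S+)")

def daily_counts(log_lines):
    """Count authenticated SMTP submissions per account per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = ARRIVAL.match(line)
        if m:  # unauthenticated arrivals and delivery lines are skipped
            counts[m.group(2).lower()][date.fromisoformat(m.group(1))] += 1
    return counts

def accounts_to_block(counts, limit, days=2):
    """Accounts that exceeded `limit` on `days` consecutive calendar days."""
    flagged = []
    for account, per_day in counts.items():
        over = {d for d, n in per_day.items() if n > limit}
        if any(all(d - timedelta(k) in over for k in range(days)) for d in over):
            flagged.append(account)
    return sorted(flagged)

def accounts_to_release(blocked, current_hashes):
    """Blocked accounts whose password hash changed since the block.

    blocked: {account: hash recorded when it was blocked}
    current_hashes: {account: hash stored now}; a missing account stays blocked.
    """
    return sorted(a for a, old in blocked.items()
                  if current_hashes.get(a) not in (None, old))

# Constructed sample log (not real data); the limit is 3 to keep it short.
def _line(day, n, acct):
    return (f"{day} 09:00:{n:02d} 1uAAAA-0000{n:02d}-XX <= {acct} H=(pc) "
            f"[192.0.2.10] P=esmtpsa A=login:{acct} S=2048")

SAMPLE_LOG = [_line(d, i, a) for a, d, n in [
    ("alice@example.com", "2025-03-10", 4), ("alice@example.com", "2025-03-11", 5),
    ("bob@example.com", "2025-03-10", 4), ("bob@example.com", "2025-03-11", 1),
    ("carol@example.com", "2025-03-10", 4), ("carol@example.com", "2025-03-12", 4),
] for i in range(n)]
SAMPLE_LOG.append("2025-03-10 09:01:00 1uAAAA-000099-XX => dave@example.net R=lookuphost")
```

Running the release check from cron, or from a hook that fires on password change, removes the need to clear the block by hand.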
 
You mention Hotmail. I had a user a few years ago that didn't use reCAPTCHA (or the like) on his contact forms, or an SMTP relay, so all the bots were spamming his contact form. I believe he had a Hotmail account so they were reporting the bot spam to the DNSBLs. Anyhow, after a few weeks, I had to block all mail from his DA account, and block PHP sendmail also, as I was ending up on Spamhaus' blocklist and although it was easy delisting, I still had to wait for DNS to propagate the delisting and also for other providers, like Hotmail, to refresh their RBLs. Point to note here: my IPs never ended up on any other RBLs, only Spamhaus. A few customers I have are very vocal the second they cannot send an email!

Watching this thread though as a solution to this problem could be very interesting to me and others.
 
I’m looking for a way to automatically restrict or block email accounts that cause such issues.
I can understand that, and it is indeed a good option. DA would need a block or suspend account or something, or maybe temporarily, when too many mails are sent out.
Probably this is not created because the use on shared servers in general is very different. Some users only send out 50 mails a day, others have a mailing list and send out maybe 150 and there are companies which send out maybe way more than 250.

So the question is how should DA conclude if sending out for example 200 mails via SMTP is a hacked account, or is an account which is allowed to send out that many mails?
To even differentiate something like that, one would need to set up a daily mail limit for every account or email address separately or make it in such a way that accounts going over the limit are suspended or something like that.

Maybe a per-hour option would be good. But it's also good to set a limit of for example between 100 and 150 a day for normal users and only raise limits for accounts who need that.

It's not that bad for blacklist (and believe me I had some experience with those in the past), if you take appropriate action immediately. If 200 go out and then mails are stopped because of the daily limit, then I already get a notice. On that notice I suspend the complete account and after that I clear the complete mail queue from the spamming domain.
Then I notify the customer, and tell him to change the password of the mail. If required I set a random pass myself before, which he can change afterwards.

And then, as long as this does not happen too often, and also PHP scripts are protected and you're a member of SNDS and JMRP (it's free) and don't have bad reputation IPs, then you won't get on the blacklist that fast anymore. And also it's easier to get off such a list when you are a member and the MTA is fulfilling all RFCs.

I don't think a lot more can be done at this point. It would be good maybe for DA to put in an hourly limit, something I suggested already 13 years ago. :rolleyes:

It was re-requested 6 years ago and 5 years ago a feedback request was made with 74 (!) voters and it's still under review.
However feel free to add your vote here:
 
This has indeed been an ongoing issue for many years, and I’ve been trying to find ways to manage it myself.
It becomes very time-consuming to constantly monitor and manually deal with this problem.

I'm really glad this conversation is happening — especially since I’ve noticed that DirectAdmin has been actively updating Exim recently.
Hopefully someone from the DA team will see this and consider improving the situation.

# 1
I'm not sure if hourly limits alone can resolve this issue quickly enough.
However, I believe that if an email account exceeds its quota repeatedly, and the system can immediately block SMTP access (/etc/virtual/blacklist_smtp_usernames), then automatically unblock it after a password reset, this approach would be faster and more effective to develop and implement.

# 2
Thank you for sharing your ideas. For example, other control panels like Plesk and cPanel offer the ability to configure “hourly emails per domain”, which helps significantly in mitigating the issue.

Plesk solution:

  • limit on outgoing messages from (a mailbox/ a domain) per hour


cPanel solution:

  • Hourly email by domain relayed
  • Percentage of failed or deferred messages a domain may send per hour.

 
I'm not sure if hourly limits alone can resolve this issue quickly enough.
Well, maybe kind of like with PHP mail, where a calculation is made between the daily limit and the hourly send. If the limit is sent within a short time the account is blocked, something like that.
An hourly mail addition could help anyway. Maybe an option with that where the admin can choose to either wait until the next day or suspend the mail account would be a good option.

I'm aware of the fact that cP and Plesk do have hourly limits. However, the option you circled there, it says "email by domain relayed". Relaying is something different than sending. So I wonder if this also works on just sending. The one from Plesk is more clear about that.
Because 1 line below that, there is an option of percentage of failed or deferred messages a domain may "send". So there the term "send" is used.
I never had that on Unlimited, because this is also a good spam protection. If 200 mails go out often lots of them got blocked so using a limit at that place too is also a good option to prevent further outgoing spam mail.

Anyway, that also is based on hourly limits like the rest. To me this adds to the argument that hourly limits are just required nowadays.
 