User blocked by blockcracking!

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,221
Location
Maastricht
Today I got a very important customer blocked by blockcracking.
He sends out a lot of mails to a lot of systems, some of which have the same email address but on more domains like (.com and .org and .ch).

Now the user got blocked with this notice:
The address my.customer@hisdomain.com has just finished sending 100 non-existant emails within a 1h period, and has been blocked.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

To unblock this account, the password must be changed by a DirectAdmin User.
Changing the password through the E-Mail self-serve options will not work, as the password is likely compromised.

The last IP to send an email was xx.xx.xx.xx.

This warning was triggered by the BlockCracking monitoring tool in exim.
The E-Mail account is managed under the username User account.
Where can I find these 100 non-existent emails in the logs? This happened a few minutes ago and I instantly checked the mail queue, which had a lot of emails with a D in front of them, since they were delivered. But they were visible because in the batch there were email addresses without the D in front of them.

Those might be non-existent, so I counted them, and those were only 5 email addresses.

So how come this user got blocked? This should not be happening with only 5 non-existing email addresses.

How can this be fixed? Because this is not good.
 

Richard G

Addition: Why is it that only the customer gets this warning by email and not me as his provider?
> *From:* Message System <xxx@mycompany.nl>
> *Date:* 1 maart 2016 15:58:02 CET
> *To:* useraccount <his.private@email.com>
> *Subject:* *New Message: Warning: 100 non-existant E-Mails have just been sent by
> <some.email@hisdomain.com>*
> *Reply-To:* Message System <xxx@mycompany.nl>
But I never got a notification about this at xxx@mycompany.nl, which would in fact be a lot better. Can this be configured somewhere?
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
The mail queue contains the ones that have not been sent yet, so probably he did send 105, and at 100 it blocked.

It may happen (it happened to a customer of mine) that Outlook goes crazy with his address book and, instead of taking the email from a contact, it takes the email formatted in this way <email>, and of course the system doesn't accept that. Somehow there should be something in his distribution list/address book showing that some contacts are messed up, or just that the software/mail client he was using has gone crazy somehow. You should check the exim mainlog /var/log/exim/mainlog for all his outgoing e-mail, filtering with something like "<D" (considering the wrong emails start with a D).

This may help you dig a little bit, but for now to me it looks like a software-side problem, not your server side.

Regards
 

Richard G

> considering the wrong emails starting with a D)
I'm afraid you misunderstood. The wrong emails did not start with a D. The D in front of emails in the mailqueue is for Delivered. So those are the emails that did get delivered when looking at the mailqueue.

If you send 10 emails at once from a contact list, and 1 of them is incorrect, then all 10 emails will remain in the mail queue, except that the 9 addresses that did get delivered get a D in front of them, like this if you do an exim -bp:
In this list, it shows everything is delivered except for the test@domain5.com email address, which is non-existent or their email server is unreachable at the moment. That is what I intended to explain.

So I can't easily find the wrong emails by doing a search for "<D" because they are not listed that way in mainlog. It's an output of exim -bp.

And in that exim -bp mailqueue list I could only find 5 non existing emails.
Because non existing emails will get on hold in the queue, and only 5 emails are on hold.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,341
Location
LT, EU
Please check /home/user/.php/php-mail.log file if the emails were sent using PHP.
 

Richard G

Thank you, but they were all sent via authenticated email.
If there were 100 non-existing emails, I should have 100 email addresses in the mail queue, correct? Because they wouldn't get delivered nor deleted.
 

Richard G

I'll ask the customer to check his send list, I just discovered some delivered emails, but the email addresses are very odd. Like this:

```
",info.something"@domain.com
",,info"@otherdomain.com
```
So that includes the " and ,, characters, which is strange. They were delivered though, but maybe the receiving domain has catchall enabled?
 

Richard G

Yep, problem solved, that must have been the case.

Very odd though that exim -bp says that those were Delivered, while mainlog says:
550 Requested action not taken: mailbox unavailable

So those got the Delivered flag, but they were not delivered. So maybe there is a bug which sets the D flag incorrectly.
The other D flags I checked (with normal email addresses) were all delivered.
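The thread's finding is that permanently rejected (550) recipients never sit "on hold" in exim -bp, so the queue undercounts what a per-hour non-existent-recipient monitor sees; the mainlog is where the evidence lives. The following added example (not the page's own code and not BlockCracking's implementation) parses constructed exim mainlog lines, pairs each message id with its authenticated sender, counts 550-rejected recipients per sender in a sliding 1-hour window, and flags recipients with the quoted local-parts (",,info"@domain) seen above. The " 550 " match and the log layout are assumptions based on the default exim mainlog format.

```python
import re
from datetime import datetime, timedelta

# Constructed exim mainlog excerpt (sample data, not from the thread's server).
SAMPLE_LOG = """\
2016-03-01 15:50:01 1abcde-000101-AA <= my.customer@hisdomain.com H=(pc) [203.0.113.5] P=esmtpsa A=login:my.customer@hisdomain.com S=2048
2016-03-01 15:50:03 1abcde-000101-AA ** ",info.something"@example.org R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<",info.something"@example.org>: host mx.example.org [192.0.2.10]: 550 Requested action not taken: mailbox unavailable
2016-03-01 16:20:10 1abcde-000102-AB <= my.customer@hisdomain.com H=(pc) [203.0.113.5] P=esmtpsa A=login:my.customer@hisdomain.com S=1900
2016-03-01 16:20:11 1abcde-000102-AB ** nobody@example.net R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<nobody@example.net>: host mx.example.net [192.0.2.20]: 550 5.1.1 User unknown
2016-03-01 16:20:12 1abcde-000102-AB == slow@example.com R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 17:10:00 1abcde-000103-AC <= my.customer@hisdomain.com H=(pc) [203.0.113.5] P=esmtpsa A=login:my.customer@hisdomain.com S=1700
2016-03-01 17:10:01 1abcde-000103-AC ** ",,info"@example.org R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<",,info"@example.org>: host mx.example.org [192.0.2.10]: 550 Requested action not taken: mailbox unavailable
"""
# groups: timestamp, message id, flag (<= arrival, ** permanent failure, == defer), address, rest
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (<=|\*\*|==) (\S+)(.*)$")
QUOTED_LOCAL = re.compile(r'^"[^"]*"@')  # quoted local-part such as ",,info"@domain

def parse_failures(text):
    """Return (ts, sender, recipient) for each recipient rejected with 550; deferred (==) ones are not counted."""
    sender_of, failures = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg_id, flag, addr, rest = m.groups()
        if flag == "<=":
            sender_of[msg_id] = addr          # envelope sender for this message id
        elif flag == "**" and " 550 " in rest:
            failures.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                             sender_of.get(msg_id, "?"), addr))
    return failures

def max_failures_per_hour(failures, window=timedelta(hours=1)):
    """Per sender: the largest number of 550-rejected recipients inside any 1h window."""
    times = {}
    for ts, sender, _ in failures:
        times.setdefault(sender, []).append(ts)
    result = {}
    for sender, ts_list in times.items():
        ts_list.sort()
        best = start = 0
        for end in range(len(ts_list)):
            while ts_list[end] - ts_list[start] > window:
                start += 1                    # slide the window start forward
            best = max(best, end - start + 1)
        result[sender] = best
    return result

def suspicious_recipients(failures):
    """Rejected recipients whose local-part is quoted, the pattern the thread found in the address book."""
    return sorted({r for _, _, r in failures if QUOTED_LOCAL.match(r)})
```

Run it against a real /var/log/exim/mainlog by replacing SAMPLE_LOG with the file contents; a sender whose per-hour count approaches the block threshold while exim -bp shows only a handful of held messages is exactly the situation described in this thread.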
 

SeLLeRoNe

Ok, I misunderstood the D part :)

But actually I was right about the software-side issue :p

Or did I misunderstand again? xD

Regards
 

Richard G

No, you were correct. You were indeed right about the software-side issue on the customer's side, not a server issue.

Except for the Delivered flag, which should not have been given to those email addresses in the queue. And it was not 100. :)
 