Warning: ### emails have been sent yesterday by username

P

philmcdonnell

Verified User
Joined
Jan 6, 2004
Messages
184
Location
New York
I am getting this error all of a sudden. I keep getting it daily now and DA is the one sending it to the ticket system.

"Warning: 1110 emails have been sent yesterday by username"

Where is this set at? Is there a way to change the threshold? It appears that it is counting all forwarded messages and that is what is triggering it.

Thanks,
Phil
 
Thanks!!!!

I thought it was going to be something new as it just started happening... I will review this now... I should have thought to look at the version log...
 
zEitEr said:
Sure, it's a new feature of DirectAdmin.
Click to expand...

Ok, I see this is a new feature but it seems like it is counting all forwarded emails as well? I am getting accounts on the server that are sending 3 & 4 thousand messages a day which is not true according to the logs but I guess it is counting any message that comes in and gets forwarded to say a users Blackberry?

Can anyone confirm this is the case? If it is I will turn this off as it really is no use if I keep getting these annoying emails everyday for something that is not really true.

Thanks,
Phil
 
Hello,

I just tested the latest exim.pl with forwarders, and it seems to be making 2 entires into the usage/user.bytes and usage files per destination of a forwarder. I believe (not 100% sure) it's related to the fact that the aliases file is process twice, once for the "virtual_aliases_nostar" case (wildcard), and then again after the "virtual_user" for "virtual_aliases". I commented out the first case, and that only generated 1 delivery. The reason we have 2 aliases is to allow a local save in an email account and dupliate forwarder, without causing a bounce if the pop account doesn't exist.

I'll have to check, but I might be able to add more checks into the exim.pl to distinguish between the two Directors.. and only log one of them.

In any case, if you're getting notices about delivering x emails yesterday, the user.bytes files has a message ID which DA takes note of, and removes duplicates, so assuming you have a current exim.pl, this number would be accurate. If you've got an older exim.pl that is not logging the message ID, then DA has no way of knowing if the message is unique, so ends up counting 1 sent for each attempt (if an email is stuck in the queue).

So there are 2 parts to this:
1) The /etc/virtual/usage/* files will be counting 2x as many emails as they should be with forwarders (I'll look into this)

2) The report that has the word "yesterday" in it will be correct, assuming you have a new /etc/exim.pl. If not, grab the latest one from files.directadmin.com/services/exim.pl.

Related:
http://help.directadmin.com/item.php?id=51

John
 
How can I turn these notifications off? I read that it is in directadmin.conf but I can't find it anywhere...

Thanks,
Phil
 
We're very happy with this feature. It will give us faster than before information whether or not an e-mailaccount has been compromised.

However is it possible in a future release to set thresholds per user for this warning e-mail.
We've got customers who every day send out more than 1000 mails (newsletters), but less than e.g. 1500 mails. So for this specific customers it would be helpful to set a treshold for (e.g.) 1500.

Anyone else also interrested in this feature?
 
Hello,

Assuming you've got a new exim.pl, you can already do that. Type
Code: 
echo 1500 > /etc/virtual/limit_newsletters
Related

John
 
excuse me John but the

Code: 
echo 1500 > /etc/virtual/limit_newsletters

is referred to a user called newsletters or he will catch if the email is a newsletter?

I didnt get it honestly, and, if is the second option, will be count majordomo too or should be done for that too?

Thanks
 
@SeLLeRoNe:

Did you look at the link on John's post? It appears it would refer to user a user named newsletters.

Jeff
 
Yep i did and im using that featured, thats why i was confused.

Cause the user wrote "who every day send out more than 1000 mails (newsletters)" and John replied with limit_newsletters

So i was confused about if "newsletters" was the user or the service

Regards
 
From 3 days, one of my admin don't receive any more this alert :
Warning: ### emails have been sent yesterday by username

Have you an idea of why ?
directadmin.conf has not been changed.

So he has only changed something in notification of user / reseller or admin account.

But I do not find what !
Another thing, default limit to send warning is 1000. Where can we changed it ?

Thanks for help
 
The same problem

Hi all,

I have also this problem whit my server now. I first wanted to open a new topic, but there are much likely topics so i think its better to ask it here: i have tried much things which i have readed in likely topics but whitout results. So i want to ask if someone knows a solution for this problem.

I am receiving often emails like: there are **** emails sended by user muhammet yesterday

And also when i want to sent an email, the email comes back whit a header that its blacklisted on spam-lists: very annoying.

How can i solve this problem? Thanks
 
Thanks

Thanks John,

but i readed somewhere this:

'And if you set it the limit lower and don't fix the spam problem then undeliverable spam stuck in your spool could crash your server.'

Is this right?
 
"crash" may not be the correct word.

If you use a newer exim.pl (version 15) then it will block any over-limit account from using smtp-auth at all, so that would mean the messages couldn't arriving in the spool file in the first place (they'd get a wrong password error, even with the correct password)
But, if the email is generated locally (eg: via a local php script to /usr/sbin/sendmail), then the spam would accumulate in the spool file (still cannot send), and will make exim much slower. I don't think it would crash anything, but it's by no means going to help anything either.

John
 
Hi John, Thanks again i have set a limit of 200 and i have founded something interesting:

The muhammet account has just finished sending 100 emails.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

After some processing of the /etc/virtual/usage/muhammet.bytes file, it was found that the highest sender was [email protected], at 57129 emails.

The top authenticated user was info@*******.nl, at 112180 emails.
This accounts for 112180% of the emails. The higher the value, the more likely this is the source of the emails.
An authenticated username is the user and password value used at smtp time to authenticate with exim for delivery.

The top sending host was 108.170.31.111, at 57129 emails (57129%).

The most common path that the messages were sent from is /, at 112180 emails (112180%).
The path value may only be of use if it's pointing to that of a User's home directory.
If the path is a system path, it likely means the email was sent through smtp rather than using a script.

This warning was generated because the 100 email threshold was hit.


Anything that i can do now?
 
You must log in or register to reply here.
Back
Top