1
Suddenly SmarterMail reports too many bad commands
Question asked by Batric Batric - January 28, 2015 at 3:30 PM
Unanswered
2 days ago, SmarterMail reported 845 bad commands in the "SMTP In Errors" section.
Yesterday the number increased to 2.861 and today it's already at 9.089.

I suppose this wastes server resources, and would like to know if there is anything I should and can do about it.

Is there anything I can do about the number of "Bad Commands" that were logged in the "SMTP In Errors" section? Does SmarterMail block them automatically? Can this pose a security or DDoS risk?
 
Thanks!
 

6 Replies

2
Steve Reid Replied
February 2, 2015 at 7:38 AM
If you need help right away then open a support ticket.
0
Steve Reid Replied
February 4, 2015 at 7:38 AM
Check your logs?
0
Bruce Barnes Replied
August 21, 2015 at 11:09 AM
Are you under a DDoS or BRUTE PASSWORD ATTACK?
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Bruce Barnes Replied
August 21, 2015 at 11:57 AM
Natalie:
 
If you have your SMTP LOGS set to DETAILED, you should be able to see a string of connect/disconnect, with no other activity, something similar to the following:
 
[2015.08.21] 05:40:34 [74.87.35.154][33754200] rsp: 220 fifi.chicagonettech.com  Fri, 21 Aug 2015 10:40:34 +0000 UTC | SmarterMail Enterprise 14.2.5710.19326
[2015.08.21] 05:40:34 [74.87.35.154][33754200] connected at 8/21/2015 5:40:34 AM
[2015.08.21] 05:40:36 [74.87.35.154][33754200] cmd: EHLO X5J& ??
[2015.08.21] 05:40:36 [74.87.35.154][33754200] rsp: 250-fifi.chicagonettech.com Hello [74.87.35.154]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.08.21] 05:40:36 [74.87.35.154][33754200] cmd: MAIL FROM:<<html>
[2015.08.21] 05:40:36 [74.87.35.154][33754200] cmd: <head><title>403 Forbidden</title></head>
[2015.08.21] 05:40:36 [74.87.35.154][33754200] rsp: 500 command unrecognized
[2015.08.21] 05:40:36 [74.87.35.154][33754200] cmd: <body bgcolor="white">
[2015.08.21] 05:40:36 [74.87.35.154][33754200] rsp: 500 command unrecognized
[2015.08.21] 05:40:36 [74.87.35.154][33754200] cmd: <center><h1>403 Forbidden</h1></center>
[2015.08.21] 05:40:36 [74.87.35.154][33754200] rsp: 500 command unrecognized
[2015.08.21] 05:40:36 [74.87.35.154][33754200] cmd: <hr><center>nginx/1.2.1</center>
[2015.08.21] 05:40:36 [74.87.35.154][33754200] Closing transmission channel: too many bad commands
[2015.08.21] 05:40:36 [74.87.35.154][33754200] rsp: 421 Too many bad commands, closing transmission channel
[2015.08.21] 05:40:36 [74.87.35.154][33754200] disconnected at 8/21/2015 5:40:36 AM
[2015.08.21] 05:40:38 [74.87.35.154][33754200] rsp: 554 Sending address not accepted due to spam filter
[2015.08.21] 05:40:38 [74.87.35.154][33754200] Mail rejected due to SMTP Spam Blocking: _SPF (Fail), Barracuda - BRBL, CBL - Abuse Seat - DO NOT USE FOR OUTGOING!, HostKarma - Blacklist, SPAMHAUS - XBL 1
 
0
Bruce Barnes Replied
August 25, 2015 at 8:14 AM

Line 382453: 16:47:05 [73.44.183.227][31907419] cmd: RSET
Line 382454: 16:47:05 [73.44.183.227][31907419] rsp: 421 Too many bad commands, closing transmission channel
is coming from the RECIPIENT'S MAIL SERVER and is not a SmarterMail issue.
 
The receiving mail server has decided to throttle how many messages you can send in a given day.
 
If you do not have DomainKeys, DKIM, SPF, rDNS and DMARC set up, along with proper FEEDBACK LOOPS, you WILL be throttled now.

This is very clearly stated in YAHOO!, GMAIL, OUTLOOK.COM (which now handles all of the Microsoft e-mail services), and about 15 other ISPs.

Make certain your customers have both ACCEPTABLE USE and PRIVACY POLICY pages, for EVERY HOSTED DOMAIN, on their WEBSITES - YAHOO will manually check for these: on your CUSTOMER'S WEBSITES, not on yours.

They will also need POSTMASTER and ABUSE aliases or accounts set up: these should point to a valid, WORKING e-mail address that YOU, as the SmarterMail server operator, respond to, and will be used to set up your FEEDBACK LOOPS.

Finally, set up DMARC and USE IT.  It will prevent you from being JOE-JOBBED and that will prevent you from becoming listed on BACKSCATTER.ORG
 
 
E-Mail is no longer set it and forget it.  It requires a lot of work to set up each domain (and control panels do not do a good job of setting it up) and also requires a lot of day-to-day maintenance work.

SmarterMail makes the job a lot easier, but only if you take the time to properly set up the hosted domains, all of the associated records, and make certain they are all in compliance and STAY in compliance.
 
Remember, all records in a list MUST now be DOUBLE OPT-IN CONFIRMED and, if they bounce, or request removal, must be removed in THREE OR FEWER BUSINESS DAYS.  
 
Remember, too, that when someone requests removal you MUST remove them and are not allowed to ask why.
0
Robert Emmett Replied
August 25, 2015 at 1:18 PM
Employee Post
Nathalie, how do you have your email harvesting abuse detection rule(s) set up?  If too many MAIL FROM: and RCPT TO: commands are issued and a RSET issued without sending any DATA, it could be "flagged" as harvesting and a 421 given and transmission closed.  This is actually a technique that many spammers use: issue a MAIL FROM: and RCPT TO: to see if they receive a 250 OK.  If not, they scratch the name off their lists; if so, they now know a good email.  They'll do the RCPT TO: and issue a RSET without sending any DATA.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
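
The two inbound patterns described in this thread (a session closed with 421 after unrecognized commands, and RCPT TO followed by RSET with no DATA) can be picked out of a detailed SMTP log per session. This is an added example, not code from any poster or from SmarterTools; it assumes the log layout of the excerpts quoted above, and the function name, the labels `garbage-input` and `harvest-probe`, and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout quoted in this thread: [date] time [client-ip][session-id] text
# (the date prefix is optional, as in the "Line 382453" excerpt).
LINE_RE = re.compile(r"^(?:\[[\d.]+\] )?\d\d:\d\d:\d\d \[([^\]]+)\]\[(\d+)\] (.*)$")

def classify_sessions(lines):
    """Return {(ip, session_id): set_of_labels} for sessions worth a look."""
    sessions = defaultdict(lambda: {"bad": 0, "rcpt": 0, "rset": False,
                                    "data": False, "closed": False})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, sid, text = m.groups()
        s, upper = sessions[(ip, sid)], text.upper()
        if upper.startswith("CMD: RCPT TO:"):
            s["rcpt"] += 1
        elif upper == "CMD: RSET":
            s["rset"] = True
        elif upper == "CMD: DATA":
            s["data"] = True
        elif upper.startswith("RSP: 500"):
            s["bad"] += 1
        elif upper.startswith("RSP: 421") and "BAD COMMANDS" in upper:
            s["closed"] = True
    findings = {}
    for key, s in sessions.items():
        labels = set()
        if s["closed"] and s["bad"]:
            labels.add("garbage-input")   # non-SMTP bytes hit the SMTP port
        if s["rcpt"] and s["rset"] and not s["data"]:
            labels.add("harvest-probe")   # recipients tested, nothing sent
        if labels:
            findings[key] = labels
    return findings

# Constructed sample (documentation IPs, made-up session ids).
SAMPLE = """\
[2015.08.21] 05:40:36 [192.0.2.10][1001] cmd: <body bgcolor="white">
[2015.08.21] 05:40:36 [192.0.2.10][1001] rsp: 500 command unrecognized
[2015.08.21] 05:40:36 [192.0.2.10][1001] rsp: 421 Too many bad commands, closing transmission channel
[2015.08.21] 05:41:00 [198.51.100.7][1002] cmd: RCPT TO:<bob@example.com>
[2015.08.21] 05:41:01 [198.51.100.7][1002] cmd: RSET
[2015.08.21] 05:41:05 [203.0.113.5][1003] cmd: RCPT TO:<bob@example.com>
[2015.08.21] 05:41:05 [203.0.113.5][1003] cmd: DATA
""".splitlines()
```

Counting the returned sessions per client IP over a day of logs shows whether the "Bad Commands" total comes from a handful of sources or from many.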
