BUG (I think) "Domain size limit exceeded" Triggers Abuse rule "(email harvesting)"
Problem reported by Curtis Kropar www.HawaiianHope.org - July 17 at 9:51 PM
So, this is with
        SmarterMail Enterprise Edition
        Version 14.4.5801
Below, I think this is a bug, or at minimum, unwanted behavior.
I am curious if the same problem exists with 15 and 16? AND... Smarter Peeps, is there a fix for this with 14? We plan to upgrade to 15 or 16, but after more of the issues get worked out.
What happened:
One of our domains (a homeless shelter) gets a pile of email, state contracts, etc. Over the past 3 months, as they make changes, we have had other issues with them too, where there is turnover in staff and they delete the email accounts, then the state sending out emails to them triggers the abuse rules again by sending to non-existing email accounts (but that is another issue).
This issue:
On June 21st (June is the end of the fiscal year), one email account (their executive director's) filled up and exceeded their storage limit (the state sending out a lot of large PDF files, annual reports, etc.).
  • [2018.06.21] 22:43:38 [xx.xx.xx.xx][21305886] rsp: 452 <email@domain.org> Domain size limit exceeded
  • [2018.06.21] 22:43:38 [xx.xx.xx.xx][21305886] cmd: RSET
  • [2018.06.21] 22:43:38 [xx.xx.xx.xx][21305886] rsp: 250 OK
  • [2018.06.21] 22:43:38 [xx.xx.xx.xx][21305886] cmd: QUIT
  • [2018.06.21] 22:43:38 [xx.xx.xx.xx][21305886] rsp: 221 Service closing transmission channel
Well, the sending server (state) continued to repeat the send another 10 times, each time getting the "Domain size limit exceeded" and our server rejecting their email.
On the 10th time, it triggered "Too many bad commands"
  • [2018.06.21] 23:49:42 [xx.xx.xx.xx][21397596] rsp: 421 Too many bad commands, closing transmission channel
  • [2018.06.21] 23:49:42 [xx.xx.xx.xx][21397596] disconnected at 6/21/2018 11:49:42 PM
And then, from that point forward, it triggered the abuse detection rule for email harvesting and blacklisted the state's email server (not cool).
  • [2018.06.21] 23:50:39 [xx.xx.xx.xx][61250872] connected at 6/21/2018 11:50:39 PM
  • [2018.06.21] 23:50:39 [xx.xx.xx.xx][61250872] "421 Server is busy, try again later." response returned.
  • [2018.06.21] 23:50:39 [xx.xx.xx.xx][61250872] IP blocked by bad SMTP sessions (email harvesting) abuse detection rule
  • [2018.06.21] 23:50:39 [xx.xx.xx.xx][61250872] disconnected at 6/21/2018 11:50:39 PM
Over the weekend we did an upgrade on PLESK, and restarting the server cleared the IDS blocks, and these guys started getting email again from the state. An hour ago I get a phone call and QUITE an earful from their executive director about why our server "has so many problems with email". She has 24 hours to turn in 3 reports the state was requesting on the 21st. She is NOT happy.
I think this is a bug, OR, at minimum, this is an unwanted behavior.
I don't think that when a single email address on a domain fills up and exceeds its storage limits, it should count towards a "bad command" and then trigger an abuse detection rule. It is not the "fault" of the sending server that the domain is full, and then it punishes the sending server by blacklisting it. In this case, blacklisting the State of Hawaii email server (who pays the bills). If anything, it should be sending ME or the domain admin emails (each time?) to let me/them know it is full and that email is getting rejected.
Which, by the way, that one email address on that domain filling up ends up blacklisting that state server for all of our clients on all domains, most of which are non-profit orgs. So, tomorrow I am expecting to get even more phone calls or nastygrams from other non-profits asking why we were blocking the state's email to them.
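Not part of the original post: an added example of a log triage script for the sequence described above, which reports sender IPs that the email harvesting rule blocked after they had received "452 ... Domain size limit exceeded" rejections. It assumes the SMTP log lines have the shape shown in the excerpts; the function name, IP addresses and mailbox address are constructed for illustration.

```python
import re
from collections import defaultdict

# Line shape copied from the excerpts in the post: [date] time [ip][session] message
LINE = re.compile(r"\[(\d{4}\.\d{2}\.\d{2})\] (\d{2}:\d{2}:\d{2}) \[([^\]]+)\]\[(\d+)\] (.*)")
QUOTA = "Domain size limit exceeded"
BLOCK = "IP blocked by bad SMTP sessions (email harvesting)"

# Constructed sample: 192.0.2.10 is a legitimate sender hitting a full mailbox;
# 198.51.100.7 is blocked without any quota rejection and must not be flagged.
SAMPLE_LOG = """\
[2018.06.21] 22:43:38 [192.0.2.10][21305886] rsp: 452 <director@example.org> Domain size limit exceeded
[2018.06.21] 22:43:38 [192.0.2.10][21305886] cmd: RSET
[2018.06.21] 23:10:02 [192.0.2.10][21350001] rsp: 452 <director@example.org> Domain size limit exceeded
[2018.06.21] 23:49:41 [192.0.2.10][21397596] rsp: 452 <director@example.org> Domain size limit exceeded
[2018.06.21] 23:49:42 [192.0.2.10][21397596] rsp: 421 Too many bad commands, closing transmission channel
[2018.06.21] 23:50:39 [192.0.2.10][61250872] IP blocked by bad SMTP sessions (email harvesting) abuse detection rule
[2018.06.21] 23:55:00 [198.51.100.7][70000001] rsp: 421 Too many bad commands, closing transmission channel
[2018.06.21] 23:55:30 [198.51.100.7][70000002] IP blocked by bad SMTP sessions (email harvesting) abuse detection rule
"""

def quota_driven_blocks(log_text):
    """Map each IP that was blocked after 452 quota rejections to the evidence."""
    rejections = defaultdict(list)   # ip -> [(timestamp, recipient), ...]
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)         # search() tolerates a leading bullet or prefix
        if not m:
            continue
        date, clock, ip, _session, msg = m.groups()
        stamp = f"{date} {clock}"
        if msg.startswith("rsp: 452") and QUOTA in msg:
            rcpt = re.search(r"<([^>]+)>", msg)
            rejections[ip].append((stamp, rcpt.group(1) if rcpt else "?"))
        elif BLOCK in msg and rejections.get(ip) and ip not in findings:
            findings[ip] = {
                "blocked_at": stamp,
                "quota_rejections": len(rejections[ip]),
                "first_rejection": rejections[ip][0][0],
                "full_mailboxes": sorted({r for _, r in rejections[ip]}),
            }
    return findings

if __name__ == "__main__":
    for ip, info in quota_driven_blocks(SAMPLE_LOG).items():
        print(ip, info)
```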

