BUG (I think) "Domain size limit exceeded" Triggers Abuse rule "(email harvesting)"
Problem reported by Curtis Kropar www.HawaiianHope.org - 7/17/2018 at 9:51 PM
Resolved
So, this is with
        SmarterMail Enterprise Edition
        Version 14.4.5801
Below, I think this is a bug, or at minimum, unwanted behavior.
I am curious if the same problem exists with 15 and 16? AND... Smarter Peeps, is there a fix for this with 14? We plan to upgrade to 15 or 16, but after more of the issues get worked out.
 
What happened :
One of our domains (a homeless shelter) gets a pile of email, state contracts, etc. Over the past 3 months, as they make changes, we have had other issues with them too, where there is turnover in staff and they delete the email accounts, then the state sending out emails to them triggers the abuse rules again by sending to non-existent email accounts (but that is another issue).
 
This Issue :
On June 21st (June is the end of the fiscal year), one email account (their executive director's) filled up and exceeded their storage limit (the state sending out a lot of large PDF files, annual reports, etc.).
  • [2018.06.21] 22:43:38 [xx.xx.xx.xx][21305886] rsp: 452 <email@domain.org> Domain size limit exceeded
  • [2018.06.21] 22:43:38 [xx.xx.xx.xx][21305886] cmd: RSET
  • [2018.06.21] 22:43:38 [xx.xx.xx.xx][21305886] rsp: 250 OK
  • [2018.06.21] 22:43:38 [xx.xx.xx.xx][21305886] cmd: QUIT
  • [2018.06.21] 22:43:38 [xx.xx.xx.xx][21305886] rsp: 221 Service closing transmission channel
Well, the sending server (state) continued to repeat the send another 10 times, each time getting the "Domain size limit exceeded" and our server rejecting their email.
 
On the 10th time, it triggered "Too many bad commands"
 
  • [2018.06.21] 23:49:42 [xx.xx.xx.xx][21397596] rsp: 421 Too many bad commands, closing transmission channel
  • [2018.06.21] 23:49:42 [xx.xx.xx.xx][21397596] disconnected at 6/21/2018 11:49:42 PM
 
And then from that point forward, it triggered the abuse detection rule for email harvesting, and blacklisted the state's email server (not cool).
 
  • [2018.06.21] 23:50:39 [xx.xx.xx.xx][61250872] connected at 6/21/2018 11:50:39 PM
  • [2018.06.21] 23:50:39 [xx.xx.xx.xx][61250872] "421 Server is busy, try again later." response returned.
  • [2018.06.21] 23:50:39 [xx.xx.xx.xx][61250872] IP blocked by bad SMTP sessions (email harvesting) abuse detection rule
  • [2018.06.21] 23:50:39 [xx.xx.xx.xx][61250872] disconnected at 6/21/2018 11:50:39 PM
Over the weekend we did an upgrade on PLESK, and restarting the server cleared the IDS blocks, so these guys started getting email again from the state. An hour ago I got a phone call and QUITE an earful from their executive director about why our server "has so many problems with email". She has 24 hours to turn in 3 reports the state was requesting on the 21st. She is NOT happy.
 
I think this is a bug, OR, at minimum, this is an unwanted behavior.
I don't think that when a single email address on a domain fills up and exceeds its storage limits, it should count towards a "bad command" and then trigger an abuse detection rule. It is not the "fault" of the sending server that the domain is full, and then it punishes the sending server by blacklisting it. In this case, blacklisting the State of Hawaii email server (who pays the bills). If anything, it should be sending ME or the domain admin emails (each time?) to let me/them know it is full and that email is getting rejected.
 
Which, by the way, that one email address on that domain filling up ends up blacklisting that state server for all of our clients on all domains, most of which are non-profit orgs. So, tomorrow I am expecting to get even more phone calls or nastygrams from other non-profits asking why we were blocking the state's email to them.
 
 

www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !

5 Replies

0
Bump. Curious if anyone else has seen this, or if this has been fixed with newer versions.

www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
0
Kyle Kerst Replied
Employee Post
Hello Curtis. I tested this under our latest release and was not able to replicate the problem as you'll see in the session logs below:

250 OK
RSET
250 OK
MAIL FROM: <kkerst@smartertools.com>
250 OK <kkerst@smartertools.com> Sender ok
RCPT TO: <tester@kyletest.com>
452 <tester@kyletest.com> Mailbox size limit exceeded

After ~20 attempts or so, SmarterMail continues to respond indicating the mailbox size limit has been exceeded, and does not add the test server to the blacklist/IDS list. I would recommend getting on to a later release as soon as possible to correct these issues. 
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
1
David Fisher Replied
Marked As Resolution
Hi Curtis,

  According to the release notes, this was fixed in v15:

15.7.6443 (Aug 22, 2017)
Fixed: Mailbox oversize limit SMTP bounce could produce an IDS block for email harvesting.

-dave
0
Awesome. Thanks!
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
0
I am going to resurrect this old thread. I just found that it appears to do the same thing if the drive fills up.

On Sept 5th, our server data drive went to 100% capacity; it was full. I never got a notification about that; I did not have the server "events" set up properly to actually email me. It ONLY gives a notice in the admin control panel, but I am not logged into it every day.

This was with SmarterMail Build 8930. Last night we just updated to 9014. Not sure if it is the same.

In any case, the drive filled up and SmarterMail could not write the emails to the drive.
So, this appears to have triggered the harvesting rule. And in fact I just found out why we have not been getting ANY emails from the SmarterTools portal, or tech support, or the forums here... because I found the IP Address for SmarterTools Email server in our IDS Blocks.

[2024.09.06] 00:31:37.687 [35.212.221.81][38619296] connected at 9/6/2024 12:31:37 AM
[2024.09.06] 00:31:37.688 [35.212.221.81][38619296] "421 Server is busy, try again later." response returned.
[2024.09.06] 00:31:37.688 [35.212.221.81][38619296] IP blocked by bad SMTP sessions (email harvesting) abuse detection rule
[2024.09.06] 00:31:37.688 [35.212.221.81][38619296] disconnected at 9/6/2024 12:31:37 AM
I just unblocked the IP Address and got 6 new emails from Smarter Peeps.

Now I need to look at several dozen other legitimate IP Addresses.
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
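
For anyone working through a list of IDS blocks like the one described in this thread, the following is an added example, not code from any poster or from SmarterTools. It scans SMTP log lines in the format quoted above and separates blocked IPs that had received 452 "size limit exceeded" rejections before the block from blocked IPs that had not. The IP addresses and sample lines are constructed (documentation address ranges), and the function names are hypothetical. The thread does not show the response logged when the drive is full, so blocks caused that way land in the manual-review list.

```python
import re
from collections import defaultdict

# Line shape as quoted in the thread: [date] time[.ms] [ip][session] message
LINE = re.compile(r"\[(\d{4}\.\d{2}\.\d{2})\] (\d{2}:\d{2}:\d{2})(?:\.\d+)? "
                  r"\[([^\]]+)\]\[(\d+)\] (.*)")
SIZE_LIMIT = re.compile(r"rsp: 452 .*size limit exceeded", re.I)
BAD_CMDS = "rsp: 421 Too many bad commands"
BLOCKED = "IP blocked by bad SMTP sessions (email harvesting)"

def triage(lines):
    """Per IP: count quota 452s and 421 disconnects seen before the first block."""
    stats = defaultdict(
        lambda: {"quota_452": 0, "bad_cmd_421": 0, "blocked_at": None})
    for raw in lines:
        m = LINE.search(raw)          # search() tolerates leading bullets
        if not m:
            continue
        date, time, ip, _session, msg = m.groups()
        s = stats[ip]
        if s["blocked_at"]:           # only events leading up to the block
            continue
        if SIZE_LIMIT.search(msg):
            s["quota_452"] += 1
        elif msg.startswith(BAD_CMDS):
            s["bad_cmd_421"] += 1
        elif msg.startswith(BLOCKED):
            s["blocked_at"] = f"{date} {time}"
    return dict(stats)

def likely_false_positives(stats):
    # Blocked senders whose earlier sessions hit a full mailbox or domain.
    return sorted(ip for ip, s in stats.items()
                  if s["blocked_at"] and s["quota_452"] > 0)

def needs_review(stats):
    # Blocked senders with no quota rejections in this log: check by hand.
    return sorted(ip for ip, s in stats.items()
                  if s["blocked_at"] and s["quota_452"] == 0)

# Constructed sample input; addresses are from documentation ranges.
SAMPLE_LOG = (
    [f"  • [2018.06.21] 22:{40 + i}:38 [192.0.2.10][2130588{i}] rsp: 452 "
     "<user@example.org> Domain size limit exceeded" for i in range(10)]
    + ["[2018.06.21] 23:49:42 [192.0.2.10][21397596] rsp: 421 Too many bad commands, closing transmission channel",
       "[2018.06.21] 23:50:39 [192.0.2.10][61250872] IP blocked by bad SMTP sessions (email harvesting) abuse detection rule",
       "[2018.06.21] 22:50:00 [203.0.113.5][11111111] rsp: 452 <user@example.org> Mailbox size limit exceeded",
       "[2024.09.06] 00:31:37.688 [198.51.100.7][38619296] IP blocked by bad SMTP sessions (email harvesting) abuse detection rule"])
```

Run `triage()` over the SMTP log files covering the period before the blocks appeared, then compare `likely_false_positives()` against the current IDS block list before unblocking anything.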