Exceeding Email Limit Rule Of Thumbs

[eob]

Apparently there's a rule on the amount of email a server can send.

Last night, my account exceeded the allowed number of sent emails per hour, which is set at 200.

What did it was a VBulletin mailer emailing out 'Thread Update' details to 1600 forum members. I can totally understand why excess email exiting the server is a very bad thing because from a purely numbers point of view it would look like the server had been compromised and was being used by a spam bot.

However, what I would expect to happen in this instance would be a block on the script sending out the mails or contacting the client or at least having a look to see if the outgoing emails were sinister or not.

Instead what happened is all the folder permissions were removed from a fairly sensitive and crucial folder on my website where the email script was based.

What then happened was my whole website went down because it's very dependent on that particular folder. As a result, my regular visitors are getting a big 'Forbidden' warning from accessing that particular folder, and what's worse, a page full of PHP errors which shows potential script kiddies EXACTLY where all my sensitive global and include files are, ie. contained in the folder that's been locked out.

So I spent an hour this morning trying to delete and re-create the folder using both my FTP client and FileManager in cPanel and getting error messages so as a last ditch attempt to solve the issue I contacted support, explaining the problem, and presuming it was a corrupted folder problem.

I get an email telling me they've locked that folder and nailed my site because it was sending out too many emails.

That was 5 hours ago.

My site still isn't back up. I still can't change the folder permissions. I still can't get the site to work.

I would suggest a change to Vox policy when it comes to a server sending out too many (legitimate) emails.

1. Before locking a folder and ruining a site, it should take about 5 seconds to check to see what's doing the emailing. If it's at 4am and it's a forum, it would be the logical thing to conclude to that it's sending out thread update emails.

2. Don't ruin someones site for 5 hours just because the forum sent out too many emails. There has to be a better way.

3. Disabling folders and generating mucho PHP errors gives script kiddies all the info they need about the location of various, very sensitive, PHP files. Does it make business sense to stop outgoing legitimate emails and compromise security while you're doing it?

4. Inform customers that there is a 200 email per hour outgoing limit and that exceeding this will mean their website, and not just their ability to send email, will be terminated.

5. Inform customers when a member of staff has locked a folder so they don't spend an hour wasting valuable time first thing in the morning trying to figure out what's wrong.

6. When the customer contacts support and says 'Yes, I understand why this folder has been locked, can you unlock it please as it's a potential security hole at the moment and my site is down', don't say you've fixed it and not fixed it. Actually get off your backside and fix it. It's kinda difficult to reset the allowed number of outgoing emails on a server when it's disabled.

I've huge faith in WHB. I've sent at least 5 guys your way who've bought packages. Don't ruin it with bad practice. You guys are really cutting the mustard as regards server speeds et al.

Thanks for listening!

Eamonn

[JasonD]

Ouch... That is a good thing to hear, especially since it is not posted in any location as a limit...

Once you get situated, I may be able to assist you with protecting your code, but as far as the mailer, I am not sure if the forum has a "Send Limit" that you can even select.

This is one of those situations where the default settings, and possibly universal unsettable settings, crosses paths with a direct unpublished limitation imposed for security reasons. (Something that needs to be lifted, or be added as a warning into all default forum instillations, so you realize, before you hit that button, that there may be an unavoidable hazard.)

I can't fathom why 200 would even be a limit number?

Most businesses send several thousands of mails a day. At the most, it should have simply returned a "Mail Undeliverable", or "Mail server busy"...

Such a harsh penalty for a service you paid for. (If this was a free-mail service, I could see a limitation like that imposed and enforced.)

What is the point of unlimited emails, if you can only send 200 emails a day, and you had 400 clients on your server... they could each send one mail, every other day!

I mail over 20 mails a day, just from my one address... Um... so you could have 10 members on your site, mail 20 letters each. (Heaven forbid you had 200 members join in one day... confirmation mails alone would kill your server!)

I will be watching this thread, as I do not wish to have this limitation here on this server. That would severely impede my business in the future, and presently!

[eob]

In defence of WHB they're under serious pressure to make sure their servers don't end up black-listed by spam haus, etc, which was a big problem at my last host, but, disabling a website for 6 hours isn't really going to do anyone any favours.

I'm fine for security advice, I'm just super-paranoid about script kiddies so I tend to hide everything, double check everything, anti-inject everything etc.

I know, lame, but it pays to be diligent

[Matt R.]

Eamonn,

This is an automatic thing done on the servers. I'm going ot talk to the team about how it can better notify if it comes into palce though.

[JasonD]

Eamonn,

This is an automatic thing done on the servers. I'm going ot talk to the team about how it can better notify if it comes into place though.

How about talking to them about notifying us that there is even a limit!

And the details of the limit...

Is it exactly 200 total? 200 a day? 200 per account? 200 all month?

I don't want to launch my site, which will depend on e-mails, and I already KNOW I will have over 200 to send in a day. Only to get locked out, 2 hours after opening.

I understand the blacklist thing... But the mails should not be identified as WHM mails... They should be identified as our mails. (That is a gripe I tried to explain to a tech, three times, and they did not comprehend what I was saying.)

WHM will not get blacklisted, it will be our sites. (Should be our sites.)

Blacklisting comes from millions of mails, not hundreds of mails. I am quite sure the CPU LIMITS will be reached, before any threatening level of mails could be sent. (No need to padlock the door, to the already 3 foot thick bank-safe door. Rather, I should say, duct-tape the bank-safe door.)

*Sits and awaits patiently for a formal release to be announced.*

[eob]

What I've done, and the only option I can find in VBulletin, is how many emails to send per batch. I've reduced that from 5 to 2 (I'd reduced it previously to ease server load at WHB) but there's no limit in there, that I can see, to reduce the amount per hour.

Any suggestions?

There's also an option there to use an external SMTP server, anyone any suggestions for one of those?

[Alan B]

Most businesses send several thousands of mails a day.

No, they don't, not on a very inexpensive shared hosting server they don't.

What is the point of unlimited emails, if you can only send 200 emails a day

It's 200 per hour, not per day. And, IIRC from another cPanel host, it's per account/domain.

It's intended as a threshold to limit abuse.

[JasonD]

Thanks Alan, for clearing that up...

Not sure about that "Inexpensive shared hosting", defense... (That may be true and very informative, but that was not part of my statement. I have no idea how many businesses have inexpensive shared servers, I only know that most send several thousand a day.)

(EG, since I got this for my business, which will require similar use in the future, I am now thinking of finding another host service that can handle my business in the future.)

I was not sure about the 200 per hour... can you point me to documentation on that limitation number, for my future reference...

I can and will, limit my mails, to stay under the radar. I have the ability to use exterior SMTP and POP3... so there is more than one way to beat that egg. (Though it is wasted time to me, and even more wasted bandwidth and processing to the server, handling those connections and sending all those bloated files, just to escape lock-down. I do not anticipate needing to send more than 200/hr or 4800/dy or 134400/mo, any time soon. That was why I got the cheapest package! LOL. Though, I would rather have mails, and throughput, as opposed to drive-space and novelty.)

Yes, you can setup most sites to use exterior e-mail accounts. (I am not sure if the tools installed, qualify for that type of connection, since they are there for your servers mail.)

PHP has the ability to make those connections, if you know how to write code. (You will have to research that. I don't want to stray into another topic here.)

[ChiefGoFor]

I would like to see this number increased. To what number? I do not know. (500?)

I would really like to see the ability to throttle this per domain. Then as customers have proven themselves to not being spammers and that the site needing a higher limit is legit. For instance, I have been a WHB customer for several years. If I wanted to request having my limit jumped to 1000 for a 7 day period on an account while a site launched, I think it would be great.

I know this opens for abuse, so it makes it tough to figure out where the line should be drawn.


Just my 2.5 cents.

[Thomas T]

This is a setting for the maximum amount of emails that can be sent by a domain in an hours time. The reason behind such rules is if a spammer has hacked his way into your account he might get caught before sending hundreds of thousands of emails.

It may be possible, on a case per case basis, raise this limit for domains with special needs.

This automated process that's built into cPanel DOES NOT change folder or file permissions.

[Thomas T]

I understand the blacklist thing... But the mails should not be identified as WHM mails... They should be identified as our mails. (That is a gripe I tried to explain to a tech, three times, and they did not comprehend what I was saying.)

WHM will not get blacklisted, it will be our sites. (Should be our sites.)

Blacklisting comes from millions of mails, not hundreds of mails. I am quite sure the CPU LIMITS will be reached, before any threatening level of mails could be sent. (No need to padlock the door, to the already 3 foot thick bank-safe door. Rather, I should say, duct-tape the bank-safe door.)

The mails are identified by their source IP address (in most cases) and all domains on a server share the same source IP address for email. This is not by our design, but by the specific blacklisting groups. Domain names can be spoofed.

It only takes one spam email to get a server blacklisted. It takes time to get them cleared from the blacklists.

[mpyusko]

It only takes one spam email to get a server blacklisted. It takes time to get them cleared from the blacklists.

I can verify that from my own experience. My old webhost's IP got nailed by SPAM Haus. For 3 days I couldn't send e-mails to 95% of my users. This was EXTREMELY inconvenient since we were trying to coordinate a fundraiser and the event took place during that 3 day outage. In my experience that is my only con to shared hosting. (You guys with bigger sites have other issues with shared hosting, I know, I understand.) On bad account blocked the whole IP. No matter how many e-mails I sent to Spam haus, they refused to remove the block until they heard from my webhost the problem was resolved. Those guys are like the power company. They have too much influence over our life. If they want to cut you off, they can, and there is nothing you can do about it. The fact it took 3 days for my webhost to resovle it, was a major reason I'm with WHB now. It's handled in hours not days, and they are flexible.

[Alan B]

This is one of the inherent limitations with cPanel hosting: all accounts on a server share a single outbound mail server hostname and IP. Thus, when one sender gets blacklisted, everyone on the server is effectively blacklisted.

[Colin]

I forget exactly how I did this, we're talking a one shot hack on a mail server to achieve a mailing list function, but I managed to get the programming to process and chuck somewhere around 16,000 emails at the mail server, but the mail server que'd them all and would only spit out one per, thinking it was like 15 seconds, and would take a minute breather between every 100 emails.

BTW, this WAS a legit mailing list, just our host at the time did not support mailing lists.

Is it possible to do something like this with the WHB servers?

[Alan B]

16,000 at a time? I think you need a dedicated server or a specialized mail host. That's not a number that is appropriate for a normal shared hosting server.