SOLVED [CPANEL-20917] Exclude users from "Large Amount of Outbound Email Detected" notification

[rclemings]

Muting the messages isn't enough.

If a feature like this was going to be introduced (and who asked for it? CSF/LFD already has a much better version) then it needs to be configurable to set: (a) the number of emails that triggers an alert, and (b) which users will be covered.

As it is, every time somebody posts something to one of my Mailman lists, I start getting notifications that the mailman user is a spammer. Every time Drupal sends out a new content notice or a newsletter subscription, I get notifications that the Drupal user is a spammer.

 

[cPanelMichael]

Hello @rclemings,

I moved this post to it's own thread, as the thread you posted to is related to a specific case (e.g. the notification still occurring after the notification type is disabled). As far as the functionality of the feature itself, it was first introduced in cPanel & WHM version 68:

Large Amount of Outbound Email Detected notification
In cPanel & WHM version 68, we added the Large Amount of Outbound Email Detected notification to WHM's Contact Manager interface (WHM >> Home >> Server Contacts >> Contract Manager). The system counts every user's outbound messages every 15 minutes. It will send a notification when a mail user exceeds the preconfigured threshold of 500 unique outbound messages over the previous hour (excluding mailing lists). This will help the administrator detect potential spammers or compromised accounts.

Notes:

• This notification defaults to disabled on existing systems and enabled for new installations.
• We do not currently offer the option to configure the threshold.

We plan to expand upon this feature in cPanel & WHM version 72 by adding the Number of unique recipients per hour to trigger potential spammer notification. option in the Mail tab of WHM >> Home >> Server Configuration >> Tweak Settings. This setting will allow you to specify the number of emails that any account may send in one hour before the system sends an alert notification. As far as a per-user configuration, I encourage you to open a feature request for that via:

Submit A Feature Request

[Moderator Edit - It's not possible to exclude Mailman deliveries from the emails counted by this notification type. See This Post for more details]

Thank you.

 

[rclemings]

I still think it would be useful to be able to exempt certain users from the checks, or (better) set higher triggers for them. I have another user that can send several thousand legitimate emails per day (Drupal content notifications, to be specific) and I'm getting multiple alerts. If I could change the trigger for that user to (say) 5,000 it would solve the problem while still providing some degree of spam protection.

I see the feature request site is back up now (although missing recent posts) so I will compose a request there.

 

[cPanelMichael]

Hi @rclemings,

Feel free to post the link to the feature request here once you've opened it so that other users reaching this thread with the same request can vote for it.

Thank you.

 

[Kelli]

There has been discussion about being able to exempt certain users. This is also something we want to do, but I don't yet know when we will be able to get to it. It is on our radar. Do post in the feature site!

 

[rclemings]

Per-user customization for outbound email (spammer) notifications

 

[leith]

I made an assumption that the Mailman list exclusion would be fixed fairly quickly. For my servers, it has not, at least for the lists with over 500 recipients.
I get literally dozens of messages daily. Here's an example covering 2 mailman lists:

warn [eximstats_spam_check] The system has detected an unusually large amount of outbound email. The following sender(s) may be sending spam: [email protected], [email protected]

Admittedly the lists may have been imported years ago but they do follow the standard naming convention. I hope this can be corrected soon as it would be an excellent feature if the mailing list exclusion was working.

 

[cPanelMichael]

Hello Everyone,

To clarify, there are two separate features discussed on this thread:

1. Max hourly emails per domain found under the Mail tab in WHM >> Tweak Settings.

This option is used to define the maximum number of emails each domain can send out per hour. The Count mailman deliveries towards a domain’s Max hourly emails option will ensure Mailman deliveries are not counted towards this limit.

2. Large Amount of Outbound Email Detected is a notification type found in WHM >> Home >> Server Contacts >> Contract Manager.

This option is not associated with the Max hourly emails per domain limit and thus the Count mailman deliveries towards a domain’s Max hourly emails option will have no effect on the number of outbound emails it detects.

In cPanel & WHM version 72, we added the Number of unique recipients per hour to trigger potential spammer notification. option in the Mail tab of WHM >> Home >> Server Configuration >> Tweak Settings. While this won't allow for the exclusion of Mailman deliveries from the counted number of outbound emails, it does allow an administrator to modify the value the used to determine when the notification is triggered.

Additionally, an internal case (CPANEL-20917) is now open to exclude Mailman deliveries from the number of emails counted by the Large Amount of Outbound Email Detected notification type, similar to how it's possible to do this for the Max hourly emails per domain limit. I'll monitor this case and update this thread with more information on it's status as it becomes available.

Thank you.

 

[cPanelMichael]

In cPanel & WHM version 72, we added the Number of unique recipients per hour to trigger potential spammer notification. option in the Mail tab of WHM >> Home >> Server Configuration >> Tweak Settings. While this won't allow for the exclusion of Mailman deliveries from the counted number of outbound emails, it does allow an administrator to modify the value the used to determine when the notification is triggered.

Hello,

For anyone waiting for the addition of this feature in cPanel & WHM version 72, it's added as part of version 72.0.7:

Fixed case CPANEL-19544: Add a new tweak setting to configure eximstats_spam_check.

07/18/2018 Update: CPANEL-19544 was published with version 70.0.54 as well.

As for CPANEL-20917, it's planned for inclusion with cPanel & WHM version 74, but we do still have backport requests open to have it added into versions 72 and 70. I'll update this thread with more information on the status of CPANEL-20917 as it becomes available.

Thank you.

 

[rclemings]

The feature request that I opened above (Per-user customization for outbound email (spammer) notifications) was closed and marked completed with the change to Tweak Settings (72 Release Notes - Version 72 Documentation - cPanel Documentation)

But that change doesn't really address the feature request. The Tweak Settings change allows you to change the threshold for notifications for mail from any accounts. But it doesn't allow you to set different thresholds for different accounts, which was the central point of my request.

I hope my feature request can be updated and the comments corrected. Unfortunately, I had to post this here instead of on the feature request because it is marked completed and no longer accepts comments.

 

[cPanelMichael]

But that change doesn't really address the feature request. The Tweak Settings change allows you to change the threshold for notifications for mail from any accounts. But it doesn't allow you to set different thresholds for different accounts, which was the central point of my request.

Hello @rclemings,

The functionality is offered in cPanel & WHM version 74 as part of the following case:

Implemented case CPANEL-20694: Ability to set auto-detect threshold for users

It's not yet offered as part of an option in WHM >> Modify an Account or as a package value, but you can manually add the following value to an account's cPanel user file (e.g. /var/cpanel/users/username123):

EMAIL_OUTBOUND_SPAM_DETECT_THRESHOLD=

The value must be higher than the value set for the global Number of unique recipients per hour to trigger potential spammer notification setting (thus you can allow some accounts to send more emails than what's configured with the global value).

Thank you.

 

[rclemings]

Good to know, thanks. I usually stick to stable so I will watch for 74 to get there.

 

[cPanelMichael]

Hello,

To update, this is solved in cPanel & WHM version 74:

Fixed case CPANEL-20917: Update eximstats_spam_check to ignore mailman.

Version 74 is now available on the RELEASE tier. You can read more about it at:

The Hosting Platform of Choice | cPanel Release Highlights | cPanel, Inc.

Thank you.