One Communications allows email clients to make up to 1000 SMTP connections per hour from an individual IP address to smtp.onecommunications.net. If an IP address makes more than 1000 SMTP connections to smtp.onecommunications.net, it will land on the smtp.onecommunications.net DENIED "Too many connections received this hour from <IP address>" listing.
At that point, any further connection attempts to send email through smtp.onecommunications.net will result in the following error:
451 - Too many connections received this hour from <IP address>
If a client does not make an SMTP connection to our servers for one solid hour they are automatically removed from this automated deny listing.
How did my IP address end up getting listed for too many SMTP connections this hour?
99% of the time this is due to a misconfiguration of the client's internal mail server, owned and maintained by the client, or to a virus/trojan or "open relay" type problem, also internal to the client's LAN.
- Are you attempting to relay or send a bulk mailing?
  - If so, you should be using smtp-big.onecommunications.net, or be sure you are using your own email server to relay email out to the WWW using DNS resolution.
- Are you running your own email server on your LAN? (i.e. Microsoft Exchange Server, SendMail Server or any other email server used to send mail out to the WWW via SMTP)
  - If yes, check that your email server is set up to "use DNS resolution to send outbound mail via SMTP" and not a "smart host".
  - If you have your own mail server in-house to send mail outbound to the WWW, you should not be using smtp.onecommunications.net as a "smart host".
  - If you do not have your own outbound email server in-house and you rely strictly on smtp.onecommunications.net to send mail out to the WWW, you may have been compromised by a spam virus or trojan of some sort, or your IP address may be compromised as an "open relay".
The above are a few quick suggestions as to how this could have happened. There are numerous other reasons why an email client might cause an IP address to be listed, so that you now receive the following error:
451 - Too many connections received this hour from <IP address>
The main thing now is to investigate how your internal network is set up to send mail out to the WWW, and then take measures to correct the configuration issue and/or the root cause of the exorbitant number of outbound email connection attempts. In most cases the best thing to do is have your local network technician or your local Exchange Server admin troubleshoot and resolve the issue.
(Additional SMTP server host names this pertains to: smtp.conversent.net, smtp.choiceone.net)
Additional notes are as follows:
In most cases this listing does not indicate that the client's systems are sending out spam. This can be misleading, but in most cases there is a completely different root cause. For example, many times these connection attempts are the result of an internal mail server trying to clear its queue. They may also be the result of virus/trojan or bot activity on one workstation, and more often the source is found to be a misconfigured router or switch trying to send logs via email. If this "offending" device is located outside the client-owned firewall, no logging will be found for its connections. This is probably the #2 root cause, after in-house client-owned mail servers.
Resolutions:
If we find that they have an internal mail server, we need to assist the client in verifying that their PTR and MX records are correct, and then in migrating them off "smart hosting". The only reason they are bouncing mail off of our boxes is to reduce their workload for managing blacklisting and spam. This is a client-side issue, based on the fact that the client chose to relay mail direct to the WWW from their own mail server, and therefore the client should be advised against "smart-hosting" through One Communications email relays.
Client-side virus activity is a given and will be extremely evident from a look at the raw flows; they need to clean house before resetting the counters.
Client-owned firewall syslog events sent out via email need either to be correctly configured according to the manufacturer-specific documentation or completely disabled.
In rare cases their systems may be sending spam as a result of other viral/bot activity. It will be very evident in the raw flows if these SMTP connections are being made to many different addresses or to sequential addresses outbound, in which case cleaning the infection will stop this traffic.
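The raw-flow review described above can be scripted on the client side. The following is an added example, not One Communications tooling: it tallies outbound port-25 connections per internal host and clock hour against the 1000-per-hour limit, and flags hosts connecting to many different or sequential addresses. The record format, the relay address 203.0.113.25 (a placeholder), the `fanout` threshold and all function names are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

LIMIT_PER_HOUR = 1000  # per-IP hourly connection limit stated in the article

def hour_report(lines, relay_ips, fanout=20):
    """Summarise outbound TCP/25 flows per clock hour.
    lines: 'ISO-timestamp src_ip dst_ip dst_port' records (assumed format).
    relay_ips: relay addresses, supplied by the caller.
    fanout: distinct-destination count treated as suspicious (assumed value).
    """
    to_relay = defaultdict(Counter)  # hour -> Counter of src -> connections
    direct = defaultdict(set)        # (hour, src) -> non-relay destinations
    for line in filter(str.strip, lines):
        ts, src, dst, port = line.split()
        if int(port) != 25:
            continue
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:00")
        if dst in relay_ips:
            to_relay[hour][src] += 1
        else:
            direct[(hour, src)].add(int(ipaddress.ip_address(dst)))
    report = {}
    for hour in sorted(set(to_relay) | {h for h, _ in direct}):
        total = sum(to_relay[hour].values())
        scattered = {}
        for (h, src), seen in direct.items():
            if h == hour and len(seen) >= fanout:
                ordered = sorted(seen)
                runs = sum(b - a == 1 for a, b in zip(ordered, ordered[1:]))
                scattered[src] = {"destinations": len(seen), "sequential": runs}
        report[hour] = {"relay_total": total,
                        "over_limit": total > LIMIT_PER_HOUR,
                        "top_sources": to_relay[hour].most_common(3),
                        "scattered": scattered}
    return report

def sample_flows():
    """Constructed records: one host smart-hosting, one walking addresses."""
    rows = [f"2024-03-05T10:{i % 60:02d}:{i // 60:02d} 192.168.1.10 203.0.113.25 25"
            for i in range(1200)]
    rows += [f"2024-03-05T10:05:{i:02d} 192.168.1.57 198.51.100.{i} 25"
             for i in range(1, 41)]
    rows.append("2024-03-05T10:06:00 192.168.1.57 198.51.100.200 443")
    return rows

if __name__ == "__main__":
    for hour, row in hour_report(sample_flows(), {"203.0.113.25"}).items():
        print(hour, row)
```

A host that dominates `top_sources` points to a smart-hosting mail server or a device emailing logs; a host listed under `scattered` matches the many-destination or sequential pattern described above.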
Testing:
If the client is getting SMTP connections denied with the error "451 - Too many connections received this hour from <IP>", they are being denied as a result of exceeding the 1000 connections/hr limit.
If the client is able to "telnet 69.95.226.254 25" from the command line and receives a 220 or 500 response, they are able to send mail via our servers.
Feel free to refer a client trouble ticket to Network Security as we can often lead these into a discussion of security solutions or proactive measures for the client to take in the future.