In Progress CPANEL-42825 - Ratelimit incoming mail to non-existent accounts


Well-Known Member
Mar 22, 2021
United States
cPanel Access Level
Root Administrator
Thank you @cPRex.

So I set the smtp_accept_max_per_host to '20' but it didn't work. Also tried the smtp_accept_max to 20 but that didn't work either. It seems like absolutely nothing from Exim is working against dictionary attacks. This is crazy. Still getting exactly 100 messages on each attack, and something is obviously blocking or limiting them to 100, but I don't understand what it is. The only thing I can imagine is that the attacker is only sending 100 at a time, but that really defeats the purpose of sending a dictionary attack.


Well-Known Member
Mar 3, 2005
Hello, I just filed a similar post and see now that you are experiencing the same issue I am with my hosting servers. No doubt someone has found a new use for AI.

Mail sends are from a non-existant address to 100 random addresses at a hosted domain... using corrputed mail servers around the globe... then the next domain, and so on. Our sender verification and a few country code bans keeps all of them out of client boxes, but I'd sure like to take that load off the servers... as they still have to process them.

I've also been informed by cPanel that the case is being worked on... to see why the Dictionary setting is not restricting them to 4 per domain. I'm experimenting with allowing "no such user" email to go to the admin account to see if that allows the Dictionary setting to work, but with Sender verification enabled, maybe that setting trumps the dictionary one.

I believe the "smtp_max_per_host" setting and the other just limit how many emails can be in the Cc and Bcc fields.... I tried that too.
  • Like
Reactions: cPRex