Plesk 8.4 has been out for a while now. We recently rolled it out to our management clients and discovered that they have added a maximum recipient patch to Qmail.

Though I did not see it on the What’s New page for the release, I discovered it by happenstance. About two years ago, we were dealing with a client issue regarding maximum recipients: spammers were flooding the box with emails being sent to 100 people at a time. We added the maximum recipient restriction then, but at that time Plesk did not carry that patch in its Qmail. It looks like it is now available, and we recommend enabling it to help with spam attacks.

Maximum Recipients
For years, Sendmail has permitted you to limit the number of recipient addresses that can be contained in the TO, BCC or CC fields of a message. This has been useful to block certain types of directory harvesting attacks on email systems.

This has been going on for some time, as you can read in this 2004 Postini whitepaper. Though attackers have newer methods, I still see attacks where someone tries to send an email to 100 people or more at once. I’ve also seen this on the server side when a site is exploited and the attackers try to send out spam.

By limiting maximum recipients, the server will reject any email with too many addresses in the TO-related fields. Based on your email usage, you can probably safely set this to 10-20 without serious impact to your users.

We recommend that if someone is routinely sending to more than 20 users at a time, they use mailing list software. Many ISPs drop emails with large numbers of recipients anyway. Yahoo! is relatively forgiving, with a maximum of 100 recipients per email.

This will not prevent directory harvesting attacks (DHA), but it can make things much more difficult for the harvester. Instead of pushing 100 emails or more to you at once, they now have to send 5-10 at a time. This is much less efficient.

Enabling Max Recipients in Qmail
To limit the number of recipients that can be put in the To:, CC: or BCC: fields of an email, add the file:

/var/qmail/control/maxrcpt

to your qmail configuration. The file takes a single number, which is the limit you wish to impose.

On shared hosting platforms, we recommend you set this as low as your clients will bear. This will help with server load on systems flooded by email – a problem we often find on shared hosting systems. A low value will also mitigate certain types of outbound spam attacks.
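As an added example (not code from the original post, nor from Plesk or qmail), the following POSIX shell functions write the maxrcpt control file with a validated value, read it back, and count the recipients a queued message carries so you can preview which of your clients' messages a candidate limit would reject before you turn it on. The path /var/qmail/control/maxrcpt is the one named above; the function names and the sample message used to exercise them are constructed for this example.

```shell
#!/bin/sh
# Added example: manage the qmail maxrcpt control file and preview its effect.
# Assumptions: /var/qmail/control/maxrcpt is the path from the post; the
# function names here are made up for this example and are not part of qmail.

# set_maxrcpt LIMIT [FILE]
# Write LIMIT into the control file (defaults to the real qmail path).
# Only a positive integer is accepted, so a typo cannot leave qmail reading
# an empty or non-numeric control file.
set_maxrcpt() {
    limit=$1
    file=${2:-/var/qmail/control/maxrcpt}
    case "$limit" in
        ''|*[!0-9]*)
            echo "set_maxrcpt: limit must be a positive integer, got '$limit'" >&2
            return 1 ;;
    esac
    [ "$limit" -gt 0 ] || { echo "set_maxrcpt: limit must be > 0" >&2; return 1; }
    printf '%s\n' "$limit" > "$file" || return 1
    chmod 644 "$file"    # qmail-smtpd only needs to read it
}

# get_maxrcpt [FILE]
# Print the configured limit, or 0 when no limit is set (file missing or empty).
get_maxrcpt() {
    file=${1:-/var/qmail/control/maxrcpt}
    if [ -s "$file" ]; then head -n 1 "$file"; else echo 0; fi
}

# count_recipients MESSAGE_FILE
# Count the addresses across the To:, Cc: and Bcc: headers of an RFC 822
# message on disk. Folded (continuation) header lines are joined first, and
# the header block ends at the first blank line, so commas in the body are
# never counted.
count_recipients() {
    awk '
        function flush() {
            n_parts = split(hdr, parts, ",")
            for (i = 1; i <= n_parts; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "") total++
            }
            inrcpt = 0
        }
        /^$/ { exit }                                   # blank line ends the headers
        /^[ \t]/ { if (inrcpt) hdr = hdr $0; next }     # folded continuation line
        tolower($0) ~ /^(to|cc|bcc):/ {
            if (inrcpt) flush()
            hdr = substr($0, index($0, ":") + 1); inrcpt = 1; next
        }
        { if (inrcpt) flush() }                         # some other header
        END { if (inrcpt) flush(); print total + 0 }
    ' "$1"
}

# would_reject MESSAGE_FILE [LIMIT]
# Exit 0 when the message carries more recipients than LIMIT (default: the
# value in the control file); a limit of 0 means "no limit", so never reject.
would_reject() {
    msg=$1
    limit=${2:-$(get_maxrcpt)}
    [ "$limit" -gt 0 ] || return 1
    [ "$(count_recipients "$msg")" -gt "$limit" ]
}
```

Run would_reject over a sample of your clients' recent outbound messages with the limit you are considering; the messages it flags are the ones whose senders should move to mailing list software before you lower the value for everyone.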
