That’s the question I was asking myself as I got up one Saturday morning and noted that I’d not received any email since Friday evening.
That’s highly unusual, particularly as some of those emails are automated notifications that happen on a schedule over night.
What I found was that a hacker had (inadvertently) caused me to DDOS myself.
I thought I’d share this peek into the complexities of email. While it might get a little geeky at times, here’s what happened, why everything actually worked as it should, and how I fixed it.
But first a word about backups and backup plans
My email is run through my own domain name – similar to leo@randomisp.com, where I actually own the domain randomisp.com. Rather than run my own email server on that domain, I simply have that email address forwarded to my Gmail account. I log in to Gmail to read and send email, even though my correspondents never see the gmail.com address.
A quick test showed that it was in fact that Gmail account that had stopped receiving email. Test messages sent to it from other services, like Outlook.com, never arrived. Interestingly, email sent from that account was also not being delivered.
My first step was to set up actual email services on my private domain. (In my case, that was very easy to do as I run my own servers. An alternate solution would have been to change the forwarding to another service, like Yahoo! or Outlook.com where I also have accounts.) That got me back online to receive any new mail that arrived and allowed me to send email once again.
I actually wasn’t worried about the messages that hadn’t yet been delivered since the prior evening. As you might expect, I have another layer of backup. When mail is sent via my private domain, I also squirrel away a copy of the mail message as a backup in addition to forwarding it to my Gmail account. Those backups were available (although they were somewhat inconvenient to access), if I needed them. I elected to see how things played out before going that far.
Diagnosing the problem
I’m sorry to say that this won’t help the average email user, but because I run my own servers, I was able to look at activity logs generated by my mail server. I noted that when I tried to send something to my Gmail account, there would be an error message:
The user you are trying to contact is receiving mail too quickly. Please resend your message at a later time. If the user is able to receive mail at that time, your message will be delivered.
Too quickly? Well, that’s odd.
Note that this type of failure isn’t something that would generate an immediate “hard bounce” or failure notice. In most cases, the messages would be held by the email server that was trying to send them so that it could automatically try again later. A hard bounce back to the sender would only happen if a message couldn’t be sent after many attempts – usually several days.
So the mail was probably waiting for me, in limbo somewhere.
But then I realized that “limbo” was probably my own server. Because the mail had made it to my own domain to be forwarded on to Gmail, it was my server’s attempts to pass it on to Gmail that were being thwarted. That meant that the messages were sitting in the mail queue on my server waiting to be tried again later.
So, I went to look at my server’s mail queue.
Nearly 1000 messages were waiting to be sent. That’s definitely not a normal amount for overnight.
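The diagnosis above came down to two observations: the mail server's log showed Gmail deferring deliveries with the "receiving mail too quickly" text, and the outbound queue held far more messages than an ordinary night produces. The following script is an added example (not the author's tooling) that performs that same check over log lines. It assumes a Postfix-style syslog layout for delivery attempts; the sample lines, the `.example` host names, the queue ids and the SMTP reply code in them are all constructed for the example, and the only text taken from the article is Gmail's throttling message.

```python
import re
from collections import Counter

# Delivery-attempt lines in a Postfix-style syslog format. This layout is an
# assumption for the example; the article does not say which mail server it uses.
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d):\d\d \S+ postfix/smtp\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, .*?status=(?P<status>\w+) \((?P<detail>.*)\)$"
)

# The throttling text Gmail returned, as quoted in the article.
THROTTLE_TEXT = "receiving mail too quickly"

# Constructed sample log (not the author's real logs): one normal delivery, one
# queue-manager line the parser must ignore, a 120-message burst to the Gmail
# address that is soft-rejected (reply code is part of the constructed sample),
# and one unrelated deferral caused by a connection timeout.
SAMPLE_LOG = "\n".join(
    [
        "Mar  5 22:10:03 mx postfix/smtp[2201]: 0000A001: to=<me@gmail.example>, "
        "relay=mx.gmail.example[192.0.2.10]:25, delay=1.0, dsn=2.0.0, status=sent (250 2.0.0 OK)",
        "Mar  5 22:59:41 mx postfix/qmgr[1800]: 0000A002: from=<alerts@randomisp.com>, "
        "size=2048, nrcpt=1 (queue active)",
    ]
    + [
        f"Mar  5 23:01:{i % 60:02d} mx postfix/smtp[2201]: {i:08X}: to=<me@gmail.example>, "
        "relay=mx.gmail.example[192.0.2.10]:25, delay=0.4, dsn=4.2.1, status=deferred "
        "(host mx.gmail.example[192.0.2.10] said: 450-4.2.1 The user you are trying to contact "
        "is receiving mail too quickly. Please resend your message at a later time. "
        "(in reply to end of DATA command))"
        for i in range(1, 121)
    ]
    + [
        "Mar  5 23:02:10 mx postfix/smtp[2201]: 0000B001: to=<friend@example.net>, "
        "relay=mx.example.net[198.51.100.5]:25, delay=0.9, dsn=4.4.1, status=deferred "
        "(connect to mx.example.net[198.51.100.5]:25: Connection timed out)"
    ]
)


def parse_deliveries(log_text):
    """Yield one dict per postfix/smtp delivery-attempt line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(log_text, burst_threshold=50):
    """Summarise deferrals: how many messages are stuck, how many were throttled,
    which recipients they target, and which minutes carried a burst."""
    per_rcpt = Counter()
    per_minute = Counter()
    deferred_qids = set()
    throttled = 0
    for rec in parse_deliveries(log_text):
        if rec["status"] != "deferred":
            continue
        deferred_qids.add(rec["qid"])
        per_rcpt[rec["rcpt"]] += 1
        per_minute[f'{rec["month"]} {rec["day"]} {rec["time"]}'] += 1
        if THROTTLE_TEXT in rec["detail"]:
            throttled += 1
    bursts = [(minute, n) for minute, n in per_minute.items() if n >= burst_threshold]
    return {
        "deferred_attempts": sum(per_rcpt.values()),
        "queued_messages": len(deferred_qids),   # distinct queue ids still waiting
        "throttled_attempts": throttled,
        "per_recipient": dict(per_rcpt),
        "burst_minutes": sorted(bursts),
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(f"{summary['queued_messages']} messages queued, "
          f"{summary['throttled_attempts']} attempts throttled by the receiver")
    for rcpt, n in summary["per_recipient"].items():
        print(f"  {rcpt}: {n} deferred attempt(s)")
    for minute, n in summary["burst_minutes"]:
        print(f"  burst: {n} deferrals in minute {minute}")
```

On real logs you would feed the output of `grep postfix/smtp /var/log/mail.log` (path and daemon name depend on the distribution) into `analyze`; the `per_recipient` table immediately separates "one mailbox is being throttled" from "the remote host is unreachable", which is the distinction the author needed to make.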
The life of a server on the internet
A quick diversion. As you may or may not know, almost any server that sits on the internet is under a fairly constant attack from automated hacking software and malware running on infected machines elsewhere on the ‘net. There are various forms of attack, and they happen at different rates and come from different locations – typically overseas.
But they’re pretty constant.
As with Windows, the best defense is to keep the software as up to date as possible, but, also as with Windows, it's a good idea to add security software on top of that. One such piece of software is a firewall plug-in for WordPress that blocks common types of attacks. It's very nice to have that additional security in place.
One of the reasons why I know that it’s happening is that the firewall plug-in sends me an email when it blocks an attack.
And that’s where the pieces of the puzzle fall into place.
What happened
Sometime Friday night, one of my sites came under a heavier-than-normal hacking attack. The firewall plug-in did its job nicely and blocked them all, sending me an email about each one. The net result is that it sent something like 700 emails to me within a few minutes.
When those were forwarded to my Gmail account, Gmail balked. An email flood (or “mailnado” as someone on Facebook put it) can bring a mail server to its knees, so Gmail has to do something like this to protect itself. Fortunately, it’s not rejecting the mail as much as it’s saying, “I’m too busy. Go away and come back later.”
Gmail would thus throttle the incoming mail to my account for a while. It’s not published anywhere, but based on what I’ve seen, it’s probably on the order of 12-24 hours, and it is probably adjusted based on any continuing attempts to flood the server.
This hacking attempt on my website had caused my server to essentially launch a Denial Of Service (DOS) attack on my own mail account.
After doing exactly nothing, mail started to flow again later on Saturday. Even the messages that had originally been sent overnight would trickle in over the next day.
What I changed
1) The firewall could be configured to not send a message on every similar attack type, but rather bundle them up into fewer emails.
2) I changed the email address that those messages were sent to so that they would be archived on my server, but no longer forwarded to Gmail.
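The first change, bundling similar alerts into fewer emails, is a general pattern worth seeing in code. The class below is an added example, not the firewall plug-in's own code (the article does not name the plug-in): the first blocked request of a given attack type goes out immediately, everything else of that type is held, and at the end of a fixed window a single digest summarises what was held. The event shape, the attack-type names, the ten-minute window and the 203.0.113.x source addresses are all constructed for the example.

```python
from collections import Counter, defaultdict


class AlertDigester:
    """Coalesces block events so that each attack type produces at most two
    notifications per `window` seconds: one immediate alert and one digest."""

    def __init__(self, window, send):
        self.window = window            # seconds a digest window stays open
        self.send = send                # callable(subject, body), e.g. an SMTP wrapper
        self.open_since = {}            # attack type -> time its current window opened
        self.held = defaultdict(list)   # attack type -> events waiting for the digest

    def record(self, event, now):
        kind = event["type"]
        self.flush(now)                 # close any windows that have expired
        if kind not in self.open_since:
            self.open_since[kind] = now
            self.send(f"[firewall] blocked {kind} from {event['ip']}", self._body(kind, [event]))
        else:
            self.held[kind].append(event)

    def flush(self, now, force=False):
        """Emit digests for windows that have run their course (or all, if forced)."""
        for kind, opened in list(self.open_since.items()):
            if force or now - opened >= self.window:
                events = self.held.pop(kind, [])
                del self.open_since[kind]
                if events:
                    self.send(f"[firewall] digest: {len(events)} more {kind} attempts blocked",
                              self._body(kind, events))

    @staticmethod
    def _body(kind, events):
        top = Counter(e["ip"] for e in events).most_common(5)
        lines = [f"{len(events)} {kind} request(s) blocked", "top sources:"]
        lines += [f"  {ip}: {n}" for ip, n in top]
        return "\n".join(lines)


def replay_burst(n_events=700, window=600):
    """Constructed replay of the article's night: n_events blocked requests of
    three kinds inside three minutes, then one straggler an hour later."""
    outbox = []
    digester = AlertDigester(window, send=lambda subject, body: outbox.append((subject, body)))
    kinds = ["sql-injection", "xss", "login-brute-force"]
    for i in range(n_events):
        event = {"type": kinds[i % 3], "ip": f"203.0.113.{i % 20}"}
        digester.record(event, now=i * 180 / n_events)
    digester.record({"type": "xss", "ip": "198.51.100.7"}, now=3600)
    digester.flush(now=3600 + window, force=True)   # end of run: drain what is held
    return outbox


if __name__ == "__main__":
    for subject, body in replay_burst():
        print(subject)
        print("   " + body.replace("\n", "\n   "))
```

With these settings the 700-event burst produces seven emails instead of seven hundred, and the admin still learns within seconds that the attack started; in a real deployment `flush` would also need to run from a timer so a digest is not delayed until the next event arrives.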
Ultimately, my experience was nothing more than the system working as it should. Fortunately, I had the tools and access to properly diagnose what was going on. In retrospect, I believe that even without server access, the problem would have become obvious as the 700 firewall messages were eventually delivered. It just would have taken a day or two to sort it all out.
Hi Leo, as one who hates TLAs & FLAs (Two, Three and Four Letter Acronyms) without an explanation the first time used, I was somewhat perplexed by DDOS and assumed it was something to do with Disc Operating System (yes, Disc – I’m English and prefer English to the American foreign language). Imagine my surprise to discover I must be a dinosaur if I still think of DOS in those terms.
I suppose it’s OK (Orl Korrect) that acronyms must move with the times but sometimes it’s hard for us oldies to keep up.
I was recently castigated (the unkindest cut of all) for interpreting SMEs for Small to Medium Enterprises when the writer (unexplained) meant Subject Matter Expert! Aah well, I’m not an expert as I take the meaning to be Ex – as in has been and Spurt being a drip under pressure.
Keep up the good work.
That’s why I included a definition of DDOS in the article. :-)
I see hack attempts on our webserver every day. It's always .PHP extensions, which is no problem for us because we have no PHP pages… thus the reason they stand out in the error logs. I get a 404 Page Not Found report each morning that shows the standard "index.php" or "wp-login.php" attempts; I'm guessing that second one is a WordPress hack attempt. What's interesting is that once in a while a really obscure string will appear, like "some-strange-folder-path\some-strange-file-name.php", and if I search the net for that specific string, often I'll only get a few hundred hits and they are always sites discussing a new exploit found in PHP. At that point I imagine someone who runs a bot network enters that string into their hacker script and it dutifully starts searching countless websites just to score a hit on that page. They fail on our site, but it's only a matter of time before they score a hit and I can only imagine what they do at that point.
I had 2 e-mail addresses on 1 small window where I could click on 1 and when I was thru with that 1 I just clicked on the other. Everything was fine until one day one, my personal one, disappeared. I’ve tried everything, followed the screen instructions, got a response once asking for more info, and now 2-3 months later still no recovered e-mail address. It is an @hotmail.com. Now what???
Tom:
"OK" originally stood for "ZERO KILLED", as in the Civil War (among the North (States) and the South (States)), as the "Daily Statistics were Posted on a Chalk Board" for all to see and know if their loved ones were still safe (in the Civil War??? – NOBODY was "Safe").
So over the years it has taken on different meanings. And here we are today……
Hey There! I've been having "major" problems with my ancestry.com &/or AOL. Ancestry.com sends out a monthly newsletter, which I haven't seen in almost 2 years. When I ask them about it they tell me to email AOL and have them check with the "postmaster" (whatever the heck that means) and I go to AOL and they tell me to check with Ancestry and have them check with the "postmaster". I will say I get email from "support@ancestry.com" .. but not the monthly emails and/or anything else they send me, including my notice of renewal. NO, I don't have them blocked, and I'm really tired of getting the runaround from both of them. Any suggestions? Thanks much.
You might consider opening a GMail or Yahoo account for receiving email which is blocked by AOL.
My record for getting my server to (unintentionally) spam myself sits at about 65,000 emails in a 2-hour period. I managed to kill the outbound queue before about 50k of those got forwarded, but I was clearing them out of Gmail as they trickled in for at least 18 hours. Automated emails are powerful, and can be dangerous.
Hi Leo.
Another interesting article. Thanks.
As a matter of interest, which WordPress firewall do you use? There are a number of choices and I would value your opinion.
http://www.seoegghead.com/software/wordpress-firewall.seo
Leo, I belong to a site I am working on making money. So I get emails constantly from this site. Well, so far I've had to open two different email accounts as they stop the site's emails from coming to me. Last night I opened a new Hotmail account. The site was able to send me all night and all day and now suddenly, I can't get those emails they are sending me. I should have a good 20 emails from them right now but nothing for the last few hours. They have already asked me to change my email address once cause they couldn't send to my inbox.. now I'm seeing they are unable to send again. What can I do to get all those emails??
This site doesn’t really sound legitimate. But if you want to continue in that direction then your best bet is to not use a service such as Gmail, Hotmail, Yahoo and the like. Those services work hard to prevent spam. The only real option is to purchase your own domain name, and find a server which provides you with a back end management software (such as cpanel) where you can create and manage your own email accounts. You’ll be able to set up accounts that do not filter spam.
Here’s an article to help you get started with this: https://biz.askleo.com/use-your-own-domain-for-email/
Honestly, I don’t know. What you’re describing makes me believe that the sender is being treated as a spammer, and being blocked. You can try getting a new email address on a completely different provider, perhaps.
I stopped receiving emails about a week ago. I tried to contact Yahoo.com. There's nowhere that you can ask a question, until I came to the bottom of this site. A couple of times I almost got help. I changed my password, but then they wanted me to put in this crazy backup email address & phone number. I think I put in the email wrong, but then they wanted me to put in the phone number. I tried to explain the number wasn't mine, because they were going to send me a code to put in. I tried putting in my phone number but they said it was an incorrect number. They gone tell me I got the wrong number. Get these dumb ass people at Yahoo to open my frickin email address back up. I got important stuff getting ready to occur, and this is not the time for it to be acting like a damn fool. {name removed}. …I am so…o mad
Why have I not received any emails in the last 4 days?
Read the article you are commenting on. It discusses that.
I am not getting e-mail for the last 3 days and prior to that some of my mail was going to spam folder.
I have already set up my email account or email address to this new computer,, my email is there but I am not receiving any email at all,, why?
When you say “to this computer” — what exactly does that mean?
YESTERDAY, I HAD SEVERAL E MAILS. I COULD NOT CHECK VERY MANY OF THEM, ONLY THE LAST FEW OF THE NEW ONES. NOW THERE IS NOTHING! WHAT AM I DOING WRONG?
I’m afraid that you’ve not given us nearly enough information to go on. Please read the article, and perhaps seek out some local technical support who can look at your system and tell you what’s what. Good luck!