Prevent Email Spamming

cPanel is a piece of hosting automation software (http://cpanel.net/) that provides a web interface for controlling many open source services (such as Apache, Exim and Pure-FTPd).

I believe the question concerns outbound mail (i.e. hosting accounts being used to send spam), but I'll briefly outline the inbound mail as well.

Inbound mail:

    Inbound mail enters on port 25 via the default MTA (Mail Transfer Agent), Exim.
    A number of options under the WHM "Exim Configuration Editor" control how SpamAssassin is applied to inbound mail.
    Users may choose to enable/disable SpamAssassin and "BoxTrapper" for their account via the cPanel interface.

Outbound mail: There are a couple of possible routes outbound mail may take:

    Sent by SMTP under a user account (e.g. a user connects from Thunderbird using SMTP, or sends mail from an SSH session using a shell script)
    Sent by SMTP under the "nobody" user (e.g. in a default cPanel installation, a compromised PHP application is tricked into invoking PHP's mail() thousands of times)
    Sent by direct socket connections (e.g. a script placed on the machine makes direct connections to remote mail servers, bypassing the local MTA entirely: fsockopen("mail.example.com", 25, ...); fread()...)

I am not aware of cPanel providing an easy method to scan outbound mail for spam. However, there are several cPanel options to help mitigate the above scenarios:

    Ensuring the "nobody" user cannot send mail, and instead forcing PHP/CGI scripts to send mail as the correct user. The default Apache install runs scripts under the "nobody" user, so mail sent by any script is attributed to "nobody" and cannot be traced to an account. Enabling PHPSuexec and Suexec (within the WHM interface) forces scripts to run as the owning user, and so to send mail as that user. With the suexec options applied, you can then prevent "nobody" from sending mail at all; WHM provides an option under "Tweak Settings": 'Prevent the user "nobody" from sending out mail to remote addresses'.

    Prevent users from making direct socket connections to mail servers: using the handy IPTables extension Owner Match, you can restrict which users (or *nix groups) may make outbound connections to port 25. With users unable to make direct connections, mail has to be sent via the system MTA (Exim), leaving a single place to deal with it. The free ConfigServer Security&Firewall WHM plugin (http://www.configserver.com/cp/csf.html) allows point and click enabling of this setup, the relevant option being "Block outgoing SMTP except for root, exim and mailman". A good article on IPTables Owner Match is also available: http://www.linuxjournal.com/article/6091

With the above setup, all mail is now funnelled through the MTA under the correct user, allowing per domain (and other per user) restrictions to be applied. cPanel provides a rate limiting point and click option:

    WHM "Tweak Settings": "The maximum each domain can send out per hour (0 is unlimited)". Slowing the rate at which spam leaves the server limits how much gets out before a system administrator can deal with it.

If you're interested in the domain rate limiting implementation, look at /etc/exim.pl and if it exists, /etc/exim.pl.local. A chunk of useful cPanel functionality is exposed in these, which may allow you to roll your own custom Perl based solution.

Of course, the above solutions all catch outbound spam after it has already started flowing. It would be preferable to address the root causes as well: rogue users being given accounts, users installing old, vulnerable software, users choosing simple passwords, and so on.

Good luck!
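
The iptables Owner Match setup from the second mitigation, as an added example; this is not CSF's or cPanel's own rule set. It assumes the local user names root, exim and mailman (the CSF defaults quoted above) exist, that the box filters with iptables, and the script name smtp-owner-block.sh is made up here. "show" prints the rules for review, "apply" (as root) loads them; traffic to the local MTA over the loopback interface is always allowed, and everything else on port 25 is logged with its UID and rejected.

```shell
#!/bin/sh
# Added example (not CSF's or cPanel's own rules): restrict outbound TCP/25 to
# a whitelist of local users with the iptables "owner" match, so every other
# process on the box has to hand its mail to the local MTA (Exim).
#
# Assumptions (not from the original page): the users root, exim and mailman
# exist locally, as on a stock cPanel server, and iptables manages the OUTPUT
# chain. Usage:
#   ./smtp-owner-block.sh show     # print the rules, touch nothing
#   ./smtp-owner-block.sh apply    # load them (needs root)

SMTP_ALLOWED_USERS="${SMTP_ALLOWED_USERS:-root exim mailman}"
# Add 465,587 here if scripts are found relaying via remote submission ports.
SMTP_PORTS="${SMTP_PORTS:-25}"

# Print the iptables commands for the given user list without running them,
# so the rule set can be reviewed (and tested) before it hits a live server.
smtp_owner_rules() {
    allowed=$1
    # A dedicated chain keeps the rules easy to flush and reload.
    echo "iptables -N SMTP_OUT 2>/dev/null || iptables -F SMTP_OUT"
    echo "iptables -D OUTPUT -p tcp -m multiport --dports $SMTP_PORTS -j SMTP_OUT 2>/dev/null || true"
    echo "iptables -A OUTPUT -p tcp -m multiport --dports $SMTP_PORTS -j SMTP_OUT"
    # Mail handed to the local MTA is exactly what we want, so never block it.
    echo "iptables -A SMTP_OUT -o lo -j ACCEPT"
    for u in $allowed; do
        echo "iptables -A SMTP_OUT -m owner --uid-owner $u -j ACCEPT"
    done
    # Log (rate limited) then reject everything else; --log-uid records which
    # account tried to connect, which is the account to go and look at.
    echo "iptables -A SMTP_OUT -m limit --limit 30/min -j LOG --log-prefix 'SMTP_BLOCK: ' --log-uid"
    echo "iptables -A SMTP_OUT -j REJECT --reject-with tcp-reset"
}

case "${1:-}" in
    show)
        smtp_owner_rules "$SMTP_ALLOWED_USERS"
        ;;
    apply)
        if [ "$(id -u)" -ne 0 ]; then
            echo "apply requires root" >&2
            exit 1
        fi
        smtp_owner_rules "$SMTP_ALLOWED_USERS" | sh -e
        ;;
esac
```

Because the whitelist is matched on the UID of the connecting process, this only identifies the right account once suexec is on; with scripts still running as "nobody", every blocked connection is logged as "nobody" and the rule cannot tell one hosting account from another.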
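
Once everything is funnelled through Exim, the Exim main log is the single place to look when the hourly limit trips. The following script is an added example, not part of the original answer and not a cPanel tool: it tallies message arrivals ("<=" lines) per submitting account per clock hour and prints the accounts at or above a threshold, preferring the authenticated SMTP user (A=) over the local Unix user (U=) so that a mail() storm shows up under the account it runs as. The embedded log lines are constructed in Exim's standard mainlog format, the path /var/log/exim_mainlog is the cPanel default, and the script name top-senders.sh is made up here.

```shell
#!/bin/sh
# Added example (not from the original answer or from cPanel): find which local
# account is pushing mail through Exim. Reads Exim mainlog lines on stdin and
# reports, per clock hour, every submitting identity with at least LIMIT
# messages. The identity is the authenticated SMTP user (A=...:user) when
# present, otherwise the local Unix user that handed the message to Exim (U=).
#
# Usage (log path is the cPanel default, assumed here):
#   ./top-senders.sh 200 < /var/log/exim_mainlog
#   ./top-senders.sh demo            # run against the constructed sample below

top_senders() {
    limit=${1:-100}
    awk -v limit="$limit" '
        # "<=" marks a message accepted by Exim; "=>" lines are deliveries.
        $4 == "<=" {
            hour = substr($1 " " $2, 1, 13)        # "YYYY-MM-DD HH"
            who = ""
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^A=/) {                  # authenticated SMTP submission
                    who = $i; sub(/^A=[^:]*:/, "", who)
                } else if ($i ~ /^U=/ && who == "") {
                    who = substr($i, 3)            # local sendmail/mail() submission
                }
            }
            if (who == "") who = "unknown"
            count[hour "\t" who]++
        }
        END {
            for (k in count)
                if (count[k] >= limit) print k "\t" count[k]
        }
    ' | sort
}

# Constructed sample log (not a real server's log). Six messages in one hour
# come from "nobody": a PHP mail() storm on a box without suexec enabled.
sample_mainlog() {
    cat <<'EOF'
2024-03-01 10:00:12 1rXaaa-0000a1-Ab <= bob@example.com U=bob P=local S=812 id=1@example.com T="invoice"
2024-03-01 10:03:40 1rXaab-0000a2-Cd <= bob@example.com U=bob P=local S=790 id=2@example.com T="re: invoice"
2024-03-01 10:05:01 1rXaac-0000a3-Ef <= alice@example.org H=(laptop) [203.0.113.5]:51234 P=esmtpsa A=dovecot_login:alice@example.org S=1404 id=3@example.org T="hi"
2024-03-01 10:05:02 1rXaac-0000a3-Ef => carol@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.7]
2024-03-01 10:07:10 1rXaad-0000a4-Gh <= nobody@host.example.com U=nobody P=local S=2210 id=4@host.example.com T="You won"
2024-03-01 10:07:10 1rXaae-0000a5-Ij <= nobody@host.example.com U=nobody P=local S=2210 id=5@host.example.com T="You won"
2024-03-01 10:07:11 1rXaaf-0000a6-Kl <= nobody@host.example.com U=nobody P=local S=2210 id=6@host.example.com T="You won"
2024-03-01 10:07:11 1rXaag-0000a7-Mn <= nobody@host.example.com U=nobody P=local S=2210 id=7@host.example.com T="You won"
2024-03-01 10:07:12 1rXaah-0000a8-Op <= nobody@host.example.com U=nobody P=local S=2210 id=8@host.example.com T="You won"
2024-03-01 10:07:13 1rXaai-0000a9-Qr <= nobody@host.example.com U=nobody P=local S=2210 id=9@host.example.com T="You won"
2024-03-01 11:20:33 1rXaaz-0000b9-Zz <= bob@example.com U=bob P=local S=801 id=10@example.com T="later"
EOF
}

case "${1:-}" in
    demo) sample_mainlog | top_senders 5 ;;
    "")   ;;
    *)    top_senders "$1" ;;
esac
```

With suexec in place the U= field on those "nobody" lines would carry the real account name, which is the whole point of the first mitigation; the same tally then tells you whose password or web application to go and fix.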
