How to Prevent Email Abuse

Overview

This document outlines some of the best practices that you can follow to avoid email abuse on your cPanel & WHM server. 

Password Strength Configuration

If you increase the minimum password strength for your users' mail accounts, you can decrease the chance that a hacker will correctly guess their passwords.

To define minimum password strength for all of your users' authenticated features, use WHM's Password Strength Configuration interface (Home >> Security Center >> Password Strength Configuration).

Note: We recommend that you set the default minimum password strength to at least 50.

Enable cPHulk

cPHulk provides protection for your server against brute force attacks (a hacking method that uses an automated system to guess passwords). If you enable cPHulk, you can decrease the chance that a hacker can use a brute force attack to gain access to your server's mail accounts.

To enable this feature, navigate to WHM's cPHulk Brute Force Protection interface (Home >> Security Center >> cPHulk Brute Force Protection) and click Off to toggle the feature's status.

SMTP restrictions

If you enable the SMTP Restrictions feature, spammers cannot directly interact with remote mail servers or work around mail security settings.

  • This feature restricts outgoing email connection attempts to the mail transfer agent (MTA), the mailman system user, and the root user.
  • This feature forces both scripts and users to use Exim's sendmail binary, which helps to prevent direct access to the socket.

To enable this feature, navigate to WHM's SMTP Restrictions interface (Home >> Security Center >> SMTP Restrictions) and click Enable.

Tweak Settings

The following settings in the Mail section of WHM's Tweak Settings interface (Home >> Server Configuration >> Tweak Settings) can help to prevent email abuse:

Note: If you set the Max hourly emails per domain option to 500, this allows each of the domains that you host to send 500 email messages per hour. For example, a domain uses a mailing list with 500 members. If this domain sends a message to the mailing list, then sends another email message in the same hour, the domain will exceed the Max hourly emails per domain limit.

Use the The percentage of email messages (above the account’s hourly maximum) to queue and retry for delivery setting to specify a "soft limit." For example, if you set the The percentage of email messages (above the account’s hourly maximum) to queue and retry for delivery value to 150, the domain can queue up to 250 messages to send in the next hour. In this scenario, the domain can queue the additional 25 email messages in the next hour.

Max hourly emails per domain

Important: The system only enforces email send limits on remote email deliveries.

To prevent email abuse, we recommend that you specify a value that is not Unlimited.


Account-specific Max hourly emails per domain settings

Use WHM's Edit a Package interface (Home >> Packages >> Edit a Package) or WHM's Modify an Account interface (Home >> Account Functions >> Modify an Account) to specify values for an individual package or an individual account. 

To enable this setting from the command line, you must perform the following steps to manually edit the cpuser file:

  1. From the command line, open the /var/cpanel/users/username file, where username represents the desired account username. 

  2. In this file, add the MAX_EMAIL_PER_HOUR key and specify the value for the selected username: 

    MAX_EMAIL_PER_HOUR=500

  3. Run the /usr/local/cpanel/scripts/updateuserdomains script.
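
The three steps above as one repeatable function. This is an added example, not cPanel's own tooling: the function name, the BACKUP_DIR location and the environment overrides are assumptions, while the file path, key name and script path are the ones given in the steps.

```shell
#!/usr/bin/env bash
# Added example. Defaults are the paths named in the steps above; the
# overrides allow a dry run against a copy of the users directory.
CPUSER_DIR="${CPUSER_DIR:-/var/cpanel/users}"
UPDATE_SCRIPT="${UPDATE_SCRIPT:-/usr/local/cpanel/scripts/updateuserdomains}"
BACKUP_DIR="${BACKUP_DIR:-/root/cpuser-backups}"   # hypothetical backup location

set_max_email_per_hour() {
    local user="$1" limit="$2" file tmp
    # The username becomes part of a path: allow only characters that
    # cannot leave CPUSER_DIR (no "/", no ".").
    case "$user" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid username: $user" >&2; return 2 ;;
    esac
    # The limit must be a plain non-negative integer.
    case "$limit" in
        ''|*[!0-9]*) echo "invalid limit: $limit" >&2; return 2 ;;
    esac
    file="$CPUSER_DIR/$user"
    [ -f "$file" ] || { echo "no cpuser file: $file" >&2; return 1; }

    # Keep a rollback copy outside the users directory.
    mkdir -p "$BACKUP_DIR" && cp -p "$file" "$BACKUP_DIR/$user.$(date +%s)" || return 1

    # Build the new file beside the original, carrying over its mode and owner.
    tmp="$(mktemp "$file.XXXXXX")" || return 1
    cp -p "$file" "$tmp" || { rm -f "$tmp"; return 1; }
    # Drop any existing key so it ends up in the file exactly once
    # (grep exits 1 when nothing is left to print, which is not an error here).
    { grep -v '^MAX_EMAIL_PER_HOUR=' "$file" || [ $? -eq 1 ]; } > "$tmp" &&
        printf 'MAX_EMAIL_PER_HOUR=%s\n' "$limit" >> "$tmp" ||
        { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file" || return 1      # atomic replace (step 2)

    "$UPDATE_SCRIPT"                   # step 3
}

# Usage (as root): set_max_email_per_hour username 500
```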

Prevent “nobody” from sending mail

Important: To prevent email abuse, we recommend that you select On.

The percentage of email messages (above the domain's hourly maximum) to queue and retry for delivery.

Maximum percentage of failed or deferred messages a domain may send per hour

PHP configuration

Warning: Do not enable suEXEC with either ModRuid2 or suPHP. suEXEC is not compatible with these modules.

If you configure PHP and suEXEC, ModRuid2, or suPHP, you can improve server performance and security. This configuration allows you to know which users run which processes system-wide.

  • ModRuid2 and suPHP force CGI applications to run as the cPanel account user. In addition, ModRuid2 exploits some of the POSIX.1e capabilities in order to provide some performance enhancements over Apache's default suEXEC configuration.
  • The suEXEC Apache module forces CGI and PHP applications to run as the cPanel account user. For instructions to enable suEXEC, read our Configure PHP and suEXEC documentation.

Experimental: Rewrite From: header to match actual sender

Any local cPanel user can use the 127.0.0.1 IP address to send mail without authentication. This can make it difficult for system administrators to determine which cPanel account sent the mail, especially when a malicious user spoofs an email address to disguise the origin of the email.

To require cPanel & WHM to put the actual sender in the header, enable the Experimental: Rewrite From: header to match actual sender option in WHM's Exim Configuration Manager interface (Home >> Exim Service Configuration >> Exim Configuration Manager).

After you enable this feature, you will see output that is similar to the following in the /var/log/exim_mainlog file:

2014-04-23 08:09:52 1Wcwvu-0000On-Sb From: header (rewritten was: [fakemail@example.com], actual sender is not the same system user) original=[fakemail@example.com] actual_sender=[spammer@spammer.com]

The actual_sender portion of the log entry shows that spammer is the cPanel account that sent the email. This information allows the system administrator to take action against the account to prevent additional spam.
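
To rank accounts by how often their From: header was rewritten, the log entries can be tallied per actual_sender. This is an added example, not part of cPanel & WHM: it assumes entries follow the format shown above, the function names are hypothetical, and every sample line after the first is constructed.

```shell
#!/usr/bin/env bash
# Added example. Constructed sample lines in the format shown above; only
# the first line comes from the page, the rest are not real log data.
sample_log() {
cat <<'EOF'
2014-04-23 08:09:52 1Wcwvu-0000On-Sb From: header (rewritten was: [fakemail@example.com], actual sender is not the same system user) original=[fakemail@example.com] actual_sender=[spammer@spammer.com]
2014-04-23 08:10:03 1Wcww5-0000Pq-2f From: header (rewritten was: [billing@example.org], actual sender is not the same system user) original=[billing@example.org] actual_sender=[spammer@spammer.com]
2014-04-23 08:10:07 1Wcww9-0000Pt-7a From: header (rewritten was: [fakemail@example.com], actual sender is not the same system user) original=[fakemail@example.com] actual_sender=[spammer@spammer.com]
2014-04-23 08:11:15 1WcwxF-0000Qz-9k <= alice@example.net U=alice P=local S=1024
2014-04-23 08:12:40 1Wcwyc-0000Rb-4m From: header (rewritten was: [news@example.org], actual sender is not the same system user) original=[news@example.org] actual_sender=[bob@example.net]
EOF
}

# Reads a log file ($1) or stdin and prints one line per actual sender:
#   <rewrites> <actual_sender> <distinct original From: addresses>
# sorted with the most frequent sender first.
rewrite_offenders() {
    awk '
    /From: header \(rewritten was: / && /actual_sender=\[/ {
        # The original From: value is chosen by the sender, so take the LAST
        # actual_sender=[...] on the line (greedy .*), which Exim appends.
        snd = $0;  sub(/.*actual_sender=\[/, "", snd); sub(/\].*/, "", snd)
        orig = $0; sub(/.* original=\[/, "", orig);    sub(/\].*/, "", orig)
        count[snd]++
        if (!((snd SUBSEP orig) in seen)) { seen[snd SUBSEP orig] = 1; spoofed[snd]++ }
    }
    END { for (s in count) printf "%d %s %d\n", count[s], s, spoofed[s] }
    ' "${1:--}" | sort -k1,1nr -k2,2
}

# Stand-alone run on the sample; on a server: rewrite_offenders /var/log/exim_mainlog
sample_log | rewrite_offenders
```

A sender with many rewrites spread across many distinct original addresses is the pattern the paragraph above describes, and the first place to look.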
