Email Security - Blocking outgoing spoofed emails from cPanel server

As a company that proactively manages web hosting servers, we do regular security audits on them. One of the recurring issues we have seen on unmanaged servers is loss of server reputation and service uptime caused by outbound spam mail.

To combat spam, the first step is finding a pattern common to the majority of those spam mails. A quick accounting showed that up to 76% of outgoing spam mails are spoofed. Spoofing is where the mail headers are manipulated to make the mail appear to come from some other domain. So, blocking spoofed mails will instantly prevent three quarters of the outbound spam.

Spoofed mails originate from the following two sources:

1. Exploiting vulnerable form-to-mail scripts to send spoofed mail through the local mail agent.
2. Using stolen mail account credentials to send spoofed mail through SMTP authentication.

Let's look at how spoofing can be prevented in Exim, the mail server commonly used on cPanel/WHM servers.

I. Blocking all unauthenticated spoofed outbound emails


2. Add the following entry at the top using the "Add additional configuration setting" option:

3. Add the following code under acl_not_smtp, in the custom_begin_outgoing_notsmtp_checkall section:

Here, the ACL checks whether the domain part of the from address is present in either of the files /etc/localdomains or /etc/remotedomains. If the domain is found in neither file, the server rejects the email.

It should be something like this:

II. Blocking all authenticated spoofed outbound emails


2. Search for acl_smtp_data and add the following lines under it, in the custom_begin_outgoing_smtp_checkall section:

Here, for all authenticated users, the rule checks whether the authenticated user id matches the from address. If it matches, the email is allowed. Otherwise it is rejected with the message "Your FROM must match your authenticated email user. Treating this as spoofed email".

PS: If acl_smtp_data points to a differently named ACL (for example acl_smtp_data = check_message), locate check_message and add the above lines just under it.
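The two ACL fragments described in sections I and II, written out as an added example: this is a reconstruction from the description above, not the author's original snippets or cPanel's own ACL. The first fragment goes at the custom_begin_outgoing_notsmtp_checkall marker under acl_not_smtp, the second at the custom_begin_outgoing_smtp_checkall marker inside the acl_smtp_data (check_message) ACL. It assumes the "from address" being checked is the From: header (Exim's $h_from:) and that the editor preserves the backslash line continuations.

```exim
# --- Section I: paste at custom_begin_outgoing_notsmtp_checkall (acl_not_smtp) ---
# ${address:$h_from:} extracts the bare address from the From: header and
# ${domain:...} the part after '@'. A missing or malformed From: header yields
# an empty domain, which is found in neither file, so the message is denied.
# Reconstruction of the check described above (assumption), not cPanel's ACL.
deny
  message     = Sender domain "${domain:${address:$h_from:}}" is not hosted on this server. Treating this as spoofed email
  log_message = non-SMTP spoof rejected: from=<${address:$h_from:}> uid=$originator_uid
  !condition  = ${if or { \
                  {match_domain{${domain:${address:$h_from:}}}{lsearch;/etc/localdomains}} \
                  {match_domain{${domain:${address:$h_from:}}}{lsearch;/etc/remotedomains}} \
                }}

# --- Section II: paste at custom_begin_outgoing_smtp_checkall (acl_smtp_data) ---
# Only sessions that passed SMTP AUTH are examined ("authenticated = *").
# $authenticated_id is the login the client used; cPanel mailbox logins are
# user@domain, so a case-insensitive comparison with the From: address suffices.
deny
  authenticated = *
  message       = Your FROM must match your authenticated email user. Treating this as spoofed email
  log_message   = authenticated spoof rejected: auth=$authenticated_id from=<${address:$h_from:}>
  !condition    = ${if eq{${lc:$authenticated_id}}{${lc:${address:$h_from:}}}}
```

The log_message lines write one rejection entry per blocked message to the Exim main log, which is the quickest way to spot a compromised script or mailbox after enabling the checks. Before enabling section I, confirm the server hostname appears in /etc/localdomains so that system mail from root@hostname still passes.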


IMPORTANT points to keep in mind

a. POP before SMTP won't work with this setting. You will have to ask your customers to enable the "My Server Requires Authentication" option in the SMTP settings of their email client.
b. Username in the format will not work. They have to use instead.

These solutions have been tested on our test cPanel servers and on a limited set of production servers. We have found them to work in 100% of cases. However, use the above solution at your own risk. If you do not understand the ACLs posted above, always ask for expert opinion.

5 thoughts on “Email Security – Blocking outgoing spoofed emails from cPanel server”

  1. Hello, I am going to test this configuration. We have also implemented boxtrapper, but boxtrapper passes spoofed mails that changed the from to some internal mail. :/

    Let me check this week

    1. Take care with proper escaping / spaces / lines inside WHM's Exim configuration editor!
      It might not work because of wrong line breaks or extra spaces in the editor.

  2. This is great. Our server is having a problem with exploit scripts that send mail in the background, bypassing our local mail exchange server. Will these settings work in my case?

    1. Hello there.
      It will block all spoofed mails (from backdoors / php shells / php hidden mailers, for example) plus all non-SMTP-authenticated mails.
      So it's basically safe except if someone steals SMTP credentials and sends mail from that specific address (without spoofing).

  3. This seems to be working, except that if I have a spoofed from, it generates a non-delivery message that is sent back to the spoofed from.
