Email Security - Blocking outgoing spoofed emails from cPanel server

As a company that proactively manages web hosting servers, we do regular security audits on them. One of the recurring issues we have seen with un-managed servers is loss of server reputation and service uptime caused by outbound spam mails.

To combat spam, the first step is finding a pattern common to the majority of those spam mails. A quick accounting showed that up to 76% of outgoing spam mails are spoofed. Spoofing is where the mail headers are manipulated to make the mail appear to come from some other domain. So, blocking spoofed mails will instantly prevent 3/4th of the outbound spam mails.

Spoofed mails originate from the following two sources:

1. Exploiting vulnerable form-to-mail scripts to send out spoofed mails through the local mail agent.
2. Using stolen mail account login details to send spoofed mails through SMTP authentication.

Let’s look at how spoofing can be prevented in Exim mail servers, as commonly deployed on cPanel/WHM servers.

I. Blocking all un-authenticated spoofed outbound emails


2. Add the following entry at the top, using the “Add additional configuration setting” option:

domainlist remote_domains = lsearch;/etc/remotedomains

3. Add the following code under acl_not_smtp, in the custom_begin_outgoing_notsmtp_checkall section:

# Reject a non-SMTP (local, e.g. PHP mail()) submission whose From: header domain
# is not one of this server's domains. The ACL statement needs a verb (deny).
# +allow_domains is an optional extra list: define it (like remote_domains above) or drop it.
deny
  condition = ${if !match_domain{${domain:${address:$h_From:}}}{+local_domains : +remote_domains : +allow_domains}}
  message = Sorry, you don't have permission to send email from this server \
            with a header that states the email is from ${lc:${domain:${address:$h_from:}}}.

Here, the ACL checks whether the domain part of the From address is present in either of the files /etc/localdomains or /etc/remotedomains. If there is no match, the server rejects the email.

It should look something like this (screenshot in the original post):

II. Blocking all authenticated spoofed outbound emails


2. Search for acl_smtp_data and add the following lines under it, in the custom_begin_outgoing_smtp_checkall section:

# For authenticated sessions, reject the message unless both the envelope sender
# and the From: header address equal the authenticated user id (eqi = case-insensitive).
# The ACL statement needs a verb (deny), and the ${if or{...}} expansion must be closed.
deny
  authenticated = *
  condition = ${if or {{ !eqi{$authenticated_id}{$sender_address} }\
                       { !eqi{$authenticated_id}{${address:$header_From:}} }}}
  message = Your FROM address ( $sender_address , $header_From ) must match your authenticated email user ( $authenticated_id ). Treating this as a spoofed email.

Here, for all authenticated users, the rule checks whether the authenticated user id matches the from address. If it matches, the email is allowed. Otherwise, the email is rejected with the message “Your FROM must match your authenticated email user. Treating this as spoofed email”.

PS: If acl_smtp_data is set to something else (like acl_smtp_data = check_message), locate check_message and add the above lines just under it.
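To see what the two ACLs in sections I and II accept and reject before touching a live server, here is a small Python model of both rules run over constructed sample messages. It is an added example, not code from the original post or from cPanel/Exim; the domain-list contents are constructed stand-ins for /etc/localdomains and /etc/remotedomains, and parseaddr plays the role of Exim's ${address:...} expansion.

```python
# Added example: model of the two Exim ACL checks from the post, run over
# constructed sample data (not Exim itself).
from email.utils import parseaddr

# Constructed stand-ins for /etc/localdomains and /etc/remotedomains.
LOCAL_DOMAINS = {"example.com", "shop.example.net"}
REMOTE_DOMAINS = {"mail.example.org"}

def header_from_domain(header_from):
    """Domain part of the From: header, like ${lc:${domain:${address:$h_From:}}}."""
    _, addr = parseaddr(header_from)          # drops the display name
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_notsmtp(header_from):
    """Rule I (acl_not_smtp): deny unless the From: domain is a local or remote domain."""
    domain = header_from_domain(header_from)
    if domain in LOCAL_DOMAINS or domain in REMOTE_DOMAINS:
        return "accept"
    return f"deny: header states the email is from {domain or '<no domain>'}"

def check_smtp_data(authenticated_id, sender_address, header_from):
    """Rule II (acl_smtp_data): for authenticated sessions, both the envelope sender
    and the From: header address must equal the authenticated id (eqi = case-insensitive)."""
    if authenticated_id is None:              # 'authenticated = *' did not match
        return "accept"
    _, hdr_addr = parseaddr(header_from)
    auth = authenticated_id.lower()
    if auth != sender_address.lower() or auth != hdr_addr.lower():
        return f"deny: FROM ({sender_address}, {hdr_addr}) must match {authenticated_id}"
    return "accept"

if __name__ == "__main__":
    # Rule I: a local form-to-mail script setting a From: domain the server does not host.
    print(check_notsmtp("Alice <alice@example.com>"))
    print(check_notsmtp("Support <support@other-company.test>"))
    # Rule II: an authenticated mailbox sending with a From: address that is not its own.
    print(check_smtp_data("bob@example.com", "bob@example.com", "Bob <Bob@Example.com>"))
    print(check_smtp_data("bob@example.com", "bob@example.com", "CEO <ceo@example.com>"))
```

Note that rule II only requires the From: address to equal the authenticated id, so a mailbox user can still send as any display name; what it stops is one compromised account sending as other addresses.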


IMPORTANT points to keep in mind

a. POP before SMTP won’t work with this setting. You will have to ask your customers to use the option – “My Server Requires Authentication” in the SMTP settings of their email client.
b. Username in the format will not work. They have to use instead.

These solutions have been tested on our test cPanel servers and on a limited set of production servers. We have found it to be working in 100% of cases. However, using the above solution is at your own risk. If you do not understand the ACLs posted above, always ask for expert opinion.
