{"id":458,"date":"2021-07-23T12:30:19","date_gmt":"2021-07-23T12:30:19","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/how-to-prevent-email-abuse\/"},"modified":"2021-07-23T12:30:19","modified_gmt":"2021-07-23T12:30:19","slug":"how-to-prevent-email-abuse","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/how-to-prevent-email-abuse\/","title":{"rendered":"How to Prevent Email Abuse"},"content":{"rendered":"<\/p>\n
\n
<\/div>\n
\n

Overview<\/h2>\n

This document outlines some of the best practices that you can follow to avoid email abuse on your cPanel & WHM server.<\/p>\n

Password Strength Configuration<\/h2>\n

If you increase the minimum password strength for your users\u2019 mail accounts, you can decrease the chance that a hacker will correctly guess their passwords.<\/p>\n

To define minimum password strength for all of your users\u2019 authenticated features, use WHM\u2019s Password Strength Configuration<\/em> interface (WHM<\/em> >> Home<\/em> >> Security Center<\/em> >> Password Strength Configuration<\/em>).<\/p>\n

\n
Note:<\/div>\n
\n

We recommend that you set the default minimum password strength to at least 50<\/code>.<\/p>\n<\/p><\/div>\n<\/div>\n

Enable cPHulk<\/h2>\n

cPHulk provides protection for your server against brute force attacks (a hacking method that uses an automated system to guess passwords). If you enable cPHulk, you can decrease the chance that a hacker can use a brute force attack to gain access to your server\u2019s mail accounts.<\/p>\n

To enable this feature, navigate to WHM\u2019s cPHulk Brute Force Protection<\/em> interface (WHM<\/em> >> Home<\/em> >> Security Center<\/em> >> cPHulk Brute Force Protection<\/em>) and click Off<\/em> to toggle the feature\u2019s status.<\/p>\n

Enable Greylisting<\/h2>\n

Greylisting is a service that protects your server against unwanted email or spam. When enabled, the mail server will temporarily reject any email from a sender that the server does not recognize. If the email is legitimate, the originating server tries to send it again after a delay. After sufficient time passes, the server accepts the email.<\/p>\n

To enable this feature, navigate to WHM\u2019s Greylisting<\/em> interface (WHM >> Home >> Email >> Greylisting<\/em>) and click Off<\/em> to toggle the feature\u2019s status.<\/p>\n

SMTP restrictions<\/h2>\n

If you enable the SMTP Restrictions<\/em> feature, spammers cannot directly interact with remote mail servers or work around mail security settings.<\/p>\n

    \n
  • \n

    This feature restricts outgoing email connection attempts to the mail transfer agent (MTA), the mailman<\/code> system user, and the root<\/code> user.<\/p>\n<\/li>\n

  • \n

    This feature forces both scripts and users to use Exim\u2019s sendmail<\/code> binary, which helps to prevent direct access to the socket.<\/p>\n<\/li>\n<\/ul>\n

    To enable this feature, navigate to WHM\u2019s SMTP Restrictions<\/em> interface (WHM<\/em> >> Home<\/em> >> Security Center<\/em> >> SMTP Restrictions<\/em>) and click Enable<\/em>.<\/p>\n

    Exim Configuration Manager<\/h2>\n

    WHM\u2019s Exim Configuration Manager<\/em> interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager<\/em>) provides a large number of spam and abuse prevention options.<\/p>\n

    We strongly<\/strong> recommend that you read the Exim Configuration Manager<\/em> documentation for each option in that interface.<\/p>\n

    Tweak Settings<\/h2>\n

    The following settings in the Mail<\/em> section of WHM\u2019s Tweak Settings<\/em> interface (WHM<\/em> >> Home<\/em> >> Server Configuration<\/em> >> Tweak Settings<\/em>) can help to prevent email abuse:<\/p>\n

    \n
    Note:<\/div>\n
    \n

    If you set the Max hourly emails per domain<\/em> option to 500<\/code>, this allows each of the domains that you host to send 500 email messages per hour. For example, a domain uses a mailing list with 500 members. If this domain sends a message to the mailing list, then sends another email message in the same hour, the domain will exceed the Max hourly emails per domain<\/em> limit.<\/p>\n

    Use the The percentage of email messages (above the account\u2019s hourly maximum) to queue and retry for delivery<\/em> setting to specify a \u201csoft limit.\u201d For example, if you set the The percentage of email messages (above the account\u2019s hourly maximum) to queue and retry for delivery<\/em> value to 150<\/code>, the domain can queue up to 250 messages to send in the next hour. In this scenario, the domain can queue the additional 25 email messages in the next hour.<\/p>\n<\/p><\/div>\n<\/div>\n

    Max hourly emails per domain<\/h4>\n

    This setting specifies the maximum number of emails that each domain can send per hour.<\/p>\n

    This setting defaults to Unlimited<\/em>.<\/p>\n

    \n
    Note:<\/div>\n
    \n
      \n
    • \n

      The system only<\/strong> enforces email send limits on remote email deliveries.<\/p>\n<\/li>\n

    • \n

      This setting does not<\/strong> appear if you disable the Exim Mail Server service in WHM\u2019s Service Manager<\/em> interface (WHM<\/em> >> Home<\/em> >> Service Configuration<\/em> >> Service Manager<\/em>).<\/p>\n<\/li>\n

    • \n

      This setting does not<\/strong> function if you disable the Eximstats driver in WHM\u2019s Service Manager<\/em> (WHM >> Home >> Service Configuration >> Service Manager<\/em>).<\/p>\n<\/li>\n

    • \n

      This setting does not<\/strong> override the following settings:<\/p>\n

        \n
      • Maximum Hourly Email by Domain Relayed<\/em><\/li>\n
      • Maximum percentage of failed or deferred messages a domain may send per hour<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul><\/div>\n<\/div>\n
        \n
        Important:<\/div>\n
        \n

        The system only<\/strong> enforces email send limits on remote email deliveries. To prevent email abuse, we recommend that you specify a value that is not<\/strong> Unlimited<\/em>.<\/p>\n<\/p><\/div>\n<\/div>\n

        Account specific Max hourly emails per domain settings<\/h4>\n

        Use WHM\u2019s Edit a Package<\/em> interface (WHM<\/em> >> Home<\/em> >> Packages<\/em> >> Edit a Package<\/em>) or WHM\u2019s Modify an Account<\/em> interface (WHM<\/em> >> Home<\/em> >> Account Functions<\/em> >> Modify an Account<\/em>) to specify values for an individual package or an individual account.<\/p>\n

        To enable this setting from the command line, you must<\/strong> perform the following steps to manually edit the cpuser<\/code> file:<\/p>\n

          \n
        1. \n

          From the command line, open the \/var\/cpanel\/users\/username<\/code> file, where username<\/code> represents the desired account username.<\/p>\n<\/li>\n

        2. \n

          In this file, add the MAX_EMAIL_PER_HOUR<\/code> key and specify the value for the selected username: <\/p>\n

          \n
          MAX_EMAIL_PER_HOUR=<\/span>500<\/span><\/code><\/pre>\n<\/div>\n<\/li>\n
        3. \n
          Run the \/usr\/local\/cpanel\/scripts\/updateuserdomains<\/code> script.<\/p>\n<\/li>\n<\/ol>\n
          Prevent nobody from sending mail<\/h4>\n
          This setting denies the nobody<\/code> user the ability to send mail to a remote address.<\/p>\n
          The setting defaults to On<\/em>.<\/p>\n
          \n
          Note:<\/div>\n
          \n
          PHP and CGI scripts generally run as the nobody<\/code> user. To use a PHP or CGI script to send mail, enable the suEXEC<\/code> or mod_php<\/code> modules in your Apache configuration.<\/p>\n<\/p><\/div>\n<\/div>\n
          \n
          Important:<\/div>\n
          \n
          To prevent email abuse, we recommend that you select On<\/em>.<\/p>\n<\/p><\/div>\n<\/div>\n
          The percentage of email messages above the account hourly maximum to queue and retry for delivery<\/h4>\n
          This setting specifies whether to queue outgoing messages for later delivery after a domain reaches its limit for outgoing messages per hour.<\/p>\n
          \n
          Note:<\/div>\n
          \n
          The minimum value for this setting is 100<\/code>, with a maximum value of 10,000<\/code>.<\/p>\n<\/p><\/div>\n<\/div>\n
          For example, with the default value of 125%<\/code>, after the domain reaches its hourly limit Exim queues any additional messages, up to 125% of the Max hourly emails per domain<\/em> value. After the account reaches 125% of the Max hourly emails per domain<\/em> value, any additional outgoing messages will fail.<\/p>\n
          This setting defaults to 125%<\/em>.<\/p>\n
          \n
          Note:<\/div>\n
          \n
            \n
          • \n
            To force the failure of all<\/strong> outgoing messages after the domain reaches its limit, set this option to 100<\/code>.<\/p>\n<\/li>\n
          • \n
            This setting does not<\/strong> appear if you disable the Exim Mail Server service in WHM\u2019s Service Manager<\/em> interface (WHM >> Home >> Service Configuration >> Service Manager<\/em>).<\/p>\n<\/li>\n
          • \n
            This setting does not<\/strong> function if you disable the Eximstats driver in WHM\u2019s Service Manager<\/em> (WHM >> Home >> Service Configuration >> Service Manager<\/em>).<\/p>\n<\/li>\n<\/ul><\/div>\n<\/div>\n
            Maximum percentage of failed or deferred messages a domain may send per hour<\/h4>\n
            This setting allows you to specify a maximum percentage of failed or deferred messages that your domain may send per hour. Your server temporarily blocks outgoing mail from a domain if both<\/strong> of the following conditions are true:<\/p>\n
              \n
            • \n
              The percentage of failed or deferred messages, out of the total number of sent messages, is equal to or greater than<\/strong> the specified percentage.<\/p>\n<\/li>\n
            • \n
              The domain has sent at least<\/strong> the number of failed or deferred messages that the Number of failed or deferred messages a domain may send before protections can be triggered<\/em> setting specifies.<\/p>\n<\/li>\n<\/ul>\n
              The system examines all outgoing and local mail over the previous hour to determine whether these conditions are true. If only one<\/strong> of these conditions is true, the system does not<\/strong> block outgoing mail.<\/p>\n
              For more information, read our Mail Limiting Features documentation.<\/p>\n
              This setting defaults to Unlimited<\/em>.<\/p>\n
              \n
              Note:<\/div>\n
              \n
                \n
              • \n
                This setting does not<\/strong> appear if you disable the Exim Mail Server service in WHM\u2019s Service Manager<\/em> interface (WHM >> Home >> Service Configuration >> Service Manager<\/em>).<\/p>\n<\/li>\n
              • \n
                This setting does not<\/strong> function if you disable the Eximstats driver in WHM\u2019s Service Manager<\/em> (WHM >> Home >> Service Configuration >> Service Manager<\/em>).<\/p>\n<\/li>\n
              • \n
                The system uses this setting in conjunction with the Number of failed or deferred messages a domain may send before protections can be triggered<\/em> setting. Your server does not<\/strong> temporarily block outgoing mail from a domain until the domain meets both<\/strong> settings\u2019 requirements.<\/p>\n<\/li>\n<\/ul><\/div>\n<\/div>\n
                Initial default\/catch-all forwarder destination<\/h4>\n
                This setting specifies the initial forwarding destination for new accounts\u2019 default (catch-all) email addresses. The cPanel account default address handles email that nonexistent users on your server\u2019s domains receive.<\/p>\n
                \n
                Important:<\/div>\n
                \n
                  \n
                • If you receive large amounts of spam, we recommend that you change this setting from System account<\/em> (the default) to Fail<\/em>.<\/li>\n
                • Check your domains\u2019 default addresses often<\/strong> for missing messages. The domain default address may receive messages for your existing email addresses if they contain typos or other issues. For example, if your email address is corgis_sploot@example.com<\/code> but a sender uses corgi_splot@example.com<\/code>, the default address will receive it.<\/li>\n<\/ul><\/div>\n<\/div>\n
                  This setting changes the default setting for newly-created accounts. To change this setting for an existing account, perform the following steps:<\/p>\n
                    \n
                  1. \n
                    Log in to the desired cPanel account or use WHM\u2019s List Accounts<\/em> interface (WHM >> Home >> Account Information >> List Accounts<\/em>) to access it.<\/p>\n<\/li>\n
                  2. \n
                    Navigate to cPanel\u2019s Default Address<\/em> interface (cPanel >> Home >> Email >> Default Address<\/em>).<\/p>\n<\/li>\n
                  3. \n
                    From the Send all unrouted email for the following domain<\/em> menu, select the domain for which you wish to set a default address.<\/p>\n<\/li>\n
                  4. \n
                    Select the Discard the email while your server processes it by SMTP time with an error message<\/em> setting. This setting will send an error message to the sender.<\/p>\n<\/li>\n
                  5. \n
                    Enter an error message in the Failure Message (seen by sender)<\/em> text box.<\/p>\n<\/li>\n
                  6. \n
                    Click Change<\/em>.<\/p>\n<\/li>\n<\/ol>\n
                    PHP configuration<\/h2>\n
                    \n
                    Warning:<\/div>\n
                    \n
                    Do not<\/strong> enable suEXEC with ModRuid2. suEXEC is not<\/strong> compatible with this module.<\/p>\n<\/p><\/div>\n<\/div>\n
                    If you configure PHP and suEXEC, ModRuid2, or suPHP, you can improve server security. This configuration allows you to know which users run which processes system-wide.<\/p>\n
                      \n
                    • \n
                      ModRuid2 and suPHP force CGI applications to run as the cPanel account user. In addition, ModRuid2 exploits some of the POSIX.1e<\/code> capabilities in order to provide some performance enhancements over Apache\u2019s default suEXEC configuration.<\/p>\n<\/li>\n
                    • \n
                      The suEXEC Apache module forces CGI and PHP applications to run as the cPanel account user.<\/p>\n<\/li>\n<\/ul>\n
                      EXPERIMENTAL Rewrite From header to match actual sender<\/h2>\n
                      Any local cPanel user can use the 127.0.0.1<\/code> IP address to send mail without authentication. This can make it difficult for system administrators to determine which cPanel account sent the mail, especially when a malicious user spoofs an email address to disguise the origin of the email.<\/p>\n
                      To require cPanel & WHM to put the actual sender in the header, enable the Experimental: Rewrite From: header to match actual sender<\/em> option in WHM\u2019s Exim Configuration Manager<\/em> interface (WHM<\/em> >> Home<\/em> >> Service Configuration<\/em> >> Exim Configuration Manager<\/em>).<\/p>\n
                      After you enable this feature, you will see output that is similar to the following in the \/var\/log\/exim_mainlog<\/code> file:<\/p>\n
                      \n
                      2014<\/span>-04-23 08<\/span>:09:52 1Wcwvu-0000On-Sb From: header (<\/span>rewritten was: [<\/span>fakemail@example.com]<\/span>, actual sender is not the same system user)<\/span> original=[<\/span>fakemail@example.com]<\/span> actual_sender=[<\/span>spammer@spammer.com]<\/span><\/code><\/pre>\n<\/div>\n
                      The actual_sender<\/code> portion of the log entry shows that spammer<\/code> is the cPanel account that sent the email. This information allows the system administrator to take action against the account to prevent additional spam.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"
                      Overview This document outlines some of the best practices that you can follow to avoid email abuse on your cPanel & WHM server. Password Strength Configuration If you increase the minimum password strength for your users\u2019 mail accounts, you can decrease the chance that a hacker will correctly guess their passwords. To define minimum password …<\/p>\n","protected":false},"author":1,"featured_media":459,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/458"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=458"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/458\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/459"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=458"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=458"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}