How to: Prevent Email Abuse

For cPanel *For cPanel & WHM 11.36 WHM 11.38*

This document provides best practices for preventing email abuse on your cPanel & WHM server.

Step 1: Enable WHM's SMTP Restrictions

Spammers commonly attempt to work around mail security settings by interacting directly with remote mail servers. WHM's SMTP Restrictions can prevent users from doing so.

You can access this feature in 2 locations:

• Home >> Server Configuration >> Tweak Settings, under the Mail Tab as Restrict outgoing SMTP to root, exim, and mailman.
• Home >> Security Center >> SMTP Restrictions

Enabling this setting restricts outgoing email connection attempts to the mail transfer agent (MTA), the mailman system user, and the root user. Ultimately, this forces both scripts and users to use Exim's Sendmail binary, rather than directly accessing the socket.

Important: Prior to version 11.32, this feature would simply block any attempt to connect to a remote mail server. Starting with cPanel & WHM 11.32, the software redirects the outgoing connection attempt to the local mail server.

Step 2: Prevent the nobody system user from sending mail

Preventing the nobody system user from sending mail to remote addresses prevents would-be abusers from having any anonymity in process accounting. This is because PHP and CGI scripts generally run as nobody when the system is using mod_php, or when suEXEC is disabled.

You can access the Prevent “nobody” from sending mail setting at Home >> Server Configuration >> Tweak Settings, under the Mail Tab.

Step 3: Enable suPHP and enable suExec or mod_ruid2

Enabling suPHP and suEXEC or mod_ruid2 will improve process accounting across your system. Ultimately, this step will allow you to know which users are running which processes system-wide.

• suPHP — This Apache module forces PHP applications to run as the cPanel account user. You can enable suPHP at Home >> Service Configuration >> Configure PHP and SuExec. You will need to enable suPHP for whichever version of PHP you intend to use.
• suEXEC — This Apache feature forces CGI applications to run as the cPanel account user. You can enable suEXEC at Home >> Service Configuration >> Configure PHP and SuExec.
• mod_ruid2 — mod_ruid2 is a different suEXEC module for Apache. This module will also force CGI applications to run as the cPanel account user. This module attempts to provide some performance enhancements over Apache's default suEXEC configuration by taking advantage of some POSIX.1e capabilities.

Step 4: Configure the max hourly emails settings

You can limit the number of emails a domain can send per hour. To do so, you can use the Max hourly emails per domain option under the Mail tab at Home >> Server Configuration >> Tweak Settings. This setting defines a server-wide limit for every domain.

You may further refine this setting by specifying values for an individual package ( Home >> Packages >> Edit a Package) or for an individual account (Home >> Account Functions >> Modify an Account).

You may also specify values for individual domains by editing the cpuser file at /var/cpanel/users/. To do so, add a MAX_EMAIL_PER_HOUR-[$domain] key and specify a value. Remember to replace $domain with the domain you wish to limit. If you make any changes to the cpuser file, make sure to run the /usr/local/cpanel/scripts/updateuserdomains script.

After configuring the maximum number of emails a domain on your system can send per hour, you need to also configure The percentage of email messages (above the account's hourly maximum) to queue and retry for delivery setting. You can configure this setting under the Mail tab at Home >> Server Configuration >> Tweak Settings.

When an account exceeds the maximum number of emails it is allowed to send per hour, by default, any additional messages are queued for delivery and sent in the next hour. This setting allows you to limit the number of messages that will be queued by the system.

Example

Setting the Max hourly emails per domain option to 500 would allow each of the domains you host to send 500 email messages per hour. Now, let's assume one of your domains uses a mailing list with 500 members. If this domain sends a message to the mailing list, then sends an additional 25 email messages in the same hour, the domain would exceed the Max hourly emails per domain limit. In this scenario, a domain is sending a high volume of messages; however, these messages are not spam.

For this reason, you can specify a "soft limit" using the The percentage of email messages (above the account’s hourly maximum) to queue and retry for delivery option. If, for example, you have set the The percentage of email messages (above the account’s hourly maximum) to queue and retry for delivery value to 150, the domain can queue up to 250 messages to send in the next hour. In this scenario, the domain is able to queue the additional 25 email messages to send in the next hour.

Step 5: Configure high failure rate protection

Finally, you need to set a value for the Maximum percentage of failed or deferred messages a domain may send per hour setting. You can configure this option under the Mail tab at Home >> Server Configuration >> Tweak Settings.

This setting provides automated rate-limiting for accounts that generate significant quantities of failed delivery attempts. Specify the percentage of outgoing mail that can fail in an hour. Once the account exceeds this percentage, the account is temporarily prevented from sending mail.

A significantly high number of failed delivery attempts is a good indicator that the user may be sending unwanted bulk mail. It could also indicate a severe misconfiguration of that user's mail forwarding settings.