Email forwarders added to non-legitimate addresses

Comments

6 comments

  • cPanelWilliam
    Hello! You can disable the "Email Filtering Manager" and "Forwarder Manager" features via the Feature Manager in WHM to prevent forwarders and filters from being added via cPanel and webmail for the account. We also have an article detailing how you can
    0
  • Sokpet
    Hello! And thank you for your prompt answer and advice. I will try to perform a malware scan on all devices. Do you know if disabling email forward hook script will help to stop from changing addresses? Here is the script I found. Will it work?
    0
  • cPanelWilliam
    Hello @Sokpet, thank you for your reply. I don't have any experience using that specific hook, but I believe it would work. The script appears to prevent new external forwarders from being added. One potential downside of this is that users wouldn't be able to add legitimate mail forwarders to external email accounts.
    0
  • Spirogg
    Hello @Sokpet, thank you for your reply. I don't have any experience using that specific hook, but I believe it would work. The script appears to prevent new external forwarders from being added. One potential downside of this is that users wouldn't be able to add legitimate mail forwarders to external email accounts.

    Is this an issue with Exim, where it is exposed to the public and hackers are getting in to add forwarders, or is this a user account issue? Either way, if they are hacking into the system from cPanel to Exim, that should be looked at further from cPanel, yes? Just wondering how we can prevent a hacker from running wild and adding forwarders to other users' cPanel accounts (if this is the case)? Not sure, because I have not had this issue, but I have seen a few people complain about this lately. Thanks, Spiro
    0
  • Sokpet
    Hello @Sokpet, thank you for your reply. I don't have any experience using that specific hook, but I believe it would work. The script appears to prevent new external forwarders from being added. One potential downside of this is that users wouldn't be able to add legitimate mail forwarders to external email accounts.

    Thank you for checking that. In my particular case it will work, since users are not allowed to use any external emails for forwarding.
    0
  • Sokpet
    Is this an issue with Exim, where it is exposed to the public and hackers are getting in to add forwarders, or is this a user account issue? Either way, if they are hacking into the system from cPanel to Exim, that should be looked at further from cPanel, yes? Just wondering how we can prevent a hacker from running wild and adding forwarders to other users' cPanel accounts (if this is the case)? Not sure, because I have not had this issue, but I have seen a few people complain about this lately. Thanks, Spiro

    From my understanding, it is a user-account-related issue. Out of a few hundred email accounts, only 2 of them are vulnerable and get external forwarders added. The problem is that it is almost impossible to detect the infected machine, since server logs are showing only one IP address for all requests (which is the data center) and all machines are connecting to the server via that data center. Obviously cPanel cannot detect which request is legitimate and which is not, since the IP is whitelisted.
    0
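
Added example, not part of the thread and not the hook script mentioned above: an audit that lists forwarders whose destination lies outside the server's own domains, which is the condition the thread wants to block or detect. The `address: destination, destination` line layout, the function name `external_forwarders` and all sample addresses are assumptions made for illustration.

```python
# Constructed sample of forwarder alias lines; the "address: dest, dest"
# layout is an assumption, not something shown in the thread.
SAMPLE_ALIASES = """\
info@example.test: owner@example.test
sales@example.test: Sales-Team@Example.Test, x9k2@mailbox.invalid
billing@example.test: "|/usr/local/bin/ticket-pipe"
noreply@example.test: :blackhole:
*: :fail: No such person, mail abuse@elsewhere.invalid
"""


def external_forwarders(alias_text, local_domains):
    """Return (source, destination) pairs that forward mail off the server."""
    local = {d.lower() for d in local_domains}
    findings = []
    for raw in alias_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        source, sep, targets = line.partition(":")
        targets = targets.strip()
        # Skip malformed lines and special actions such as :fail: or :blackhole:.
        if not sep or not targets or targets.startswith(":"):
            continue
        for target in targets.split(","):
            target = target.strip().strip('"')
            # Pipes to programs, file deliveries and bare local users are not
            # external addresses.
            if target.startswith(("|", "/")) or "@" not in target:
                continue
            domain = target.rsplit("@", 1)[1].lower()
            if domain not in local:
                findings.append((source.strip(), target))
    return sorted(findings)


if __name__ == "__main__":
    for src, dst in external_forwarders(SAMPLE_ALIASES, ["example.test"]):
        print(f"external forwarder: {src} -> {dst}")
```

Running a check like this on a schedule and comparing it with the previous result surfaces newly added external forwarders even when the request logs show a single source IP.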
