
How to prevent cPanel account from sending email using hostname

Answered

Comments

28 comments

  • cPRex Jurassic Moderator

    Hey there!  Do you know specifically where those emails are coming from?  When things show up as coming from the hostname, it is often a PHP or other automated script.

    You should ensure the "Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" in WHM >> Tweak Settings is enabled to prevent anything but Exim from connecting to the mail server directly.

    0
  • Ahmed Hamdy

    Unfortunately, I don't know specifically how my customers are sending their emails using my server's hostname!

    But "Restrict outgoing SMTP" is already On by default

    0
  • cPRex Jurassic Moderator

    It's good that it's enabled already.

    You may want to check the Exim log itself (/var/log/exim_mainlog) to see if it shows the directory location of that particular message, as that would give you something to work from.  For example, here's what a message sent from the CSF firewall tool looks like in the log after a root login notification:

    2024-03-25 10:38:33 cwd=/etc/csf 4 args: /usr/sbin/sendmail -f root -t
    2024-03-25 10:38:34 1rolT7-00HP3T-33 <= root@host.hstname.com U=root P=local S=792 T="lfd on host.hostname.com: SSH login alert for user root from 1.2.3.4 (US/United States/104-" for root

    We can see this shows "/etc/csf" as the "cwd" value, which is the Current Working Directory.

    Maybe knowing that will get you pointed in the right direction as to where these messages are coming from.

    If you have a large amount of messages you'd like to track down, you can run this command to search the Exim log and it will show the most common directories being used:

    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
    0
  • Ahmed Hamdy

    When I run this command

    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
    I receive the exact users who are sending emails using the hostname
     
     
    So, how can I prevent them? :)
     
    I checked one of my customers' websites, and I found that his website is sending these emails to his customers, so they aren't being sent manually by someone!
    0
  • cPRex Jurassic Moderator

    Well, that is the trick, and unfortunately there's no easy answer to that.  You'll need to manually examine the directories mentioned to see where the messages are coming from, as it could be any file under that directory.

    0
  • Ahmed Hamdy

    Yes, I did this examination on their website, and I found that the newsletter module is sending their emails using my hostname.

    Is that harmful to my server? For example, could my hostname be marked as spam or something?

     

    0
  • cPRex Jurassic Moderator

    I wouldn't say it's harmful, but I would say it's less than ideal.  Ideally every script/tool/program should be authenticating through a valid email address created in cPanel, using the username and password, just like you would when you login to Webmail or a tool like Outlook.  That might mean they need to adjust their script, but that is the best way to ensure the email reputation stays as best as it can be.

    0
  • Ahmed Hamdy

    Yes, that's correct, but I can't force all my customers to modify their website scripts to use an authenticated email address. That's why I need to do something on my server to prevent sending any email using my hostname.
    That's weird that this option is not available..!

    0
  • cPRex Jurassic Moderator

    Can you see how one of the scripts is sending the message?

    0
  • Ahmed Hamdy

    Yes, this script is for a contact us form

     

    Email Tracking

    0
  • mtindor

    First off, bad idea to take an email address submitted on a form and then make it the FROM address.   That means if somebody fills out a form with an @yahoo.com address and you try to set that as the FROM address, it's going to fail one or more of SPF/DKIM/DMARC when it hits the recipient server (if the recipient server does checks for such things).   In this day and age, the FROM address sent out from a contact form should be an email address that either exists on the server (so that it passes SPF, can be DKIM signed, and can pass DMARC) or at the very least the typical envelope sender (which ends up being accountname@cpanelserver.name).   And you should have your server hostname set up with proper SPF / DKIM signing and a DMARC record as well.

    Of course that wasn't your question.  It's typical of generic scripts and WordPress and such to show an accountname@cpanelserver.name address and use this address as the envelope sender, unless your script is actually authenticating / sending over SMTP on the server.  If you don't want any emails showing an envelope sender of accountname@cpanelserver.name, you need to manipulate the code to force the FROM and envelope sender to be something other than accountname@cpanelserver.name.

     

    0
  • cPRex Jurassic Moderator

    I would actually push back against this a bit:

    "Yes, that's correct, but I can't force all my customers to modify their website scripts to use an authenticated email address"

    I think you can, and I think you should.  If they want the messages to be delivered, and you want your server's reputation to be good across all major providers, they'll need to adjust.

    0
  • Ahmed Hamdy

    mtindor the websites that use these scripts are very old technology websites.

    I don't own these websites; they belong to my customers, who purchased a web hosting service from my company. Now I would like to disable sending any email using my hostname. What should I do?

     

    0
  • Ahmed Hamdy

    cPRex Finally, there is no option to disable/reject any email being sent from my hostname :(

    Of course, I can't force my customers to do that. For example, Bluehost is getting thousands of new customers every day; do you think that they contact all their customers to modify their scripts?

     

    0
  • cPRex Jurassic Moderator

    There is another option, but it's more drastic - you could disable the PHP Mail function completely for the version of PHP they are using with the disable_functions line.  Details on how to do that can be found here:

    https://support.cpanel.net/hc/en-us/articles/360051980414-How-to-modify-disable-functions-in-WHM-when-using-PHP-FPM

    0
  • Ahmed Hamdy

    cPRex got your idea.

    Do you know what the large companies like Bluehost and GoDaddy do?

    0
  • cPRex Jurassic Moderator

    I would bet they have the function disabled in PHP - they really don't want someone to sign up for a cheap shared account, send a zillion emails, and mess up the shared IP reputation.

    0
  • Ahmed Hamdy

    I used the same script on Bluehost hosting and the email has been rejected, check the return email below:

    What did Bluehost do to reject this email?

    0
  • cPRex Jurassic Moderator

    That sounds like an excellent question for Bluehost, although there is some discussion on that error here:

    https://forum.spamcop.net/topic/72574-suddenly-my-message-is-rejected-aupsndr/

    but that isn't a cPanel error message.

    0
  • Ahmed Hamdy

    Do you think Bluehost is disabling the PHP Mail Function?

     

    0
  • cPRex Jurassic Moderator

    I have no way to know what Bluehost is doing, but if I was running a shared hosting environment I certainly would.

    0
  • Ahmed Hamdy

    I talked to Bluehost support just now and they confirmed to me that they don't support the PHP mail function :)

    0
  • cPRex Jurassic Moderator

    There we go :D

    0
  • Ahmed Hamdy

    Thanks for your time :)

    0
  • cPRex Jurassic Moderator

    You're very welcome!

    0
  • Ahmed Hamdy

    cPRex Do you know how to get the content of any email sent by a customer using my hostname?

    0
  • cPRex Jurassic Moderator

    There isn't going to be an easy way to do that.  There would be a lot of getting one mail ID from the log, then searching for that on the user account, and cross-referencing things.  There might be a better way to automate it, but I'm not able to think of a good method.

    0
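
The cross-referencing described above, combined with the earlier `cwd` search, can be partly automated; this is an added example, not part of the thread or cPanel's own tooling. It pairs each `cwd=` line with the next locally submitted message (`<=` with `P=local`), which is a heuristic on a busy server where lines interleave. The function names and the sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pair each "cwd=" line in exim_mainlog with the locally
# submitted message ("<=" ... P=local) that follows it.

# Constructed sample log lines; accounts, message IDs and hosts are made up.
sample_log() {
cat <<'EOF'
2024-03-25 10:38:33 cwd=/etc/csf 4 args: /usr/sbin/sendmail -f root -t
2024-03-25 10:38:34 1rolT7-00HP3T-33 <= root@host.example.com U=root P=local S=792 T="lfd: SSH login alert" for root
2024-03-25 10:40:01 cwd=/home/acct1/public_html/newsletter 3 args: /usr/sbin/sendmail -t -i
2024-03-25 10:40:01 1rolUX-00HP4A-1B <= acct1@host.example.com U=acct1 P=local S=1530 T="March news" for a@example.net
2024-03-25 10:40:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rolUX-00HP4A-1B
2024-03-25 10:40:02 1rolUX-00HP4A-1B => a@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [192.0.2.10]
2024-03-25 10:41:10 1rolVe-00HP4Q-2C <= info@customer.example H=(pc) [198.51.100.7]:51514 P=esmtpsa A=dovecot_login:info@customer.example S=2048 T="Invoice" for b@example.net
2024-03-25 10:42:00 cwd=/home/acct1/public_html/newsletter 3 args: /usr/sbin/sendmail -t -i
2024-03-25 10:42:00 1rolWS-00HP4f-0D <= acct1@host.example.com U=acct1 P=local S=1498 T="March news" for c@example.net
2024-03-25 10:43:30 cwd=/home/acct2/public_html 3 args: /usr/sbin/sendmail -t -i
2024-03-25 10:43:31 1rolXu-00HP5B-1T <= acct2@host.example.com U=acct2 P=local S=911 T="Contact form" for owner@example.org
EOF
}

# Reads an Exim main log on stdin and prints, tab-separated:
#   message ID, local user (U=), working directory, subject (T="...")
trace_local_mail() {
    awk '
    $3 ~ /^cwd=/ {
        # Ignore the cwd lines Exim logs for its own delivery processes.
        if ($3 != "cwd=/var/spool/exim") cwd = substr($3, 5)
        next
    }
    # Only script/sendmail submissions; authenticated SMTP (P=esmtpsa) is skipped.
    $4 == "<=" && / P=local / && cwd != "" {
        user = "-"; subj = "-"
        for (i = 5; i <= NF; i++) if ($i ~ /^U=/) { user = substr($i, 3); break }
        if (match($0, /T="[^"]*"/)) subj = substr($0, RSTART + 3, RLENGTH - 4)
        print $3 "\t" user "\t" cwd "\t" subj
        cwd = ""
    }'
}

# Message count per account and directory, busiest first.
top_sending_dirs() {
    trace_local_mail | cut -f2,3 | sort | uniq -c | sort -nr | sed 's/^ *//'
}

# On a server: trace_local_mail < /var/log/exim_mainlog
sample_log | trace_local_mail
```

For a message ID that is still in the queue, `exim -Mvh <id>` and `exim -Mvb <id>` print its headers and body; once a message has been delivered, only the log line remains.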
  • Ahmed Hamdy

    ok never mind, thank you :)

    0
