  1. #1
    Member
    Join Date
    Nov 2005
    Posts
    8

    Question Discarding all Outgoing Email without a Specific Subject Line

    I'm a Web Developer but I'm also in charge of configuring CPanel. I really don't know what I'm doing when it comes to system administration or email administration, so I'm pretty clueless when it comes to solving this issue. I don't have direct access to the email logs but I can ask for bits of them if necessary. My Web host has said that my domain is sending out a lot of spam and I'm hoping to stop it.

    This Web site represents a small division in a large company. There is one "Contact Us" Web form that needs to send a "thank you" email to whoever uses it as well as send the information to Customer Service. This is the only email that should pass through this domain.

    So that means I know the subject lines of all non-spam email. Would the best approach be to use CPanel's Email Filter and a regular expression to discard all email that does NOT contain the exact subject line? I'm going on the assumption that this works with outgoing email as well as incoming email. Yes, spam could still get through if they use that subject line but I would assume that this wouldn't be as much of an issue.

    What would I put in as the regular expression? I assume that the filter should have a "Subject" that "matches regex" and then the regular expression. I need it to match this:

    Good Subject Line|Second Subject Line

    I'm not sure how to tell it that if it does NOT match one of those two then just discard it. Of course, if this doesn't work on outgoing mail then I'm not sure what to do. Help? Thanks!

  2. #2
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770

    Default

    Rather than filtering out the stuff your script shouldn't be sending, IMO it would be a much better idea to fix the script so that it only sends what it should. Adding filters to counter insecure scripts isn't the best solution in this instance.

  3. #3
    Member
    Join Date
    Jan 2008
    Location
    Buenos Aires, Argentina
    Posts
    942
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by nickp666 View Post
    Rather than filtering out the stuff your script shouldn't be sending, IMO it would be a much better idea to fix the script so that it only sends what it should. Adding filters to counter insecure scripts isn't the best solution in this instance.
    Correct. The problem is surely due to an insufficient filtering method in the website before it is emailed. You must verify the correct format of every var sent to the system from the online form before you actually send the message. Please comment your code to see how you are filtering/analyzing the input data.

  4. #4
    Member
    Join Date
    Nov 2005
    Posts
    8

    Default

    Sorry, I may have been unclear. The spammers are not using the Web form to send their spam. The code that processes the form does a lot of checking, and there are a lot of required fields. The subject and body of the two emails that it sends are in the script. The spam is being sent some other way.

  5. #5
    Member
    Join Date
    Jan 2008
    Location
    Buenos Aires, Argentina
    Posts
    942
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by Glowball View Post
    Sorry, I may have been unclear. The spammers are not using the Web form to send their spam. The code that processes the form does a lot of checking, and there are a lot of required fields. The subject and body of the two emails that it sends are in the script. The spam is being sent some other way.

    OK, fine. And did your hoster provide you with some clues to know if the spam is being sent from a real address in that domain or not?

    The spammers may be bypassing your SMTP server entirely. To avoid this possibility, check in your WHM -> Security -> Security Center -> SMTP Tweak and activate that service (you should have activated all these security measures) in order to curb malicious users from bypassing your SMTP server. (This is taken from a similar post in the forum, answered by cPanelDavidG.)

  6. #6
    Member
    Join Date
    Nov 2005
    Posts
    8

    Default

    I'm going through the files to see if there is any other script that can send email, just in case that was compromised. Unfortunately, this isn't a site I work on. Maybe there's something in a random folder somewhere that spammers are using.

    As for the Security area in WHM, I don't seem to have that option. I'm using WHM 11.15.0 and cPanel 11.18.3-C21703. Where should I see it? Thanks!

  7. #7
    Member
    Join Date
    Jan 2008
    Location
    Buenos Aires, Argentina
    Posts
    942
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    I have the same version of WHM (it only differs in that I use the Stable, not the Current) and there shouldn't be differences. Under Security Center you have several options: cPHulk Brute Force Protection, Host Access Control (block IP access), SSH Password Auth Tweak, PHP open_basedir Tweak, Apache mod_userdir Tweak, Compilers Tweak, Traceroute Tweak, SMTP Tweak, Shell Fork Bomb Protection. Don't you have these items present?

    Do you have SSH access to the host?

  8. #8
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by Glowball View Post
    I'm going through the files to see if there is any other script that can send email, just in case that was compromised. Unfortunately, this isn't a site I work on. Maybe there's something in a random folder somewhere that spammers are using.

    As for the Security area in WHM, I don't seem to have that option. I'm using WHM 11.15.0 and cPanel 11.18.3-C21703. Where should I see it? Thanks!
    You have to be in Security Center, which itself is within the Security section of the WHM interface.

  9. #9
    Member
    Join Date
    Nov 2005
    Posts
    8

    Default

    I don't see anything to do with security anywhere -- not in the left navigation frame and not in the icons on the home page. If I ask our host to enable the Security Center for our WHM would that make sense?

  10. #10
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by Glowball View Post
    I don't see anything to do with security anywhere -- not in the left navigation frame and not in the icons on the home page. If I ask our host to enable the Security Center for our WHM would that make sense?
    Only those with root-level access to the server can access the Security Center. Contact your hosting provider for assistance as it is unlikely they will grant you that level of access.

  11. #11
    Member
    Join Date
    Nov 2005
    Posts
    8

    Default

    I've asked them about it. This is a dedicated server so they may give it to us. If not, I'll ask them to follow the instructions here. Between that and a site cleanup I'm hoping we can stop this spam issue.

  12. #12
    Member
    Join Date
    Jan 2008
    Location
    Buenos Aires, Argentina
    Posts
    942
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    If you are paying for a dedicated server or a VPS you NEED and MUST have access to Security options in WHM. Ask your provider for that access.

    I suppose that you are seeing a WHM panel but not the admin one; you have really been granted use of a reseller panel.

    Regards.

  13. #13
    Member
    Join Date
    Nov 2005
    Posts
    8

    Default

    It's a managed server so they take care of that stuff for us (obviously if I was to handle all of it it would be hopelessly broken in a matter of minutes). They said that SMTP Tweak is activated and has been. I think we're okay -- there has to be a script somewhere that is allowing spam. It seems that people are using this domain for storage in addition to the site, so once we pull all of that down and clean it up we should be good. Fingers crossed.

  14. #14
    Member
    Join Date
    Jan 2008
    Location
    Buenos Aires, Argentina
    Posts
    942
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Well, being so, detecting the spam source won't be easy.
    Then you should download the entire site, look for hosted php/pl scripts that contain mail function calls, and check whether they are validating input data or not.
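
Added example (not part of any post in this thread, and not cPanel code): one way to run the audit suggested above over a downloaded copy of the site, listing every PHP/Perl line that hands mail to the server and marking lines where request data sits in the same call. The extension list, the patterns and the sample files are assumptions made for the illustration; a hit means "read this script", not "this script is the spam source".

```python
import os
import re
import tempfile

SCRIPT_EXTS = {".php", ".phtml", ".inc", ".pl", ".cgi"}  # assumed set to audit
# Constructs that hand a message to the local MTA or an SMTP library.
MAIL_CALL = re.compile(
    r"(?<![\w>$:])(?:mail|mb_send_mail)\s*\("      # PHP built-ins
    r"|/usr/(?:sbin|lib)/sendmail"                 # piping to sendmail
    r"|Net::SMTP|MIME::Lite|Mail::Send(?:mail)?",  # common Perl modules
    re.IGNORECASE)
# Request data on the same line as the mail call: review these first.
RAW_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b|\bparam\s*\(")

def find_mail_calls(root):
    """Return sorted (relative_path, line_no, risk) per mail call found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    if line.lstrip().startswith(("//", "#", "*")):
                        continue  # skip whole-line comments
                    if MAIL_CALL.search(line):
                        risk = "raw-input" if RAW_INPUT.search(line) else "review"
                        hits.append((os.path.relpath(path, root), no, risk))
    return sorted(hits)

SAMPLE = {  # constructed files standing in for a downloaded copy of the site
    "contact.php": '<?php\n$subject = "Good Subject Line";\n'
                   "mail($to, $subject, $body, $headers);\n",
    "old/tellafriend.php": "<?php\n// mail() the page to a friend\n"
                           "mail($_POST['to'], $_POST['subject'], $_POST['msg']);\n",
    "cgi-bin/form.pl": '#!/usr/bin/perl\nopen(MAIL, "|/usr/sbin/sendmail -t");\n',
    "index.html": "<p>Use mail() to reach us</p>\n",
}

def scan_sample():
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return find_mail_calls(root)

if __name__ == "__main__":
    print(*scan_sample(), sep="\n")
```

Point `find_mail_calls()` at the real download directory instead of the sample; scripts marked `raw-input` pass form fields straight into the recipient, subject or headers and are the ones to read or remove first.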

  15. #15
    Member
    Join Date
    Nov 2005
    Posts
    8

    Default

    I'm feeling pretty good about things. I deleted about 80% of the site, some of which had references to mail. I even found an unused pile of scripts for sending mail, which got deleted. Now I'm down to one email class and one form, and they both look good. Everything is validated. I want to thank you for your help with this -- I'll post back if there's still an issue, but I think everything is good.
