A way to stop outgoing unauthenticated spam mail

[davide06]

Hello,

we've a problem with all of our customer that have compromised CMS installation that is sending outgoing spam.

In most of the case, we realize the problem with the setting "Max hourly email per domain", so we suspend the account and notify our consumer.

The ip address of our server goes in blacklist after this and we realized that we must prevent this spam action.

There is a way to reject this mail? I note that spammers change the FROM name, so we think that if we blocking all unauthenticated mail (sent from mail() function) with an external domain (not the local main domain), we can solve 85% of the problem

There is a way to do this in exim configuration?

We've blocked successfully authenticated mail with external from address thanks to this topic

Thanks

 

[24x7server]

Hello,

I think you will have to disable php-mail function on your server to stop this type of spamming. Also here are the some tips for you, Please check it : https://documentation.cpanel.net/display/CKB/How+to+Prevent+Email+Abuse

 

[davide06]

Hello,

thanks for your reply. The optimization that you suggest is already set
The problem is that our customer won't set authenticated SMTP by default, so for example, the Wordpress notification about the new comments doesn't work and this represent a large amount of assistance ticket

I've see this exim rules /http://bobcares.com/blog/blocking-spoofed-mails-going-out-of-your-cpanel-whm-web-hosting-server/, but if I change

acl_smtp_data = acl_smtp_data
Exim Default: unset cPanel Default: acl_smtp_data
This option defines the ACL that is run after an SMTP DATA command has been processed and the message itself has been received, but before the final acknowledgment is sent. See chapter 42 for further details.

I get some error in other lower rows

Can you tell me how to solve this problem?
Thanks so much

 

[cPanelMichael]

Hello

Disabling the ability for PHP to send email is really a better way to address such an issue. That being said, what are the specific error messages you receive when making those custom changes?

Thank you.

 

[davide06]

Hello,
the error is related to the custom message, I've changed it and exim has given no error
I've put it into a one of this custom section of acl_smtp_data, but this hasn't solved the problem:

Can you tell me exactly where I need to put this rule?
Thanks

 

[cPanelMichael]

Hello,
the error is related to the custom message, I've changed it and exim has given no error
I've put it into a one of this custom section of acl_smtp_data, but this hasn't solved the problem:

Could you elaborate on this? What problem has not been solved and what error message did you initially receive? Keep in mind that custom Exim ACL rules fall outside our scope of support, so you may want to post to the Exim mailing list for further input.

Thank you.

 

[davide06]

Hello,
yes I know that custom Exim ACL rules fall outside your scope of support, so I decided to write in cPanel Forums in the hope that someone could help!
I put the custom rule into an one of custom section of acl_smtp_data that I attached in my previous message, but this hasn't solved the problem.

We can't disable mail function for the user, because, as I told, the problem is that our customer won't set authenticated SMTP by default, so for example, the Wordpress notification about the new comments doesn't work and this represent a large amount of assistance ticket of our customer because their CMS isn't sending any email.

I need only to change the exim filter to stop the unauthenticated mail sent from mail() function that is changing the from address with a remote address (not included in /etc/localdomains)

Thanks

 

[topofminditalia]

hi,

i have same problem.
So i need interrupt this automatic send mail. But if i disable phpmail function, a user can't send any request into site.

I need a solution please.

Thank you

 

[cPanelMichael]

i have same problem.
So i need interrupt this automatic send mail. But if i disable phpmail function, a user can't send any request into site.

Have you tried getting the user to use SMTP authentication instead for their script?

Thank you.