Blocking emails (sendmail) from localhost?

celitocomm

Registered
Nov 17, 2014
cPanel Access Level
Root Administrator
Hi all,

I have done a lot of searching and have done the things I thought I had to to prevent this, but it hasn't seemed to help.

My company runs a cPanel server with about 100 domains on it. One of our users running WordPress was just infected with PHP/Kryptik which was a virus that was sending spam from the server itself. The mail queue in cPanel was filled with messages that were showing as being from the server itself.

Without revealing actual information, here is what I mean:
Client's root user name is [email protected]
Our cPanel server is hosting.mycompany.com

In the mail queue, the messages were shown as being from [email protected]. The command that this malicious PHP script was running was: /usr/sbin/sendmail -t -i . What can I do to prevent all users from being able to use sendmail, and send mail that comes from @hosting.mycompany.com when that isn't how they should be sending email? I believe from what I read if they use webmail, it will show up that way as well, so I need to be able to do this without breaking anything.

SMTP Restrictions are enabled. I have "Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" and "Prevent “nobody” from sending mail" enabled.

I also have another client that is running a (legitimate) cron job that is sending messages from [email protected]. It's from a WordPress plugin that is running backups. So, again, how can I block these types of things without breaking anything?

Thanks for any help.
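An added example, not part of the original post: one way to find which account and directory is calling /usr/sbin/sendmail is to count the `cwd=` entries in the Exim main log. It assumes Exim's "arguments" log selector is enabled so those lines exist; the sample log, account names and paths are constructed.

```python
import re
from collections import Counter

# Constructed sample: lines in the shape Exim writes when its "arguments"
# log selector is enabled (assumed). Accounts and paths are made up.
SAMPLE_LOG = "\n".join([
    "2014-11-17 10:15:01 cwd=/home/clienta/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i",
    "2014-11-17 10:15:02 cwd=/home/clienta/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i",
    "2014-11-17 10:15:02 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q",
    "2014-11-17 10:15:03 cwd=/home/clienta/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i",
    "2014-11-17 10:20:00 cwd=/home/clientb 3 args: /usr/sbin/sendmail -t -i",
    "2014-11-17 10:20:01 1XqAbC-0001aB-2D Completed",
])

# "<date> <time> cwd=<working directory> <argc> args: <argv...>"
CWD_LINE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>.+?) \d+ args: (?P<args>.+)$")


def local_submissions(log_text):
    """Yield the working directory of every local sendmail invocation."""
    for line in log_text.splitlines():
        m = CWD_LINE.match(line)
        if not m:
            continue  # deliveries, completions and other log entries
        argv = m.group("args").split()
        if argv[0].endswith("/sendmail"):  # skips queue runners such as "exim -q"
            yield m.group("cwd")


def account_of(cwd):
    """Map /home/<account>/... to the account name (assumed home layout)."""
    parts = cwd.split("/")
    return parts[2] if len(parts) > 2 and parts[1] == "home" else "(system)"


def summarize(log_text):
    """Return (messages per account, messages per directory)."""
    by_account, by_dir = Counter(), Counter()
    for cwd in local_submissions(log_text):
        by_account[account_of(cwd)] += 1
        by_dir[cwd] += 1
    return by_account, by_dir


if __name__ == "__main__":
    accounts, dirs = summarize(SAMPLE_LOG)
    for cwd, n in dirs.most_common():
        print(f"{n:6d}  {account_of(cwd):10s}  {cwd}")
```

A directory that dominates the count, especially an upload or cache directory, is where to look for the injected script; a low-volume entry such as a cron-driven backup shows up separately and can be left alone.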
 

celitocomm

Hey Michael,

I tried the one where I block email from one domain, but it didn't seem to work. I assume because mail was being generated from the server itself so the domain didn't match their domain.

It looks like your second look will do what I need to do though. I'll test it out and update. Thanks for the help!

-Brent